How Antivirus Works

Antivirus software protects computers, laptops and other devices from malware. Here is how it works.

Protecting yourself against the threats circulating on the web has become increasingly difficult. One tool that should not be missing from any device is an antivirus, especially on desktop and laptop computers, which run arbitrary downloaded programs far more freely than locked-down tablets and smartphones and have historically been a much larger target. It runs in the background, intercepting known and suspected malware before it can execute.

All users have to do is install one and keep it updated: the antivirus takes care of the rest. Protection programs are designed to check the machine continuously. We can imagine them as gates that let legitimate files through, block harmful ones and isolate suspicious ones. Without an antivirus, a machine is at the mercy of Trojans, worms and other malware. A computer without this shield is like a house without doors, and leaving a home unattended means exposing yourself to numerous dangers. An antivirus is one layer of protection rather than a complete one: it can only recognize what it has been taught to recognize, so updates and careful habits matter as much as the product itself.

Once the task performed by an antivirus is clear, it is also worth asking how these security programs actually work. How do they protect us from attackers?

How does an antivirus work

In general, an antivirus scans any file or program that is about to enter the system. Each item is compared against what in jargon are called "virus signatures": an archive of patterns extracted from known malware, such as cryptographic hashes of whole files or characteristic byte sequences found inside them. If the file matches a definition in this "file cabinet", the antivirus blocks it. The limitation is built into the method: a signature can only describe malware that has already been seen and analyzed.
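The signature lookup just described, as an added example that is not part of the original article or of any particular product. It builds a constructed signature "file cabinet" with one whole-file hash signature and one ClamAV-style hex byte-pattern signature (the notation, the `scan()` and `verdict()` functions and the detection names are assumptions for illustration) and scans a few constructed samples. The EICAR string embedded below is the industry's harmless standard test file and is safe to keep in source code.

```python
import hashlib
import re

# EICAR is the harmless industry-standard test string that every antivirus must flag.
# It is used here as the constructed "known malware" sample.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature archive (in a real product this comes from the vendor's update feed).
# 1) Whole-file signatures: SHA-256 of a known sample -> detection name.
HASH_SIGNATURES = {
    hashlib.sha256(EICAR).hexdigest(): "Eicar-Test-Signature (hash)",
}

# 2) Byte-pattern signatures in a ClamAV-like hex notation, where "??" matches any one byte.
#    This pattern is "EICAR?STANDARD?ANTIVIRUS" with the separators wildcarded, so it
#    survives small edits elsewhere in the file that would break the hash signature.
PATTERN_SIGNATURES = {
    "Eicar-Test-Signature (pattern)": "4549434152??5354414e44415244??414e54495649525553",
}


def hex_signature_to_regex(sig: str) -> re.Pattern:
    """Compile a hex signature with ?? wildcards into a bytes regex."""
    tokens = re.findall(r"\?\?|[0-9a-fA-F]{2}", sig)
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok)) for tok in tokens]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED_PATTERNS = {name: hex_signature_to_regex(sig) for name, sig in PATTERN_SIGNATURES.items()}


def scan(data: bytes) -> list[str]:
    """Return the names of every signature the data matches (an empty list means clean)."""
    hits = []
    hash_hit = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if hash_hit:
        hits.append(hash_hit)
    for name, pattern in COMPILED_PATTERNS.items():
        if pattern.search(data):
            hits.append(name)
    return hits


def verdict(data: bytes) -> str:
    """The 'gate' decision: block anything with at least one signature hit."""
    return "blocked" if scan(data) else "allowed"


if __name__ == "__main__":
    # Constructed samples: the test file itself, a one-byte variant of it, and a benign file.
    variant = EICAR[:-1] + b"#"
    for label, sample in [("eicar", EICAR), ("eicar-variant", variant), ("benign", b"hello world")]:
        print(f"{label:14s} {verdict(sample):8s} {scan(sample)}")
```

The one-byte variant is the instructive case: changing a single byte defeats the hash signature entirely, while the byte-pattern signature still fires. That brittleness is why real engines layer pattern signatures, heuristics and behavioral rules on top of plain hash lookups.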

Files that pass the first gate are handed to a second security layer present in some firewalls and antivirus products: the Host-based Intrusion Prevention System (HIPS). What happens here? Programs the antivirus already trusts run normally, while files it does not know are given a sort of temporary "clearance": they are allowed to run, but only under restrictions, with their actions on the system monitored and sensitive operations blocked or held for approval. It is then up to the user to decide whether to open the machine's doors to these programs or close them for good. In the second case the files end up in quarantine, like any other malware.

Analysis techniques

As mentioned, antivirus programs scan continuously and in real time, covering the whole machine. Malware remains the main attack tool, which is why keeping the antivirus up to date is so important: an obsolete signature archive cannot recognize malware that appeared after the last update, and new samples appear every day. This gap is the reason the techniques below exist.

There are other investigation techniques as well. A popular one is heuristic analysis, which usually works alongside "virus signatures". What is it about? It is used to detect malicious code not yet known to the antivirus: instead of looking for an exact match, the engine looks for characteristics typical of malware, such as code that unpacks or decrypts itself, unusual file structure, or calls to functions commonly abused by malware. Some engines also emulate the suspicious file in a virtual zone isolated from the system, so that if it is dangerous it does not risk infecting the whole machine. Heuristics trade precision for coverage: they can catch brand-new malware, but they also produce false positives on legitimate software that happens to look suspicious.

Then there is behavioral analysis, in which the program detects malware by observing what it does while running: which files it writes or renames, which registry keys it sets, which processes it launches and where it connects. Individual actions are mostly harmless; what gives malware away is the combination, for example a process that rewrites hundreds of documents with a new extension and then deletes the system's backup copies.
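The kind of rule a behavioral engine applies, as an added example that is not part of the original article or of any real product. It runs a few scoring rules over a constructed trace of process events (the event format, the sample paths, the thresholds and the rule weights are all assumptions for illustration) and separates a ransomware-like process from an ordinary word processor doing normal work.

```python
from collections import defaultdict

# Constructed process trace of (pid, event, detail). In a real engine these events come
# from a kernel driver or file-system filter; here they are hand-written samples.
TRACE = [
    # pid 4242 behaves like ransomware: rewrites documents, deletes shadow copies, persists.
    (4242, "file_write", r"C:\Users\bob\Documents\budget.xlsx.locked"),
    (4242, "file_write", r"C:\Users\bob\Documents\report.docx.locked"),
    (4242, "file_write", r"C:\Users\bob\Pictures\holiday.jpg.locked"),
    (4242, "file_write", r"C:\Users\bob\Desktop\notes.txt.locked"),
    (4242, "file_write", r"C:\Users\bob\Desktop\thesis.pdf.locked"),
    (4242, "process_create", "vssadmin.exe delete shadows /all /quiet"),
    (4242, "registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    # pid 1337 is a word processor doing ordinary work.
    (1337, "file_write", r"C:\Users\bob\Documents\report.docx"),
    (1337, "file_write", r"C:\Users\bob\Documents\~$report.docx"),
    (1337, "registry_set", r"HKCU\Software\Microsoft\Office\16.0\Word\RecentFiles"),
]

# Assumed rule parameters; a real product tunes these against large benign and malicious corpora.
RANSOM_EXTENSIONS = (".locked", ".enc", ".crypt")
MASS_WRITE_THRESHOLD = 5
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MALICIOUS_SCORE = 70


def analyze(trace):
    """Score each process by the combination of its actions, not by any single action."""
    by_pid = defaultdict(list)
    for pid, event, detail in trace:
        by_pid[pid].append((event, detail))

    results = {}
    for pid, events in by_pid.items():
        score, indicators = 0, []

        # Rule 1: many files rewritten with a ransomware-style extension.
        ransom_writes = sum(
            1 for ev, d in events if ev == "file_write" and d.lower().endswith(RANSOM_EXTENSIONS)
        )
        if ransom_writes >= MASS_WRITE_THRESHOLD:
            score += 50
            indicators.append(f"{ransom_writes} files rewritten with ransomware-style extension")

        # Rule 2: destroying the system's backup copies (vssadmin delete shadows).
        if any(ev == "process_create" and "vssadmin" in d.lower() and "delete shadows" in d.lower()
               for ev, d in events):
            score += 40
            indicators.append("shadow copy deletion")

        # Rule 3: persistence through the per-user Run key.
        if any(ev == "registry_set" and d.lower().startswith(RUN_KEY.lower()) for ev, d in events):
            score += 20
            indicators.append("Run-key persistence")

        results[pid] = {
            "score": score,
            "indicators": indicators,
            "verdict": "malicious" if score >= MALICIOUS_SCORE else "benign",
        }
    return results


if __name__ == "__main__":
    for pid, result in analyze(TRACE).items():
        print(pid, result["verdict"], result["score"], result["indicators"])
```

No single rule is decisive on its own, and that is deliberate: a backup or disk-encryption tool can legitimately rewrite thousands of files, and installers legitimately write Run keys. Scoring the combination, and tuning the weights against what normal software actually does, is what keeps a behavioral engine from blocking the user's own programs.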

One of the most advanced solutions is data mining, today usually implemented with machine learning: a classifier is trained on features extracted from the binary code of large numbers of known-good and known-malicious samples, and then judges files it has never seen before. Another method is the sandbox: suspicious files are run in a virtual environment, where the antivirus can watch what they do and work out whether they are malicious. Malware authors know this, and some samples check whether they are inside a sandbox and stay dormant there, so a clean sandbox run is evidence rather than proof.