Antivirus software is used to prevent, detect, and remove malware, including but not limited to computer viruses, computer worms, trojan horses, spyware, and adware.
Virus Detection Methods
There are four major methods of virus detection in use today: scanning, integrity checking, interception, and heuristic detection. Of these, scanning and interception are very common, with the other two only common in less widely-used anti-virus packages. Unfortunately, while scanning is very effective against known viruses, it is completely incapable of dealing with new viruses, forcing anti-virus analysis centers into a reactive stance.
A scanner will search all files in memory, in the boot sector (the sector on disk that specifies where boot information is), and on disk for code snippets that uniquely identify a file as a virus. Obviously, this requires a list of unique signatures that will be found in viruses and not in benign programs. To prevent false alarms, most scanners will also check the code of a suspected file against either the virus code itself or a checksum of it. (A checksum is a method frequently used to determine whether data has been changed, and involves summing all of the bits in a file.) This is the most common method of virus detection available, and is implemented in all major anti-virus software packages. There are two types of scanning: on-access and on-demand. On-access scanning scans files when they are loaded into memory prior to execution. On-demand scanning scans all of main memory, the boot sector, and the disk as well, and is started by the user whenever he or she wishes. On-access scanning has become more aggressive recently, with virus scans occurring even when files are merely selected, not loaded.
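The two-stage check described above (a cheap signature-snippet match, then a checksum of the matched region to suppress false alarms) can be illustrated with a small scanner. The following is an added example written for this page, not code from any anti-virus product; the "virus body", its signature snippet, and the sample files are all constructed byte strings, and SHA-256 stands in for whatever checksum a real scanner uses.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed stand-in for a known virus body: a made-up byte string used only
# so the scanner has something to find. It is not real malware.
EXAMPLE_VIRUS_BODY = b"\xeb\x1fXVIR-A" + b"\x90" * 24 + b"\xc3"

# Signature database (constructed): name -> (unique snippet, length of the full
# body, SHA-256 of the full body). The snippet is the cheap first-pass test;
# the checksum confirms a hit before the file is reported.
SIGNATURES: Dict[str, Tuple[bytes, int, str]] = {
    "Example.A": (
        b"\xeb\x1fXVIR-A",
        len(EXAMPLE_VIRUS_BODY),
        hashlib.sha256(EXAMPLE_VIRUS_BODY).hexdigest(),
    ),
}


def scan_bytes(data: bytes) -> List[Tuple[str, int, bool]]:
    """Return (signature name, offset, confirmed) for every snippet hit.

    confirmed is True only when the checksum of the region starting at the hit
    equals the recorded checksum of the virus body. A snippet hit whose
    checksum does not match is exactly the false alarm the second check is
    there to suppress."""
    hits: List[Tuple[str, int, bool]] = []
    for name, (snippet, body_len, body_sum) in SIGNATURES.items():
        start = 0
        while True:
            off = data.find(snippet, start)
            if off == -1:
                break
            region = data[off:off + body_len]
            confirmed = hashlib.sha256(region).hexdigest() == body_sum
            hits.append((name, off, confirmed))
            start = off + 1
    return hits


def confirmed_infections(data: bytes) -> List[str]:
    """Names of signatures whose hit was confirmed by checksum."""
    return sorted({name for name, _, ok in scan_bytes(data) if ok})


def scan_tree(root: str) -> Dict[str, List[str]]:
    """On-demand style sweep: scan every regular file under root and return
    path -> confirmed signature names for the files that are infected."""
    infected: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                found = confirmed_infections(fh.read())
            if found:
                infected[path] = found
    return infected


# Constructed samples standing in for files on disk.
INFECTED_SAMPLE = b"MZ\x90\x00" + EXAMPLE_VIRUS_BODY + b"\x00" * 8
LOOKALIKE_SAMPLE = b"hello " + b"\xeb\x1fXVIR-A" + b"\x00" * 40  # snippet only
CLEAN_SAMPLE = bytes(64)
```

The lookalike sample contains the snippet but not the rest of the body, so the scanner reports the hit as unconfirmed and `confirmed_infections` leaves it out; that is the situation in which a snippet-only scanner would raise a false alarm. Note also that nothing here can flag a file whose signature is not in `SIGNATURES`, which is the reactive limitation the section describes.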
An integrity checker records integrity information about important files on disk, usually by checksumming. Should a file change due to virus activity or corruption, the file will no longer match the recorded integrity information. The user is prompted, and can usually be given an option to restore the file to its pre-corrupted/infected state. This is an extensive process, and few virus checkers today utilize it. Norman Virus Control, however, is one.
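The baseline-and-compare cycle of an integrity checker, including the restore option mentioned above, as an added example written for this page (not Norman Virus Control's or any other product's code). It records a SHA-256 digest and size for each watched file, keeps a copy for restoration, and reports each file as ok, modified, or missing; the files it checks are constructed in a temporary directory by `demo()`.

```python
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, Iterable


def file_digest(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_baseline(paths: Iterable[str], baseline_file: str, backup_dir: str) -> Dict[str, dict]:
    """Record digest and size of each file and keep a copy for restoration."""
    os.makedirs(backup_dir, exist_ok=True)
    baseline: Dict[str, dict] = {}
    for path in paths:
        digest = file_digest(path)
        backup = os.path.join(backup_dir, digest)  # copies are stored by digest
        shutil.copy2(path, backup)
        baseline[path] = {"sha256": digest, "size": os.path.getsize(path), "backup": backup}
    with open(baseline_file, "w") as fh:
        json.dump(baseline, fh)
    return baseline


def verify(baseline_file: str) -> Dict[str, str]:
    """Compare every recorded file against its baseline: ok / modified / missing."""
    with open(baseline_file) as fh:
        baseline = json.load(fh)
    status: Dict[str, str] = {}
    for path, rec in baseline.items():
        if not os.path.exists(path):
            status[path] = "missing"
        elif os.path.getsize(path) != rec["size"] or file_digest(path) != rec["sha256"]:
            status[path] = "modified"
        else:
            status[path] = "ok"
    return status


def restore(path: str, baseline_file: str) -> None:
    """Put the recorded copy of path back in place."""
    with open(baseline_file) as fh:
        baseline = json.load(fh)
    shutil.copy2(baseline[path]["backup"], path)


def demo() -> Dict[str, Dict[str, str]]:
    """Round trip on constructed files: baseline, simulated infection, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        prog = os.path.join(tmp, "program.bin")
        conf = os.path.join(tmp, "config.txt")
        with open(prog, "wb") as fh:
            fh.write(b"MZ" + bytes(30))          # constructed "executable"
        with open(conf, "wb") as fh:
            fh.write(b"setting=1\n")             # constructed config file
        baseline_file = os.path.join(tmp, "baseline.json")
        create_baseline([prog, conf], baseline_file, os.path.join(tmp, "backup"))
        before = verify(baseline_file)
        with open(prog, "ab") as fh:             # simulate a virus appending to the program
            fh.write(b"\xebXVIR")
        after = verify(baseline_file)
        restore(prog, baseline_file)
        restored = verify(baseline_file)
        short = lambda d: {os.path.basename(p): s for p, s in d.items()}
        return {"before": short(before), "after": short(after), "restored": short(restored)}
```

The checker only works as well as its reference data: if the baseline file and the backup copies sit on the same writable disk as the files they protect, a virus that can modify the program can rewrite them too, so a real deployment keeps them somewhere the checked system cannot write. The example also cannot say whether a change was caused by a virus, corruption, or a legitimate update; it only reports that the file no longer matches, which is why the user is prompted rather than the file being restored automatically.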
Heuristic Virus Checking
This is a generic method of virus detection. Anti-virus software makers develop a set of rules to distinguish viruses from non-viruses. Should a program or code segment match these rules, it is marked as a virus and dealt with accordingly. This allows detection of any virus and, in theory, should be sufficient to deal with any new virus attack. F-Secure's virus software uses this method in addition to scanning, although not very many software packages available today utilize heuristic virus checking.
Interception software detects virus-like behavior and warns the user about it. How is virus-like behavior detected? With heuristics again. Many viruses perform some suspicious action, like relocating themselves in memory and installing themselves as resident programs.
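The rule set that heuristic checking and interception both rely on (the previous two sections) can be shown as a small weighted-rule engine. This is an added example written for this page, not F-Secure's or any other vendor's heuristics: the rule names, weights, threshold, and the observation fields (`writes_boot_sector`, `stays_resident`, `copies_own_image`, `executables_written`) are assumptions standing in for whatever a behaviour monitor would actually record, and the sample observations are constructed.

```python
from typing import Callable, Dict, List, Tuple

Observation = Dict[str, object]

# Constructed rule set: (name, weight, predicate over an observation). The
# observation keys are hypothetical fields a behaviour monitor might record,
# chosen for this example rather than taken from any real product.
RULES: List[Tuple[str, int, Callable[[Observation], bool]]] = [
    ("writes boot sector",            5, lambda o: bool(o.get("writes_boot_sector"))),
    ("installs as resident program",  3, lambda o: bool(o.get("stays_resident"))),
    ("relocates own image in memory", 3, lambda o: bool(o.get("copies_own_image"))),
    ("modifies other executables",    4, lambda o: int(o.get("executables_written", 0)) > 0),
    ("modifies many executables",     2, lambda o: int(o.get("executables_written", 0)) >= 5),
]

# A program is flagged only when the weighted evidence reaches this value, so a
# single ordinary action (a compiler writing one executable, a clock utility
# staying resident, a format tool writing the boot sector) does not trip the
# checker on its own. Where to set it is the false-alarm versus miss trade-off.
THRESHOLD = 6


def score(obs: Observation) -> Tuple[int, List[str]]:
    """Total weight of the rules this observation matches, plus their names."""
    total = 0
    matched: List[str] = []
    for name, weight, pred in RULES:
        if pred(obs):
            total += weight
            matched.append(name)
    return total, matched


def classify(obs: Observation) -> str:
    """Verdict for one program's observed behaviour."""
    total, _ = score(obs)
    return "virus-like" if total >= THRESHOLD else "benign"


# Constructed observations for four programs.
SAMPLES: Dict[str, Observation] = {
    "tsr_clock": {"stays_resident": True},
    "compiler": {"executables_written": 1},
    "disk_formatter": {"writes_boot_sector": True},
    "suspect": {"stays_resident": True, "copies_own_image": True, "executables_written": 12},
}


def classify_all() -> Dict[str, str]:
    return {name: classify(obs) for name, obs in SAMPLES.items()}
```

Each benign sample triggers one rule and stays under the threshold, while the suspect's combination of staying resident, relocating its own image, and writing to many executables scores 12 and is flagged. An interceptor would evaluate the same rules as the actions happen and warn the user at the point the threshold is crossed, whereas a heuristic scanner evaluates them over the code before it runs; either way, a new virus that does none of the listed things slips past, so the rule set needs maintaining just as a signature list does.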