How does antivirus software work?

One of the most important pieces of software on a Windows computer today is antivirus software, which protects you against malware, exploits and attackers. With new, advanced malware released every day to compromise privacy, blackmail the owners of infected machines and send spam, antivirus software is more important than ever. Most malware is designed and spread with a financial motive; ransomware, for instance, encrypts all the files on your computer and demands a payment in Bitcoin for the decryption key.

Malware is often spread through infected websites that host malicious software, phishing e-mails and online downloads. On many occasions users are infected by their own actions, for example by opening a malicious e-mail attachment or downloading a file from the internet. But sometimes there is nothing you could have done to prevent infection, for example when you visit a mainstream news website that has itself been compromised to serve malicious software. On those occasions your antivirus software becomes really important. Antivirus protects your privacy, your precious and often irreplaceable files and your business processes for a price of $10 to $40. But how does antivirus work? What do a full system scan and a quick scan do? How does antivirus detect a virus? Why does it update all the time? In this article we answer these questions and more.

How does antivirus software search for malware?

Antivirus software uses multiple ways to detect malicious software: full system scans, quick scans and on-access scans. We will have a look at the different scans available, what they do and when to use them.


Full system scan

The full system scan may run for a long time: it scans all the files on your hard drive, network shares, system memory and other storage devices for malicious software. Modern systems often contain a great many files, so a full system scan may run for a very long time. A full system scan is very useful when you have just installed antivirus software and want to check whether your computer already contains malicious software. Another reason to run a full system scan is when you suspect an infection that has gone unnoticed until then, or when you want to check the system for dormant malware with the latest virus definitions. For the purpose of dormant malware detection most antivirus software schedules a full system scan weekly, after the virus definitions have been updated.

Quick scan

Most antivirus software offers a function called a quick scan that checks the start-up items, system memory and boot sectors for malware. Depending on the antivirus software, the quick scan also checks locations that malware commonly uses, for example for persistence mechanisms. The quick scan uses only a fraction of the time and resources of a full system scan. Therefore you can run a quick scan any time you like without the antimalware software slowing down your computer.

On-access scanning

The on-access scan, or real-time protection, is probably the most important scanning mechanism used by antivirus software. An on-access scan runs every time an executable is started or a file is opened or downloaded, regardless of the file type. The antivirus software runs the on-access scan before the application interface or file is presented to the user. A great benefit of on-access scans is that exploitation of security flaws in applications is also caught by the antivirus software; for example, it will detect malicious Flash files when vulnerabilities in Flash are being exploited. For this reason it is advised never to turn off on-access scanning in your antivirus, even if it impacts your computer's performance. Many malware infections have a great impact on your system, and it can cost a lot of time, effort and sometimes money to remove the malware and make sure it has been completely removed.

How does antivirus software detect viruses?

But what mechanisms does antivirus software use to detect a virus and distinguish it from non-malicious files? This is done by using virus definitions for known viruses and by employing heuristics to detect new or modified viruses. Read on to learn what virus definitions are, how antivirus uses them to detect malware and how antivirus employs heuristics.

Virus definitions

Antivirus software relies heavily on virus definitions to detect malware on your system; this is the most traditional way of detecting malware. Virus definitions contain signatures that are used to identify the kind of malware. New malware is released every day, and so are virus definitions. The bigger antivirus vendors have dedicated antivirus labs where new malware is researched to develop new definitions and signatures for it. This is a costly process, because millions of new malicious samples are released every year. Without the latest virus definitions it may be impossible for your antivirus software to detect the latest malware, which is why most antivirus vendors update their definitions multiple times a day. Another method used by antivirus software is heuristic-based detection, which we will explain in more detail.


Heuristic-based detection is used in combination with virus definitions to detect malware that is based on known malware but has been modified. Even without virus definitions for the modified malware, the antivirus software is able to recognize variations of known malware and put them in quarantine. For this purpose antivirus uses generic signature detection, which targets malware that has a different fingerprint but contains exactly the same malicious code. Another method is file analysis, for example checking whether an executable contains instructions to alter or delete certain files. Regular software does not try to modify or delete important system files, so such behaviour can be considered malicious and the file considered malware.


One big downside of heuristic-based virus detection is false positives. A false positive is when the antivirus flags a file or program as malicious, or marks it as a threat, when it is not: it is just a false alarm. In normal daily use of your computer you should rarely encounter false positives, but with so much software around it is possible to run into one. In general it is advised that if your antivirus software claims a file is malicious, you consider it malicious too. If you want to be 100% sure whether you are facing a false positive, you can upload the file to VirusTotal for analysis. VirusTotal will scan the file for you and show you how other antivirus engines classify its contents.
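The detection mechanisms from the virus-definition and heuristics sections above, plus the on-access check from the scanning section, in one toy scanner. This is an added illustration, not code from any antivirus product; every sample, signature name, hash and rule in it is constructed for the example, and the generic-signature and heuristic rules are deliberately simple.

```python
import hashlib
import re
# Constructed definitions for illustration; none of these are real malware signatures.
# Exact signatures: SHA-256 of a whole known sample (what a definition update ships).
EXACT_SIGNATURES = {}
# Generic signatures: "??" is a one-byte wildcard, so a repacked variant still matches.
GENERIC_SIGNATURES = {"Constructed.Wiper.gen": "57 49 50 45 ?? ?? 53 59 53"}  # WIPE??SYS
# Heuristic rules: behaviour regular software rarely shows, each with a weight.
HEURISTIC_RULES = [
    (re.compile(rb"DeleteFile.{0,64}System32", re.S), 60, "deletes files under System32"),
    (re.compile(rb"\.encrypted\b"), 40, "renames files with a ransom-style extension"),
]
HEURISTIC_THRESHOLD = 50

def _compile_generic(pattern):
    """Turn 'DE AD ?? EF' into a regex; '??' becomes a one-byte wildcard."""
    parts = [b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in pattern.split()]
    return re.compile(b"".join(parts), re.S)

def scan(data):
    """Classify file bytes: exact signature, then generic signature, then heuristics."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in EXACT_SIGNATURES:
        return "malicious", EXACT_SIGNATURES[digest]
    for name, pattern in GENERIC_SIGNATURES.items():
        if _compile_generic(pattern).search(data):
            return "malicious", name
    score, reasons = 0, []
    for rule, weight, why in HEURISTIC_RULES:
        if rule.search(data):
            score += weight
            reasons.append(why)
    if score >= HEURISTIC_THRESHOLD:
        return "suspicious", "; ".join(reasons)
    return "clean", ""

def on_access(name, data):
    """Real-time check: scan before the content reaches the user; block on any hit."""
    verdict, reason = scan(data)
    if verdict != "clean":
        raise PermissionError(f"{name}: {verdict} ({reason})")
    return data

# Constructed samples (not real malware). The lab analysed KNOWN and shipped its hash.
KNOWN = b"MZ\x90\x00WIPE\x01\x02SYS DeleteFileW(C:\\Windows\\System32\\kernel.dll)"
EXACT_SIGNATURES[hashlib.sha256(KNOWN).hexdigest()] = "Constructed.Wiper.A"
VARIANT = KNOWN.replace(b"\x01\x02", b"\xaa\xbb")  # repacked: new hash, same core code
UNKNOWN = b"MZ\x90\x00LOCKER DeleteFileW(C:\\Windows\\System32\\drivers\\x) *.docx -> *.encrypted"
CLEANUP_TOOL = b"MZ\x90\x00DiskCleaner DeleteFileW(C:\\Windows\\System32\\Temp\\*.tmp)"  # benign
NOTEPAD = b"MZ\x90\x00Just a text editor"
```

Note how CLEANUP_TOOL, a constructed benign utility, trips the System32 heuristic: that is exactly the false positive described above, and why a second opinion on a heuristic hit is worth having.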

Which antivirus software should I buy?

There are a lot of antivirus vendors, who offer even more antivirus products. It is advised to go with proprietary antivirus software instead of free software: paid antivirus software offers better protection against infections, exploits and hackers than free virus scanners. Currently the award-winning antivirus vendors are Bitdefender, ESET, Norton, F-Secure and Kaspersky.


About Author

Student, geek, and generally an IT enthusiast.