The IT Law Wiki


Antivirus software is

[a] program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.[1]


It provides protection against viruses and malicious code, such as worms and Trojan horses, by detecting and removing the malicious code and by preventing unwanted effects and repairing damage that may have resulted. Antivirus software uses a variety of techniques — such as signature scanners, activity blockers, and heuristic scanners — to protect computer systems against potentially harmful viruses, worms, and Trojan horses.

How the technology works[]

Antivirus software products can use a combination of the following technologies:

  • Signature scanners can identify known malicious code. Scanners search for “signature strings” or use algorithmic detection methods to identify known code. They rely on a significant amount of prior knowledge about the malicious code. Therefore, it is critical that the signature information for scanners be current. Most scanners can be configured to automatically update their signature information from a designated source, typically on a weekly basis; scanners can also be forced to update their signatures on demand.
  • Activity (or behavior) blockers contain a list of rules that a legitimate program must follow. If the program breaks one of the rules, the activity blockers alert the users. The idea is that untrusted code is first checked for improper behavior. If none is found, the code can be run in a restricted environment, where dynamic checks are performed on each potentially dangerous action before it is permitted to take effect. By adding multiple layers of reviews and checks to the execution process, activity blockers can prevent malicious code from performing undesirable actions.
  • Heuristic scanners work to protect against known viruses and are also able to detect unknown viruses. Heuristic scanners can be classified as either static or dynamic. Static heuristic scanners use virus signatures, much like standard signature scanners, but instead of scanning for specific viruses, they scan for lines of code that are associated with virus-like behaviors. These scanners are often supplemented by additional programs that search for more complex, virus-like behavior patterns. Dynamic heuristic scanners identify suspicious files and load them into a simulated computer system to emulate their execution. This allows the scanner to determine whether the file is infected.

Effectiveness of the technology[]

Signature scanners require frequent updates to keep their databases of virus signatures current. This updating is necessary to safeguard computer systems against new strains of viruses. When they are properly updated, scanners effectively combat known viruses. However, they are less effective against viruses that change their code each time they infect another computer system.

Activity blockers are generally ineffective against many viruses, including macro viruses that make use of the programming features of common applications such as spreadsheets and word processors. Macro viruses constitute the majority of today’s viruses and are encoded within a document as macros — sequences of commands or keyboard strokes that can be stored and then recalled with a single command or keystroke. The macro generally modifies a commonly used function (for example, opening or saving a file) to initiate the effect of the virus. Activity blockers are generally more successful against Trojan horses and worms than they are against viruses.

Heuristic scanners have the primary advantage of being able to detect unknown viruses. Static heuristic scanners, when supplemented with additional programs, can detect behaviors associated with more complex viruses. Dynamic heuristic scanners consume more time and system resources than static heuristic scanners.


See also[]