Integrity checkers examine stored files or network packets to determine if they have been altered or changed. They can only flag a change as suspicious; they cannot determine if the change is a genuine virus infection.
These checkers are based on checksums — a simple mathematical operation that turns an entire file or a message into a number. More complex hash functions that result in a fixed string of encrypted data are also used. The integrity checking process begins with the creation of a baseline, where checksums or hashes for clean data are computed and saved. Each time the integrity checker is run, it again makes a checksum or hash computation and compares the result with the stored value.