How antivirus programs protect your computer

Learning how antivirus programs protect your computer is a good first step toward keeping your data and privacy safe, and with today’s expanding cyber threat landscape it is more urgent than ever that your digital life be secure. Here is a sample of the staggering cybersecurity statistics originally shared by the hashedout.com blog:

  • The cybercrime economy has grown to at least $1.5 trillion in profits each year.
  • Cybercrime damages are anticipated to cost businesses and organizations $6 trillion annually by 2021. 
  • Ransomware damage is estimated to reach $20 billion globally by 2021.
  • Ransomware attacks occur every 14 seconds and are expected to occur every 11 seconds by 2021.
  • Security breaches have seen a 67% increase over the past five years.

Fortunately, we are not without a way to defend our data and privacy. Cybercrime has spawned an entire industry of antivirus programs. These programs were originally designed to detect and remove computer viruses, but today they also detect and remove all kinds of malware, including spyware, ransomware, rootkits, worms, Trojans and more. Below is a brief look at the malware detection techniques used by antivirus (AV) software today:

  1. Signature-based detection. Signature-based detection is one of the earliest detection methods, but it is still the backbone of AV software today. The vendor analyzes known malware samples and extracts ‘signatures’, typically a distinctive byte sequence or a cryptographic hash of the file, and ships them in a signature database that is updated regularly. The scanner compares files and running programs against that database and flags anything that matches. This is a fast and very reliable way of detecting known malware, with few false positives, but it cannot detect malware that is not yet in the database, and even a small change to a known sample (recompiling, repacking, or polymorphic encoding) can defeat an exact-match signature.
  2. Heuristics-based detection. To rectify the shortcoming of signature-based detection, methods that can catch malware nobody has catalogued yet are used alongside it. Heuristic analysis is one such method. It inspects a file statically, without running it, for characteristics that are rare in legitimate software but common in malware: instructions or API imports associated with code injection, self-modifying or packed code with unusually high entropy, commands that delete backups or disable security tools, and so on. Each finding carries a weight, and if the total score crosses a vendor-tuned threshold the file is treated as a potential threat and blocked or quarantined before it runs. Heuristics can detect previously unknown malware, but because legitimate tools (installers, packers, backup utilities) share some of these traits, the method also produces false positives, and the threshold is always a trade-off between the two.
  3. Behavior-based detection. Behavior-based detection analyzes what a program actually does when it runs rather than what its file looks like. Like heuristic detection, it can catch previously unknown malware. The AV monitors process activity (file, registry, network and API events) and applies rules to it: a process that encrypts or deletes a large number of user files in a short time, changes security settings or disables real-time protection, or installs a keyboard hook to monitor keystrokes is behaving like ransomware, a tampering tool, or a keylogger, and is stopped. The trade-off is that the program has already started executing by the time its behavior is judged, so detection must be fast enough to interrupt it before real damage is done.
  4. Sandbox detection. Sandbox detection takes a more cautious approach: instead of running the suspect file directly on the host, it executes it in an isolated virtual environment where it cannot reach the computer’s real files, and observes what it does. If the program’s actions in the sandbox look malicious, the file is quarantined; if not, it is allowed to run on the real system. This is a highly effective detection method, but it is resource-intensive and slow, so it is rarely built into end-user products and more often runs in gateway or cloud analysis services. Malware authors also know about it: a sample may check for signs of a virtual machine, or simply stay dormant for a while, and behave benignly as long as it is under observation.
  5. Data mining detection. Data mining is relatively new to the AV scene. Large sets of known malicious and benign files are used to train machine-learning classifiers on features extracted from each file (imports, strings, byte-level statistics, observed behavior), and the trained model then scores new files as malicious or benign. This generalizes beyond exact signatures, but like heuristics it can misclassify, and attackers actively probe such models for small changes that flip a verdict without breaking the malware.
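As an added illustration, not code from the original article or from any AV vendor, the following Python script models the first three layers above on constructed samples: a signature database holding one file hash and the EICAR test string, a weighted heuristic scorer over static file traits, and a behavior monitor fed a constructed event log. The rule weights, the thresholds, the event format and every sample file are assumptions chosen for the demonstration; real products derive them from millions of samples and from kernel-level telemetry.

```python
"""Toy multi-layer malware scanner: signature, heuristic and behavior layers."""
from __future__ import annotations

import hashlib
import math
from collections import Counter
from typing import Optional

# --- Layer 1: signature-based -------------------------------------------------
# Constructed signature database. The byte pattern is the real EICAR test string
# that every AV product recognises; the hash entry covers a constructed sample.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
KNOWN_BAD_SAMPLE = b"MZ\x90\x00constructed dropper body: pretend this is a known trojan"
SIGNATURE_DB = {
    "hashes": {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Trojan.Constructed.A"},
    "patterns": {"EICAR-Test-File": EICAR},
}


def signature_scan(data: bytes) -> Optional[str]:
    """Return the family name if data matches a known hash or byte pattern."""
    hit = SIGNATURE_DB["hashes"].get(hashlib.sha256(data).hexdigest())
    if hit:
        return hit
    for name, pattern in SIGNATURE_DB["patterns"].items():
        if pattern in data:
            return name
    return None  # not in the database; says nothing about unknown malware


# --- Layer 2: heuristics-based ------------------------------------------------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 indicate packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# (description, weight, predicate over the raw file bytes); weights are assumed.
HEURISTIC_RULES = [
    ("imports process-injection API pair", 3,
     lambda d: b"WriteProcessMemory" in d and b"CreateRemoteThread" in d),
    ("deletes volume shadow copies", 4,
     lambda d: b"vssadmin delete shadows" in d.lower()),
    ("high entropy, likely packed", 2, lambda d: shannon_entropy(d) > 7.0),
    ("installs low-level keyboard hook", 2,
     lambda d: b"SetWindowsHookEx" in d and b"WH_KEYBOARD_LL" in d),
]
HEURISTIC_THRESHOLD = 5  # assumed; raising it trades detections for fewer false positives


def heuristic_scan(data: bytes) -> tuple[int, list[str]]:
    """Score static traits; returns (total weight, descriptions of rules that fired)."""
    fired = [(desc, w) for desc, w, pred in HEURISTIC_RULES if pred(data)]
    return sum(w for _, w in fired), [desc for desc, _ in fired]


def heuristic_verdict(data: bytes) -> bool:
    """True when the heuristic score reaches the threshold."""
    return heuristic_scan(data)[0] >= HEURISTIC_THRESHOLD


# --- Layer 3: behavior-based --------------------------------------------------
MASS_DELETE_THRESHOLD = 50  # assumed: deletions by one process before flagging


def behavior_scan(events: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Judge processes by their runtime actions, not by file contents.

    events are (process, action, target) tuples, as a kernel filter driver or
    ETW session would deliver them; here they come from a constructed list.
    """
    verdicts: dict[str, list[str]] = {}
    deletes: Counter = Counter()
    for proc, action, target in events:
        flags = verdicts.setdefault(proc, [])
        if action == "delete_file":
            deletes[proc] += 1
            if deletes[proc] == MASS_DELETE_THRESHOLD:
                flags.append("mass file deletion")
        elif action == "set_registry" and "DisableRealtimeMonitoring" in target:
            flags.append("tampers with security settings")
        elif action == "keyboard_hook":
            flags.append("monitors keystrokes")
    return {p: f for p, f in verdicts.items() if f}


# Constructed samples: unknown to the signature DB, so layers 2 and 3 must catch them.
UNKNOWN_RANSOMWARE = (b"MZ constructed sample not in any database\n"
                      b"WriteProcessMemory CreateRemoteThread\n"
                      b"cmd /c vssadmin delete shadows /all /quiet\n")
BACKUP_TOOL = b"MZ constructed backup utility: vssadmin delete shadows /for=C: /oldest"
EVENTS = ([("ransom.exe", "delete_file", f"C:\\Users\\doc{i}.docx") for i in range(60)]
          + [("ransom.exe", "set_registry",
              r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"),
             ("keylog.exe", "keyboard_hook", "WH_KEYBOARD_LL"),
             ("notepad.exe", "write_file", r"C:\Users\notes.txt")])

if __name__ == "__main__":
    print("signature:", signature_scan(EICAR), signature_scan(UNKNOWN_RANSOMWARE))
    print("heuristic:", heuristic_scan(UNKNOWN_RANSOMWARE), heuristic_verdict(BACKUP_TOOL))
    print("behavior: ", behavior_scan(EVENTS))
```

The constructed ransomware sample is invisible to the signature layer, is caught by the heuristic layer (injection APIs plus shadow-copy deletion score 7 against a threshold of 5), and would also be caught at run time by the behavior layer once it deletes its fiftieth file. The constructed backup tool shows the false-positive trade-off the article mentions: it legitimately calls vssadmin and scores 4, so it passes only because the threshold sits above that weight; lower the threshold to 4 and it is quarantined.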

Why are so many different detection methods needed?

The cyber threat landscape evolves constantly, and the defense has to evolve with it. Each method above covers a gap in the others: signatures are precise but only catch what is already known; heuristics and behavior analysis catch new threats at the cost of false positives; sandboxing and machine learning add depth at the cost of time and resources. While there are differences between AV brands, and between subscription and free versions, any AV product is only effective if it layers several of these methods rather than relying on one.