How antivirus software works: Is it worth it?

Michael Kassner is frequently asked whether antivirus programs are worth the bother of employing. His typical response has been yes, but recently, he started to question that.

I frequently get asked whether antivirus programs are worth it. My typical response has been yes. Recently, I started wondering why?


We are told, in order to survive on the Internet, our computers need protection afforded by antivirus applications. If that's true:

  • Why do computers still get infected?
  • Would it be a lot worse if we didn't use antivirus programs?

Pondering those questions, I realized I may not have all the facts. So I began researching antivirus methodology. Here's what I found out.

What we are up against

Take note, the bad guys are motivated. Leveraging malware-infected computers to make money is easier and safer than any other illegal endeavor. That said, I'd like to think we (victims) are motivated as well, especially since it's our money they're after. So why do cybercriminals have the upper hand? For starters, they benefit from:

  • Vulnerable software: It's a given; software, especially complex code, will have exploitable bugs.
  • Element of surprise: Normal users do not look for vulnerabilities in software. The bad guys do, affording themselves opportunities to exploit weaknesses long before the rest of us know about them.
  • Playing catch up: It's difficult to determine what malware will look like, forcing antivirus developers into a reactionary mode.

I couldn't ask for a better example than what recently happened to Google. Attackers leveraged unknown (zero-day) vulnerabilities in Internet Explorer to gain a foothold in Google's supposedly-secure network. Check how close the exploit follows the three steps I outlined above:

  • Vulnerable software: Internet Explorer has an exploitable vulnerability.
  • Element of surprise: Only the attackers knew about it.
  • Playing catch up: AV companies are trying to develop a detection method and Microsoft is scrambling to create a fix for Internet Explorer.

Still not understanding why antivirus applications are failing to protect our computers, I pursued the matter with an experienced software engineer. He pointed out that it's hard to remove something you can't find. Talk about an understatement. I get it though; detecting malware is not as easy as we're lead to believe. My next step, find out why.

Malware detection

Malware detection can be divided into two methods; signature-based malware detection and behavior-based malware detection. Antivirus applications can employ one or both of the methods; depending on the sophistication of the program. Signature-based malware detection has been around for many years, so let's look at that first.

Signature-based malware detection

Signature-based malware detection depends on pattern recognition. Here's how it works. The AV application scans the file in question, comparing specific bytes of code against information in its malware-signature database. If the scanned file has a pattern duplicating one in the database, the file is considered malware. The antivirus application will then either quarantine or delete the file, depending upon the program configuration.


Presently, signature-based malware detection is included in almost every antivirus program. That said, AV companies are trying to move away from signature-based malware detection due to the following:

  • Signature-based malware detection is not effective against new or unknown malware.
  • New malware is being created daily, requiring the signature database to be updated ever more frequently.

These are valid concerns and why AV companies are investing a great deal of time and effort translating to behavior-based malware detection.

Behavior-based malware detection

Behavior-based malware detection makes sense because it monitors how programs act, not the software build. To explain, if abnormal behavior is detected, the program is flagged, regardless if the software seems correct. Behavior-based malware detection is broken up into two types; anomaly-based and specification-based malware detection.

Anomaly-based malware detection

The key ingredient to anomaly-based malware detection is determining what is considered normal behavior. Thus, any variation from the normal profile would be considered suspicious (anomalous). For example, normally a program, when executed, does not create any files. Then, all of a sudden, the program moves a file into one of the operating system's folders. That action would immediately be flagged by this type of antivirus software.

Anomaly-based malware detection can be further divided into:

  • Passive detection: Uses scanning to detect derivations from the program's normal profile.
  • Active detection: Involves executing a questionable program within a controlled environment such as a sandbox or virtual machine. Then observing the behavior of the program. If the program meets certain negative criteria, it will be flagged as suspicious.

As good as this sounds, anomaly-based malware detection has shortcomings. False positives are more common with this type of detection, simply because of the complexity of modern-day programs. Second, if an attacker makes sure his malcode behaves like a good program, it will not be detected. Threatfire Zero-Day Malware Protection is an example of anomaly-based malware detection software.

Specification-based malware detection

Right now, specification-based malware detection (Point IV-B) is our best hope for reducing malware problems. That's because, all actions taken by any programs (operating system and applications alike) are mediated by a predetermined policy. For example, if so configured, the policy would disallow execution of files downloaded from a Web site specified by the person in charge of the computer.

The advantage of specification-based malware detection is its flexibility and minimal false positives when compared to anomaly-based malware detection. One example of specification-based malware detection is NovaShield AntiMalware.

My findings

I seldom find quarantined malware on computers. I've noticed something else. Most infected computers protected with typical antivirus programs require specialized scanners to remove any offending malware. After writing this article, I know why that is.

Final thoughts

Being one of those "rather be safe than sorry" types, I will continue to suggest using an antivirus program. What I will change, is the type of antivirus program I recommend. They definitely will include anomaly and specification-based malware detection methods.