Antivirus protection methods – Pros and Cons

Anti-virus software is a computer program that works to keep a computer free from viruses and other malicious programs. There are several approaches that antivirus software uses to identify viruses.

Dictionary method – In this method the antivirus program continuously matches programs against pre-identified virus definitions (signatures) and then takes the appropriate action (quarantine or delete the infected file). New viruses are added to the dictionary as they are identified. The success of this method depends on how quickly new threats are identified and added to the dictionary.
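As an added illustration of the dictionary method (example code written for this page, not part of the original post): a minimal signature scanner that matches file contents against a dictionary of byte patterns, decides quarantine or clean, and then shows why definition updates matter. The definitions, file contents and paths are all constructed for the example; the patterns are invented markers, not real malware signatures.

```python
# Constructed virus dictionary: definition name -> byte pattern that identifies it.
# The patterns are invented markers for this example, not real malware signatures.
DEFINITIONS = {
    "Example.Dropper.A": b"DROP-EXAMPLE-MARKER",
    "Example.Worm.B": b"WORM-EXAMPLE-MARKER",
}

# Constructed "files" (path -> contents) standing in for a directory scan.
SAMPLE_FILES = {
    "C:/Users/demo/setup.exe": b"MZ\x90\x00" + b"\x00" * 16 + b"DROP-EXAMPLE-MARKER" + b"\x00" * 8,
    "C:/Users/demo/notes.txt": b"meeting at 10, bring the report",
    # Uses a marker that is not in the dictionary yet, so the first scan misses it.
    "C:/Users/demo/invoice.pdf.exe": b"MZ\x90\x00" + b"NEW-FAMILY-MARKER",
}


def scan_bytes(data, definitions):
    """Return the sorted names of every definition whose pattern occurs in data."""
    return sorted(name for name, pattern in definitions.items() if pattern in data)


def scan_files(files, definitions):
    """Scan each file and decide the action: 'quarantine' when any definition
    matches, otherwise 'clean'. Returns {path: (action, [matched names])}."""
    report = {}
    for path, data in files.items():
        matches = scan_bytes(data, definitions)
        action = "quarantine" if matches else "clean"
        report[path] = (action, matches)
    return report


def update_definitions(definitions, new_entries):
    """The 'frequent update' step: return a new dictionary with the update merged in.
    The original dictionary is left untouched so before/after scans can be compared."""
    merged = dict(definitions)
    merged.update(new_entries)
    return merged


if __name__ == "__main__":
    before = scan_files(SAMPLE_FILES, DEFINITIONS)
    # A (constructed) definition update that covers the third file's family.
    updated = update_definitions(DEFINITIONS, {"Example.Dropper.C": b"NEW-FAMILY-MARKER"})
    after = scan_files(SAMPLE_FILES, updated)
    for path in SAMPLE_FILES:
        print(f"{path}: {before[path][0]} -> {after[path][0]} {after[path][1]}")
```

Running it shows invoice.pdf.exe scanning clean until the update adds its pattern, which is exactly the window the post warns about: a dictionary scanner cannot flag what is not yet in its dictionary.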

Suspicious behavior – The suspicious-behavior method monitors the behavior of all programs and raises a warning flag if the behavior looks suspicious, such as modifying an executable file. The user can then act on the warning by allowing or blocking the program. This method can identify unknown viruses but generates a lot of false warnings, which is annoying for the user. Its success also depends on the user's ability to distinguish a real virus from a false warning.
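As an added example (not from the original post) of what a behavior monitor does: the code below runs two simple rules over a constructed process-activity log, raises a warning for each suspicious event, and records the user's allow/block decision. The event format, the rules (writing to an executable file, writing into a startup folder) and all process names and paths are assumptions made for the illustration. It also shows the false-warning problem the post mentions: a legitimate updater writing its own executable trips the same rule as a program overwriting a system DLL.

```python
from collections import namedtuple

# One constructed process-activity event: which process did what to which path.
Event = namedtuple("Event", "pid process action target")

# Constructed activity log standing in for the events a behavior monitor receives.
SAMPLE_EVENTS = [
    Event(401, "winword.exe", "write", "C:/Users/demo/report.docx"),
    Event(402, "updater.exe", "write", "C:/Program Files/App/app.exe"),        # legitimate update
    Event(403, "photo.scr", "write", "C:/Windows/System32/kernel32.dll"),     # overwriting a system DLL
    Event(403, "photo.scr", "write",
          "C:/Users/demo/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/photo.scr"),
    Event(404, "notepad.exe", "write", "C:/Users/demo/todo.txt"),
]

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".sys")
STARTUP_FRAGMENT = "/start menu/programs/startup/"


def is_suspicious(event):
    """Return the reason an event looks suspicious, or None when it does not.
    The two rules here (startup-folder write, executable modification) are
    assumptions for this example, not a complete rule set."""
    target = event.target.lower()
    if event.action == "write" and STARTUP_FRAGMENT in target:
        return "writes to startup folder"
    if event.action == "write" and target.endswith(EXECUTABLE_SUFFIXES):
        return "modifies executable file"
    return None


def monitor(events, decisions=None):
    """Raise a warning for each suspicious event and apply the user's decision.
    decisions maps process name -> 'allow' or 'block'; a process the user has
    not decided on stays 'pending', which is where the user has to judge a real
    threat against a false warning. Returns a list of (event, reason, outcome)."""
    decisions = decisions or {}
    warnings = []
    for event in events:
        reason = is_suspicious(event)
        if reason is None:
            continue
        outcome = decisions.get(event.process, "pending")
        warnings.append((event, reason, outcome))
    return warnings


if __name__ == "__main__":
    # First pass: every warning is pending and the user has to look at each one.
    for event, reason, outcome in monitor(SAMPLE_EVENTS):
        print(f"[{outcome}] {event.process} (pid {event.pid}): {reason} -> {event.target}")
    # Second pass: the user allows the updater (false warning) and blocks photo.scr.
    user_decisions = {"updater.exe": "allow", "photo.scr": "block"}
    for event, reason, outcome in monitor(SAMPLE_EVENTS, user_decisions):
        print(f"[{outcome}] {event.process}: {reason}")
```

Three of the five constructed events are flagged; the two document writes pass. Nothing in the rules themselves separates the updater from photo.scr, which is why the post says success rests on the user's judgment.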

Whitelisting – Whitelisting is another method that blocks all executable programs except the trustworthy programs already identified by the system administrator. The success of this method depends on the administrator's ability to correctly identify trustworthy programs.
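An added example of whitelisting (written for this page, not from the original post): the administrator builds an allowlist from the SHA-256 hashes of approved programs, and every execution attempt is blocked unless its hash is on the list. Hashing contents rather than trusting file paths means a tampered copy at a trusted path is still blocked. The program contents and paths are constructed placeholders for real binaries.

```python
import hashlib

# Constructed trusted programs (path -> contents standing in for a real binary)
# that the system administrator has approved.
TRUSTED_PROGRAMS = {
    "C:/Program Files/App/app.exe": b"MZ app v1.0",
    "C:/Windows/System32/notepad.exe": b"MZ notepad",
}

# Constructed execution attempts: (path, contents) pairs the enforcement point sees.
ATTEMPTS = [
    ("C:/Program Files/App/app.exe", b"MZ app v1.0"),          # approved program, unchanged
    ("C:/Program Files/App/app.exe", b"MZ app v1.0 PATCHED"),  # same path, modified contents
    ("C:/Users/demo/Downloads/game.exe", b"MZ game"),          # never approved
    ("C:/Users/demo/Desktop/copy of notepad.exe", b"MZ notepad"),  # approved contents, new path
]


def sha256_hex(data):
    """Hash program contents; the allowlist is keyed on this, not on the path."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(trusted):
    """Administrator step: record the hash of every approved program."""
    return {sha256_hex(data) for data in trusted.values()}


def check_execution(path, data, allowlist):
    """Enforcement step: 'allow' only when the program's hash is on the list."""
    return "allow" if sha256_hex(data) in allowlist else "block"


def approve(trusted, path, data):
    """Administrator approves a new or updated program (e.g. after an update
    changes app.exe). Returns a new trusted map so the old list stays intact."""
    updated = dict(trusted)
    updated[path] = data
    return updated


if __name__ == "__main__":
    allowlist = build_allowlist(TRUSTED_PROGRAMS)
    for path, data in ATTEMPTS:
        print(f"{check_execution(path, data, allowlist):5} {path}")
    # After the administrator approves the patched app, the same attempt is allowed.
    allowlist_v2 = build_allowlist(approve(TRUSTED_PROGRAMS, "C:/Program Files/App/app.exe", b"MZ app v1.0 PATCHED"))
    print(check_execution("C:/Program Files/App/app.exe", b"MZ app v1.0 PATCHED", allowlist_v2))
```

The fourth attempt is allowed because the contents match an approved program even though the path is new; whether that is desirable is the administrator's call, which is the judgment the post says the method depends on. Every legitimate software update also needs a fresh approval, which is the main operational cost of this approach.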

Heuristic analysis – The antivirus software emulates the execution of a new executable before transferring control to the program. If it finds suspicious behavior, it can alert the user.

Sandbox method – The sandbox method imitates the operating system and runs the executable inside the simulation. After the simulated run, the antivirus program analyzes the run and looks for changes that indicate a virus. This can be a system hog and is only run on demand.
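An added example covering both the heuristic and the sandbox paragraphs above (example code for this page, not from the original post): a toy "operating system" consisting of a small file system and an autorun list, a program represented as the operations it would perform when run, and an analysis step that snapshots the simulated machine before and after the run and flags the changes. Real sandboxes obtain the operations by executing or emulating the binary; here the programs, files, paths and the three change rules are all constructed assumptions.

```python
import copy

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")

# Constructed simulated machine: a tiny file system plus an autorun list.
BASELINE = {
    "files": {
        "C:/Windows/System32/calc.exe": b"MZ calc",
        "C:/Users/demo/notes.txt": b"hello",
    },
    "autorun": ["C:/Program Files/App/app.exe"],
}

# Constructed "executables", expressed as the operations they perform when run:
# (operation, path, data). In a real sandbox these come from running the binary.
BENIGN_PROGRAM = [("write", "C:/Users/demo/notes.txt", b"hello world")]
INFECTING_PROGRAM = [
    ("write", "C:/Windows/System32/calc.exe", b"MZ calc INFECTED-MARKER"),  # patches an existing executable
    ("write", "C:/Users/demo/service.exe", b"MZ INFECTED-MARKER"),          # drops a new executable
    ("autorun", "C:/Users/demo/service.exe", None),                          # makes it start at boot
]


def run_in_sandbox(baseline, program):
    """Apply the program's operations to a copy of the machine. The baseline is
    never modified, which is the whole point of running in a simulation."""
    state = copy.deepcopy(baseline)
    for op, path, data in program:
        if op == "write":
            state["files"][path] = data
        elif op == "delete":
            state["files"].pop(path, None)
        elif op == "autorun":
            state["autorun"].append(path)
    return state


def diff_state(before, after):
    """List every change between two snapshots as (kind, path) pairs."""
    changes = []
    for path, data in after["files"].items():
        if path not in before["files"]:
            changes.append(("created", path))
        elif before["files"][path] != data:
            changes.append(("modified", path))
    for path in before["files"]:
        if path not in after["files"]:
            changes.append(("deleted", path))
    for entry in after["autorun"]:
        if entry not in before["autorun"]:
            changes.append(("autorun_added", entry))
    return changes


def analyze(changes):
    """Turn raw changes into findings using three assumed indicators."""
    findings = []
    for kind, path in changes:
        is_exe = path.lower().endswith(EXECUTABLE_SUFFIXES)
        if kind == "modified" and is_exe:
            findings.append(f"existing executable modified: {path}")
        elif kind == "created" and is_exe:
            findings.append(f"new executable dropped: {path}")
        elif kind == "autorun_added":
            findings.append(f"autorun entry added: {path}")
    return findings


def sandbox_verdict(baseline, program):
    """Run, diff, analyze. Returns ('suspicious' | 'clean', findings)."""
    after = run_in_sandbox(baseline, program)
    findings = analyze(diff_state(baseline, after))
    return ("suspicious" if findings else "clean", findings)


if __name__ == "__main__":
    for name, program in [("benign", BENIGN_PROGRAM), ("infecting", INFECTING_PROGRAM)]:
        verdict, findings = sandbox_verdict(BASELINE, program)
        print(name, verdict, findings)
```

The benign program changes a text file and is reported clean; the infecting one produces three findings. Each run deep-copies the whole machine state, which hints at why the post calls this approach a system hog that is only run on demand.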

The most common method remains the dictionary method. That is why it is very important to keep virus definitions current by running frequent updates.
