Antivirus - How does it work?

How Antivirus Works

How Antivirus Works

Antivirus software is a multi-layered security strategy that is easy to apply to your devices.  Antivirus runs in the background, happily defending you from malware and viruses as you go about your day.  So, how does it do that, exactly?

Traditional Method

Traditional antivirus products use a series of signature files.  Their scanning consists of checking files against a database of known viruses.  Programs, documents, and any file type that could contain malicious code go through a rapid check to be certain it is safe.   If a threat is detected, the files are quarantined while the user is notified on the screen.  This method is now considered obsolete.  Firstly, Malware is growing at an exponential rate.  Secondly, malware has become polymorphic.  This means every time the malware moves from one location to another, it changes and would no longer appear the same when compared to a list of signatures.

Modern Global Threat Intelligence

Modern products use master cloud databases of known threats.  These systems gather data from several sources around the globe.  These include sensor networks designed to watch for malicious code, global threat databases, security partners, and other customers of the antivirus system.  By using all of these sources, the system is always updating with up to the second information.

Machine Learning

The antivirus software loaded on the PC will also employ machine learning techniques.  This consists of capturing, analyzing, classifying, and then publishing information about every interaction, whether it is opening a file or going to a website.

Contextual Referencing

Going one step beyond just determining that we received a bad file, the system will track some context about that file.  For example, what website did the file come from?  What IP address?  By gathering this additional context, the system is able to further enhance the overall data by determining know problem websites and stopping the threat before the next user ever gets to the point of receiving the bad file.


Occasionally, the system encounters a file that has never been seen.  In that case, the system will employ a technique called sandboxing.  The antivirus software creates a protected space for the program to run.  If everything runs smoothly, the process is allowed to complete.  Then the information about this file is added to the threat databases as a known good file.  If something goes wrong, the system will stop the malicious code. Then it will “roll back” whatever the program tried to do back to a point before it was launched.  The file information is then updated in the database as a known bad program and the very next user who tries to access this file will be prevented from harm.

While antivirus software are really complicated bits of programming in order to catch viruses in the wild, hopefully this article gave you a better understanding of how they work to help keep your safe as you work.

Want to know more about cybersecurity?  You can check out our event Hacking the Hacker.