What Is Truth to Power?

  • dedicated to bridging the gaps between governance and practice, technology and business, regulation and control, risk management and real market pressures, and your own knowledge and the knowledge of your peers.
  • built to create a common pool of knowledge—one big brain—that lets you work more efficiently, build technology and business practices more effectively, and endure audits more effortlessly.
  • a neutral hub through which you can reach many valuable information nodes, resource collections, and organizations that are helping people like you already, but in fractured ways.
  • against the idea that auditors, analysts, and consultancies can control information simply through their ability to collect and distill it. T2P's goal is to unlock the vast body of knowledge, insight, and conventional wisdom that we all have, make it freely available to you, and help you digest and interpret it—without undue cost, bias, or hype.

Glossary of terms used in the Open IT Policy Project
antivirus

Antivirus (also spelled anti-virus) refers to a type of computer software that attempts to identify, thwart, and eliminate computer viruses and other malicious software (malware). Antivirus software typically uses two different techniques to accomplish this:

  • Examining (scanning) files to look for known viruses matching definitions in a virus dictionary
  • Identifying suspicious behavior from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods.

Most commercial antivirus software uses both of these approaches, with an emphasis on the virus dictionary approach.

Approaches

Dictionary

In the virus dictionary approach, the antivirus software compares the characteristics of a suspect file to a database of known viruses. Different antivirus programs often refer to different dictionaries, which are specific to the antivirus software manufacturer. These dictionaries are compiled through independent research, public virus references, and voluntary submissions by computer users.

Antivirus software typically examines files when the computer's operating system creates, opens, closes, or e-mails them. System administrators can also schedule periodic virus scans that examine all files in directories specified by the administrator.

If a piece of code in the suspect software matches any virus identified in the dictionary, the antivirus software can respond in one of a few ways:

  1. Attempt to repair the file by extracting the virus component
  2. Quarantine the file (retain it, but make it inaccessible to other programs)
  3. Delete the file

The specific response executed by the software may be automated or manually enacted at the software administrator's discretion.

Because virus definitions constantly evolve, the dictionary approach requires users to periodically update (generally via online downloads) their antivirus dictionaries.

Dictionary-based antivirus software can effectively contain some virus outbreaks. However, its effectiveness is limited by its reactive, rather than preventative, approach: a virus can only be matched once its definition has been added to the dictionary. It can also be circumvented by oligomorphic, polymorphic, and metamorphic viruses, which contain encrypted or mutating components that actively defy dictionary comparison.
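The following is an added example, not code from the glossary or from any antivirus product. It models the dictionary approach described above: a small signature database is searched against file contents, each of the three responses listed (repair, quarantine, delete) is applied to a hit, and a dictionary update shows why detection is reactive. The signature names, byte patterns and sample files are all constructed for illustration.

```python
"""Dictionary (signature) scanning with the three response options.

Added example, not part of the glossary: the signature database, the
sample files and the response policy are all constructed for illustration.
"""
import hashlib

# Constructed "virus dictionary": name -> byte pattern identifying the
# malicious component. Real dictionaries hold many thousands of entries
# and are refreshed by vendor updates.
SIGNATURE_DB = {
    "Demo.Dropper.A": b"\x90\x90DEMO_DROPPER_A\xcc",
    "Demo.Macro.B": b"AutoOpen()\x00DEMO_MACRO_B",
}

# Constructed sample files: a clean document, an "infected" copy with the
# dropper pattern appended, and a variant the dictionary does not yet know.
CLEAN_FILE = b"Quarterly report: revenue up 4%.\n"
INFECTED_FILE = CLEAN_FILE + b"\x90\x90DEMO_DROPPER_A\xcc"
NEW_VARIANT_FILE = CLEAN_FILE + b"\x90\x90DEMO_DROPPER_B\xcc"


def scan(data: bytes, db=SIGNATURE_DB):
    """Return [(signature_name, offset)] for every dictionary entry found."""
    hits = []
    for name, pattern in db.items():
        offset = data.find(pattern)
        while offset != -1:
            hits.append((name, offset))
            offset = data.find(pattern, offset + 1)
    return hits


def respond(data: bytes, hits, policy: str, db=SIGNATURE_DB):
    """Apply one of the three responses the text lists.

    policy: "repair"     -> strip every matched component, return the rest
            "quarantine" -> keep the evidence but hand back only an opaque
                            record, so no other program can execute it
            "delete"     -> discard the file entirely
    Returns (action_taken, result).
    """
    if not hits:
        return ("none", data)
    if policy == "repair":
        cleaned = data
        for name, _ in hits:
            cleaned = cleaned.replace(db[name], b"")
        return ("repaired", cleaned)
    if policy == "quarantine":
        return ("quarantined", {"sha256": hashlib.sha256(data).hexdigest(),
                                "signatures": sorted({n for n, _ in hits})})
    if policy == "delete":
        return ("deleted", None)
    raise ValueError(f"unknown policy {policy!r}")


def update_dictionary(db, new_entries):
    """Merge a vendor update into the dictionary; return the number added."""
    before = len(db)
    db.update(new_entries)
    return len(db) - before


if __name__ == "__main__":
    print(scan(CLEAN_FILE))                  # []
    print(scan(INFECTED_FILE))               # [('Demo.Dropper.A', 33)]
    print(respond(INFECTED_FILE, scan(INFECTED_FILE), "repair"))
    db = dict(SIGNATURE_DB)
    print(scan(NEW_VARIANT_FILE, db))        # [] until the update arrives
    update_dictionary(db, {"Demo.Dropper.B": b"\x90\x90DEMO_DROPPER_B\xcc"})
    print(scan(NEW_VARIANT_FILE, db))        # [('Demo.Dropper.B', 33)]
```

The `NEW_VARIANT_FILE` case is the reactive limitation in miniature: nothing in the dictionary matches it until the vendor ships a definition, so the scan result depends entirely on how current the downloaded dictionary is.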

Suspicious Behavior

The suspicious behavior approach examines the activities of all programs, rather than the virus itself, and flags behaviors it perceives as being dangerous or indicative of virus activity. The suspicious behavior approach is somewhat more preventative than the dictionary approach; however, overly broad definitions of suspect program activities can produce many false positives. Repetitive warnings desensitize users, effectively negating the benefits of the warnings.

Other Approaches

In another type of heuristic approach, antivirus software attempts to emulate the beginning of the code for each new executable invoked on the system before transferring control to that executable. If the emulation reveals suspect code characteristics or activities, the antivirus software generates an alert. This method can also result in many false positives.

Sandboxes are yet another method of virus detection in which the antivirus software executes suspect programs in an emulation of the operating environment, then analyzes the sandbox for changes that might indicate viral activity. Because sandboxes are resource intensive, their practicality is somewhat limited. They may also fail to detect viruses that produce variable changes, conditional changes, or no changes at all in a single instance.[1]

Some virus scanners can also warn a user if a file is likely to contain a virus based on the file type.
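As an added example covering both the suspicious behavior section and the sandbox method above (not code from the glossary or from any product), the block below replays two constructed program traces against a constructed sandbox snapshot, reports the changes the run produced, and then scores each trace under two rule sets. The broad rule set flags any file write and so alerts on a harmless backup tool, which is the false-positive problem the text describes; the narrower set keys on behaviors that document tools rarely show. Rule names, weights and the alert threshold are illustrative assumptions.

```python
"""Behavior-based detection: a sandbox diff plus suspicious-behavior scoring.

Added example, not part of the glossary. The "programs" are constructed
action traces, the sandbox is a dictionary standing in for a filesystem and
registry snapshot, and the rule weights are illustrative.
"""

# Constructed pre-execution snapshot of the sandbox: path -> content marker.
BASE_SNAPSHOT = {
    "C:/Windows/notepad.exe": "pe:notepad:v1",
    "C:/Users/alice/report.docx": "docx:report",
    "C:/Users/alice/budget.xlsx": "xlsx:budget",
    "HKLM/Software/Microsoft/Windows/CurrentVersion/Run": "startup:default",
}

# Constructed traces of (action, target, payload). The backup tool copies
# user documents; the suspect sample overwrites an executable, persists via
# the Run key and opens a listening socket.
BACKUP_TOOL = [
    ("read", "C:/Users/alice/report.docx", None),
    ("write", "D:/backup/report.docx", "docx:report"),
    ("read", "C:/Users/alice/budget.xlsx", None),
    ("write", "D:/backup/budget.xlsx", "xlsx:budget"),
]
SUSPECT_SAMPLE = [
    ("write", "C:/Windows/notepad.exe", "pe:notepad:v1+extra"),
    ("write", "HKLM/Software/Microsoft/Windows/CurrentVersion/Run", "startup:sample"),
    ("listen", "tcp/5555", None),
]

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")


def run_in_sandbox(trace, snapshot=BASE_SNAPSHOT):
    """Replay a trace against a copy of the snapshot and report what changed."""
    state = dict(snapshot)
    for action, target, payload in trace:
        if action == "write":
            state[target] = payload
        # reads and network calls leave the snapshot untouched
    created = sorted(p for p in state if p not in snapshot)
    modified = sorted(p for p in snapshot if state[p] != snapshot[p])
    return {"created": created, "modified": modified}


def score_behavior(trace, rules):
    """Sum rule weights over each event; a rule is (name, predicate, weight)."""
    score, fired = 0, []
    for event in trace:
        for name, predicate, weight in rules:
            if predicate(event):
                score += weight
                fired.append(name)
    return score, fired


# Overly broad rules: every file write counts as suspicious. The backup tool
# trips these on each copy, producing the false positives the text warns of.
BROAD_RULES = [
    ("any-write", lambda e: e[0] == "write", 3),
    ("listen", lambda e: e[0] == "listen", 3),
]

# Narrower rules keyed to behaviors legitimate document tools rarely show.
NARROW_RULES = [
    ("modifies-executable",
     lambda e: e[0] == "write" and e[1].lower().endswith(EXECUTABLE_SUFFIXES), 4),
    ("sets-autorun", lambda e: e[0] == "write" and e[1].endswith("/Run"), 3),
    ("listen", lambda e: e[0] == "listen", 3),
]

ALERT_THRESHOLD = 5  # illustrative cut-off


def classify(trace, rules, threshold=ALERT_THRESHOLD):
    """Return ("alert" | "ok", score, rules_fired) for one trace."""
    score, fired = score_behavior(trace, rules)
    return ("alert" if score >= threshold else "ok", score, fired)


if __name__ == "__main__":
    print(run_in_sandbox(SUSPECT_SAMPLE))
    print(classify(BACKUP_TOOL, BROAD_RULES))      # alert: a false positive
    print(classify(BACKUP_TOOL, NARROW_RULES))     # ok
    print(classify(SUSPECT_SAMPLE, NARROW_RULES))  # alert
```

The sandbox diff and the behavior score are complementary: the diff only sees state that persists after the run (the `listen` call leaves no trace in it), while the scorer sees every action but depends on how well the rules separate benign from malicious activity.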

Whitelisting vs. Blacklisting

The conventional blacklist approach to virus prevention seeks to selectively block malicious software from infecting otherwise trustworthy systems. More recently, some antivirus vendors are also offering stricter whitelisting functionality, in which only explicitly allowed programs may be run on a system.

This default-deny approach avoids the task of keeping virus definitions up to date. Within corporate or network environments, it also offers an additional benefit of limiting user software installations that, while not viral in themselves, might open new security holes.

Since modern organizations have large quantities of trusted applications, the limitations of adopting this technique rest with the system administrators' ability to properly inventory and maintain the whitelist of trusted applications. As such, viable implementations of this technique include tools for automating the inventory and whitelist maintenance processes.
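The block below is an added example (not the glossary's or any vendor's code) that puts the two approaches side by side: a blacklist that denies only files containing a known-bad pattern, and a default-deny allowlist built by hashing a trusted software inventory. It also includes the maintenance step the last paragraph calls for, reconciling the allowlist against the current inventory so that a patched binary is noticed rather than silently blocked. The inventory, the blacklist pattern and the sample binaries are constructed byte strings.

```python
"""Default-deny execution control (whitelisting) beside the blacklist approach.

Added example, not part of the glossary. The "installed programs" are
constructed byte strings and the blacklist pattern is likewise invented.
"""
import hashlib

# Constructed inventory of the trusted software image, as an administrator
# would capture it from a known-good build: program name -> file contents.
TRUSTED_IMAGE = {
    "editor.exe": b"MZ\x90\x00demo-editor-build-17",
    "mailer.exe": b"MZ\x90\x00demo-mailer-build-42",
}

# Constructed blacklist for the conventional approach: known-bad patterns.
BLACKLIST = {"Demo.Dropper.A": b"DEMO_DROPPER_A"}


def fingerprint(data: bytes) -> str:
    """Content hash used as the allowlist key."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(inventory):
    """Automate the inventory step: hash every trusted binary."""
    return {fingerprint(data): name for name, data in inventory.items()}


def blacklist_decision(data: bytes, blacklist=BLACKLIST) -> str:
    """Conventional approach: deny only what matches a known-bad pattern."""
    return "deny" if any(p in data for p in blacklist.values()) else "allow"


def allowlist_decision(data: bytes, allowlist) -> str:
    """Default-deny approach: run only binaries whose hash is on the list."""
    return "allow" if fingerprint(data) in allowlist else "deny"


def reconcile(allowlist, inventory):
    """Maintenance: report binaries that changed since the allowlist was built.

    A name under both "added" and "removed" is a binary whose contents
    changed (for example, after a patch) and whose new hash must be approved.
    """
    current = build_allowlist(inventory)
    added = sorted(n for h, n in current.items() if h not in allowlist)
    removed = sorted(n for h, n in allowlist.items() if h not in current)
    return {"added": added, "removed": removed}


if __name__ == "__main__":
    allow = build_allowlist(TRUSTED_IMAGE)
    unknown_tool = b"MZ\x90\x00demo-unknown-tool"   # not in any dictionary
    print(blacklist_decision(unknown_tool))           # allow (never seen)
    print(allowlist_decision(unknown_tool, allow))    # deny (not inventoried)
    patched = dict(TRUSTED_IMAGE, **{"editor.exe": b"MZ\x90\x00demo-editor-build-18"})
    print(reconcile(allow, patched))  # editor.exe under both added and removed
```

The `unknown_tool` case shows the trade-off the text describes: the blacklist waves through anything it has no definition for, while the allowlist blocks it, including legitimate software that has simply not been inventoried yet, which is why the reconcile step has to be routine rather than occasional.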

Requirements and Related Standards

Antivirus protection is indicated or required by several authorities, including:

  • The Payment Card Industry Data Security Standard (PCI DSS), Section 5
  • Health Insurance Portability and Accountability Act (HIPAA), §164.308(a)(5)(i)
  • NERC Cybersecurity Standard (CIP-007-1), §R4
  • FISMA/FISCAM/NIST 800-53, "Recommended Security Controls for Federal Information Systems"

References
