In this blog we will be discussing the two main types of anti-virus software that are available on the market.
Signature-based anti-virus software examines a file and derives a signature from it (for example, a hash of its contents). When a scan is performed, that signature is compared against the list of known malicious files held in the anti-virus software’s definition database.
A drawback of signature-based detection is that it can only detect malware whose signature has already been calculated and defined within the database. Because of this, malware can encrypt specific segments of a file to make it harder to identify, since any change to the file produces a signature different from the original. The same malware can therefore be created with many different signatures, increasing the likelihood of it bypassing this type of anti-virus software.
The other type of anti-virus software is known as heuristic or behaviour-based. It monitors code on the computer and blocks any that would behave maliciously before it is executed. Rules derived from encounters with, and knowledge of, existing viruses are used to identify new ones. Heuristic detection may execute a program that looks suspicious and then analyse the program for operations that are typical of malware. If the code attempts to perform actions considered ‘abnormal’, the anti-virus software flags it as malicious or suspicious. The biggest drawback of this type of detection is that it can flag legitimate files as malicious (false positives).
Behaviour-based malware detection is beneficial for reducing the risk of zero-day attacks. These involve malware that has been released but not yet identified and indexed, and is therefore not present in anti-virus definition databases, making it impossible to detect using signature-based detection. Such malware can only be detected if it exhibits behaviour deemed suspicious by heuristic detection.
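As an added illustration (not code from the original post), the following Python sketch contrasts the two approaches described above: a signature check using a whole-file SHA-256 and a byte pattern, and a rule-based behaviour score. It shows how a single-byte change defeats the hash lookup while a pattern match survives, and how an unknown file is caught only by its behaviour. The sample bytes, definition names, rule names and weights are all constructed for this example.

```python
import hashlib

# Constructed sample bytes and definitions for this example; they are not
# real malware data and the names are hypothetical.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"DEMO-PAYLOAD-BODY" + b"\x00" * 8 + b"DEMO-MARKER\x00"
DEFINITIONS = {
    # whole-file signature: any single-byte change defeats this lookup
    "hashes": {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Demo.Trojan.A"},
    # byte-pattern signature: survives changes outside the matched segment
    "patterns": {b"DEMO-MARKER\x00": "Demo.Trojan.Generic"},
}
# Heuristic rules: observed behaviour -> weight (hypothetical values).
RULES = {"disables_av": 5, "modifies_run_key": 3, "encrypts_user_files": 4, "opens_listener": 2}
THRESHOLD = 6  # a score at or above this is reported as suspicious

def signature_scan(data: bytes, defs=DEFINITIONS) -> list[str]:
    """Return the definition names matched by hash or by byte pattern."""
    hits = []
    name = defs["hashes"].get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append("hash:" + name)
    hits += ["pattern:" + n for p, n in defs["patterns"].items() if p in data]
    return hits

def heuristic_scan(events: list[str], rules=RULES, threshold=THRESHOLD) -> tuple[int, bool]:
    """Score observed behaviours against the rule set; unknown events score 0."""
    score = sum(rules.get(e, 0) for e in events)
    return score, score >= threshold

def mutate(data: bytes, offset: int) -> bytes:
    """Flip one byte, modelling the kind of change that alters a file's signature."""
    b = bytearray(data)
    b[offset] ^= 0xFF
    return bytes(b)

def verdict(data: bytes, events: list[str]) -> str:
    """A signature match is decisive; otherwise fall back to the behaviour score."""
    if signature_scan(data):
        return "malicious (signature)"
    _, suspicious = heuristic_scan(events)
    return "suspicious (heuristic)" if suspicious else "clean"

if __name__ == "__main__":
    print(signature_scan(KNOWN_SAMPLE))              # both signatures match
    print(signature_scan(mutate(KNOWN_SAMPLE, 5)))   # hash defeated, pattern still matches
    print(signature_scan(mutate(KNOWN_SAMPLE, 30)))  # pattern segment changed: no match
    # unknown (zero-day-like) file: only its behaviour gives it away
    print(verdict(mutate(KNOWN_SAMPLE, 30), ["disables_av", "encrypts_user_files"]))
    # legitimate server that merely opens a port stays below the threshold
    print(verdict(b"MZ\x90\x00other-program", ["opens_listener"]))
```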