What is an Antivirus Software? Is it Still Necessary?

What is an antivirus? Is it safe?

This post is intended to give you an insight into the function and possibilities of an antivirus programme.

What is an antivirus?

An antivirus program (or virus scanner) is a programme that detects malware, for example by means of virus signatures. The software scans every file stored on your computer (hard drive) and every new file that arrives on your computer (web, email, FTP, USB).

What is malware?

Malware is software that contains an unwanted function that the malware developer has deliberately included. An unwanted function is, for example, the deletion of all files on the hard drive, the modification of files or the encryption of files.

  • A Trojan monitors activities on your PC, e.g. the screen or keyboard.
  • Ransomware: After you have downloaded a seemingly harmless programme, the ransomware encrypts your data in the background. As soon as it has finished, it asks you to pay for decryption.
  • A computer virus spreads with human help, e.g. from a USB stick to your laptop and from your laptop to another USB stick. It copies itself into other files along the way.
  • A worm is a self-propagating piece of software. The worm uses your mail programme and sends itself to all your contacts.

What is a virus signature?

A virus signature is a detection feature of malware. Malware can appear in various forms, but the antivirus algorithm recognises dangerous sections of code.

The antivirus programme scans your computer for these characteristics. It does not compare the known dangerous code sections byte by byte with your data; instead it uses cryptographic hashes (the fingerprint of a file).

The antivirus compares the calculated hash values with those of the known hashes from the virus signature database. This allows the scanner to check whether there is a known virus in a new (large) software package.

Types of antivirus software

Antivirus programmes are a dime a dozen on the Internet. But what types are there?

  • Local installation: An antivirus programme can be installed locally on your computer. The programme scans other files as soon as you download or execute them. This is the most popular type of protection for private users.
  • Server scanning: Companies use a server application in addition to the local installation. The antivirus filters incoming data and immediately stops suspicious downloads. The server scans all email attachments and all files that an employee uploads to the internal cloud or storage infrastructure. If the content is encrypted, the scanner cannot inspect it at all.

Scanning methods

Antivirus providers use different scanning strategies. Some providers divide each file into smaller data blocks and calculate the hash of the individual sections.

The programme can scan specifically, generically or heuristically, depending on which antivirus programme you use. The best-known variant is specific scanning.

  • Specific: The antivirus looks for known virus signatures that someone has previously classified as malicious and published. With a specific scan, the antivirus checks all incoming data streams:
    • Downloads from Firefox
    • Downloading images in an email or on a website
    • Transferring files from a USB stick
    • Data stream of an FTP connection
    • Windows update stream
  • Generic: The programme searches for similar virus signatures (modifications of known malware).
  • Heuristic: The antivirus monitors the behaviour of a program during execution. Depending on its behaviour, the program classifies it as harmful or harmless. This method enables the protection programme to detect new viruses. Based on artificial intelligence and a training data set, the antivirus program can correctly interpret the behaviour of the new program.
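The following is an added example, not code from the original post: a toy scanner that combines the whole-file hashing from the signature section with the block-wise hashing mentioned under "Scanning methods". A whole-file match is the specific scan; a match on most of the blocks is the generic scan, which still catches a variant with a single changed byte. The sample bytes, block size and threshold are constructed for the demonstration.

```python
import hashlib
from typing import Optional

BLOCK_SIZE = 16          # toy block size; real scanners use far larger blocks
GENERIC_THRESHOLD = 0.5  # fraction of blocks that must match a known sample


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def block_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Hash each fixed-size block of the payload separately."""
    return [sha256(data[i:i + block_size]) for i in range(0, len(data), block_size)]


def build_signatures(samples: dict) -> dict:
    """Build a signature database (file hashes and block hashes) from named samples."""
    db = {"file": {}, "block": {}}
    for name, data in samples.items():
        db["file"][sha256(data)] = name
        for h in block_hashes(data):
            db["block"].setdefault(h, name)
    return db


def scan(data: bytes, db: dict) -> Optional[dict]:
    """Specific match on the whole-file hash first, then generic match on block hashes."""
    name = db["file"].get(sha256(data))
    if name:
        return {"method": "specific", "name": name, "score": 1.0}
    blocks = block_hashes(data)
    hits = [db["block"][h] for h in blocks if h in db["block"]]
    if not hits:
        return None
    name = max(set(hits), key=hits.count)
    score = hits.count(name) / len(blocks)
    return {"method": "generic", "name": name, "score": score} if score >= GENERIC_THRESHOLD else None


# Constructed sample: ordinary bytes used only to derive a signature, not real malware.
KNOWN_SAMPLE = b"MZ constructed test sample: " + bytes(range(100))
SIGNATURE_DB = build_signatures({"Test.Sample.A": KNOWN_SAMPLE})


def demo() -> dict:
    variant = bytearray(KNOWN_SAMPLE)
    variant[60] ^= 0xFF  # one changed byte: the "modified" virus the generic scan looks for
    benign = b"Hello, this is a harmless document without any known blocks."
    return {"original": scan(KNOWN_SAMPLE, SIGNATURE_DB),
            "variant": scan(bytes(variant), SIGNATURE_DB),
            "benign": scan(benign, SIGNATURE_DB)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```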

Scan strategies

Every manufacturer and user proceeds differently when scanning with such software. The best-known strategies are the real-time, manual and online strategies.

  • Real-time: A background service of the software scans any file immediately when it reaches the computer via email, download, HTTPS, FTPS, etc.
  • Manual: The user starts a scan of a file or directory. If malware is found, a warning message appears and the malware is deleted, quarantined and cleaned from the computer.
  • Online: This strategy works in the same way as the manual strategy, except that the file is checked by many different virus scanners at the same time (e.g. VirusTotal).

Scope of protection – still necessary?

Such software is not a free pass for all activities on the Internet. The following section explains which of the manufacturers' promises are genuine.

What an antivirus protects against

The antivirus primarily protects you against known malware: at least one computer somewhere in the world has already been infected with it, that infection was reported to the manufacturer, and all other computers with updated virus signatures are then protected.

If you download malware that has not yet been reported, it can infect you despite the antivirus programme. Some manufacturers issue a blanket warning whenever you download an unknown software package.

The antivirus can analyse unknown software using "artificial intelligence", heuristics or sandboxing. These methods can be successful (correctly recognising malware), but can also lead to false positives for harmless software.

An antivirus does NOT protect against this

Antivirus software only recognises around 45% of all attacks!

Symantec Vice President Brian Dye

Most antivirus programmes are based on virus signatures (real-time specific).

Even if you keep your antivirus up to date with the latest signatures, it can only protect you from malware that is already known. It is also important that no third-party programme (intentionally or unintentionally) suppresses the update process of the antivirus programme or feeds false information to the scanner.

If a hacker is after you personally and sends you malware made "especially for you" (spear phishing), the chances that the antivirus detects it are very slim. Question every email attachment that reaches you! The criminals often use a double extension such as Invoice.pdf.exe or Invoice.docx.sh. Linux systems refuse to execute a newly downloaded script until you set its executable flag, and Windows systems show a warning before the programme will run.

Signatures are not a magic bullet

Problem: A plain signature scanner does not detect new viruses and worms.

Signature weaknesses

Polymorphic viruses do not have a unique signature / hash value. The criminals have developed a virus that can change itself.

The antivirus can still derive signatures, but these vary from device to device and from one moment to the next. The manufacturers therefore try to work with fuzzy hashes that are not sensitive to small changes.

Effective 7-step protection against malware

How can you as an ordinary person protect yourself from hacker attacks by malware?

#1 Activate basic protection

Although an antivirus programme will not find all malware, you should still use one. This applies to Windows, Linux and Mac. This way you will find the majority of computer viruses that are already known. If you prefer open source, use ClamAV. Alternatively, you can use a commercial antivirus, ideally from vendors in different countries with different political outlooks: if the manufacturer comes from country X, the state Trojans from country X are "permitted", but a second scanner from country Y may recognise the state Trojans from country X, and vice versa. VirusTotal, for example, is an online virus scanner from Google that uses 60 different scanners. Not all scanners raise the alarm when a virus is detected; this may be for organisational, political or technical reasons.

#2 Update old software

Remember to keep all the programmes on your PC up to date. The easiest way is a built-in automatic updater like the one in Firefox, or a package manager such as Chocolatey (Windows), apt-get (Debian) or Homebrew (Linux).

Many IT companies have to update their programmes so that the new release can close the errors and security gaps in the old version.

#3 Operating system gateway

Update your operating system: Many criminals look for vulnerabilities in Windows, Mac and Linux because this is where they can cause the most damage. Anyone who finds a vulnerability in Windows potentially has access to 1.5 billion computers.

#4 No “exceptions”

Even on Linux or macOS you are not protected from hackers. Linux / IoT malware is on the rise, and on macOS you can also run apps that do not come from the App Store.

Only install programmes and apps from trustworthy sources. An official app marketplace or a high price is no guarantee of freedom from malware: a store can distribute malware to its users without the store operator being aware of it.

Ideally, you should use popular open source software that many eyes have checked for security problems. Some companies publish open source software and also offer a maintenance contract with patching, so that fixes actually reach you.

#5 Use new software securely

If you need a new programme, only download the files from the known download platforms. Prefer the version in an official repo or App Store and do not use forks etc.

#6 Mails

Scrutinise every email attachment – no matter from whom. An Excel macro, an encrypted zip or a jar file can infect your computer faster than you think.
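As an added example (not code from the original post), a small mail-gateway policy check covering the attachment risks named in the spear-phishing section and in #6: double extensions such as Invoice.pdf.exe or Invoice.docx.sh, plain executables and scripts, macro-enabled Office files, jar files and encrypted archives that a scanner cannot inspect. The extension sets and the block/review/allow verdicts are constructed policy choices, not a vendor's list.

```python
import os

# Constructed policy: which suffixes are treated how.
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".ps1", ".sh", ".js", ".vbs", ".jar"}
MACRO_EXTS = {".xlsm", ".docm", ".pptm"}
ARCHIVE_EXTS = {".zip", ".7z", ".rar"}
DOCUMENT_EXTS = {".pdf", ".docx", ".xlsx", ".pptx", ".txt", ".png", ".jpg"}


def split_extensions(filename: str) -> list:
    """Return every dotted suffix, lowercased: 'Invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = os.path.basename(filename).split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def assess_attachment(filename: str, encrypted: bool = False) -> dict:
    """Classify an attachment by its name (and whether it is an encrypted archive)."""
    exts = split_extensions(filename)
    last = exts[-1] if exts else ""
    reasons = []
    if last in EXECUTABLE_EXTS:
        reasons.append("executable or script attachment")
        # Invoice.pdf.exe: a document extension hides in front of the real one.
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append("double extension disguised as a document")
    if last in MACRO_EXTS:
        reasons.append("macro-enabled Office document")
    if last in ARCHIVE_EXTS and encrypted:
        reasons.append("encrypted archive cannot be scanned")

    if any("executable" in r for r in reasons):
        verdict = "block"
    elif reasons:
        verdict = "review"   # hold for a sandbox run or a human decision
    else:
        verdict = "allow"
    return {"file": filename, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed attachment names, including the ones quoted in the article.
    samples = [("Invoice.pdf.exe", False), ("Invoice.docx.sh", False),
               ("report.xlsm", False), ("data.zip", True), ("Invoice.pdf", False)]
    for name, enc in samples:
        print(assess_attachment(name, encrypted=enc))
```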

#7 Last resort

Back up all your data at regular intervals, e.g. every Friday.

Remove the cable of the backup hard drive from your computer after the backup, otherwise you have also “backed up” the virus on the backup hard drive.

Antivirus for advanced users – sandboxing

A sandbox is an isolated operating system in a virtual machine. The file storage and main memory are separated so that the malware only destroys the virtual machine and not the host machine.

You can open and test untrusted software in a sandbox. The sandbox checks and monitors the behaviour of the malware. You can safely open attachments in a sandbox.

Modern antivirus programmes use sandboxing to filter malicious email attachments before the mail can load in the email inbox. The software runs the application in the virtual machine or opens the document. The program then waits and logs the behaviour of the program.

In the event of unusual and unwanted activities, the analyst can classify the new programme as malware. "Strange" activities include, for example:

  • Changes to the Windows registry
  • Calls from remote IPs directly after startup
  • Changes to system files
  • Encryption algorithms
  • Changes to the settings (in general)
  • File operations

The antivirus rates each of these activities as dangerous or harmless. The more strange activities it observes, the more likely it is to classify the software as malware.
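An added example, not code from the original post or from any antivirus product: a scorer that reads a constructed sandbox log in a made-up "seconds api argument" format, maps each event to one of the indicator categories listed above, and adds up weights so that more strange activities push the verdict towards malware. The weights, the "directly after startup" window and the thresholds are constructed values.

```python
import re
from collections import Counter
from typing import Optional

STARTUP_WINDOW_S = 2.0   # a network call this early counts as "directly after startup"
MALWARE_SCORE = 6        # constructed thresholds, not a vendor's values
SUSPICIOUS_SCORE = 3


def classify_event(t: float, api: str, arg: str) -> Optional[tuple]:
    """Map one sandbox event to (indicator category, weight); None if unremarkable."""
    if api.startswith(("RegSetValue", "RegCreateKey", "RegDeleteKey")):
        return ("registry_change", 2)
    if api == "connect":
        return ("early_remote_call", 3) if t <= STARTUP_WINDOW_S else ("remote_call", 1)
    if api.startswith("Crypt") or api.endswith("Encrypt"):
        return ("encryption", 3)
    if api == "SystemParametersInfo":
        return ("settings_change", 2)
    if api in ("WriteFile", "DeleteFile", "MoveFile"):
        if re.match(r"(?i)C:\\Windows\\", arg):
            return ("system_file_change", 3)
        return ("file_operation", 1)
    return None


def score_sandbox_log(log: str) -> dict:
    """Sum indicator weights over a log and turn the total into a verdict."""
    hits, score = Counter(), 0
    for line in log.strip().splitlines():
        parts = line.split(maxsplit=2)
        t, api, arg = float(parts[0]), parts[1], parts[2] if len(parts) > 2 else ""
        result = classify_event(t, api, arg)
        if result:
            hits[result[0]] += 1
            score += result[1]
    verdict = "malware" if score >= MALWARE_SCORE else "suspicious" if score >= SUSPICIOUS_SCORE else "harmless"
    return {"score": score, "indicators": dict(hits), "verdict": verdict}


# Constructed logs: a ransomware-like run and an ordinary editor session.
RANSOMWARE_LOG = r"""
0.10 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater
0.25 connect 203.0.113.7:443
1.40 CryptEncrypt C:\Users\alice\Documents\report.docx
1.45 DeleteFile C:\Users\alice\Documents\report.docx
1.50 WriteFile C:\Users\alice\Documents\report.docx.locked
2.00 WriteFile C:\Windows\System32\drivers\etc\hosts
"""
BENIGN_LOG = r"""
0.50 ReadFile C:\Users\alice\Documents\notes.txt
1.20 WriteFile C:\Users\alice\Documents\notes.txt
5.00 connect 198.51.100.2:443
"""

if __name__ == "__main__":
    print(score_sandbox_log(RANSOMWARE_LOG))
    print(score_sandbox_log(BENIGN_LOG))
```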

Nice to know:

Recruiters receive emails with attachments from many strangers. In order to view the application documents, they have to open the attachments. Not every "applicant" is a real applicant; some are criminals out to cause damage.
