Back in the day, a definition-based antivirus was good enough to catch and remove any virus. The security application scanned all the files on the computer, one at a time, checking whether their headers contained a specific sequence of bits. To give you an idea, if the header included the (just an example) "434234swwd32@!5$#" string, that meant the file was infected with the XYZ virus, and the program knew it had to strip several bits from the file to restore it to its clean state.
Virus creators got smarter than this, though. This is when polymorphic viruses appeared: malware that changes its signature after each file it infects. This mechanism rendered definition-based antiviruses useless for a while, until security experts developed applications that could detect and eradicate these new threats as well.
Today, antiviruses use several methods to scan for infected files. To begin with, there are on-demand virus scans, which run when the user wants to make sure their computer is clean, or when a new storage device is connected to the PC. An on-demand scan should be run whenever a memory stick is inserted into a USB port, for example.
With real-time protection, suspicious activity is monitored by a memory-resident component of your antivirus. Security vendors need to build applications that are powerful enough to catch all viruses and yet use as few computer resources as possible. Some antiviruses miss the mark here, offering effective protection but slowing the computer to a crawl.
Finally, there are scheduled virus scans, which are triggered daily, weekly or monthly, according to the user's preferences. Full computer scans are often run this way, but you can also schedule system scans, which only search for viruses inside the operating system and the user data folders.
Almost every computer is connected to the Internet these days, which means our devices can be infected at any time. No antivirus in the world can guarantee that your system will stay free of every type of infection, but having a security suite installed on your PC significantly reduces the risk of downloading and running a piece of malware without knowing it.
Modern antiviruses use several layers of protection. This way, even if one security layer is circumvented, chances are the other layers will still detect and terminate the threat. At its core, your antivirus uses a huge database of known threats, comparing the signature of each scanned file with the database entries to identify potential threats. As soon as a potentially infected file is detected, it is moved to a different location on your computer and its extension is changed to a non-executable one. From that point on, the infected file can no longer interact with or damage other files on the computer.
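As an added illustration of the signature layer just described (and of the header check from the opening paragraph), here is a small Python scanner that is not part of the original article and not the code of any real antivirus product. The signature database, the file names and the quarantine layout are constructed for the example; the byte patterns are made up and match no real malware.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed signature database: name -> byte pattern whose presence marks an
# infection. Both patterns are made up for this example and match no real malware.
SIGNATURES = {
    "XYZ.Example": b"434234swwd32@!5$#",
    "ABC.Example": b"\x90\x90DEMO-PAYLOAD\x00",
}

HEADER_BYTES = 4096  # only the start of each file is inspected, as the article describes


def scan_bytes(header, signatures=SIGNATURES):
    """Return the name of the first signature found in the header bytes, or None."""
    for name, pattern in signatures.items():
        if pattern in header:
            return name
    return None


def scan_file(path, signatures=SIGNATURES):
    """Read the header of one file and match it against the database."""
    with open(path, "rb") as f:
        return scan_bytes(f.read(HEADER_BYTES), signatures)


def quarantine(path, quarantine_dir):
    """Move a flagged file into the quarantine directory under a name that no
    program will execute, and return the new path. A hash suffix keeps two files
    with the same name from colliding."""
    os.makedirs(quarantine_dir, exist_ok=True)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()[:16]
    dest = os.path.join(quarantine_dir, f"{os.path.basename(path)}.{digest}.quarantined")
    shutil.move(path, dest)
    return dest


def scan_directory(root, quarantine_dir, signatures=SIGNATURES):
    """Scan every regular file under root (skipping the quarantine itself) and
    quarantine the matches. Returns {original_path: (signature, quarantined_path)}."""
    results = {}
    qdir = os.path.abspath(quarantine_dir)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.abspath(os.path.join(dirpath, d)) != qdir]
        for name in filenames:
            path = os.path.join(dirpath, name)
            hit = scan_file(path, signatures)
            if hit is not None:
                results[path] = (hit, quarantine(path, quarantine_dir))
    return results


def demo():
    """Build a throwaway directory holding one clean file and one file carrying a
    constructed signature, scan it, and report what happened. Returns
    (number_flagged, flagged_file_names, matched_signatures, files_left_in_root,
    quarantined_file_names)."""
    root = tempfile.mkdtemp()
    try:
        qdir = os.path.join(root, "quarantine")
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"just a clean text file\n")
        with open(os.path.join(root, "tool.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 40 + SIGNATURES["XYZ.Example"] + b"\x00" * 100)
        results = scan_directory(root, qdir)
        remaining = sorted(os.listdir(root))
        quarantined = [os.path.basename(q) for _, q in results.values()]
    finally:
        shutil.rmtree(root)
    flagged = sorted(os.path.basename(p) for p in results)
    matched = sorted(sig for sig, _ in results.values())
    return len(results), flagged, matched, remaining, quarantined


if __name__ == "__main__":
    print(demo())
```

Running the module builds a temporary directory, flags `tool.exe`, moves it into `quarantine/` with a `.quarantined` extension, and leaves `notes.txt` untouched. The quarantine directory is pruned from the walk so the scanner never re-scans what it has already isolated.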
The next layer of protection consists of code that monitors suspicious behavior. Applications that try to add new registry entries or register themselves as startup items are carefully examined by the antivirus. This way, your security application can detect unknown viruses as well. Modern antiviruses also use heuristics, techniques that help them detect viruses whose signatures are similar, but not identical, to the ones stored in their databases. Still, heuristics-based antiviruses may flag some clean applications as malware, because their signatures resemble those used by certain families of viruses.
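To make the two ideas in this paragraph concrete, the following Python example (added here; it is not from the article and mirrors no real product's engine) contrasts an exact signature match with a near-match heuristic, then scores a process's recorded actions with a few behavior rules. The signature, the byte samples, the registry paths and the event records are all constructed for the example, and the threshold and rule weights are arbitrary choices.

```python
# Constructed signature, the same made-up pattern as the article's example; it
# matches no real malware.
SIGNATURES = {"XYZ.Example": b"434234swwd32@!5$#"}


def similarity(window, pattern):
    """Fraction of byte positions at which two equal-length byte strings agree."""
    return sum(1 for a, b in zip(window, pattern) if a == b) / len(pattern)


def heuristic_scan(data, signatures=SIGNATURES, threshold=0.85):
    """Slide each signature across the data and report the closest near-match.
    Returns (signature_name, score) when some window scores >= threshold, else None."""
    best = None
    for name, pattern in signatures.items():
        n = len(pattern)
        for i in range(len(data) - n + 1):
            score = similarity(data[i:i + n], pattern)
            if score >= threshold and (best is None or score > best[1]):
                best = (name, score)
    return best


def compare_scans(data):
    """Return (exact_hit, heuristic_hit) so the two layers can be contrasted."""
    exact = any(p in data for p in SIGNATURES.values())
    return exact, heuristic_scan(data)


# Constructed samples. VARIANT carries the signature with two bytes altered, the
# kind of small change an exact match misses; CLEAN_LOOKALIKE is a harmless
# configuration string that happens to share 16 of 17 bytes with the signature,
# so the heuristic flags it (a false positive); UNRELATED resembles nothing.
VARIANT = b"MZ\x00\x00" + b"434234swwd3Z@!5$X" + b"\x00" * 8
CLEAN_LOOKALIKE = b"config_token=434234swwd32@!5$$;"
UNRELATED = b"nothing to see here, move along " * 2


# Behavior layer: constructed event records from a hypothetical activity monitor,
# not the output of any real product. The paths are example values.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# (action, target prefix, weight, reason); the first matching rule per event wins,
# so the specific Run-key rule takes precedence over the generic registry rule.
BEHAVIOR_RULES = [
    ("registry_set", RUN_KEY, 3, "registers itself as a startup item"),
    ("file_create", STARTUP_DIR, 3, "drops a file into the Startup folder"),
    ("registry_set", r"HKCU\Software", 1, "adds a registry entry"),
]


def score_behavior(events, rules=BEHAVIOR_RULES, threshold=3):
    """Add up rule weights over a process's events. Returns (score, reasons, verdict)."""
    score, reasons = 0, []
    for event in events:
        for action, prefix, weight, reason in rules:
            if event["action"] == action and event["target"].startswith(prefix):
                score += weight
                reasons.append(reason)
                break
    return score, reasons, "suspicious" if score >= threshold else "ok"


INSTALLER_EVENTS = [  # an ordinary installer: one registry write, no persistence
    {"action": "registry_set", "target": r"HKCU\Software\ExampleApp\Version"},
    {"action": "file_create", "target": r"C:\Program Files\ExampleApp\app.exe"},
]
PERSISTING_EVENTS = [  # a process that registers itself to run at every logon
    {"action": "registry_set", "target": RUN_KEY + r"\Updater"},
    {"action": "registry_set", "target": r"HKCU\Software\ExampleApp\Version"},
]


if __name__ == "__main__":
    for label, sample in [("variant", VARIANT), ("clean look-alike", CLEAN_LOOKALIKE),
                          ("unrelated", UNRELATED)]:
        print(label, compare_scans(sample))
    print("installer", score_behavior(INSTALLER_EVENTS))
    print("persisting", score_behavior(PERSISTING_EVENTS))
```

The variant is missed by the exact check and caught by the heuristic, while the clean look-alike is flagged by the heuristic alone, which is exactly the trade-off the paragraph describes: lowering the threshold catches more variants and produces more false positives. The behavior rules show why the ordinary installer scores below the threshold while the self-registering process scores above it.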
Malware creators, of course, try to hide their programs with several encryption techniques. Some have even created viruses that try to shut down security suites and firewalls by terminating their processes and then preventing them from relaunching. Still, security experts know how to fight back, and their products keep getting better.