There are several methods which antivirus software can use to identify malware.
Signature-based detection is the most common method. To identify viruses and other malware, antivirus software compares the contents of a file against a dictionary of known virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole but also in pieces, so that a signature is found wherever it sits in the file.
Heuristic-based detection, like malicious-activity detection, can identify viruses for which no signature yet exists.
File emulation is another heuristic approach. File emulation involves executing a program in a virtual environment and logging what actions the program performs. Depending on the actions logged, the antivirus software can determine if the program is malicious or not and then carry out the appropriate disinfection actions.[17]
Signature-based detection
Traditionally, antivirus software heavily relied upon signatures to identify malware. This can be very effective, but it cannot defend against malware until samples have been obtained and signatures created. Because of this, signature-based approaches are not effective against new, unknown viruses. As new viruses are created every day, the signature-based approach requires frequent updates of the virus signature dictionary. To assist the antivirus companies, the software may allow the user to submit new viruses or variants to the vendor, where the sample is analysed and its signature added to the dictionary. Signatures are produced by human analysts using reverse engineering. An example of software used in reverse engineering is the Interactive Disassembler; such software does not itself implement antivirus protection, but facilitates human analysis.
Although the signature-based approach can effectively contain virus outbreaks, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match virus signatures in the dictionary.
Heuristics
Some more sophisticated antivirus software uses heuristic analysis to identify new malware or variants of known malware. Many viruses start as a single infection and, through either mutation or refinement by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition.
For example, the Vundo trojan has several family members, depending on the antivirus vendor's classification. Symantec classifies members of the Vundo family into two distinct categories, Trojan.Vundo and Trojan.Vundo.B.
While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature. Virus researchers find the areas that all viruses in a family share and that are unique to the family, and from them create a single generic signature. These signatures often describe non-contiguous code, using wildcard characters where the variants differ. The wildcards allow the scanner to detect a variant even if it has been padded with extra, meaningless code. A detection that uses this method is said to be "heuristic detection."
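The following is an added example, not code from the article or from any antivirus product, that ties together the scanning in pieces, wildcard generic signatures, polymorphic encoding and file emulation described above. The signature syntax (hex bytes, `??` for one wildcard byte, `[lo-hi]` for a jump of lo to hi arbitrary bytes), the sample byte strings, and the one-byte XOR "decoder stub" are all constructed for this illustration; the `emulate_decode` function stands in for a real emulator, which would run the decoder in a sandbox rather than knowing its layout in advance.

```python
"""Toy signature scanner: wildcard signatures, chunked scanning with overlap,
and a stand-in for emulation against a constructed XOR-encoded variant."""
import re
from typing import Dict, Set, Tuple

# Constructed samples (not real malware bytes): a marker followed by a short body.
ORIGINAL = bytes.fromhex("deadbeef0102030405")
# Variant padded with meaningless filler between the marker and the body.
PADDED = bytes.fromhex("deadbeef90909090900102030405")
# "Polymorphic" variant: a one-byte XOR key acting as a toy decoder stub,
# followed by the XOR-encoded body. Constructed format for this example only.
KEY = 0x5A
ENCRYPTED = bytes([KEY]) + bytes(b ^ KEY for b in ORIGINAL)

# Hypothetical signature syntax: hex bytes, "??" for one wildcard byte,
# "[lo-hi]" for a jump of lo..hi arbitrary bytes (mirrors the wildcards above).
SIGNATURES: Dict[str, str] = {
    "Exact.Sample": "de ad be ef 01 02 03 04 05",
    "Generic.Sample": "de ad be ef [0-16] 01 02 ?? 04 05",
}


def compile_signature(pattern: str) -> Tuple[re.Pattern, int]:
    """Translate a wildcard signature into a bytes regex. Also return the
    largest number of bytes the signature can span; the scanner needs it
    to size the overlap between chunks."""
    parts, max_len = [], 0
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
            max_len += 1
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = (int(x) for x in tok[1:-1].split("-"))
            parts.append(b".{%d,%d}" % (lo, hi))
            max_len += hi
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
            max_len += 1
    # DOTALL so "." also matches a 0x0a byte.
    return re.compile(b"".join(parts), re.DOTALL), max_len


def scan(data: bytes, chunk_size: int = 4096) -> Set[str]:
    """Scan data chunk by chunk ("in pieces"), carrying enough of the previous
    chunk that a signature straddling a chunk boundary is still matched."""
    compiled = {name: compile_signature(p) for name, p in SIGNATURES.items()}
    overlap = max(max_len for _, max_len in compiled.values()) - 1
    hits: Set[str] = set()
    carry = b""
    for off in range(0, len(data), chunk_size):
        window = carry + data[off:off + chunk_size]
        for name, (rx, _) in compiled.items():
            if rx.search(window):
                hits.add(name)
        # Keep the last overlap bytes; a match of at most max_len bytes that
        # ends in the next chunk starts no earlier than this.
        carry = window[-overlap:] if overlap > 0 else b""
    return hits


def emulate_decode(sample: bytes) -> bytes:
    """Stand-in for file emulation: "run" the constructed decoder stub (first
    byte is the XOR key) and return the body it would produce in memory."""
    key, body = sample[0], sample[1:]
    return bytes(b ^ key for b in body)


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("padded", PADDED),
                          ("encrypted", ENCRYPTED)):
        print(f"{label:9s} static scan: {sorted(scan(sample))}")
    # The static scan misses the XOR-encoded variant; scanning the emulated
    # output recovers both the exact and the generic detection.
    print("encrypted after emulation:", sorted(scan(emulate_decode(ENCRYPTED))))
```

The padded variant is caught only by the generic signature, which is the point of the wildcard jump; the XOR-encoded variant is caught by neither signature until the body has been decoded, which is what file emulation is for. Shrinking `chunk_size` (even to a few bytes) does not change the result, because the overlap is sized from the longest signature.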
Where the differences between specific variants of the same virus are large, the variants are described as "oligomorphic", "polymorphic" or "metamorphic". In such cases antivirus products fall back on dedicated statistical algorithms, implemented in the "real time" protection, which analyse the behaviour of the software rather than its bytes. This approach is not exact and costs more CPU and memory on the scanned computer. Because oligomorphic, polymorphic and metamorphic engines are difficult to write and the code they produce is comparatively large and distinctive (and such engines remain rare), behavioural analysis can be applied to them with a relatively high success rate. Designing such algorithms still depends on human ingenuity.
If the antivirus software employs heuristic detection, success depends on achieving the right balance between false positives and false negatives. Because both false positives and false negatives are possible, the identification process is subject to human assistance, which may include decisions by the user as well as analysis by an expert at the antivirus company.
Rootkit detection
Anti-virus software can attempt to scan for rootkits; a rootkit is a type of malware that is designed to gain administrative-level control over a computer system without being detected. Rootkits can change how the operating system functions and in some cases can tamper with the anti-virus program and render it ineffective. Rootkits are also difficult to remove, in some cases requiring a complete re-installation of the operating system.