What is an antivirus?

Antiviruses are rather complex pieces of software, and there are plenty of options. In this article, I’m going to go over the actual tasks antiviruses perform and how they go about performing those tasks. This article is not sponsored, nor does it promote any antivirus software - The PC Security Channel covers the difference between Windows 10’s Windows Defender and paid antivirus solutions.

One of the most basic tasks any antivirus can do is called Hash Detection. In this process, your antivirus computes a hash of every potentially infected file on your computer and compares it against a database of hashes of known malware.

For this purpose, a hash is simply a short, fixed-length text fingerprint computed from the contents of any input file. If the input is the same, the hash will be the same - if the input is even slightly different, the hash will be completely different.

By using Hash Detection, antiviruses can detect known malware before it has a chance to even run on the computer. The databases of hashes are very easy to create, and thousands of samples can be hashed and stored in seconds - which makes Hash Detection very easy to implement, and even easier to make at home. However, since even a slight change to a file produces a completely different hash, a modified copy of known malware will not be in the database, so Hash Detection is not something that can be used by itself in an antivirus solution.

Enter Static Analysis. Static Analysis picks up where Hash Detection fails. Almost all malware has a very limited set of goals. Usually, these goals include but are not limited to: stealing your data, encrypting your data, logging what you type, capturing input from your camera/microphone, copying data from your web browser, or manipulating the sites you see with fake copies.

Since most malware performs these particular tasks, Static Analysis allows antiviruses to look inside the code of a virus to see what it most likely will attempt to do. Static Analysis isn’t perfect - most of this software encrypts or obfuscates its code, so the easiest way to guess what a particular executable is going to do is to look at which libraries it imports. This data is fairly easy to access and can be read pretty quickly. You can even do this at home by using Python and PE Analyzer.

The most difficult thing an antivirus is going to do is run what it suspects to be malware inside a virtual machine, sandbox, or otherwise controlled environment. This prevents your machine from being damaged (unless the malware it is trying to scan is a ZIP bomb). This is usually called Dynamic Analysis, and it requires running the malware on your machine and poking at it to see what it does. Dynamic Analysis is the majority of what your antivirus does, and when Dynamic Analysis proves that a particular piece of software is malware, it can send the hash back to its developers so that the hash can be added to the Hash Detection database.

Another task your antivirus may perform is to look at files on your computer that have known hashes. You may have heard about System32 - it has over 20,000 files inside, all contributing to your computer’s functioning. Most of these files haven’t changed in a very long time, or are altered rarely. Since these files are pretty predictable, your antivirus can detect when one of them has changed and alert you.
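The two hash-based tasks described above (matching files against a malware hash database, and noticing when a known-good file changes) can be demonstrated in a few lines of Python. This is an added example, not code from the original article; the "malware" hashes are constructed from harmless placeholder strings, and the sample files are created in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed "known malware" database: placeholder strings, not real samples.
KNOWN_BAD = {
    sha256_bytes(b"constructed malicious payload"): "Test.Sample.A",
    sha256_bytes(b"constructed dropper stub"): "Test.Sample.B",
}


def scan_blocklist(paths, blocklist=KNOWN_BAD):
    """Hash Detection: return {file name: signature name} for matches."""
    return {p.name: blocklist[d] for p in paths
            if (d := sha256_file(p)) in blocklist}


def build_baseline(paths):
    """Record the current hash of known-good files (the System32 idea)."""
    return {str(p): sha256_file(p) for p in paths}


def check_baseline(baseline):
    """Return (changed, missing) file names relative to a stored baseline."""
    changed = [Path(n).name for n, d in baseline.items()
               if Path(n).exists() and sha256_file(Path(n)) != d]
    missing = [Path(n).name for n in baseline if not Path(n).exists()]
    return changed, missing


def demo():
    """Build constructed sample files, run both checks, return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "report.txt").write_bytes(b"quarterly numbers")
        (root / "config.ini").write_bytes(b"[settings]\nmode=1\n")
        (root / "update.exe").write_bytes(b"constructed malicious payload")
        hits = scan_blocklist(sorted(root.iterdir()))
        baseline = build_baseline([root / "report.txt", root / "config.ini"])
        (root / "report.txt").write_bytes(b"quarterly numbers!")  # one-byte edit
        (root / "config.ini").unlink()                             # file removed
        changed, missing = check_baseline(baseline)
        return hits, changed, missing
```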

Additionally, some antivirus suites will alert you if a program tries to access your webcam or microphone and offer to block that access by default. These suites may also offer a password manager, which encrypts your passwords and keeps them outside of your web browser’s password storage - and out of the hands of some viruses. They may also offer to scan your emails for you, detecting potential phishing, scams, or otherwise harmful messages.

All in all, almost all antiviruses perform static, dynamic, and hash-based analysis on the files on your computer. To truly have security, you have to trust the antivirus that you select. An antivirus is only as trustworthy as the company behind it. If you choose an antivirus that is backed by a shady company, the antivirus may collect information on you and sell it to advertisers, build profiles on you, or even target you with malware. When choosing an antivirus, you should choose one that can detect most forms of malware and that also has the community’s trust. Luckily for you, we have some resources that can help.

First, find antiviruses with high detection rates. You can do that with AV-Test.org or AV-Comparatives. At the time of writing, Avast and AVG both have the highest score on AV-Test.org. However, you also have to weigh the community trust aspect - this requires a little bit of research, but here is the TrustPilot page for Avast and an article from the FTC about Avast selling user data. Additionally, Safety Detectives wrote an article on why they stopped recommending Avast.

There are also YouTube videos on the matter, such as ones by ChrisTitusTech, JayzTwoCents, PCSecurityChannel, and CyberNews.

In summary, antiviruses perform three major tasks to detect viruses, and finding a trustworthy antivirus is critical for your online security and privacy. Whether or not you use a particular antivirus is your choice, but you should always strive to make an informed choice.