Most antivirus users believe that security products are themselves secure and that simply installing antivirus software keeps their computers and networks safe. This belief is not well founded, and it is not uncommon to read comments like, “My computer is infected with malware. How can that be? I have an antivirus product installed!”
To illustrate why antivirus software does not fully protect you from viruses and malware, let’s look at the tasks performed by current antivirus products:
■ Detecting malicious patterns and bad behaviors in programs
■ Detecting malicious patterns in documents and web pages
■ Detecting malicious patterns in network packets
■ Trying to discover new bad behaviors or patterns based on experience with previously known ones
Antivirus products are not complete solutions against malware because an antivirus product cannot identify what is hidden from it. Marketing material from various antivirus vendors may lead average users to believe that they are protected from everything, but this is unfortunately far from reality. Antivirus vendors work from known security threats and malware patterns; an antivirus product cannot spot new, unknown threats unless they resemble old, known patterns (either behavioral or static), regardless of what the antivirus industry advertises.
All antivirus products share a common set of platform features, so studying one kind of antivirus system will help you understand another. The following is a short list of common features found in almost every antivirus product:
■ The ability to scan compressed files, packed executables, and batch files
■ Tools for on-demand or real-time scanning of files or directories
■ Self-protection mechanisms to guard against malware attacking the installed antivirus
■ Firewall, network, and router inspection functionality
■ Command-line and graphical interface tools
■ A daemon or service
■ A management console
The following sections briefly discuss features shared by most antivirus products, as well as more advanced features that are available only in some products.
An antivirus product should have some common features and meet certain requirements in order to be usable. For example, a basic requirement is that the antivirus scanner tool and its kernel should scan quickly and consume little memory.
Another general feature of antivirus products is the scanner, which may be a graphical user interface (GUI) or a command-line on-demand scanner. Such tools are used whenever the user wants to check a set of files, directories, or the system’s memory. There are also on-access scanners, more commonly called resident or real-time scanners.
The resident scanner analyzes files that are accessed, created, modified, or executed by the operating system or other programs (such as web browsers); it does this to prevent document and program files from being infected by viruses and to stop known malware files from executing on the system.
The resident scanner is one of the most attractive components to attack; for example, a bug in the parser for Microsoft Word documents can expose the resident scanner to arbitrary code execution as soon as a malicious Word document is downloaded (even if the user does not open the file).
A security bug in the antivirus email-message parser can likewise lead to malicious code execution when a new email with a malicious attachment arrives, the temporary files are written to disk under the system directories, and those files are analyzed by the on-access scanner. When such bugs are triggered, they can also be used for a denial-of-service attack that makes the antivirus program crash or loop forever, disabling the antivirus temporarily or permanently until the user restarts it.
The scanner of any antivirus product searches files, directories, or packets using a set of signatures to decide whether the files or packets are malicious; it also assigns a name to each detected sample. The signatures are the known patterns of malicious files. Some common, rather basic, signatures are consumed by simple pattern-matching techniques (for instance, finding a specific string, such as the EICAR string), CRCs (checksums), or MD5 hashes. Relying on cryptographic hashes such as MD5 works for only one exact file (since a cryptographic hash is designed to identify only that file), while other fuzzy-logic-based signatures, such as applying the CRC algorithm to specific chunks of data (rather than hashing the whole file), can identify multiple files.
Antivirus products usually support several kinds of signatures. As described in earlier articles, these signature types range from simple CRCs to rather complex heuristic patterns based on many features: the PE header, the complexity of the code at the entry point of the executable or batch file, and the entropy of the whole file or of some section or segment within it.
Sometimes signatures are also based on the basic blocks discovered while performing code analysis from the entry point of the executable or batch file under scan, and so on. Each kind of signature has advantages and disadvantages. For example, some signatures are very specific and unlikely to lead to a false positive (a good file flagged as malware), while others are very risky and can generate a large number of false positives. Imagine, for example, a signature that finds the word Microsoft anywhere in a file that starts with the bytes Mx90. This would cause a large number of false positives, regardless of whether it was first discovered in a malware file. Signatures must be created with great care to avoid false positives.
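The signature types discussed above (an exact string such as EICAR, a whole-file MD5, a CRC over one region of the file, an entropy heuristic, and the over-broad "header plus string" rule) can be demonstrated with a toy scanner. The following Python block is an added example written for this article, not code from any antivirus product; the sample files, signature names, and region offsets are all constructed for illustration, and the only real value used is the public EICAR test string.

```python
import hashlib
import math
import zlib

# The EICAR test string: a harmless, industry-standard test file that every
# scanner is expected to detect; used here as the classic "find a specific
# string" signature.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed sample files (not real malware, just byte strings for the demo):
# a toy "known bad" file, a slightly modified variant of it, and a benign file
# with a similar layout.
KNOWN_BAD = b"MZ" + b"\x90" * 14 + b"CONSTRUCTED-BAD-STUB" + b"\xcc" * 32 + b"Microsoft"
VARIANT = KNOWN_BAD + b"\x00" * 8            # trailing padding: the whole-file hash changes
BENIGN = b"MZ" + b"\x90" * 14 + b"CONSTRUCTED-GOOD-STUB" + b"\x00" * 32 + b"Microsoft Corp"


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for a constant file, 8.0 for a uniform one)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def sig_string(name, pattern):
    """Simple pattern matching: flag any file containing `pattern`."""
    return (name, lambda data: pattern in data)


def sig_md5(name, digest_hex):
    """Exact-file signature: matches only the one file with this MD5."""
    return (name, lambda data: hashlib.md5(data).hexdigest() == digest_hex)


def sig_partial_crc(name, offset, length, crc):
    """Fuzzy signature: CRC32 over one region of the file, so variants that
    keep that region but differ elsewhere (padding, appended data) still match."""
    def match(data):
        chunk = data[offset:offset + length]
        return len(chunk) == length and zlib.crc32(chunk) == crc
    return (name, match)


def sig_entropy(name, threshold):
    """Heuristic signature: flag files whose overall entropy reaches `threshold`
    (a crude packed/encrypted-content indicator; constructed threshold)."""
    return (name, lambda data: shannon_entropy(data) >= threshold)


def sig_string_after_header(name, header, pattern):
    """The over-broad rule from the text: any file starting with `header` that
    contains `pattern` anywhere. Included to show how it misfires on good files."""
    return (name, lambda data: data.startswith(header) and pattern in data)


def scan(data, signatures):
    """Return the names of all signatures that match `data`."""
    return [name for name, match in signatures if match(data)]


def false_positives(signatures, benign_corpus):
    """Count, per signature, how many known-good files it would flag.
    This is the check a signature author runs before shipping a rule."""
    counts = {name: 0 for name, _ in signatures}
    for data in benign_corpus:
        for name in scan(data, signatures):
            counts[name] += 1
    return counts


# Signature set built from the constructed "known bad" sample.
SIGNATURES = [
    sig_string("EICAR-Test-File", EICAR),
    sig_md5("Constructed.Bad.exact", hashlib.md5(KNOWN_BAD).hexdigest()),
    sig_partial_crc("Constructed.Bad.family", 0, 36, zlib.crc32(KNOWN_BAD[:36])),
    sig_entropy("Heuristic.HighEntropy", 7.0),
    sig_string_after_header("Risky.Microsoft", b"MZ", b"Microsoft"),
]

if __name__ == "__main__":
    for label, sample in [("eicar", EICAR), ("known_bad", KNOWN_BAD),
                          ("variant", VARIANT), ("benign", BENIGN)]:
        print(f"{label:10s} -> {scan(sample, SIGNATURES)}")
    print("false positives on benign corpus:", false_positives(SIGNATURES, [BENIGN]))
```

Running the script shows the trade-off the text describes: the MD5 signature catches only the exact known file and misses the padded variant, the partial CRC over the first 36 bytes catches both, and the "starts with MZ and contains Microsoft" rule flags the benign file as well, which `false_positives` reports before such a rule would be released.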