How Does Antivirus Software Work? | 2021

Hackers and antivirus vendors are engaged in an endless cyclical battle. Hackers continually create new viruses and other ways to infect your computer or attack you online to steal your data, money, or identity. In turn, antivirus vendors create solutions to detect these threats and keep them from harming you.

Being smart about how you use email, what links you click on, websites you browse, and files you download is your first line of defense. But antivirus software can supplement these efforts, providing professional security monitoring to keep your electronic devices and information safe.

Antivirus software isn’t one thing, but rather a package of evolving defense mechanisms designed to protect your computer against the constant barrage of known, unknown, and ever-shifting malicious threats devised by hackers, trolls, and cybercriminals.

However, “antivirus” is a misnomer. Viruses are merely one type of malware, and malware is only one type of an exploding number of internet security threats. “It is like an elephant: Each elephant is gray, but not everything that’s gray is an elephant,” says Peter Stelzhammer, co-founder of independent security testing lab AV-Comparatives. “Malware is the generic term for every malicious threat. So you have worms, viruses, ransomware, and much more, and all of it is malware. ‘Virus’ is only used as a marketing term, and usually a threat is a combination of several techniques.” That said, for the sake of simplicity, all U.S. News guides use the term “antivirus software” to refer to software that addresses all types of online security threats.

Antivirus software constantly scans your computer for threats from emails, web surfing, and app and software downloads, to make sure everything you do and access online is free from potentially harmful code. Once a problem is detected, the software will warn you about it, block you from accessing a suspicious file or website, or eliminate the threat.

Available Antivirus Software

Different types of internet threats resulting from various online activities – email, link clicking, web surfing, file or app transfers or downloads, and webcam video recording and calling – require different antivirus solutions. These include, but aren’t limited to:

Signature Analysis: Signature-based analysis is similar to fingerprinting and is one of the most common types of antivirus threat detection. All antivirus software vendors compile and constantly update a database of identified threats, known as “virus definitions,” from files and suspicious websites. Antivirus programs compare the fingerprint, or “signature,” of a detected potential threat against the analyzed threats in this database and respond accordingly when there’s a match.

Heuristic Analysis: Many hackers understand signature-based tools and know how to disguise their malicious code. In response, some antivirus software also uses a so-called heuristic approach. Often described as a sophisticated trial-and-error method, heuristic-based analysis works to identify suspicious characteristics in an otherwise unrecognizable file that might match those of known malware.

Sandbox Detection: Some potentially malicious code is so well disguised or encrypted that it escapes signature and heuristic detection. Thus, if an encrypted file seems even vaguely suspicious, some antivirus software will open and run it in a “sandbox.” This sandbox is a secure area inside the software that the antivirus program uses to determine if the file is innocuous or malicious without damaging your computer.

Machine Learning/Artificial Intelligence: As hackers have learned to adapt, antivirus software vendors have developed more sophisticated machine learning and artificial intelligence technologies to identify new techniques hackers use to disguise their work. The software then adds information about these new threats to its detection database. As it collects more information, the software becomes better at detecting previously unknown malware.

Behavior Monitoring: “Generally speaking, behavior monitoring watches the traffic between your computer and various devices – external hard drives, USB thumb drives, networked computers, printers, etc. – to stop them when they do something suspicious,” says John Hawes, CEO of the international nonprofit Anti-Malware Testing Standards Organization (AMTSO). If necessary, antivirus software can undo any changes these external devices make.
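Signature and heuristic analysis as described above, shown as an added example that is not from the original article or any vendor's product: a toy scanner run over constructed byte strings. The hash and pattern "definitions," the token list, the entropy limit, and the score threshold are all assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for a known-bad file (not real malware).
KNOWN_BAD = b"MZ\x90\x00constructed-demo-payload:connect;download;run"

# Toy "virus definitions": exact-file hashes and byte patterns (constructed).
HASH_SIGS = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Demo.Trojan.A"}
PATTERN_SIGS = {b"constructed-demo-payload": "Demo.Trojan.generic"}

# Traits the heuristic treats as suspicious (assumed weights and threshold).
TOKENS = (b"connect", b"download", b"run", b"keylog")
ENTROPY_LIMIT = 7.2   # bits per byte; packed or encrypted data sits near 8
FLAG_AT = 3


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_score(data: bytes) -> int:
    """Add up suspicious traits found in a file no signature recognizes."""
    score = sum(1 for t in TOKENS if t in data)
    score += 1 if data.startswith(b"MZ") else 0        # Windows executable header
    score += 2 if entropy(data) > ENTROPY_LIMIT else 0
    return score


def scan(data: bytes):
    """Return (method, label): signatures first, heuristics as the fallback."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGS:
        return ("hash-signature", HASH_SIGS[digest])
    for pattern, name in PATTERN_SIGS.items():
        if pattern in data:
            return ("pattern-signature", name)
    score = heuristic_score(data)
    if score >= FLAG_AT:
        return ("heuristic", f"suspicious (score {score})")
    return ("clean", None)


# Constructed inputs: each one defeats the layer above it, or none at all.
SAMPLES = {
    "known file": KNOWN_BAD,
    "one byte appended": KNOWN_BAD + b"\x01",
    "marker renamed": b"MZ\x90\x00renamed-payload:connect;download;run",
    "packed blob": b"MZ" + bytes(range(256)) * 8,
    "plain document": b"Quarterly report: revenue grew 4% year over year.\n",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:18} -> {scan(blob)}")
```

The exact-hash definition only matches the unmodified file, the byte pattern still matches a trivially altered copy, and the heuristic is what remains once both signatures miss. Its fixed threshold is also where false positives and missed detections come from.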

Because antivirus software vendors are almost always playing defense against hackers, behaving judiciously online and using antivirus software will never protect you 100%. “[T]here are plenty of successful threats out there, and the industry isn’t winning,” admits Simon Edwards, CEO of security testing company SE Labs. He continues, “I…recently found myself tricked by one, so even the experts fall for them sometimes!”

Hackers’ primary point of attack – one that antivirus software is powerless against – is prompting careless user behavior. Instead of trying to stealthily plant a malicious file, more and more hackers try to get you to give up your information or provide a way into your computer. To do this, they send emails with malware-laden attachments or links to bogus websites to trick you into clicking on, downloading, or navigating to something harmful. This process is what Hawes describes as “obfuscation” – files or “hiding what they’re doing, pretending to be something else” and “trying to look harmless or even useful.” As a result, never open attachments or click on links in emails sent by people you don’t know.

There are other ways to stop hackers, as well. For instance, most legitimate websites employ TLS (transport layer security) encryption to prevent eavesdropping. “TLS is good for users’ privacy and bad for people wanting to snoop on web sessions,” according to Simon. “Some governments see encryption as being bad because they can’t monitor their citizens as easily. Hackers don’t like it for the same reason.” Secure website addresses (URLs) using TLS begin with “HTTPS” rather than “HTTP.” Avoid downloading files from or sending private information through sites whose addresses begin with “HTTP” rather than “HTTPS.”

In addition, most antivirus software includes a “firewall” designed, like a real wall, to keep your computer safe from malicious online intrusions. However, most operating systems and internet routers include their own firewalls, which makes antivirus software firewalls largely redundant.

If you’re thinking about buying a particular brand of antivirus software, first check the company’s privacy policies and terms of service or end-user licensing agreement. Make sure you’re comfortable with whatever data the software collects and access permissions it requires.

Second, viruses and other threats are designed to attack specific platforms and operating systems. Because you likely own multiple devices running different operating systems, such as a Windows computer and an Android phone or an iPhone, look for antivirus software that offers multiple platform protections for multiple devices.

Finally, choose antivirus software that provides comprehensive protection, regardless of a threat’s type, source, or purpose. Choosing free antivirus software such as Windows Defender or free stripped-down software from other vendors could come back to bite you. “Some free products have fewer features like [cloud] backup, a password manager, etc., and some free products even have fewer security features,” says AV-Comparatives’ Stelzhammer.

Although some people believe Apple’s Mac operating system (OS) is more secure than Windows, this is a myth. Mac OS X isn’t better designed from a security standpoint, according to experts. Windows is simply more popular, and “cybercriminals want to hit the larger group,” Stelzhammer says. “Designing a piece of malware for Windows gives you more victims.” According to StatCounter, the various Windows operating system versions comprised 77.1% of worldwide computer users as of March 2020, with Mac OS X representing just 18.3% of users.

In Stelzhammer’s opinion, Mac users tend to have an unfounded belief that their computers protect them better than those running Windows. “Macs are just as vulnerable as Windows machines,” he says. Online attacks “can hit Windows, Mac, Android, iOS, and everything with a browser on it,” he continues, “even your internet-connected fridge.”

The design of Chrome OS makes it much less vulnerable to threats than other operating systems, according to Edwards. In addition, he says Chrome OS devices are less vulnerable to malware and other attacks because Chrome OS is used by only about 1% of computer owners worldwide.

“The bad guys are concentrating on the low-hanging fruits first,” says Andreas Marx, a managing director at independent antivirus and security testing lab AV-TEST. “They are also bound to budget restrictions. Malware costs money to develop, test, and distribute, and they would like to get their money back somehow.” But he adds that because Chromebooks often run Android apps, “arguably the same risk exists for Chromebooks as it does for Android devices.” Thus, although there aren’t many security products available for Chrome OS, the handful that exist are worth downloading, Hawes argues, especially if you regularly download and install apps.

Like all devices, Android phones and tablets are vulnerable to attacks resulting from poor cyber hygiene and lack of virtual private network (VPN) protection. However, Android devices present two additional security problems: the popularity and open nature of the Android OS, and the lack of consistent Android updates.

While both Apple and Google vet apps before allowing them to be sold in their respective app stores, you’re more likely to find malicious Android apps. For instance, “Last year we found a lot of bogus antivirus products in the Google Play Store,” Stelzhammer says.

“Android has a lot of malware, as these days it’s the biggest target,” Hawes says. All security experts recommend you not only check app reviews before downloading, but that you avoid downloading apps from Android app stores other than the Google Play Store.

The latest versions of Android include Google’s Play Protect anti-malware technology, but “we cannot recommend it at the moment,” Marx says. AV-TEST discovered that Google Play Protect identified slightly more than one-third of the malware samples during testing, while a third-party Android antivirus program had a 98.9% app malware detection rate. “Android users are much safer with [third-party] security apps than if they rely on Google [Play Protect],” AV-TEST concluded.

Then there’s the issue of updating. Although Google releases monthly Android security patches, Android phone makers don’t regularly release these updates or alert users that updates are available. Users should regularly check for updates to make sure they have the most current antivirus protection. (Apple, by contrast, does send out regular updates.)

In early April 2020, a “white hatter” – an ethical hacker who tries to find online security flaws so they can be fixed – managed to locate seven weaknesses in Apple’s Safari web browser. The hacker then used three of these weaknesses to take over an iPhone’s camera. This example isn’t the first time security holes have been identified in iOS or Mac OS, and Apple offers financial rewards to white hatters who discover vulnerabilities in the company’s products. Apple is quite public about these discoveries and says it tries to resolve the problems as quickly as possible.

“The risk is much the same whether you use Android or iOS,” Hawes says. “If you stick to the official Google and Apple app stores, your risk is reduced, but not completely to zero.” He continues, “Bad guys can and do manage to publish their apps in official stores. And that’s the main risk for mobile users: being tricked into installing an app that claims to do one thing but does something bad instead.”

All antivirus software should contain a basic set of features, but the best software has additional features. Here’s a rundown of which features you should look for in antivirus software.

1. Known Brand. Stick with antivirus software vendors that have a proven reputation or are members of AMTSO. A reputable vendor’s website should clearly state what features its software has and how much it costs.

2. Device/OS Coverage. Choose antivirus software that protects at least three devices running Windows, Mac, iOS, or Android, depending on the operating systems your devices run. Most antivirus software licenses can cover up to 10 devices running different operating systems.

3. Malware Protection. Look for malware detection of and protection against a variety of malicious software, such as spyware, which can monitor your computer activities; adware, which displays or downloads unwanted ads; viruses; worms, which can modify or delete files and spread between computers; and ransomware, which can prevent access to your computer until you pay someone to unlock it.

4. Valuable Extras. In addition to basic malware detection, consider software that includes a VPN and protection against phony emails (phishing and spam), web browsing protection, webcam security, firewalls, parental controls, a password manager, file backup, and protection for your financial accounts. Many of these features may come with premium antivirus software packages and are usually worth the extra cost.

5. Definition Updates. Find out how often the company updates its antivirus software virus definitions and collects information on new threats. Some vendors update their threat lists more frequently and completely than others. Ask a customer service representative, as this information is usually not on company websites.

6. Free Trial. To make sure antivirus software doesn’t slow down your computer and is easy to use, take advantage of free trials. Be sure to completely uninstall the trial software if you don’t like it. Free trials should be unconditional; if you’re asked to create an account or provide a credit card number before you can download the free trial software, move on.

7. Price. Don’t focus too much on the often discounted price that antivirus software vendors emphasize in big, bold type. It’s the crossed out, “original” price that you’ll be paying annually after the first discounted year, so that’s the real price of the computer protection you choose.

All antivirus software, including free trials, is available to download from the vendors’ websites. Software boxes you can purchase online or in stores usually contain only a license key that you use to activate downloaded software. If the box does contain physical media such as a CD or DVD, and your computer doesn’t include an optical disc drive, you can still use the included license key to download and install the software.

Generally speaking, Windows antivirus software is downloaded as a Windows “.exe” file, a common type of file that launches a program. In Windows Explorer’s Program folder, click on the .exe file to open and run the software’s installer. The .exe file should include the long license key or serial number so you can avoid having to type it in during installation, but keep the license key handy just in case.

You will usually be asked to create an account, which will allow you to more easily adjust privacy, subscription, and payment settings, configure different features and devices that you install the software on, permit updates, and otherwise manage your subscription and account. Finally, you’ll have to agree to the user agreement and/or license agreement.

While most antivirus installations don’t require you to restart your computer, you’ll want (and may be prompted) to run an initial scan of the full system to check for threats. This scan could take more than an hour, depending on how many files and disk drives you have. Your antivirus software will let you know how much time the scan will take and if you can use your computer in the meantime. Subsequent scans usually take only a couple of minutes. Once the software is installed and the initial scan completed, the software will immediately go to work and keep you and your system protected.

Antivirus software is sold in annual renewable license subscriptions, usually in two or three good-better-best levels. Most basic packages include real-time virus protection from and on-demand scanning for malware, adware, spyware, and ransomware threats. Premium packages usually add a variety of extras such as a VPN, cloud storage, password manager, system optimization, enhanced customer support, and specialized virus protection for web browsing, email, financial accounts, and mobile devices.

Nearly all antivirus software licenses are deeply discounted the first year. Basic annual licenses usually cost less than $50 initially, then increase to their standard price – usually less than $100 – when you renew. Premium packages typically cost between $50-$100 the first year, then about $150 annually thereafter.

Some vendors offer renewal discounts and/or multiyear deals. You also can pay more to install the software on additional devices if you wish.

Higher-priced antivirus software isn’t necessarily better. “I’m not sure price would be a reliable guide to quality, because there are too many other factors involved,” Hawes says. “Vendors will charge what they think people will pay, which may be a better reflection of their marketing budget than the level of protection provided.”

Without an antivirus program, it’s virtually impossible to identify and remove infected files – even for experts. “These days, malware is usually trying to hide itself, so it’s hard to detect for an average user,” Marx says. This means that to remove a virus, you’re almost certainly going to need antivirus software. Another option is to take your machine to a computer repair professional who can remove the virus for you. However, this will probably cost at least the equivalent of a year’s subscription to an antivirus software program.

If you’ve chosen the right antivirus software, you’re unlikely to be faced with a detected but untreated virus. “In Windows, most antivirus software should be able to remove anything it wants to,” Hawes says. “I’ve never heard of a user being asked to intervene manually.”

If your antivirus software does detect but can’t remove a malicious item, the software may tell you where to find it for you to manually delete it. However, manual removal may not solve the problem because most malware spreads undetectable tendrils deep into your system. To be sure you remove the entire threat, many antivirus software vendors offer dedicated malware removal tools, which security software sites also test and grade.

An “expired” message merely indicates that your antivirus software subscription term is up and it’s time to renew. Most antivirus software programs will continually alert you weeks before it is due to expire.

If you don’t want to renew, uninstall the software and find another antivirus software solution. Try to spend as little time as possible unprotected.

How U.S. News Evaluated Antivirus Software

We explain what matters most to consumers, experts, and professional reviewers when it comes to antivirus software. Then we provide an unbiased evaluation of antivirus software available at the time of review. Our goal is to empower consumers with the information and tools they need to make informed decisions. More information about our 360 Reviews methodology for evaluating antivirus software companies is here.

U.S. News 360 Reviews takes an unbiased approach to our recommendations. When you use our links to buy products, we may earn a commission but that in no way affects our editorial independence.