Antivirus: Use and Operation

Antivirus software aims to detect and remove malicious content (Trojans, viruses, worms, spyware, etc.) from a computer.
For the most frequently asked questions, refer to the antivirus FAQ.

A short terminology reminder:

  • Free antivirus: antivirus software that requires no paid license to be used; see the article: Free antivirus
  • Internet Security or "Security Suite": complete versions that, in addition to the antivirus component, include a firewall and sometimes parental control.

Here are some explanations of the different protection modules found in most antiviruses.

All the answers to your questions about antivirus are in the antivirus FAQ.

Antivirus detection methods

To recognize malicious programs, antiviruses use several methods.
Here are the common ones found in most current antiviruses.

Static detection consists in analyzing the code of a file without executing it:

  • Signature detection: detection that matches significant portions of code of a particular virus family. This type of signature is relatively easy for malware authors to circumvent, in particular through the use of packers/crypters or code mutation.
  • Heuristic detection: more generalized pieces of code that aim to produce broader detections, in order to detect malware in general rather than one particular family. The difficulty with generic detection is to balance effective general code against generating too many false positives.

Behavioral detection consists in executing the file in a closed environment controlled by the antivirus (a sandbox) in order to detect behaviors commonly used by malicious programs (e.g. copying itself into %APPDATA%, creating a Run key, etc.).
This detection is relatively effective, even though malware/virus writers of course try to circumvent it, in particular by detecting the sandbox.
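As an added illustration (not code from the original article), here is a minimal scoring of the behaviors named above, run over a constructed sandbox trace; the trace format, rule names, weights and threshold are assumptions made for this example:

```python
import re
from collections import defaultdict

# Constructed sandbox trace (not from the article): one "pid|operation|target"
# event per line, in the form a hypothetical sandbox might emit.
SANDBOX_LOG = """\
4120|file_write|C:\\Users\\alice\\Downloads\\invoice.exe
4120|file_copy|C:\\Users\\alice\\AppData\\Roaming\\svchost32.exe
4120|reg_set|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32
4120|net_connect|198.51.100.23:443
5200|file_write|C:\\Users\\alice\\Documents\\report.docx
5200|reg_set|HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Options
"""

# Behaviour rules: the two examples named in the text (copy into %APPDATA%,
# creation of a Run key) plus an outbound connection as supporting evidence.
RULES = {
    "copy_to_appdata": ("file_copy", re.compile(r"\\AppData\\", re.I)),
    "run_key_persistence": ("reg_set", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    "outbound_connection": ("net_connect", re.compile(r":\d+$")),
}
# One behaviour alone is weak evidence (installers also write to AppData, so a
# single rule would cause false positives); only the combination alerts.
WEIGHTS = {"copy_to_appdata": 2, "run_key_persistence": 2, "outbound_connection": 1}
THRESHOLD = 4

def parse_events(log):
    """Yield (pid, operation, target) tuples from the trace."""
    for line in log.splitlines():
        pid, op, target = line.split("|", 2)
        yield int(pid), op, target

def score_processes(log):
    """Return {pid: (score, sorted matched rule names)} per observed process."""
    hits = defaultdict(set)
    for pid, op, target in parse_events(log):
        for name, (rule_op, pattern) in RULES.items():
            if op == rule_op and pattern.search(target):
                hits[pid].add(name)
    return {pid: (sum(WEIGHTS[r] for r in rules), sorted(rules))
            for pid, rules in hits.items()}

def flagged(log, threshold=THRESHOLD):
    """PIDs whose combined behaviour score reaches the alert threshold."""
    return sorted(pid for pid, (score, _) in score_processes(log).items()
                  if score >= threshold)
```

Process 4120 combines all three behaviours and is flagged, while 5200 (a Word process writing a document and its own settings) matches no rule at all.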

Cloud Antivirus

Antivirus clouds: malicious campaigns aim to push hundreds or thousands of different files, produced with packers/crypters, that ultimately deliver the same virus/malware. This is a real brute-force attack against antivirus protection.
Static signature and heuristic detections have become too weak and ineffective in the face of these campaigns.
Antiviruses have consolidated and improved their protections through the "antivirus cloud": an extensive database fed by antivirus clients (yes, antivirus clients send various information about the files running on the computer; this can raise privacy issues, but that is not the subject of this article); conversely, antivirus clients can draw information from this database.
The antivirus cloud therefore offers various improvements, such as:

  • The ability to detect malicious items without updating the antivirus client. The protection is updated in real time in the cloud; there is no longer the 1 to 2 hour delay between the moment the antivirus vendor adds a new detection, builds a new version of the definition database, puts it online, and the client finally downloads it.
  • Antivirus vendors can perform data mining on these large databases and cross-reference data to provide broader and more accurate protection.
  • Antivirus vendors can also use various information, for example a file's "usage rate": if a file is rarely downloaded, it is potentially malicious. This is one of Symantec's particular approaches through its Suspicious.Insight detections.
  • This finally makes it possible to detect and follow new attacks and virus/malware campaigns more easily, in particular by country.
  • Finally, this can reduce the CPU/memory usage of the antivirus client, which now only embeds virus definitions in the form of a cache.
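An added example, not code from the article or from any vendor, of how a cloud lookup combines a lab verdict with the "usage rate" heuristic, and why a lab verdict reaches clients without a definition update; the database, thresholds and file contents are constructed for this example:

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class CloudRecord:
    verdict: Optional[str]  # "malicious", "clean", or None when only telemetry exists
    prevalence: int         # how many clients have reported this hash
    age_days: int           # days since the cloud first saw the hash

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed cloud database (hypothetical), keyed by file hash. The byte
# strings stand in for file contents; real entries hash actual executables.
CLOUD_DB = {
    sha256(b"widely used installer"): CloudRecord("clean", 250_000, 400),
    sha256(b"dropper analyzed by the lab"): CloudRecord("malicious", 12, 1),
    sha256(b"rare binary seen yesterday"): CloudRecord(None, 3, 0),
    sha256(b"rare but long-known admin tool"): CloudRecord(None, 40, 900),
}

def classify(data: bytes, db=CLOUD_DB, min_prevalence=20, min_age_days=30) -> str:
    """Cloud lookup: a lab verdict wins; otherwise apply the usage-rate heuristic."""
    rec = db.get(sha256(data))
    if rec is None:
        return "unknown"      # never seen by the cloud: candidate for sample submission
    if rec.verdict is not None:
        return rec.verdict
    if rec.prevalence < min_prevalence and rec.age_days < min_age_days:
        return "suspicious"   # rarely downloaded and new: the usage-rate signal
    return "low_risk"         # rare but long established, or widely used

def add_verdict(db: dict, data: bytes, verdict: str) -> None:
    """The lab publishes a verdict; every client gets it on its next lookup,
    with no definition update to download on the client side."""
    h = sha256(data)
    old = db.get(h) or CloudRecord(None, 0, 0)
    db[h] = CloudRecord(verdict, old.prevalence, old.age_days)
```

A repacked copy of the dropper hashes differently and comes back "unknown", which is the brute-force problem described above; its verdict then has to come from the usage-rate heuristic or from a lab analysis.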

The data collected can range from visited URLs to email subjects; the purpose is to use this information against malicious elements.
Example from Avast!:

WEB addresses also feed these cloud databases: when the laboratories receive a new file, it is analyzed automatically, and if the malware contacts specific WEB addresses, they are added to a blacklist.
In the same way, antiviruses perform Web Reputation and classify visited sites by theme to feed their parental control.

Keep in mind that antivirus clouds are uneven, because building such an infrastructure requires significant resources and the budgets of the different antivirus vendors are uneven.

Antivirus protections

Real-time protection

Real-time protection is an important module of the antivirus; it scans the files and URLs (web addresses) that pass through the computer.
When files are copied from external sources (file sharing, removable disks, internet downloads), real-time protection scans the new files arriving on the computer for viruses, as well as files handled by the user, running processes, etc.
The same happens with the URLs contacted by processes (web browsers, Windows processes and installed applications).

The FileRepMalware detection of Avast! corresponds to the cloud antivirus (which Avast! calls CyberCapture):

Real-time protection does the same through WEB protection, which blocks any malicious address.
If the antivirus detects a connection to an address known to be malicious, it issues an alert and blocks it.
There are two scenarios:

  • You are browsing and the site you are connecting to contacts a malicious address, either because it has been hacked or because a malicious ad is trying to redirect to a Web Exploit.
  • An advertising network is blacklisted by the antivirus; this can include some advertising networks found on illegal streaming sites, P2P sites, etc.

Note that Google does something similar through Google Safe Browsing.

In addition, the antivirus cloud also allows rating the sites in WEB search results, warning if they are malicious and blocking access to them. Below are some Google searches with the rating on each result (green tick or green star):

WEB protection

WEB protection blocks access to malicious sites or pages; it works like real-time file protection, but at the level of internet connections.
More information on the page: WEB protection of antivirus

Mail protection

This protection module aims to detect malicious emails, which most of the time carry malicious attachments.
Email viruses are still active and have picked up again since the end of 2015 with ransomware campaigns.
Some mail protections may also include an antispam (often in the security suites).

This makes it possible to protect the computer before the mails are even received, since malicious emails are intercepted by the antivirus.
Of course, if emails get through, or if you use an antivirus without email protection, real-time protection will block the malware/virus when you attempt to open the malicious attachment.

Also read: WEB protection of antivirus 2019

Quarantine antivirus

When a malicious element is detected, several choices are generally available to you.

  • Delete file: the file is deleted from the computer. This option is less and less common, so as not to cause problems in case of a false positive.
  • Access denied: not every antivirus offers this option. The malicious file remains in its original location but the antivirus prevents access to it.
  • Quarantine: the malicious file is moved to a control zone managed by the antivirus, where it can no longer interact with the system. The big advantage of this solution is that it allows the file to be restored in case of a false positive.

Every antivirus offers a Quarantine menu that allows you to restore a detected file.
Other options are sometimes offered, such as submitting the file to the antivirus vendor's lab for analysis.
When a file is detected as malicious, you can place it in quarantine; if you have a doubt about whether the threat is real, you can send the sample to the security vendor, who will tell you the status of the file.
If the file is clean, you can restore it.
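An added example (not the article's own code, and not any product's real format) of a quarantine store that masks the stored copy so it can no longer run, and keeps a metadata record so the file can be restored intact if the detection was a false positive; the storage layout, masking constant and sample file are assumptions made for this example:

```python
import hashlib, json, tempfile, uuid
from pathlib import Path

# Hypothetical quarantine layout: <id>.bin holds the masked bytes, <id>.json
# the record needed to put the file back. Masking keeps the stored copy from
# running or being re-detected by a scanner; it is not meant to be secret.
MASK = 0xA5  # arbitrary constant chosen for this example

def _mask(data: bytes) -> bytes:
    return bytes(b ^ MASK for b in data)  # XOR is its own inverse

def quarantine(path: Path, qdir: Path, detection: str) -> str:
    """Move `path` into `qdir`; return the quarantine entry id."""
    data = path.read_bytes()
    qid = uuid.uuid4().hex
    (qdir / f"{qid}.bin").write_bytes(_mask(data))
    meta = {"original_path": str(path.resolve()), "detection": detection,
            "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    (qdir / f"{qid}.json").write_text(json.dumps(meta))
    path.unlink()  # remove the original only once the copy is safely stored
    return qid

def restore(qid: str, qdir: Path) -> Path:
    """Put a quarantined file back; refuse if the stored copy is damaged."""
    meta = json.loads((qdir / f"{qid}.json").read_text())
    data = _mask((qdir / f"{qid}.bin").read_bytes())
    if hashlib.sha256(data).hexdigest() != meta["sha256"]:
        raise ValueError("quarantined copy does not match the recorded hash")
    dest = Path(meta["original_path"])
    dest.write_bytes(data)
    (qdir / f"{qid}.bin").unlink()
    (qdir / f"{qid}.json").unlink()
    return dest

def roundtrip_demo() -> dict:
    """Quarantine a constructed sample, then restore it; report each check."""
    with tempfile.TemporaryDirectory() as tmp:
        sample, qdir = Path(tmp) / "suspect.exe", Path(tmp) / "quarantine"
        qdir.mkdir()
        original = b"MZ constructed sample, not a real executable"
        sample.write_bytes(original)
        qid = quarantine(sample, qdir, "Example.Detection")
        stored = (qdir / f"{qid}.bin").read_bytes()
        gone = not sample.exists()
        restore(qid, qdir)
        return {"removed_from_place": gone, "stored_differs": stored != original,
                "restored_intact": sample.read_bytes() == original,
                "entry_cleared": not (qdir / f"{qid}.json").exists()}
```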

Antivirus scan

An antivirus scan consists of analyzing the computer to detect the presence of malware and clean it.
The antivirus will:

  • analyze running processes and their dependencies
  • analyze the elements that load when Windows starts (Run keys, Windows services, etc.)
  • analyze the files on the disk; two cases then arise:
    • you requested a full scan: all files on the disk are scanned
    • you requested a "smart" scan: the antivirus scans the files or folders likely to contain malware (user profile, Program Files and the Windows folder).

An antivirus scan can be useful after a real-time protection alert, or in case of doubt, to check the computer.
Also, keep in mind that malware or a virus can get into the computer because it was not detected by the antivirus at the time of the attack.
It is therefore recommended to update the virus definitions before performing a full scan of the computer.

Firewalls

Firewalls are network elements that allow or deny the establishment of a connection based on predefined rules.
Firewalls are usually included in antivirus security suites.
For more information on how a firewall works and why it matters, read our article: Firewalls on Windows

and the tutorial to secure your computer: How to secure Windows and Virus: Monitor Windows.