What Are Virus Scanners?

An antivirus program protects computers from malicious software such as Trojans, worms, spyware, and other malware. Antivirus software can detect, block, and remove malicious software.

What are virus scanners?

Virus scanners, often called malware scanners, can be divided into different types depending on their function. A common subdivision is:

  • Real-time scanners
  • Manual scanners
  • Online scanners

Real-time scanners are active on a computer in the background. They work as a system service under the Windows operating system and as a daemon under Unix. The antivirus software performs its work in real-time and constantly scans the executed programs, the computer’s traffic, and memory.

Whenever the computer accesses programs, memory, or online data, or saves and modifies files, the antivirus program searches for suspicious data. If the signature of malware is detected, the antivirus program blocks further access to the affected data. Users then usually have the choice of moving the file to a quarantine directory, deleting it, or repairing it.

Manual scanners start at the user’s manual request or automatically on a scheduled basis. Once started, the antivirus software scans the data on the computer for malicious software. If signatures are detected, manual scanners can delete, quarantine, or clean the affected files. Some manual scanners lack the virus removal function. They can only find malware, but not remove it.

Online scanners load virus signatures and their program code online over the Internet or another network. To check the data on the computer, they require an online connection. Often these scanners are run in addition to permanently installed virus programs in order to obtain a second independent opinion in the event of suspicious actions.

Important terms related to virus scanners

The term scan engine often comes up in connection with antivirus software. The scan engine is a fundamental part of the antivirus program. It performs the actual examination of the computer’s data and largely determines the efficiency of the antivirus program.

Virus scanners can work either reactively or proactively. Reactive programs can detect malware only after the manufacturer provides a signature for the corresponding malware. It is, therefore, necessary to keep the signatures constantly up to date. In the case of new malware, it may take some time before a signature is available. Until then, the reactive scanner cannot detect the malware.

Proactive virus scanners do not detect malware on the basis of signatures but examine programs according to certain characteristics (heuristics). They are theoretically able to detect new unknown viruses based on behavior alone. However, heuristic scanners may have an increased rate of false positives.

The EICAR file for testing antivirus software

The abbreviation EICAR stands for European Institute for Computer Anti-Virus Research e.V. It is a non-profit association that aims to improve anti-virus software and computer virus research. The association provides the self-developed EICAR test file for testing antivirus programs. The file does not cause any damage to a computer but is detected as a virus by virus scanners. The file can be used to quickly check whether the antivirus program installed on the computer is working properly.
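
The reactive and proactive approaches and the EICAR test file described above, shown as an added example that is not from the original article or from any antivirus product: a toy signature scanner and a toy heuristic run on constructed samples. The entropy threshold, the `MZ` header check, the sample bytes, and the signature name `Constructed.Sample.A` are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

# 68-byte EICAR test string, split in two so this source file is not itself flagged.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-"
         r"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")

def blob(seed, blocks=64):
    """Constructed high-entropy bytes standing in for packed or compressed content."""
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(blocks))

def signature_scan(data, signatures):
    """Reactive: return the names of known byte patterns found in data."""
    return [name for name, pattern in signatures.items() if pattern in data]

def entropy(data):
    """Shannon entropy in bits per byte (close to 8.0 for packed data)."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def heuristic_scan(data):
    """Proactive: flag executables that look packed; no signature needed."""
    looks_executable = data[:2] == b"MZ"      # DOS/PE header magic (assumed trait)
    looks_packed = entropy(data) > 7.0        # assumed threshold for this toy
    return looks_executable and looks_packed

def demo():
    signatures = {"EICAR-Test-File": EICAR}   # toy signature database
    new_malware = b"MZ" + blob(1)             # constructed: no signature exists yet
    installer = b"MZ" + blob(2)               # constructed: benign packed file
    results = {
        "eicar": signature_scan(EICAR, signatures),
        "new_before_update": signature_scan(new_malware, signatures),
        "new_heuristic": heuristic_scan(new_malware),
        "installer_heuristic": heuristic_scan(installer),  # false positive
        "text_heuristic": heuristic_scan(b"plain text notes\n" * 50),
    }
    signatures["Constructed.Sample.A"] = new_malware[:32]  # vendor ships a signature
    results["new_after_update"] = signature_scan(new_malware, signatures)
    results["installer_after_update"] = signature_scan(installer, signatures)
    return results

if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The signature scanner misses the constructed sample until its signature is added, while the heuristic catches it immediately but also flags the benign packed file.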