How Antivirus Software Works

Who I am
Aina Prat Blasi
Author and references

Antivirus programs are powerful software that is essential on Windows computers. If you've ever wondered how antivirus programs detect viruses, what they do on your computer, and if you need to run regular system scans, read on.

An antivirus program is an essential part of a multi-layered security strategy - even if you're a smart computer user, the constant stream of vulnerabilities to browsers, plug-ins, and the Windows operating system itself make antivirus protection important.

On-access scanning

Antivirus software runs in the background on your computer, check all the files you open. This is generally known as on-access scanning, background scanning, resident scanning, real-time protection, or something else, depending on the antivirus program.

When you double-click an EXE file, the program may appear to start immediately, but it doesn't. Your antivirus software first checks the program, comparing it to viruses, worms, and other known types of malware. Your antivirus software also performs "heuristic" checks, checking programs for types of bad behavior that could indicate a new, unknown virus.

Antivirus programs also scan for other types of files that may contain viruses. For example, a .zip archive file may contain compressed viruses or a Word document may contain a malicious macro. The files are scanned every time they are used, for example if you download an EXE file, it will be scanned immediately, even before opening it.

It is possible to use an antivirus without on-access scanning, but this is generally not a good idea: Viruses that exploit security holes in programs would not be detected by the scanner. After a virus has infected your system, it is much more difficult to remove. (It's also hard to be sure the malware was ever completely removed.)

Full system scans

Due to on-access scanning, there is usually no need to perform full system scans. If you download a virus to your computer, your antivirus program will notice it immediately - you don't have to manually start a scan first.

Full system scans can be useful for a few things, however. A full system scan is useful when you've just installed an antivirus program - it ensures there are no inactive viruses on your computer. Most antivirus programs set up scheduled full system scans, often once a week. This ensures that the latest virus definition files are used to scan the system for dormant viruses.

These full disk scans can also be helpful when repairing a computer. If you want to fix an already infected computer, it's helpful to insert its hard drive into another computer and run a full system scan for viruses (unless you do a full reinstall of Windows). However, there is usually no need to run full system scans when an antivirus program is already protecting you - it always scans in the background and runs its own regular, entire system scans.

Virus definitions

Antivirus software relies on virus definitions to detect malware. That's why it automatically downloads new updated definition files, once a day or even more often. Definition files contain signatures for viruses and other malware found in the wild. When an antivirus program scans a file and notices that the file matches known malware, the antivirus program stops executing the file, placing it in “quarantine”. Depending on the settings of your antivirus program, the antivirus program may automatically delete the file or you may be able to allow the file to run anyway, if you are sure that it is a false positive.

Antivirus companies need to be constantly updated with the latest malware, releasing definition updates that ensure that the malware is caught by their programs. Antivirus labs use a variety of tools to disassemble viruses, run them in sandboxes, and release timely updates that ensure users are protected against new malware.


Antivirus programs also use heuristics. Heuristics allows an antivirus program to identify new or changed types of malware, even without virus definition files. For example, if an antivirus program detects that a program running on your system is trying to open all EXE files on your system, infecting it by writing a copy of the original program into it, the antivirus program can detect this program as a new, unknown type. of viruses.

No antivirus program is perfect. The heuristics cannot be too aggressive or they will flag legitimate software as a virus.

False positives

Due to the large amount of software available, it's possible that antivirus programs may occasionally tell that a file is a virus when in fact it is a completely safe file. This is known as a "false positive". From time to time, antivirus companies even make mistakes like identifying Windows system files, popular third-party programs, or their antivirus program files as viruses. These false positives can harm users' systems - such errors generally end up in the news, such as when Microsoft Security Essentials identified Google Chrome as a virus, AVG damaged 64-bit versions of Windows 7, or Sophos identified itself as malware.

Heuristics can also increase the false positive rate. An antivirus may notice that a program behaves similarly to a malicious program and identifies it as a virus.

Despite this, false positives are quite rare in normal use. If your antivirus says a file is malicious, you should generally believe it. If you're not sure if a file is actually a virus, you can try uploading it to VirusTotal (which is now owned by Google). VirusTotal scans the file with a variety of different antivirus products and tells you what each of them say about it.

Detection rates

Different antivirus programs have different detection rates, in which both virus definitions and heuristics are involved. Some antivirus companies may have more effective heuristics and release more virus definitions than their competitors, resulting in a higher detection rate.

Some organizations regularly test antivirus programs against each other, comparing their detection rates in real use. AV-Comparitives regularly publishes studies that compare the current status of antivirus detection rates. Detection rates tend to fluctuate over time - there is no better product that is consistently on top. If you're really looking to see how effective an antivirus program is and which ones are the best out there, detection speed studies are the place.

Testing an Antivirus Program

If you want to check if an antivirus program is working correctly, you can use the EICAR test file. The EICAR file is a standard way to test antivirus programs - it's not actually dangerous, but antivirus programs behave as if they're dangerous, identifying it as a virus. This allows you to test the antivirus program's responses without using an active virus.

Antivirus programs are complicated software, and thick books may be written on this topic, but hopefully this article has made you quicker with the basics.

Further Reading:

  • How to uninstall Kaspersky Antivirus from Mac or PC
  • The best alternatives to Avast Antivirus
  • How to uninstall Norton Antivirus from any computer
  • How to uninstall Malwarebytes from any computer
  • Christmas sale: get Windows 10 Pro free and McAfee Antivirus and other anti-virus keys half price

add a comment of How Antivirus Software Works
Comment sent successfully! We will review it in the next few hours.