There are many different flavors of anti-virus software out there, but they can be broken down into several distinct kinds: signature scanners, heuristic scanners, integrity checkers, and activity blockers.
Signature scanning is what started off the anti-virus industry. It involves looking through, or “scanning”, executable files for a series of bytes that is also found in a particular virus. For example, if a known virus contains the byte sequence “00 11 22 33”, also known as a “signature”, and that same sequence is found in a program, the program will be reported as infected. While this sounds prone to error, most signature scanners do a very good job of catching infected programs while avoiding “false positives”, that is, reporting a program as infected when it is not.
The disadvantage of signature scanning is that new, as yet unidentified viruses will not be caught. On the other hand, if a known virus is caught, you will know exactly what you are dealing with and whether it carries a nasty payload.
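The following is an added example of the technique described above, not code from the original article. It scans files for byte sequences from a small, constructed signature database; the signature names “Demo.Boot.A” and “Demo.Overwriter.B”, their byte patterns and the sample files are all made up for the demo. It goes a little beyond the text by supporting a wildcard byte (`??`), which real signature databases use so that a variant differing in one operand byte is still caught.

```python
"""Minimal signature scanner.

Added example, not code from the original article. The signature database
and the byte strings it is tried against are constructed for the demo; the
names "Demo.Boot.A" and "Demo.Overwriter.B" are hypothetical."""
import re
from pathlib import Path

# Constructed signature database: name -> hex byte sequence. "??" is a
# wildcard byte. Real databases hold many thousands of entries.
SIGNATURES = {
    "Demo.Boot.A": "b4 03 b0 01 cd 13",      # mov ah,03h / mov al,01h / int 13h (constructed)
    "Demo.Overwriter.B": "de ad ?? be ef",   # constructed, one wildcard byte
}


def compile_signature(hex_sig: str) -> re.Pattern:
    """Turn 'de ad ?? be ef' into a regex that matches the raw bytes."""
    parts = []
    for token in hex_sig.split():
        if token == "??":
            parts.append(b".")                       # any single byte
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    # DOTALL so the wildcard also matches the newline byte 0x0a.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of every signature found in data (sorted)."""
    return sorted(name for name, pattern in COMPILED.items() if pattern.search(data))


def scan_file(path) -> list[str]:
    """Scan one file and return the signatures it contains."""
    return scan_bytes(Path(path).read_bytes())


def scan_tree(root, suffixes=(".exe", ".com", ".sys")) -> dict[str, list[str]]:
    """Scan every executable under root; return {path: [signatures]} for hits only."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            found = scan_file(p)
            if found:
                hits[str(p)] = found
    return hits


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed samples: one clean, one carrying Demo.Boot.A, one a
        # Demo.Overwriter.B variant whose wildcard byte happens to be 0x0a.
        Path(tmp, "clean.exe").write_bytes(b"MZ" + b"\x90" * 32)
        Path(tmp, "game.exe").write_bytes(b"MZ" + b"\x90\xb4\x03\xb0\x01\xcd\x13\x90")
        Path(tmp, "tool.com").write_bytes(b"\xde\xad\x0a\xbe\xef")
        for path, names in scan_tree(tmp).items():
            print(f"{path}: infected with {', '.join(names)}")
```

Note that any program which happens to contain the same bytes is reported as infected; that is exactly the false positive the text mentions. Real products keep it rare by choosing signatures from code that is unique to the virus and by checking near the program's entry point rather than anywhere in the file.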
Heuristic scanning is similar to signature scanning, except that instead of looking for specific signatures, heuristic scanning involves looking for certain instructions within a program, most of which aren’t found in typical application programs. For example, if it finds code in a program to write to the boot sector of a hard drive, it will likely alert the user that this program could be infected.
This method is more prone to error than signature scanning since legitimate programs (such as utilities or other anti-virus programs) could perform these actions, but it also has the advantage of being able to catch an unknown virus.
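The following is an added example of heuristic scanning as described above, not code from the original article. Rather than matching one known virus, it gives each suspicious instruction pattern a weight and flags a program whose total crosses a threshold. The rule set, weights, threshold and the three sample programs are constructed for the demo; the byte patterns do correspond to real DOS/BIOS calls (`mov ah,NN` followed by `int 13h` or `int 21h`), but a real engine disassembles the code instead of pattern-matching raw bytes.

```python
"""Heuristic scanner: score instruction patterns that ordinary application
programs rarely contain.

Added example, not code from the original article. Rules, weights,
threshold and samples are constructed for the demo."""
import re

# (description, regex over raw bytes, weight). ".{0,8}" allows a few
# instructions between loading AH and issuing the interrupt.
RULES = [
    ("writes disk sectors directly (INT 13h, AH=03h)",     rb"\xb4\x03.{0,8}\xcd\x13", 4),
    ("stays resident in memory (INT 21h, AH=31h)",        rb"\xb4\x31.{0,8}\xcd\x21", 3),
    ("searches for executable hosts ('*.EXE' / '*.COM')", rb"\*\.(?:EXE|COM)",         2),
    ("directory search (INT 21h, AH=4Eh find-first)",     rb"\xb4\x4e.{0,8}\xcd\x21", 1),
    ("writes to a file (INT 21h, AH=40h)",                rb"\xb4\x40.{0,8}\xcd\x21", 1),
]
COMPILED = [(desc, re.compile(pat, re.DOTALL), weight) for desc, pat, weight in RULES]

THRESHOLD = 5  # constructed; tuning this is the real trade-off between misses and false alarms


def heuristic_score(data: bytes) -> tuple[int, list[str]]:
    """Sum the weights of every rule that fires and list the reasons."""
    score = 0
    reasons = []
    for desc, pattern, weight in COMPILED:
        if pattern.search(data):
            score += weight
            reasons.append(desc)
    return score, reasons


def is_suspicious(data: bytes, threshold: int = THRESHOLD) -> bool:
    return heuristic_score(data)[0] >= threshold


# Constructed samples.
VIRUS_LIKE = b"\xb4\x4e\xcd\x21*.COM\xb4\x40\xcd\x21\xb4\x31\xcd\x21"   # find hosts, write, go resident
TEXT_EDITOR = b"\xb4\x40\xcd\x21Hello, world"                            # only writes a file
DISK_CACHE = b"\xb4\x03\xb0\x01\xcd\x13\xb4\x31\xcd\x21"                # legitimate TSR that writes sectors

if __name__ == "__main__":
    for name, blob in [("virus-like", VIRUS_LIKE), ("text editor", TEXT_EDITOR), ("disk cache", DISK_CACHE)]:
        score, reasons = heuristic_score(blob)
        verdict = "SUSPICIOUS" if score >= THRESHOLD else "ok"
        print(f"{name}: score {score} -> {verdict}; {'; '.join(reasons)}")
```

The third sample shows the weakness the text describes: a legitimate resident disk utility writes sectors directly and stays in memory, so it scores as high as the virus-like sample. The scanner never needed to know the virus beforehand, which is the strength; the cost is that the threshold and weights decide how many utilities get flagged along with it.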
An integrity checker works by checking the integrity, or state, of the system. Essentially, integrity checking involves running the program across every file on the disk, both programs and data files, and storing a checksum of each one so that you can run the integrity checker again at a later date and see what has changed. Often you will notice that data files change frequently. However, if you see that several executables have changed, that is something to be wary of: it is very rare for an executable to change its contents, and it warrants further investigation.
Integrity checkers don’t produce false alarms in the strict sense (a reported change really did happen), but they can cause a lot of confusion, especially if you see that a program has been modified but can’t figure out why. Nevertheless, they are incredibly useful: if you are recovering from a virus attack, you can tell whether data files have been corrupted as well as programs.
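The following is an added example of an integrity checker as described above, not code from the original article. It records a SHA-256 of every file under a directory, saves that baseline, compares a later snapshot against it, and singles out modified executables from the routine churn of data files. The file names, the list of “executable” suffixes and the baseline file name are constructed for the demo.

```python
"""Integrity checker: record a checksum of every file, compare later, and
single out modified executables.

Added example, not code from the original article. File names, the
executable-suffix list and the baseline file name are constructed."""
import hashlib
import json
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".com", ".sys", ".dll", ".bat"}  # constructed list


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict[str, str]:
    """Map every file under root (as a relative path) to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_snapshots(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def is_executable(path: str) -> bool:
    return Path(path).suffix.lower() in EXECUTABLE_SUFFIXES


def suspicious_changes(diff: dict[str, list[str]]) -> list[str]:
    """Modified executables: data files change all the time, programs should not."""
    return [p for p in diff["modified"] if is_executable(p)]


def save_baseline(snap: dict[str, str], path) -> None:
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path) -> dict[str, str]:
    return json.loads(Path(path).read_text())


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "disk")
        root.mkdir()
        (root / "CMD.EXE").write_bytes(b"MZ" + b"\x90" * 16)
        (root / "NOTES.TXT").write_text("todo")
        baseline_file = Path(tmp, "baseline.json")
        save_baseline(snapshot(root), baseline_file)   # keep this where a virus cannot reach it
        # Simulate normal work on a data file and an infection of a program.
        (root / "NOTES.TXT").write_text("todo: more")
        (root / "CMD.EXE").write_bytes(b"MZ" + b"\x90" * 8 + b"\xb4\x03\xcd\x13")
        diff = compare_snapshots(load_baseline(baseline_file), snapshot(root))
        print(diff)
        print("investigate:", suspicious_changes(diff))
```

Two practical caveats: the baseline and the checker itself are only worth anything if they are stored where an infected program cannot rewrite them (write-protected or off-line media), since a virus that can alter executables can just as easily alter a checksum file sitting next to them; and files that legitimately change on every run (logs, swap files) are best excluded up front so that real changes to programs are not buried in noise.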
The purpose of activity blockers is to intercept a virus currently being run, before it can infect another program or overwrite some data. They are generally loaded when your system starts up and stay in memory until you shut down your system.
The obvious advantage of an activity blocker is that it can catch a virus “in the act”, in case you forgot to scan that new game you bought before you ran it. The disadvantage of this however, is that it can give people a false sense of security and lull them into not scanning new programs before they run them.
So, which of the above technologies is the best? There is no single answer; as you can see, they all have their advantages and drawbacks. The best way to make use of these methods is to combine them. That’s why using more than one anti-virus product is recommended, as different products may make use of different (and multiple) methods of virus detection, keeping in mind that two resident activity blockers running at the same time can interfere with each other.