How does antivirus software work and detect viruses?

We already know what antivirus software is, but have you ever tried to understand how it works and why it needs to be updated regularly? How does it search a file for a virus, detect the virus, and then eliminate it or heal the file? Antivirus software relies on two basic techniques:

1. Dictionary based continuous and fragmented string search

2. Suspicious activity detection (process manipulation)


Dictionary based continuous and fragmented string search:

As the technique's name suggests, the "dictionary" is the virus definition database, which is updated as soon as a new virus is found (usually by the second technique). In a dictionary-based search, the antivirus software compares the contents of a file against the strings stored in the virus definition database.

Consider a hypothetical example. Suppose you have a file whose code looks like this:

ABCDEFGHIJKLMNOPQRSTUVWXYZ

When a virus infects a file, it manipulates the original file and adds some extra code or functionality to it, so that the file's behaviour changes from its normal functioning. After infection the file becomes something like this:

ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789

where 0123456789 is the string that virus has attached to the file after infection.

The antivirus database contains the string 012345. The scanner compares each string in the database with the strings in the program or code, and if one matches, it identifies the file as a virus.

Note: All of this processing is done on the binary form of the code, and sometimes on the executable.

If, however, you manipulate the virus string 0123456789 and insert some dead code between its characters, something like this:

0a1a2a3a4a5a6a7a8a9a

what we have done is insert 'a' between the characters of the virus string, but in such a way that 'a' does not affect the processing of the virus string. This means we have made a new virus: this string is not in the antivirus database, so the antivirus does not detect it.

How can you add dead code? Consider the string 0a1a2a3a4a5a6a7a8a9a: read it character by character, and whenever the character 'a' is found, skip it; otherwise append the character to a new variable and use that variable in the further processing of the code. This is how a virus is made undetectable.

Note: The suspicious activity technique might still detect this, since the functionality of the virus string is unchanged.

That is the main reason why antivirus software needs regular updates: antivirus companies add newly detected strings to their databases daily so that users remain protected.
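As an added illustration of the two search modes named in this section's heading (this is example code written for this page, not code from the original post or from any antivirus product), the following Python scanner holds a hypothetical one-entry virus definition database and checks the page's toy byte strings against it twice: once with a plain continuous string search, and once with a fragmented search that tolerates a bounded number of unrelated bytes between consecutive signature bytes. The file contents, the signature bytes and the detection name Toy.Virus.A are all constructed for the example.

```python
import re

# Constructed toy "files" from the page's example: plain ASCII bytes, not real malware.
CLEAN_FILE = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
INFECTED_FILE = CLEAN_FILE + b"0123456789"              # virus string appended
PADDED_VARIANT = CLEAN_FILE + b"0a1a2a3a4a5a6a7a8a9a"   # same string with 'a' dead code interleaved

# Hypothetical virus definition database: detection name -> signature bytes.
SIGNATURES = {
    "Toy.Virus.A": b"012345",
}


def continuous_scan(data: bytes, signatures: dict) -> list:
    """Dictionary search for an unbroken signature: the whole string must appear verbatim."""
    return [name for name, sig in signatures.items() if sig in data]


def fragmented_pattern(sig: bytes, max_gap: int):
    """Compile a signature into a regex that allows up to max_gap arbitrary bytes
    between consecutive signature bytes, so the fragments may be separated by filler."""
    fragments = [re.escape(bytes([b])) for b in sig]
    gap = b".{0,%d}?" % max_gap      # lazy: take the shortest filler that still matches
    return re.compile(gap.join(fragments), re.DOTALL)


def fragmented_scan(data: bytes, signatures: dict, max_gap: int = 4) -> list:
    """Dictionary search that still finds the signature when filler bytes are interleaved."""
    return [name for name, sig in signatures.items()
            if fragmented_pattern(sig, max_gap).search(data)]


def scan(data: bytes, signatures: dict = SIGNATURES, max_gap: int = 4) -> dict:
    """Run both searches and report which technique produced each hit."""
    return {
        "continuous": continuous_scan(data, signatures),
        "fragmented": fragmented_scan(data, signatures, max_gap),
    }


if __name__ == "__main__":
    samples = (("clean", CLEAN_FILE), ("infected", INFECTED_FILE), ("padded", PADDED_VARIANT))
    for label, blob in samples:
        print(label, scan(blob))
```

The continuous search catches the plainly infected file but misses the padded variant, while the fragmented search catches both; that is why real engines pair exact strings with wildcard or gapped patterns. Widening max_gap raises the chance that unrelated bytes in an ordinary file line up with a signature by accident, so engines keep gaps short and corroborate string hits with the behavioural check the page calls suspicious activity detection.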
