Antivirus program

from Wikipedia, the free encyclopedia

An antivirus program , virus scanner or virus protection program (abbreviation: AV) is software that creates malware such as B. detect, block and, if necessary, eliminate computer viruses , computer worms or Trojan horses .


Most of the computer viruses written in the early and mid-1980s were limited to pure self-reproduction and often did not necessarily have a specific malicious function. It was only when the virus programming technique became widely known that malicious programs began to appear that specifically manipulated or destroyed data on infected computers. This made it necessary to think about combating these harmful programs with special anti-virus programs.

There are competing claims as to who is the inventor of the first antivirus program. The first program to combat the Creeper worm in the ARPA-Net was developed in 1971. Probably the first publicly documented removal of a computer virus with a tool was performed by Bernd Fix in 1987. Fred Cohen , who had already made the topic of "computer viruses" public through his work in 1984, developed strategies for combating viruses from 1988 onwards, which were taken up and continued by later anti-virus programmers.

Also in 1988, a mailing list called VIRUS-L was created in the BITNET / EARN computer network, in which the emergence of new viruses and the options for combating viruses were discussed. Some of the participants on this list, such as John McAfee or Eugene Kaspersky , subsequently founded companies that developed and offered commercial antivirus programs. Four years earlier, in 1984, Arcen Data (now Norman ASA ) had already been founded, which also specialized in anti-virus programs at the end of the 1980s, with the appearance of the first computer viruses in Norway. Before an internet connection became common, viruses typically spread via floppy disks . Antivirus programs were sometimes used, but only updated irregularly. During this time, antivirus programs only checked executable programs and the boot sectors on floppy disks and hard drives. With the spread of the Internet, viruses began to infect new computers in this way and thus pose a more general threat.

Over time, it has become increasingly important for antivirus programs to scan various types of files (and not just executable programs) for hidden viruses. There were different reasons for this:

  • The use of macros in word processing programs such as Microsoft Word posed an additional virus risk. Virus programmers began to embed viruses as macros in documents. This meant that computers could be infected simply by running an embedded macro virus in a document.
  • Later e-mail programs, particularly Microsoft Outlook Express and Outlook , were vulnerable to viruses that were embedded in e-mails. This allowed a computer to be infected by opening and viewing an email.

With the increasing number of existing viruses, frequent updates of the anti-virus programs became necessary. But even under these circumstances, a new type of virus could spread rapidly in a short time before antivirus manufacturers could respond with an update.

Types of antivirus programs

Real-time scanner

The real-time scanner ( English on-access scanner, real-time protection, background guard ), also called on-access scanner or resident scanner is in the background as a system service ( Windows ) or daemon ( Unix active) and scans all files, programs, the memory and possibly . the HTTP - such as FTP traffic. In order to achieve this, so-called filter drivers are installed by the antivirus program, which provide the interface between the real-time scanner and the file system. If the real-time scanner finds something suspicious, it usually asks the user how to proceed. These are blocking access, deleting the file, moving it to quarantine or, if possible, attempting to repair it. In general, a distinction can be made between two strategies for real-time protection:

  1. Scan while opening files (reading)
  2. Scanning While Creating / Modifying Files (Write)

It can happen that a virus file was saved before a virus signature was available for it. After a signature update, however, it is possible to recognize it when it is opened. In this case, scanning when the file is opened is superior to scanning when the file is written. In order to reduce the load caused by the real-time scanner, some file formats , compressed files (archives) or the like are often only partially scanned or not at all.

Manual scanner

The manual scanner ( English on-demand scanner ), also known as a file scanner , must be started manually or time-controlled by the user (on-demand). If a scanner finds malicious software, a warning message appears and, as a rule, a query about the desired action: cleaning, quarantine or deletion of the infected file (s).

Online virus scanner

Online virus scanners are antivirus programs that load their program code and virus samples over a network (online). In contrast to permanently installed virus scanners, they only work in on-demand mode. This means that persistent protection through an on-access mode is not guaranteed. Online virus scanners are often also used as so-called second opinion scanners in order to obtain a “second opinion” on a possible infection in addition to the installed virus scanner.

There are also websites that make it possible to check individual files with various virus scanners. For this type of scan, the user has to actively upload the file himself, so it is a special form of on-demand scan.

Other scanners

  • In addition to the real-time and manual scanners, there are a number of other scanners.

Most of them work by analyzing network traffic. To do this, they scan the data stream and, in the event of an abnormality, carry out a defined operation, such as blocking the data traffic.

  • Another solution is to use proxy software . Some proxies allow the integration of antivirus software. If a file is downloaded in this way, it is first examined on the proxy and checked whether it is contaminated. Depending on the result, it is then either delivered to the client or blocked. A clear disadvantage, however, is the fact that this is virtually ineffective with end-to-end encryption. A variant of these proxy virus filters are mail relay servers with antivirus software, sometimes referred to as online virus filters (but see above). E-mails are first sent to the relay server, where they are scanned and rejected, quarantined or cleaned and then forwarded to the recipient's mail server.

Functionality and probability of success

Virus scanners can in principle only known malware (viruses, worms, Trojans, etc.) or malicious logic ( English Evil Intelligence seen) and therefore not against all viruses and worms protect. Virus scanners can therefore generally only be viewed as a supplement to general precautionary measures that do not make it unnecessary to be careful and act attentively when using the Internet. In an "international joint test" of 18 antivirus programs at the beginning of 2012 with 1,800 "current" pests used, Stiftung Warentest found values ​​of 36% to 96% detected signatures. Symantec Vice President Brian Dye admitted to the Wall Street Journal that antivirus software only recognizes around 45% of all attacks.

Basically, a distinction can be made between two techniques for detection. Due to the advantages and disadvantages of current virus scanners, both techniques are used to compensate for the weaknesses of the other.

  • Reactive: With this type of detection, malware is only detected when a corresponding signature (or known hash value in the cloud) has been made available by the manufacturer of the antivirus software. This is the classic type of virus detection that is used by practically all antivirus software.
    • Advantage: A signature can be created within a short time and therefore still forms the backbone of every scanner (with online connections also cloud-based recognition)
    • Disadvantage: Without updated signatures, no new malware will be detected.
  • Proactive : This refers to the detection of malware without a corresponding signature being available. With the rapid increase in new malware , such techniques are becoming increasingly important. Proactive processes are, for example, heuristics, behavior analysis or SandBox techniques.
    • Advantage: detection of unknown malware.
    • Disadvantage: The complex technology requires high development costs and long development cycles. In principle, proactive techniques have a higher false alarm rate than reactive ones.

Scan engines

A scan engine is the part of a virus scanner that is responsible for examining a computer or network for malware . A scan engine is therefore directly responsible for the efficiency of antivirus software. Scan engines are usually software modules that can be updated and used independently of the rest of a virus scanner. There is anti-virus software which, in addition to its own scan engine, also uses licensed scan engines from other AV manufacturers. Using multiple scan engines can theoretically increase the detection rate, but this always leads to drastic performance losses. It therefore remains questionable whether virus scanners with multiple scan engines make sense. That depends on the security requirement or the requirement for system performance and must be decided on a case-by-case basis.

The performance of a signature-based anti-virus scanner in detecting malicious files does not only depend on the virus signatures used. Often the executable files are packed in such a way before they are distributed that they can unpack themselves later (runtime compression). A known virus can escape detection by some scanners because they are not able to examine the content of the runtime-compressed archive. With these scanners, only the archive as such can be included in the signature. If the archive is repacked (without changing the content), this archive would also have to be included in the signature. A scanner with the ability to unpack as many formats as possible has an advantage here because it examines the content of the archive. Thus, the number of signatures used does not say anything about the recognition performance.

An engine contains several modules that are implemented and integrated differently depending on the manufacturer and interact with each other:

  • File format analysis (such as programs ( PE , ELF ), scripts ( VBS , JavaScript ), data files ( PDF , GIF ))
  • Pattern matcher (pattern recognition) for the classic signatures
  • Unpacking routines for
  • Code emulation (comparable to a kind of mini-sandbox or a sandbox uses it, useful for generic detection or for polymorphic malware)
  • Heuristics for different types (PE, scripts, macros )
  • Various filters (there is no need to search for PE signatures in ELF files or files blocked by access protection - either predefined rules or self-configured)

Also used or primarily for real-time protection:

  • Behavior analysis
  • Cloud technology
  • Sandbox


Some virus scanners also have the option of searching for general characteristics ( heuristics ) in order to detect unknown viruses, or they have a rudimentary intrusion detection system (IDS). The importance of this - preventive - type of detection is steadily increasing, as the periods in which new viruses and variants of a virus are brought into circulation (force onto the market) are becoming shorter and shorter. It is therefore becoming more and more complex and difficult for antivirus manufacturers to identify all malware in real time with a corresponding signature. Heuristics should only be seen as an additional function of the virus scanner. The actual detection of unknown malicious programs is rather low, since the malicious program authors mostly test their "works" with the most popular scanners and modify them so that they are no longer recognized.


In order to increase the detection of unknown viruses and worms, the Norwegian antivirus manufacturer Norman introduced a new technology in 2001 in which the programs are executed in a secure environment, the sandbox . Put simply, this system works like a computer within a computer. This is the environment in which the file is executed and analyzed to see what actions it is taking. If required, the sandbox can also provide network functions such as a mail or IRC server. When executing the file, the sandbox expects a behavior that is typical for this file. If the file deviates from this to a certain extent, the sandbox classifies it as a potential danger. It can differentiate between the following hazards:

As a result, it also provides output that shows what actions the file would have carried out on the system and what damage would have been caused. This information can also be useful for cleaning up an infected computer system. After testing by AV-Test, the sandbox technology enabled 39% of as yet unknown viruses and worms to be detected before a signature was available. Compared to a traditional heuristic, this is a real advance in proactive detection. The disadvantage of sandbox technology is that the code emulation makes it quite resource-intensive and slower than classic signature scanning. It is therefore primarily used in the laboratories of the antivirus manufacturers to improve the analysis and thus the reaction time.

Similar to online scanners, various providers provide web interfaces for their sandboxes for analyzing individual suspicious files (usually basic functions free of charge, extended functions for a fee).

Behavior analysis

The behavior analysis ( English Behavior Analysis / Blocking , often also referred to as host-based intrusion detection system , see NIDS ) is similar to SandBox and heuristics based on typical behavior to detect and block malicious programs. However, behavior analysis is only used for real-time monitoring, since the actions of a program - in contrast to the sandbox - are tracked on the real computer and can be obvious before a stimulus threshold (sum of suspicious actions) is exceeded or when certain rules are violated take destructive actions (format hard drive, delete system files). In behavior analysis, statistics ( Bayesian spam filter ), neural networks, genetic algorithms or other "trainable / adaptive" algorithms are often used.

Post detection

The Munich IT service provider Retarus is pursuing a new approach with its Patient Zero Detection solution. This forms hash values ​​for all attachments to e-mails that arrive via the IT service provider's infrastructure and writes them to a database. If an identical attachment is sorted out as virus-infected by a scanner at a later point in time, the messages that were previously sent with the malicious code can be subsequently identified using the checksum and the administrator and recipient can then be notified immediately. If the infected mails have not yet been opened, they can be deleted without being read; In any case, IT forensics is made easier.

Cloud technology

The fundamental difference between cloud technology and “normal” scanners is that the signatures are “in the cloud” (on the manufacturer's servers) and not on the local hard drive of your own computer or in the Type of signatures (hash values ​​instead of classic virus signatures such as byte sequence ABCD at position 123). The signatures are not cached locally for all products, so that without an internet connection only a reduced or no recognition performance is available. Some manufacturers offer a type of "cloud proxy" for companies that temporarily buffers hash values ​​locally. A great advantage of cloud technology is the response in almost real time. The manufacturers take different approaches. The programs Panda Cloud Antivirus (now works with a local cache), McAfee Global Threat Intelligence - GTI (formerly Artemis), F-Secure Realtime Protection Network, Microsoft Morro SpyNet and Immunet ClamAV for Windows as well as Symantec with Norton's SONAR 3 and that are known Kaspersky Security Network.

  1. The majority of manufacturers only transmit hash values. This means that if the file of a (malicious) program only changes by 1 bit, it will no longer be recognized. To date it is not known (although it can be assumed) whether manufacturers also use "fuzzy" hashes (e.g. ssdeep) that allow a certain tolerance.
  2. Incorrect identifications are minimized because the manufacturers' whitelists and blacklists are constantly updated with new hash values ​​for files.
  3. Resource saving: files that have already been analyzed are no longer laboriously re-analyzed in an emulator or sandbox at the end-user's computer.
  4. Statistical evaluation of the results at the manufacturer: Symantec is known that hash values ​​of new, unknown and less common files are classified as suspicious. This function has achieved inglorious notoriety, among other things, with Firefox updates.

Automatic update

The so-called auto, internet or live update function, with which current virus signatures are automatically downloaded from the manufacturer , is of particular importance with virus scanners. When enabled, the user will be regularly reminded to check for the latest updates or the software will check for them on its own. It is advisable to use this option to make sure that the program is really up to date.

Virus scanner problems

Since virus scanners intervene very deeply in the system, problems arise with some applications when they are scanned. Most of the time, these problems come into play with real-time scanning. In order to prevent complications with these applications, most virus scanners allow an exclusion list to be kept in which it can be defined which data should not be monitored by the real-time scanner. Common problems arise with:

  • Time-critical applications: Since the data is always scanned first, there is a certain delay. For some applications this is too big and they generate error messages or malfunctions. This behavior occurs particularly frequently when data is accessed via a network share and antivirus software is also running on this remote computer.
  • Databases (of any kind): Since databases are usually constantly accessed and they are often very large, the real-time scanner tries to scan them permanently. This can lead to timeout problems, increasing system load, damage to the database and even complete standstill of the respective computer system.
  • Mail server: Many mail servers store e-mails MIME or similarly encoded on the hard disk. Many real-time scanners can decode these files and remove viruses. However, since the e-mail server has no knowledge of this removal, it “misses” this file, which can also lead to malfunctions.
  • Parsing : Because anti-virus software examines many different, partly unknown file formats with the help of a parser, it can itself become the target of attackers.
  • Virus scanners often do not allow a second virus scanner to be run in parallel.
  • False positives, i.e. false alarms, which in some virus scanners lead to automatic deletion, renaming, etc. and are sometimes very difficult to turn off. After renaming it, the program “recognizes” this file again and renames it again.

Criticism of virus scanners

The reliability and effectiveness of virus scanners is often questioned. According to a survey from 2009, three quarters of the system administrators or network administrators questioned do not trust virus scanners. The main reason is the daily flood of the latest and most diverse variants of malware, which make the creation and distribution of signatures increasingly impractical. 40 percent of the administrators surveyed had already thought about removing the virus scanners because they had a negative impact on the system's performance. Virus scanners are often used because the company guidelines required this, according to the survey. However, this study was commissioned by a company that sold competing software that allowed programs to be run on the basis of positive lists . This "whitelisting" approach also has advantages and disadvantages depending on the area of ​​application. In 2008, said Eva Chen , CEO of Trend Micro that manufacturers of antivirus exaggerated the effectiveness of their products for 20 years and their clients have lied to them. Basically: no antivirus program can block all viruses, there are too many for that.

A security study in 2014 showed that almost all of the examined antivirus programs have a wide variety of errors and thus sometimes make the systems on which they are installed vulnerable.

Check the configuration of the virus scanner

The function of the virus scanner can be checked after installation and after major system updates. So that no “real” virus has to be used to test the virus scanner configuration, the European Institute of Computer Anti-virus Research has developed the so-called EICAR test file in conjunction with the virus scanner manufacturers . It is not a virus, but is recognized as a virus by every well-known virus scanner. This file can be used to test whether the anti-virus program is set up correctly and whether all the steps in the virus scanner are working properly.

Antivirus software

Antivirus software is available free of charge or as a paid offer. Commercial manufacturers often offer free versions with a reduced range of functions. In spring 2017, Stiftung Warentest came to the conclusion that there is good protection with security software free of charge. The following table provides an overview of the relevant manufacturers, products and brands.

Manufacturer Relevant products / brands Offers for the following platforms License German speaking including
free offers
GermanyGermany Avira Avira Antivirus Windows , macOS , Android , iOS Proprietary Yes Yes
United KingdomUnited Kingdom/ AvastCzech RepublicCzech Republic Avast antivirus Windows, macOS, Android, iOS Proprietary Yes Yes
AVG Antivirus Windows, macOS, Android Proprietary Yes Yes
RomaniaRomania Bitdefender Bitdefender Antivirus /

Bitdefender Internet Security

Windows, macOS, Android Proprietary Yes Yes
United KingdomUnited Kingdom BullGuard BullGuard AntiVirus Windows, macOS, Android Proprietary Yes yes (only mobile security)
United StatesUnited States Cisco
(acquired by Sourcefire )
ClamAV Windows, Unix-like (including Linux ) GPL No Yes
United StatesUnited States Comodo Group Comodo Internet Security Windows, macOS, Linux, Android Proprietary Yes Yes
New ZealandNew Zealand Emsisoft Emsisoft Anti-Malware Windows, Android Proprietary Yes No
SlovakiaSlovakia ESET ESET NOD32 Antivirus / Internet Security Windows, macOS, Linux, Android Proprietary Yes No
FinlandFinland F-Secure Corporation F-Secure Anti-Virus Windows, macOS, Android Proprietary Yes No
GermanyGermany G Data CyberDefense G Data Antivirus Windows, macOS, Android, iOS Proprietary Yes No
AustriaAustria IKARUS security software IKARUS Windows, Linux, Android Proprietary Yes No
RussiaRussia Kaspersky Lab Kaspersky Anti-Virus Windows, macOS, Android, iOS Proprietary Yes Yes
United StatesUnited States Malwarebytes Malwarebytes Anti-Malware Windows, macOS, Android proprietary Yes Yes
United StatesUnited States McAfee

(owned by TPG , Thoma Bravo and Intel )

McAfee VirusScan Windows, macOS, Android, iOS Proprietary Yes No
United StatesUnited States Microsoft Windows Defender Antivirus Windows Proprietary Yes Yes
United StatesUnited States NortonLifeLock (formerly Symantec ) Norton AntiVirus Windows, macOS, Android, iOS Proprietary Yes No
China People's RepublicPeople's Republic of China Qihoo 360 360 total security Windows, macOS, Android, iOS Proprietary Yes Yes
SpainSpain Panda Security Panda Security Windows, macOS, Android Proprietary Yes Yes
JapanJapan Trend Micro Trend Micro Windows, macOS, Android Proprietary Yes No
United KingdomUnited Kingdom Sophos Sophos Endpoint Security and Control Windows, macOS, Unix-like (including Linux) Proprietary Yes No
IsraelIsrael Check point ZoneAlarm Antivirus Windows, Android Proprietary Yes Yes

Web links

Wiktionary: Antivirus program  - explanations of meanings, word origins, synonyms, translations

Individual evidence

  1. A Brief History of Viruses.
  2. Kaspersky Lab Virus list ( Memento from July 13, 2009 in the Internet Archive )
  3. Joe Wells: Virus timeline . IBM . August 30, 1996. Retrieved June 6, 2008.
  4. Fred Cohen 1984 "Computer Viruses - Theory and Experiments"
  5. ^ Fred Cohen: On the implications of Computer Viruses and Methods of Defense ., 1988
  6. Archive of the VIRUS-L mailing list.
  7. (PDF) Timeline on the website of Norman ASA (English)
  8. ^ (II) Evolution of computer viruses . Panda Security. April 2004. Retrieved June 20, 2009.
  9. Peter Szor : The Art of Computer Virus Research and Defense . Addison-Wesley , 2005, ISBN 0-321-30454-3 , pp. 66-67.
  10. Protecting Microsoft Outlook against Viruses . Slipstick Systems. February 2009. Retrieved June 18, 2009.
  11. Antivirus manufacturer upset about Stiftung Warentest. April 4, 2012, Retrieved September 11, 2012 .
  12. The Antivirus Lexicon: What actually means ... In: heise Security. Retrieved March 6, 2018 .
  13. Attack from the Internet. April 13, 2012. Retrieved September 11, 2012 .
  14. Jörg Thoma: Symantec Vice President Brian Dye - Antivirus software only detects around 45% of all attacks .; Retrieved May 5, 2014
  15. The Antivirus Lexicon: What actually means ... In: heise Security. Retrieved March 6, 2018 .
  16. What is heuristic analysis? In: Netzsieger . September 1, 2017 ( [accessed March 6, 2018]).
  17. Test report from 2004 on, ZIP format ( Memento from February 6, 2006 in the Internet Archive )
  18. ISecLab
  19. Anubis ( Memento from June 21, 2012 in the Internet Archive )
  20. Wepawet ( Memento from March 17, 2009 in the Internet Archive ) (project of the Vienna University of Technology, Eurecom France and UC Santa Barbara)
  21. ZeroWINE (OpenSource)
  22. Norman Sandbox ( Memento from October 19, 2009 in the Internet Archive )
  23. CW sandbox
  24. ThreatExpert
  25. Joebox ( Memento from December 17, 2010 in the Internet Archive )
  26. Malte Jeschke: E-Mail Security: Identifying Patient Zero . TechTarget. February 1, 2017. Retrieved March 8, 2017.
  27. ^ Jürgen Schmidt: Protective claim . In: c't magazine . No. 2 , 2009, p. 77 ( ).
  29. ^ Pedro Bustamante: Arguments against cloud-based antivirus - A cloud-based antivirus needs to check everything against the cloud. Takes more time . Panda. December 1, 2009. Retrieved June 21, 2010.
  30. McAfee Global Threat Intelligence Technology ( Memento from December 23, 2010 in the Internet Archive )
  31. DeepGuard - The fastest protection in the online world ( Memento from April 6, 2010 in the Internet Archive )
  33. Clam AV: Windows Antivirus ( Memento from December 13, 2011 in the Internet Archive )
  35. ssdeep
  36. Norton false positive with Firefox update . Hot. June 28, 2010. Retrieved February 27, 2011.
  37. ( Memento of the original from November 22, 2008 in the Internet Archive ) Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. @1@ 2Template: Webachiv / IABot /
  38. Anti-Virus Parsing Engines ( Memento from July 9, 2008 in the Internet Archive )
  39. Three quarters of admins do not trust the virus scanner
  42. Tom Espiner: Trend Micro: Antivirus industry song for 20 years . ZDNet . June 30, 2008. Retrieved December 25, 2018.
  43. Kim Rixecker: Security Study: Virus scanners make computers vulnerable ., July 30, 2014.
  44. Joxean Koret: Breaking antivirus software . (PDF; 2.9 MB) COSEINC, SYSCAN 360, 2014.
  45. Virus protection programs. Federal Office for Information Security , accessed on August 29, 2016 .
  46. Security software: which programs successfully ward off attacks. Stiftung Warentest, accessed on May 9, 2017 .