Antivirus software
Adapted from Wikipedia
Antivirus software, often called AV software or anti-malware, is a type of software that helps keep computers safe. Its main job is to stop, find, and get rid of harmful programs called malware.
At first, antivirus software was made just to fight computer viruses, which is why it is called “antivirus.” But as more kinds of harmful programs appeared, these tools grew to protect computers from many different threats. Some antivirus programs also guard against dangerous URLs, unwanted spam, and tricky messages that try to steal information, known as phishing.
Having antivirus software is important because it helps keep personal information safe and makes sure computers run smoothly by removing anything that could cause problems or slow things down.
History
1971–1980: Pre-antivirus
The first known computer virus appeared in 1971 and was called the "Creeper virus". This virus infected Digital Equipment Corporation's (DEC) PDP-10 mainframe computers.
The Creeper virus was removed by a program called "The Reaper", created by Ray Tomlinson. Some consider The Reaper to be the first antivirus software. It was designed to delete the Creeper virus.
Other viruses followed, like "Elk Cloner" in 1981, which infected Apple II computers.
1980–1990: Early days
Different people and companies started creating antivirus programs. In 1985, Sophos was founded in the United Kingdom. In 1987, John McAfee founded McAfee and released the first version of VirusScan.
In 1987, it was first written down that there is no perfect way to detect all viruses.
The first two special programs to find and remove viruses were released at the end of 1987.
Many companies started making antivirus software in the late 1980s, including Avira in Germany, Avast Software in Czechoslovakia, and AhnLab in South Korea.
1990–2000: Emergence of the antivirus industry
More companies began making antivirus programs. In 1991, Symantec released the first version of Norton AntiVirus. In the same year, AVG Technologies was founded in the Czech Republic.
In 1996, Bitdefender was founded in Romania. In 1997, Kaspersky Lab was founded in Russia by Eugene Kaspersky and Natalya Kaspersky.
2000–2005
Open source antivirus projects began. In 2001, the first version of ClamAV was released.
2005–2014
Antivirus companies started using new methods to detect threats, including checking emails and using online services.
In 2008, McAfee added a new online feature to its VirusScan.
2014–present: Rise of next-gen, market consolidation
New ways to protect computers appeared, using learning and behavior detection. Traditional companies added these new methods to their products.
Since 2016, many companies have bought others. In 2024, Pango Group merged with Total Security to form Point Wild.
Today, many people use built-in antivirus protection, but some still use separate programs. Most users are between 35 and 45 years old, while younger people often use other tools for safety.
Identification methods
In 1987, a computer expert showed that it's impossible to create a program that can find every possible virus. But by using different ways to protect computers, we can still catch most viruses.
There are several ways that antivirus programs can find harmful software. One way is called sandbox detection. This method runs programs in a special fake environment to see what they do. If the program seems safe, it is then allowed to run on the real computer. Another method uses data mining and machine learning to look at features of a file and decide if it looks harmful.
Traditional antivirus software looks for known patterns, called signatures, of viruses. When a new virus is found, experts study it and add its pattern to the antivirus's list. However, some viruses change their appearance to avoid being caught.
Some antivirus programs also look for rootkits, which are a type of harmful software that tries to control a computer without being noticed. These can be hard to remove.
Most antivirus programs offer real-time protection, which watches for suspicious activity as you use your computer. This includes checking files when you open them and scanning new apps as they are installed.
Modern antivirus software also uses machine learning, where the program learns from lots of examples to tell if something is harmful. This helps catch new viruses, but it can sometimes struggle with viruses that change their appearance.
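The following Python program is an added illustration of signature matching as described above; it is not code from the Wikipedia article or from any antivirus product. The sample "files", the signature names and the hex pattern are all constructed for the example. It shows two kinds of signature: an exact file hash, which matches only the identical file, and a byte pattern with "??" wildcards (the style ClamAV signatures use), which still matches a copy that differs by one byte. A virus that changes its whole appearance would escape both, which is why real-time behaviour checks, sandboxes and machine learning are used alongside signatures.

```python
import hashlib
import re

# Constructed sample "files": harmless byte strings standing in for executables.
# SAMPLE_B differs from SAMPLE_A by a single byte, the kind of small change a
# virus makes when it alters its appearance.
SAMPLE_A = b"MZ\x90\x00" + b"\x00" * 8 + b"PAYLOAD-v1:echo hello" + b"\x00" * 4
SAMPLE_B = b"MZ\x90\x00" + b"\x00" * 8 + b"PAYLOAD-v2:echo hello" + b"\x00" * 4
CLEAN = b"MZ\x90\x00" + b"\x00" * 8 + b"hello world" + b"\x00" * 4

# Signature list, as an analyst would add it after studying a sample.
# Exact-hash signatures match only the identical file.
HASH_SIGNATURES = {hashlib.sha256(SAMPLE_A).hexdigest(): "Test.SampleA.Exact"}
# Byte-pattern signatures are hex strings in which "??" matches any one byte,
# so a whole family with small variations can share one entry.
PATTERN_SIGNATURES = {"Test.Payload.Family": "5041594c4f41442d76??3a"}  # "PAYLOAD-v" ?? ":"


def compile_pattern(hexsig):
    """Turn a hex signature with ?? wildcards into a compiled bytes regex."""
    parts = []
    for i in range(0, len(hexsig), 2):
        token = hexsig[i:i + 2]
        parts.append(b"." if token == "??" else re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data):
    """Return the names of all signatures that match the given file bytes."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for name, hexsig in PATTERN_SIGNATURES.items():
        if compile_pattern(hexsig).search(data):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, sample in [("SAMPLE_A", SAMPLE_A), ("SAMPLE_B", SAMPLE_B), ("CLEAN", CLEAN)]:
        print(label, scan(sample))
```

Running it shows SAMPLE_A matching both signatures, SAMPLE_B matching only the wildcard pattern, and the clean file matching nothing. Real scanners add far more on top of this (unpacking compressed files, emulating code, checking behaviour), but the matching step at the core is this simple, and so are its limits.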
Issues of concern
Unexpected renewal costs
Some commercial antivirus software includes a clause that the subscription will be automatically renewed, and the purchaser's credit card automatically billed, at the renewal time without explicit approval. For example, McAfee requires users to unsubscribe at least 60 days before the expiration of the present subscription, while Bitdefender sends notifications to unsubscribe 30 days before the renewal. Norton AntiVirus also renews subscriptions automatically by default.
Rogue security applications
Some apparent antivirus programs are actually malware masquerading as legitimate software, such as WinFixer, MS Antivirus, and Mac Defender.
Problems caused by false positives
A "false positive" or "false alarm" is when antivirus software identifies a non-malicious file as malware. When this happens, it can cause serious problems. For example, if an antivirus program is configured to immediately delete or quarantine infected files, as is common on Microsoft Windows antivirus applications, a false positive in an essential file can render the Windows operating system or some applications unusable. Recovering from such damage to critical software infrastructure incurs technical support costs and businesses can be forced to close whilst remedial action is undertaken.
Examples of serious false positives:
- May 2007: a faulty virus signature issued by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable to boot.
- May 2007: the executable file required by Pegasus Mail on Windows was falsely detected by Norton AntiVirus as being a Trojan and it was automatically removed, preventing Pegasus Mail from running. Norton AntiVirus had falsely identified three releases of Pegasus Mail as malware, and would delete the Pegasus Mail installer file when that happened. In response to this, Pegasus Mail stated:
On the basis that Norton/Symantec has done this for every one of the last three releases of Pegasus Mail, we can only condemn this product as too flawed to use, and recommend in the strongest terms that our users cease using it in favour of alternative, less buggy anti-virus packages.
- April 2010: McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all network access.
- December 2010: a faulty update on the AVG anti-virus suite damaged 64-bit versions of Windows 7 by creating an endless boot loop, rendering the system unable to boot.
- October 2011: Microsoft Security Essentials (MSE) removed the Google Chrome web browser, rival to Microsoft's own Internet Explorer. MSE flagged Chrome as a Zbot banking trojan.
- September 2012: Sophos' anti-virus suite identified various update mechanisms, including its own, as malware. If it was configured to automatically delete detected files, Sophos Antivirus could render itself unable to update and required manual intervention to fix the problem.
- September 2017: the Google Play Protect anti-virus started identifying Motorola's Moto G4 Bluetooth application as malware, causing Bluetooth functionality to become disabled.
- September 2022: Microsoft Defender flagged all Chromium-based web browsers and Electron-based apps such as WhatsApp, Discord and Spotify as a severe threat.
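Every incident in the list above did its damage because the product deleted or removed a file it had misidentified, with no way back. The Python program below is an added example, not code from the Wikipedia article or from any antivirus product, of the two safeguards that limit this damage: a quarantine that moves files and records where they came from, so a false positive can be undone, and a list of protected file names (constructed here as just svchost.exe, the file from the April 2010 incident) that the engine refuses to remove automatically. The demo() walkthrough, the file contents and the detection name are all constructed.

```python
import hashlib
import json
import os
import shutil
import tempfile
import uuid

# File names the engine must never remove on its own. Constructed for this
# example; a real product ships a curated list of critical operating-system files.
PROTECTED_NAMES = {"svchost.exe"}


class Quarantine:
    """Reversible quarantine: files are moved, not deleted, and logged in a manifest."""

    def __init__(self, root):
        self.root = root
        self.manifest = os.path.join(root, "manifest.json")
        os.makedirs(root, exist_ok=True)
        if not os.path.exists(self.manifest):
            self._save({})

    def _load(self):
        with open(self.manifest) as f:
            return json.load(f)

    def _save(self, entries):
        with open(self.manifest, "w") as f:
            json.dump(entries, f)

    def isolate(self, path, detection):
        """Move a detected file into quarantine and return a ticket id for it."""
        if os.path.basename(path).lower() in PROTECTED_NAMES:
            # A detection on a protected file is reported, never acted on automatically.
            raise PermissionError("refusing to quarantine protected file: " + path)
        original = os.path.abspath(path)
        with open(original, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        ticket = uuid.uuid4().hex
        shutil.move(original, os.path.join(self.root, ticket + ".quar"))
        entries = self._load()
        entries[ticket] = {"original_path": original, "sha256": digest, "detection": detection}
        self._save(entries)
        return ticket

    def restore(self, ticket):
        """Put a quarantined file back where it came from (undoing a false positive)."""
        entries = self._load()
        entry = entries.pop(ticket)
        stored = os.path.join(self.root, ticket + ".quar")
        with open(stored, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != entry["sha256"]:
                raise ValueError("quarantined copy was altered; not restoring")
        shutil.move(stored, entry["original_path"])
        self._save(entries)
        return entry["original_path"]


def demo():
    """Constructed walkthrough in a temporary directory; returns what happened."""
    work = tempfile.mkdtemp()
    try:
        q = Quarantine(os.path.join(work, "quarantine"))
        app = os.path.join(work, "app.exe")
        with open(app, "wb") as f:
            f.write(b"harmless application bytes")
        ticket = q.isolate(app, "Test.FalsePositive")  # wrongly flagged file
        removed = not os.path.exists(app)
        with open(q.restore(ticket), "rb") as f:
            restored = f.read()
        system_file = os.path.join(work, "svchost.exe")
        with open(system_file, "wb") as f:
            f.write(b"pretend system binary")
        try:
            q.isolate(system_file, "Test.FalsePositive")
            refused = False
        except PermissionError:
            refused = True
        return {"removed": removed, "restored": restored, "refused_protected": refused}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

The manifest stores the original path and a hash of the file, so the restore step can check that nothing tampered with the quarantined copy before putting it back. Configuring a product to quarantine rather than delete is the setting that turns an incident like the ones above from a rebuild into a one-click restore.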
System and interoperability related issues
Running (the real-time protection of) multiple antivirus programs concurrently can degrade performance and create conflicts. However, using a concept called multiscanning, several companies (including G Data Software and Microsoft) have created applications which can run multiple engines concurrently.
It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or updating graphics card drivers. Active antivirus protection may partially or completely prevent the installation of a major update. Anti-virus software can cause problems during the installation of an operating system upgrade, e.g. when upgrading to a newer version of Windows "in place"—without erasing the previous version of Windows. Microsoft recommends that anti-virus software be disabled to avoid conflicts with the upgrade installation process. Active anti-virus software can also interfere with a firmware update process.
The functionality of a few computer programs can be hampered by active anti-virus software. For example, TrueCrypt, a disk encryption program, states on its troubleshooting page that anti-virus programs can conflict with TrueCrypt and cause it to malfunction or operate very slowly. Anti-virus software can impair the performance and stability of games running in the Steam platform.
Support issues also exist around antivirus application interoperability with common solutions like SSL VPN remote access and network access control products. These technology solutions often have policy assessment applications that require an up-to-date antivirus to be installed and running. If the antivirus application is not recognized by the policy assessment, whether because the antivirus application has been updated or because it is not part of the policy assessment library, the user will be unable to connect.
Effectiveness
Studies in December 2007 showed that the effectiveness of antivirus software had decreased in the previous year, particularly against unknown or zero-day attacks. The computer magazine c't found that detection rates for these threats had dropped from 40–50% in 2006 to 20–30% in 2007. At that time, the only exception was the NOD32 antivirus, which managed a detection rate of 68%. According to the ZeuS tracker website, the average detection rate for all variants of the ZeuS trojan is as low as 40%.
The problem is magnified by the changing intent of virus authors. Some years ago it was obvious when a virus infection was present. At the time, viruses were written by amateurs and exhibited destructive behavior or pop-ups. Modern viruses are often written by professionals, financed by criminal organizations.
In 2008, Eva Chen, CEO of Trend Micro, stated that the anti-virus industry has over-hyped how effective its products are—and so has been misleading customers—for years.
Independent testing on all the major virus scanners consistently shows that none provides 100% virus detection. The best ones provided as high as 99.9% detection for simulated real-world situations, while the lowest provided 91.1% in tests conducted in August 2013. Many virus scanners produce false positive results as well, identifying benign files as malware.
Although methods may differ, some notable independent quality testing agencies include AV-Comparatives, ICSA Labs, SE Labs, West Coast Labs, Virus Bulletin, AV-TEST and other members of the Anti-Malware Testing Standards Organization.
New viruses
Anti-virus programs are not always effective against new viruses, even those that use non-signature-based methods that should detect new viruses. The reason for this is that the virus designers test their new viruses on the major anti-virus applications to make sure that they are not detected before releasing them into the wild.
Some new viruses, particularly ransomware, use polymorphic code to avoid detection by virus scanners. Jerome Segura, a security analyst with ParetoLogic, explained:
It's something that they miss a lot of the time because this type of [ransomware virus] comes from sites that use a polymorphism, which means they basically randomize the file they send you and it gets by well-known antivirus products very easily. I've seen people firsthand getting infected, having all the pop-ups and yet they have antivirus software running and it's not detecting anything. It actually can be pretty hard to get rid of, as well, and you're never really sure if it's really gone. When we see something like that usually we advise to reinstall the operating system or reinstall backups.
A proof of concept virus has used the Graphics Processing Unit (GPU) to avoid detection from anti-virus software. The potential success of this involves bypassing the CPU in order to make it much harder for security researchers to analyse the inner workings of such malware.
Rootkits
Detecting rootkits is a major challenge for anti-virus programs. Rootkits have full administrative access to the computer and are invisible to users and hidden from the list of running processes in the task manager. Rootkits can modify the inner workings of the operating system and tamper with antivirus programs.
Damaged files
If a file has been infected by a computer virus, anti-virus software will attempt to remove the virus code from the file during disinfection, but it is not always able to restore the file to its undamaged state. In such circumstances, damaged files can only be restored from existing backups or shadow copies (this is also true for ransomware); installed software that is damaged requires re-installation (however, see System File Checker).
Firmware infections
Any writeable firmware in the computer can be infected by malicious code. This is a major concern, as an infected BIOS could require the actual BIOS chip to be replaced to ensure the malicious code is completely removed. Anti-virus software is not effective at protecting firmware and the motherboard BIOS from infection. In 2014, security researchers discovered that USB devices contain writeable firmware which can be modified with malicious code (dubbed "BadUSB"), which anti-virus software cannot detect or prevent. The malicious code can run undetected on the computer and could even infect the operating system prior to it booting up.
Performance and other drawbacks
Antivirus software can sometimes slow down a computer because it uses a lot of the computer's power to work.
It can also make users feel too safe, thinking their computer can't get any problems. This might cause them to make mistakes when they see alerts from the software. Sometimes, the software might think something safe is dangerous (false positive), which can be confusing.
Because antivirus software works very closely with the operating system, it can sometimes be a weak spot that others might try to use to cause trouble. Experts have noted that other programs like web browsers or document readers are often harder to attack than many antivirus products.
Alternative solutions
While antivirus software on individual computers is the most common way to protect against harmful programs, there are other methods too. These include using Unified Threat Management (UTM), hardware and network firewalls, Cloud-based antivirus, online scanners, and Content Disarm & Reconstruction (CDR).
Network firewalls help by stopping unknown programs from accessing your computer. They can block harmful requests but do not remove harmful programs already on your computer.
Cloud antivirus uses a small program on your computer and does most of its work online. It can check files using many different methods at once to find threats faster. Some examples include Panda Cloud Antivirus and Immunet.
Online scanning lets you check your computer using websites provided by antivirus companies. This can help find threats that your regular antivirus might miss.
CDR protects networks by rebuilding files to remove any parts that don’t follow the usual rules. This helps stop new and unknown threats.
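To make the "rebuilding" idea concrete, here is an added example in Python of a CDR-style rebuild for PNG images; it is not code from the Wikipedia article or from any CDR product. A PNG is a sequence of chunks, each with a type, a body and a checksum. The rebuilder reads every chunk, keeps only the types a decoder needs (IHDR, PLTE, IDAT, IEND) and only when their checksum is correct, confirms the image data actually decodes, and then writes a fresh file from those parts alone. Text chunks, unknown chunk types and corrupt chunks never reach the new file, whatever they contain. The sample image, with its extra text chunk and a made-up "eXtr" chunk with a deliberately wrong checksum, is constructed inside the program.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types a minimal decoder needs. Everything else (text, timestamps,
# unknown types, chunks with bad checksums) is left out of the rebuilt file.
ALLOWED = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def make_chunk(ctype, body, bad_crc=False):
    """Encode one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    if bad_crc:
        crc ^= 1  # deliberately corrupt, to simulate a malformed chunk
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def parse_chunks(data):
    """Yield (type, body, crc_ok) for each chunk; raise on anything malformed."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError("truncated chunk")
        crc_ok = struct.unpack(">I", crc_bytes)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        yield ctype, body, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            break


def rebuild(data):
    """CDR-style rebuild: keep only allowed, checksum-valid chunks and re-encode them.
    Returns (clean_png, list_of_dropped_chunk_types)."""
    kept, dropped = [], []
    for ctype, body, crc_ok in parse_chunks(data):
        if ctype in ALLOWED and crc_ok:
            kept.append((ctype, body))
        else:
            dropped.append(ctype.decode("latin-1"))
    types = [c for c, _ in kept]
    if not types or types[0] != b"IHDR" or types[-1] != b"IEND" or b"IDAT" not in types:
        raise ValueError("rebuilt file would not be a valid PNG")
    # The image stream itself must decode; otherwise the file is not worth rebuilding.
    zlib.decompress(b"".join(body for c, body in kept if c == b"IDAT"))
    return PNG_SIG + b"".join(make_chunk(c, b) for c, b in kept), dropped


def build_sample():
    """Constructed 1x1 grey PNG carrying a text chunk and an unknown, corrupt chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return (PNG_SIG
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"tEXt", b"Comment\x00constructed metadata")
            + make_chunk(b"IDAT", idat)
            + make_chunk(b"eXtr", b"bytes no decoder understands", bad_crc=True)
            + make_chunk(b"IEND", b""))


if __name__ == "__main__":
    clean, dropped = rebuild(build_sample())
    print("dropped:", dropped, "rebuilt size:", len(clean))
```

The rebuilt file keeps only IHDR, IDAT and IEND; the tEXt and eXtr chunks are reported as dropped. This is the trade-off CDR makes: harmless extras such as comments or colour profiles are lost too, in exchange for never having to decide whether an unusual part of a file is dangerous.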
Special tools can help remove tough infections. Examples include the Windows Malicious Software Removal Tool, Kaspersky Virus Removal Tool, and Sophos Scan & Clean. Sometimes, antivirus software can mistakenly say there is an infection when there isn’t.
A rescue disk, like a CD or USB, can run antivirus software when your computer can’t start normally or when harmful programs won’t let regular antivirus work. Examples include the Kaspersky Rescue Disk, Trend Micro Rescue Disk, and Comodo Rescue Disk.
Usage and risks
Big businesses lose a lot of money each year because of virus problems. In 2009, a study showed that many smaller businesses did not have antivirus software to protect their computers. However, most people at home had some kind of antivirus installed on their devices. Another study in 2010 found that almost half of all women did not use any antivirus program at all.
This article is a child-friendly adaptation of the Wikipedia article on Antivirus software, available under CC BY-SA 4.0.