Write a short note on different methods of malware identification used by antivirus software.

Q. Write a short note on different methods of malware identification used by antivirus software.

Answer: -

Methods of Malware Identification used by Antivirus:-

(A) Signature-based detection:-
In this method, an antivirus works with the help of a signature database known as “Virus Definition File (VDF)”. This file consists of virus signatures and is updated continuously on a real-time basis. This makes the regular update of the antivirus software a must. If there is an antivirus software with an outdated VDF, it is as good as having no antivirus software installed, as the new malware will infect the system without getting detected. This method also fails to detect malware that has an ability to change its signature (polymorphic) and the malware that has some portion of its code encrypted.

(B) Sandbox detection:-
In this method, a new application or file is executed in a virtual environment (sandbox) and its behavioural fingerprint is observed for a possible malware. Depending on its behaviour, the antivirus engine determines if it is a potential threat or not and proceeds accordingly. Although this method is a little slow, it is very safe as the new unknown application is not given access to actual resources of the system.

(C) Data mining techniques:-
This method employs various data mining and machine learning techniques to classify the behaviour of a file as either benign or malicious.

(D) Heuristics:-
Often, a malware infection follows a certain pattern. Here, the source code of a suspected program is compared to viruses that are already known and are in the heuristic database. If the majority of the source code matches with any code in the heuristic database, the code is flagged as a possible threat.

(E) Real-time protection:-
Some malware remains dormant or gets activated after some time. Such malware needs to be checked on a real-time basis. In this technique, the anti-malware software keeps running in the background and observes the behaviour of an application or file for any suspicious activity while it is being executed i.e. when it resides in the active (main) memory of the computer system.