[ The PC Guide | System Care Guide | Data Loss and Virus
Prevention | Virus Detection and Protection | Virus Scanning and Antivirus Software ]
Types of Scanners and Other Antivirus Software Protection
There are many different types of antivirus software that have been developed over the
years. Originally, there was just the regular scanner, which searched through the hard
disk looking for known viruses. As viruses have gotten more sophisticated, antivirus
software has had to get more sophisticated as well. In addition to getting smarter about
how they detect viruses, new software has been made available that detects and prevents
virus infection in different ways.
The following are the general types of virus scanners that are usually used on PCs
- Conventional Disk Scanners: This is the standard virus check program. It is run
when the user requests it, and it scans the contents of the disks, directories or files
that the user wants, for any boot sectors and/or files that contain viruses that it
recognizes, based on the virus description information in its virus definition files.
Usually run manually by the user either as a preventive maintenance activity or when a
virus is suspected, scanning can also be automated through the use of a program scheduler.
This is the most common type of virus scanning program.
- Memory-Resident Scanners: Some antivirus software now comes with a special
program that sits in the background while you use your PC and automatically scans for
viruses based on different triggers. These programs typically can be configured to
automatically scan programs as they are run or scan floppy disks when you issue a shutdown
command to the operating system. This type of scanner offers increased protection and more
chances of catching a virus before it does damage. The price is in performance and
convenience; if you set it to scan every program as it is run you have to wait for it to
do this before you execute any file, for example.
- Behavior-Based Detection: Some products offer an option where they will sit in
memory and look for so-called "virus-like behavior" or "suspicious
activities". In essence, these programs are looking for the types of actions taken on
files or boot sectors that might be performed by a virus trying to spread. Commonly, this
software will look for and trap: writes to hard disk boot sectors (like the "virus protection" setting
common in many BIOSes), writes to floppy boot sectors, attempts to format the hard disk,
or writes to existing program files. This type of virus protection can generically catch
viruses "red-handed"; the problem is the annoyance of dealing with all the false
positives, where the program catches "virus-like behavior" which is perfectly
innocent. (It can happen a great deal.)
- Startup Scanners: Antivirus products often come with a special program that is
designed to be run every time the PC is booted up. It does a quick scan of the disk's boot
sectors and critical system files (instead of a full disk scan which takes a long time).
The idea is to catch critical viruses, especially boot sector viruses, before the PC boots
up (which can give the virus a chance to spread).
- Inoculation: This is a totally different approach to virus detection. Instead of
looking for the viruses themselves, this technique looks for the changes that the viruses
make to files and boot sectors. Starting with a clean system, the software
"inoculates" each boot sector and program file by storing a snapshot of
information about it based on its content and size. Then, periodically, it re-examines
these files to see if anything has changed. If it has, then the utility will inform you;
if you haven't made the change, a virus may have.
The main advantage of this type of virus detection is that since it is looking at the effects
of the virus, it doesn't need to know what the virus itself is; this means it will detect
even new viruses without requiring updated virus definition files all the time. The main
drawback of this scheme (and why it is not that often used) is that it generates a lot
of false positives. This happens because there
are so many legitimate ways that a file can change without a virus being responsible. To
use this method effectively you must reinoculate new files so they are protected, and be
prepared to deal with a lot of potential virus "catches" that really are not
See this section for more discussion on
virus scanning, and picking a protection method or methods that makes sense for you.
Warning: Make sure that the
scanner you purchase will scan for macro viruses. They are relatively new, and some
lower-quality, older programs, will not detect them, leaving you at risk.
Next: False Positives and False Negatives
Home - Search
- Topics - Up