A variety of strategies are typically employed. Signature-based detection involves searching for known malicious patterns in executable code. However, it is possible for a user to be infected with new malware for which no signature exists yet. To counter such so-called zero-day threats, heuristics can be used. One type of heuristic approach, generic signatures, can identify new viruses or variants of existing viruses by looking for known malicious code (or slight variations of such code) in files. Some antivirus software can also predict what a file will do if opened/run by emulating it in a sandbox and analyzing what it does to see if it performs any malicious actions. If it does, this could mean the file is malicious.
However, no matter how useful antivirus software is, it can sometimes have drawbacks. Antivirus software can degrade computer performance. Inexperienced users may have trouble understanding the prompts and decisions that antivirus software presents them with. An incorrect decision may lead to a security breach. If the antivirus software employs heuristic detection (of any kind), success depends on achieving the right balance between false positives and false negatives. False positives can be as destructive as false negatives. Finally, antivirus software generally runs at the highly trusted kernel level of the operating system, creating a potential avenue of attack.
In addition to the drawbacks mentioned above, the effectiveness of antivirus software has also been researched and debated. One study found that the detection success of major antivirus software dropped over a one-year period.
History
See also: Timeline of notable computer viruses and worms
Most of the computer viruses that were written in the early and mid '80s were limited to self-reproduction and had no specific damage routine built into the code (research viruses. That changed when more and more programmers became acquainted with virus programming and released viruses that manipulated or even destroyed data on infected computers. It then became necessary to think about antivirus software to fight these malicious viruses.
There are competing claims for the innovator of the first antivirus product. Possibly the first publicly documented removal of a computer virus in the wild was performed by Bernd Fix in 1987.
Fred Cohen, who published one of the first academic papers on computer viruses in 1984, started to develop strategies for antivirus software in 1988 that were picked up and continued by later antivirus software developers.
Also in 1988 a mailing list named VIRUS-L was initiated on the BITNET/EARN network where new viruses and the possibilities of detecting and eliminating viruses were discussed. Some members of this mailing list like John McAfee or Eugene Kaspersky later founded software companies that developed and sold commercial antivirus software.
Before Internet connectivity was widespread, viruses were typically spread by infected floppy disks. Antivirus software came into use, but was updated relatively infrequently. During this time, virus checkers essentially had to check executable files and the boot sectors of floppy and hard disks. However, as internet usage became common, initially through the use of modems, viruses spread throughout the Internet.
Over the years antivirus software had to check many more types of files (and not only executable files) for several reasons:
* Powerful macros used in word processor applications, such as Microsoft Word, presented a further risk. Virus writers started using the macros to write viruses embedded within documents. This meant that computers could now also be at risk from infection by documents with hidden attached macros as programs.
* Later email programs, in particular Microsoft Outlook Express and Outlook, were vulnerable to viruses embedded in the email body itself. Now, a user's computer could be infected by just opening or previewing a message.
As always-on broadband connections became the norm and more and more viruses were released, it became essential to update virus checkers more and more frequently. Even then, a new zero-day virus could become widespread before antivirus companies released an update to protect against it.
