Antivirus Identification Methods
1. Signature Based Detection
Traditionally, antivirus software has relied heavily on signatures to identify malware, and signature based detection is still the most common method. To identify viruses and other malware, the antivirus software compares the contents of a file to a dictionary of known virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole but also in pieces. This can be very effective, but it cannot defend against malware unless samples have already been obtained and signatures created. Because of this, signature based approaches are not effective against new, unknown viruses.
As new viruses are being created every day, the signature based approach requires frequent updates of the virus signature dictionary. To assist the antivirus companies, the software may allow the user to upload new viruses or variants to the company, so that the virus can be analysed and its signature added to the dictionary. Signatures are obtained by human experts using reverse engineering. An example of software used in reverse engineering is the Interactive Disassembler (IDA). Such software does not implement antivirus protection by itself, but facilitates human analysis. Although the signature based approach can effectively contain virus outbreaks, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify their own code as a method of disguise, so as not to match the signatures in the dictionary.
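The following is an added example, not code from the original post or from any antivirus product, that shows the two signature kinds described above in a minimal scanner: a whole-file hash signature, and a byte pattern searched at every offset so that a virus embedded in the middle of an existing host file is still found. The signature names, the byte patterns and the sample files are all constructed for the demonstration and are not real malware indicators.

```python
import hashlib

# Constructed signature dictionary (illustrative names and bytes, not real signatures).
# A hash signature matches one exact file; a pattern signature is searched at any offset.
HASH_SIGNATURES = {}
PATTERN_SIGNATURES = {
    "Demo.Pattern.A": b"\x90\x90\xEB\x05DEMO",
}


def sha256(data: bytes) -> str:
    """Whole-file hash used as the key for hash signatures."""
    return hashlib.sha256(data).hexdigest()


# Register a known sample by its hash, the kind of signature that can only be
# created after a sample has been obtained and analysed.
KNOWN_SAMPLE = b"MZ" + b"\x00" * 16 + b"\x90\x90\xEB\x05DEMO" + b"\x00" * 8
HASH_SIGNATURES[sha256(KNOWN_SAMPLE)] = "Demo.Hash.A"


def scan(data: bytes) -> list:
    """Return the names of every signature that matches `data`."""
    hits = []
    name = HASH_SIGNATURES.get(sha256(data))
    if name:
        hits.append(name)
    # Search the file in pieces: the pattern is matched at every offset rather
    # than comparing the file as a whole, so an infected host file is still caught.
    for name, pattern in PATTERN_SIGNATURES.items():
        if data.find(pattern) != -1:
            hits.append(name)
    return hits


def scan_files(files: dict) -> dict:
    """Scan a {filename: bytes} mapping and return {filename: [signature names]}."""
    return {fname: scan(data) for fname, data in files.items()}


# Constructed test corpus.
SAMPLES = {
    "known.bin": KNOWN_SAMPLE,
    # The same pattern embedded inside an existing host file: the hash differs, so
    # the hash signature misses, but the byte pattern is still found.
    "infected_host.bin": b"HOST PROGRAM DATA" + b"\x90\x90\xEB\x05DEMO" + b"MORE DATA",
    # A variant with one byte changed inside the pattern: nothing matches, which is
    # why new or modified variants evade the dictionary until a signature is created.
    "variant.bin": b"HOST PROGRAM DATA" + b"\x90\x90\xEB\x06DEMO" + b"MORE DATA",
    "clean.bin": b"just a text file",
}

if __name__ == "__main__":
    for fname, hits in scan_files(SAMPLES).items():
        print(f"{fname}: {hits or 'clean'}")
```

Running the block reports the known sample under both signatures, the infected host under the pattern signature only, and the altered variant as clean, which is the detection gap the next section's heuristics try to cover.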
2. Heuristic Detection
Heuristic detection is an effective way to locate unknown threats and provides the most up to date real time protection. This sort of scanning and analysis takes time, which may slow down system performance. The main concern with heuristic detection is that it often increases false positives: a false positive occurs when the antivirus software decides a file is malicious (and quarantines or deletes it) when in reality it is perfectly fine and wanted. Because some files look like viruses but really aren't, they are restricted and stopped from working on your computer.
Heuristic virus detection is a fancy way of a scanner saying, "I'm guessing that is a virus". Heuristic scanning engines work on the principle that viruses usually use certain tricks or methods of infecting, so if a program looks like it might be using those tricks, there is a possibility that the program is a virus. A more aggressive heuristic scanner may well detect large numbers of so called "false positives", i.e. files that are totally innocent but look like they might alter other files, while a less aggressive one might miss files that really are viruses. In practice heuristics work quite well for some types of viruses, such as macro viruses, but not so well for others. However, they are a reasonable attempt at providing protection against currently unknown viruses.
Variants of viruses are referred to with terminology such as "oligomorphic", "polymorphic" and "metamorphic", where the differences between specific variants of the same virus are significant. For such cases there are dedicated algorithms based on statistical analysis, implemented in the "real time" protection, which analyse software behaviour. This approach is not exact and results in higher resource usage on the computer. Since developing an "oligomorphic", "polymorphic" or "metamorphic" engine is difficult and the resulting code is (relatively) large and complex (and such cases are very rare), this approach can be used with a relatively high success rate. Designing such an algorithm calls for human ingenuity. If the antivirus software employs heuristic detection, success depends on achieving the right balance between false positives and false negatives. Because both false positives and false negatives are possible, the identification process is subject to human assistance, which may include user decisions as well as analysis by an expert at the antivirus software company.
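As an added example, not part of the original post or of any real scanner, the block below models the "tricks" principle and the aggressiveness trade-off described in this section. Each rule is a behaviour a heuristic engine might look for, with a weight; a file is flagged when its summed score reaches a threshold. The rule names, weights and the labelled sample corpus are all constructed for illustration, and the sweep over thresholds shows how a lower (more aggressive) threshold trades false negatives for false positives.

```python
# Constructed heuristic rules: an observed behaviour and the weight it adds to the
# suspicion score. The names are illustrative, not a real engine's rule set.
RULES = {
    "writes_to_other_executables": 4,   # classic file-infector behaviour
    "self_modifying_code": 3,           # code that rewrites itself at run time
    "packed_high_entropy": 2,           # compressed/encrypted body, also common in installers
    "macro_runs_on_document_open": 2,   # auto-executing office macro
    "hooks_file_open": 2,               # intercepts file access
}


def score(features: set) -> int:
    """Sum the weights of every rule whose behaviour was observed."""
    return sum(weight for name, weight in RULES.items() if name in features)


def classify(features: set, threshold: int) -> bool:
    """Flag the file as suspicious when its score reaches the threshold."""
    return score(features) >= threshold


# Constructed, labelled corpus: (observed behaviours, truly malicious?).
CORPUS = [
    ({"writes_to_other_executables", "self_modifying_code"}, True),          # file infector
    ({"macro_runs_on_document_open", "writes_to_other_executables"}, True),  # macro virus
    ({"packed_high_entropy"}, True),                                         # packed sample
    ({"packed_high_entropy"}, False),                                        # legitimate packed installer
    ({"hooks_file_open", "writes_to_other_executables"}, False),             # benign patcher/updater
    (set(), False),                                                          # plain program
    ({"macro_runs_on_document_open"}, False),                                # benign office macro
]


def evaluate(corpus: list, threshold: int) -> dict:
    """Count false positives and false negatives for one threshold."""
    false_positives = false_negatives = 0
    for features, malicious in corpus:
        flagged = classify(features, threshold)
        if flagged and not malicious:
            false_positives += 1
        if not flagged and malicious:
            false_negatives += 1
    return {
        "threshold": threshold,
        "false_positives": false_positives,
        "false_negatives": false_negatives,
    }


def sweep(corpus: list, thresholds: list) -> list:
    """Evaluate every threshold so the trade-off can be read off side by side."""
    return [evaluate(corpus, t) for t in thresholds]


if __name__ == "__main__":
    for result in sweep(CORPUS, [2, 5, 7]):
        print(result)
```

With this corpus the aggressive threshold of 2 misses nothing but wrongly flags three benign files, the conservative threshold of 7 flags nothing benign but misses two real samples, and 5 sits in between; picking the operating point, and handing the borderline cases to a user or an analyst, is the balance the section describes.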