Keeping clients' computers safe and profitable for over 30 years

How antivirus programs work

Preview:

Antivirus programs use four basic approaches to protect us from viruses: fingerprints, allow lists, action-based protection and code scanning. Here is a short explanation of each.

There were simpler times, but both the miscreant attackers and the white-hat heroes have made huge strides in their effectiveness. Now, most antivirus programs require four levels of protection, not just one.

Fingerprints

There was a time when known malware was fingerprinted and new programs were scanned for those fingerprints. A program is fingerprinted by running it through a formula (a hash) that shrinks it down to one of just 2 raised to the 256th possible values. The largest of these is a 78-digit decimal number, like this:
115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,935

However, criminals learned to change their code a little, adding something here or there so that it produces a different number. These fingerprints work really well if you want to prove that a program is exactly what you think it is, but not to prove that it doesn't contain bad code somewhere within it.

Allow lists

Because miscreants could change their code, many antivirus programs, as well as the Windows installer, use allow lists instead. Authors can buy certificates from Microsoft, and programs can also work their way onto the allow list over time. Such programs are initially flagged as possible malware, but the reputation of the author, any certificates they carry, an examination of their code, and a record of people running them without problems allow these programs to be accepted.

Action-based protection

So, anti-virus programs added action-based protection. They looked at how viruses act, the sorts of things they do, and they watch for those things. If such behaviour is spotted, they quickly jump in and prevent further action. There are two problems with this approach: it may be too late, and it may falsely identify benign programs as dangerous. But that is simply inevitable, and this is still a necessary approach.

Code scanning

Waiting for an action to be done and then trying to stop it is too dangerous. So, good antivirus programs add another layer to their defense. They scan new code they aren't familiar with and check whether it looks like virus code, contains known virus fingerprints, or contains code that calls for suspicious actions.
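To make the fingerprint, allow-list and code-scanning layers above concrete, here is an added example (not code from the original article or from any antivirus product). It uses SHA-256 as the 2^256-value fingerprint formula, constructed byte strings as stand-in "programs", and a constructed list of suspicious byte patterns; it also shows why a one-byte change defeats the fingerprint layer while the code-scanning layer still catches it.

```python
import hashlib


def fingerprint(program: bytes) -> str:
    """Fingerprint a program: SHA-256 gives one of 2**256 possible values (hex here)."""
    return hashlib.sha256(program).hexdigest()


def max_fingerprint_digits() -> int:
    """Number of decimal digits in the largest possible fingerprint, 2**256 - 1."""
    return len(str(2**256 - 1))


# Constructed stand-in "programs" (plain byte strings, not real executables).
MALWARE_SAMPLE = b"MZ\x90\x00copy self to startup folder; mail every contact"
TRUSTED_TOOL = b"MZ\x90\x00print a monthly report"
UNKNOWN_TOOL = b"MZ\x90\x00delete shadow copies; encrypt documents"

# Layer 1: fingerprints of programs already known to be malware.
BAD_FINGERPRINTS = {fingerprint(MALWARE_SAMPLE)}
# Layer 2: allow list of fingerprints the vendor has vetted and accepted.
ALLOW_LIST = {fingerprint(TRUSTED_TOOL)}
# Layer 4: byte patterns that "call for suspicious actions" (constructed, illustrative).
SUSPICIOUS_PATTERNS = [b"copy self to startup", b"delete shadow copies", b"encrypt documents"]


def scan(program: bytes) -> str:
    """Apply the layers in order and return a verdict string."""
    fp = fingerprint(program)
    if fp in BAD_FINGERPRINTS:
        return "blocked: matches a known malware fingerprint"
    if fp in ALLOW_LIST:
        return "allowed: fingerprint is on the allow list"
    hits = [p.decode() for p in SUSPICIOUS_PATTERNS if p in program]
    if hits:
        return "suspicious: code scan found " + ", ".join(hits)
    return "unknown: no fingerprint match, not on allow list, nothing suspicious found"


if __name__ == "__main__":
    for name, prog in [("malware", MALWARE_SAMPLE), ("trusted", TRUSTED_TOOL), ("unknown", UNKNOWN_TOOL)]:
        print(f"{name:8s} {fingerprint(prog)[:16]}...  {scan(prog)}")
    # The small change the article describes: one extra byte, new fingerprint,
    # but the suspicious code is still inside, so the code-scanning layer sees it.
    variant = MALWARE_SAMPLE + b"\x00"
    print("variant ", fingerprint(variant)[:16] + "... ", scan(variant))
    print("largest fingerprint has", max_fingerprint_digits(), "decimal digits")
```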

Summary

There are other things a good anti-virus program might do, but these four are essential.

  1. Fingerprinting
  2. Allow lists
  3. Action protection
  4. Code scanning




Date: August 2025


Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
