ne of the simplest tasks performed by antivirus software is file scanning. This processcompares the bytes in files with known signatures that are byte patterns indicative of a knownmalware. It represents the general approach of signature-based detection. When new malwareis captured, it is analyzed for unique characteristics that can be described in a signature.
Thenew signature is distributed as updates to antivirus programs. Antivirus looks for thesignature during file scanning, and if a match is found, the signature identifies the malwarespecifically. There are major drawbacks to this method, however: New signatures requiretime to develop and test; users must keep their signature files up to date; and new malwarewithout a known signature may escape detection.Behavior-based detection is a complementary approach. Instead of addressing what malwareis, behavior-based detection looks at what malware tries to do. In other words, anythingattempting a risky action will come under suspicion. This approach overcomes the limitationsof signature-based detection and could find new malware without a signature, just from itsbehavior.
However, the approach can be difficult in practice. First, we must define what issuspicious behavior, or conversely, what is normal behavior. This definition often relies onheuristic rules developed by security experts, because normal behavior is difficult to defineprecisely. Second, it might be possible to discern suspicious behavior, but it is much moredifficult to determine malicious behavior, because malicious intention must be inferred.When behavior-based detection flags suspicious behavior, more follow-up investigation isusually needed to better understand the threat risk.The ability of malware to change or disguise appearances can defeat file scanning. However,regardless of its form, malware must ultimately perform its mission.
Thus, an opportunitywill always arise to detect malware from its behavior if it is given a chance to execute.Antivirus software will monitor system events, such as hard-disk access, to look for actionsthat might pose a threat to the host. Events are monitored by intercepting calls to operatingsystem functions.