ne to antivirus programs. Antivirus looks for the

ne of the simplest tasks performed by antivirus software is file scanning. This process
compares the bytes in files with known signatures that are byte patterns indicative of a known
malware. It represents the general approach of signature-based detection. When new malware
is captured, it is analyzed for unique characteristics that can be described in a signature. The
new signature is distributed as updates to antivirus programs. Antivirus looks for the
signature during file scanning, and if a match is found, the signature identifies the malware
specifically. There are major drawbacks to this method, however: New signatures require
time to develop and test; users must keep their signature files up to date; and new malware
without a known signature may escape detection.
Behavior-based detection is a complementary approach. Instead of addressing what malware
is, behavior-based detection looks at what malware tries to do. In other words, anything
attempting a risky action will come under suspicion. This approach overcomes the limitations
of signature-based detection and could find new malware without a signature, just from its
behavior. However, the approach can be difficult in practice. First, we must define what is
suspicious behavior, or conversely, what is normal behavior. This definition often relies on
heuristic rules developed by security experts, because normal behavior is difficult to define
precisely. Second, it might be possible to discern suspicious behavior, but it is much more
difficult to determine malicious behavior, because malicious intention must be inferred.
When behavior-based detection flags suspicious behavior, more follow-up investigation is
usually needed to better understand the threat risk.
The ability of malware to change or disguise appearances can defeat file scanning. However,
regardless of its form, malware must ultimately perform its mission. Thus, an opportunity
will always arise to detect malware from its behavior if it is given a chance to execute.
Antivirus software will monitor system events, such as hard-disk access, to look for actions
that might pose a threat to the host. Events are monitored by intercepting calls to operating
system functions.