[ The PC Guide | System Care Guide | Data Loss and Virus Prevention | Virus Detection and Protection | Virus Scanning and Antivirus Software ]

Types of Scanners and Other Antivirus Software Protection

There are many different types of antivirus software that have been developed over the years. Originally, there was just the regular scanner, which searched through the hard disk looking for known viruses. As viruses have gotten more sophisticated, antivirus software has had to get more sophisticated as well. In addition to getting smarter about how they detect viruses, new software has been made available that detects and prevents virus infection in different ways.

The following are the general types of virus scanners that are usually used on PCs today:

• Conventional Disk Scanners: This is the standard virus check program. It is run when the user requests it, and it scans the contents of the disks, directories or files that the user wants, for any boot sectors and/or files that contain viruses that it recognizes, based on the virus description information in its virus definition files. Usually run manually by the user either as a preventive maintenance activity or when a virus is suspected, scanning can also be automated through the use of a program scheduler. This is the most common type of virus scanning program.
• Memory-Resident Scanners: Some antivirus software now comes with a special program that sits in the background while you use your PC and automatically scans for viruses based on different triggers. These programs typically can be configured to automatically scan programs as they are run or scan floppy disks when you issue a shutdown command to the operating system. This type of scanner offers increased protection and more chances of catching a virus before it does damage. The price is in performance and convenience; if you set it to scan every program as it is run you have to wait for it to do this before you execute any file, for example.
• Behavior-Based Detection: Some products offer an option where they will sit in memory and look for so-called "virus-like behavior" or "suspicious activities". In essence, these programs are looking for the types of actions taken on files or boot sectors that might be performed by a virus trying to spread. Commonly, this software will look for and trap: writes to hard disk boot sectors (like the "virus protection" setting common in many BIOSes), writes to floppy boot sectors, attempts to format the hard disk, or writes to existing program files. This type of virus protection can generically catch viruses "red-handed"; the problem is the annoyance of dealing with all the false positives, where the program catches "virus-like behavior" which is perfectly innocent. (It can happen a great deal.)
• Startup Scanners: Antivirus products often come with a special program that is designed to be run every time the PC is booted up. It does a quick scan of the disk's boot sectors and critical system files (instead of a full disk scan which takes a long time). The idea is to catch critical viruses, especially boot sector viruses, before the PC boots up (which can give the virus a chance to spread).
• Inoculation: This is a totally different approach to virus detection. Instead of looking for the viruses themselves, this technique looks for the changes that the viruses make to files and boot sectors. Starting with a clean system, the software "inoculates" each boot sector and program file by storing a snapshot of information about it based on its content and size. Then, periodically, it re-examines these files to see if anything has changed. If it has, then the utility will inform you; if you haven't made the change, a virus may have.

The main advantage of this type of virus detection is that since it is looking at the effects of the virus, it doesn't need to know what the virus itself is; this means it will detect even new viruses without requiring updated virus definition files all the time. The main drawback of this scheme (and why it is not that often used) is that it generates a lot of false positives. This happens because there are so many legitimate ways that a file can change without a virus being responsible. To use this method effectively you must reinoculate new files so they are protected, and be prepared to deal with a lot of potential virus "catches" that really are not viruses.

See this section for more discussion on virus scanning, and picking a protection method or methods that makes sense for you.

Warning: Make sure that the scanner you purchase will scan for macro viruses. They are relatively new, and some lower-quality, older programs, will not detect them, leaving you at risk.

Next: False Positives and False Negatives

Home  -  Search  -  Topics  -  Up