Antivirus software, explained

Antivirus software isn’t enough to protect our devices and accounts any longer, but it still provides a key layer of defense.

Over the past few years, consumers and enterprises alike have become more aware of the importance of adequate cybersecurity hygiene and the need to be able to recognize common threats online

Cyberattackers, scam artists, and malware developers have all moved on from the days that a computer infection simply meant an unresponsive PC, advertising pop-ups, and, in the worst-case scenario, the blue screen of death.

Instead, consumers are faced with complex scams and convincing phishing attempts designed to load covert Trojans onto a victim's device for the purpose of data theft, fake mobile applications that masquerade as cryptocurrency trading apps but will, instead, allow operators to take your money and run, and spyware that will track your every move and action without your knowledge.

Cyberattacks are not just about potentially wreaking havoc on a machine; they may be focused on data theft, surveillance, and sabotage, instead.

As threats have evolved, the defenses required to mitigate the risk of a successful attack have also had to improve. 

Technology vendors are constantly working to update their software and tackle vulnerabilities before they are exploited in the wild, governments and non-profits take out television ads to warn us of what to look for in online scams, and companies now offer advanced protection solutions for everything from consumer devices to enterprise networks. 

A baseline layer of defense for home systems, however, is antivirus software -- and it is recommended you have this software not just on your home PC, but now your mobile device, too. 

What is antivirus software?

Antivirus (AV) software is a software package designed to detect, isolate, and remove malicious code (otherwise known as malware) from a computer system.

When active, antivirus software will monitor traffic to and from a device, as well as scan files, applications, and other content.

Many forms of antivirus software will use databases of malicious signatures, built up over time by cybersecurity vendors, to detect suspicious code. 

Malware signatures linked to today's threats are added to a database and provide a digital fingerprint for AV software to check. However, signature-based databases need to be constantly updated as new malware strains are discovered and developers tamper with their creations to avoid detection (or as they release polymorphic malware strains that change their own code signatures over time).

Modern AV software will often also employ heuristic analysis methods to catch as of yet unknown, new, and altered malware strains in the wild. 

If a file is matched with or detected as similar to a database entry, the file will be deemed malicious and users will be alerted to a potential infection. Files can then be quarantined for further investigation or deleted entirely. 

Applications built with specific behaviors in mind, such as an illegal crack for software built to avoid licensing requirements, are also usually flagged the same way. It should be noted, however, that AV products may sometimes generate false positives.

The terms antivirus and anti-malware are often interchangeable, although antivirus software generally focuses on preventing infections from occurring on your PC or mobile device in the first place, whereas anti-malware solutions may be more geared toward deep scans and malware removal. Both categories, however, are designed to protect computer systems.

AV software may also prevent you from opening and executing suspect files and it may alert you when you visit compromised websites.

Overall, you should consider antivirus software as an active layer of defense against malware and other threats, but an AV solution should not be the only barrier you have in place. 

Popular AV software includes products offered by Kaspersky, ESET, Norton, McAfee, Malwarebytes, Bitdefender, and Avast. 

Consumers can select free or paid versions -- the latter usually including extra, premium features -- whereas businesses usually need to pay for a subscription covering the number of devices they need to protect.

Free options may be on a trial basis only or offer basic antivirus protection without advanced features or support. 

See also: Best antivirus software in 2021

Do I need antivirus software?

Microsoft Defender is an anti-malware component of modern Windows operating systems, and Apple's macOS also includes built-in antivirus protection. 

However, these solutions on their own are not enough to protect you from modern threats. In addition, our mobile devices are also now at risk of compromise by malware operators, and most AV product vendors offer software to protect not just your PC, but your handset, too. 

What can antivirus software do?

Functionality varies depending on what kind of software you choose to use. However, features often include:

  • Scanning: Users can perform scans of their devices manually, or set up a schedule for system checks to launch automatically. Alternatively, AV products often offer real-time background scanning capabilities that will check new files, archives, and browser activities for potential threats. Users can select individual files, drives, or full systems that need to be scanned, as well as perform quick scans -- which normally take no more than a few minutes -- for general 'health' checks. 
  • Web browsing: Real-time monitoring for internet-based threats can be enabled to protect users from phishing attempts, malicious websites, suspicious executable file downloads or execution, unintentional drive-by downloads, and more. 
  • Firewalls: Modern operating systems will include a firewall, which is a network monitoring system that will block traffic -- incoming and outgoing -- based on set rules. Unauthorized or suspicious connections can be stopped to prevent intrusion. 
  • Virtual Private Network (VPN) connections: Some AV products now offer an optional, inbuilt VPN connection. A VPN is not a replacement for an AV product, but rather should be considered a useful addition to hide your IP address, encrypt the communication between you and online services, and prevent both monitoring and tracking by third parties.
  • Password managers: Password managers lock up, manage, and generate the passwords used to access online services, and may also auto-fill forms on a user's behalf. Some AV products now even include a password manager.
  • Parental controls: These may include website blocks on adult content and keyword monitoring.  
  • Junk clean-up, system optimization: Bolt-on AV software features can include cleaning up junk and unnecessary files, therefore freeing up space on your PC or mobile device.  
  • Payment protection: AV products may include a feature to monitor visits to suspected fake banking or payment provider websites and warn you if you may be about to input your details on a malicious website. In addition, AV products may provide a custom browser window that is isolated and hardened, providing a more secure environment to make online purchases. 
  • Automatic updates: AV software will automatically upgrade to new versions, and these updates will include changes to signature databases. 
  • Multiple device protection: Depending on the terms of an AV software license, you may be able to use the same subscription to protect more than one PC or mobile device. This is usually a paid-only option for users.  
  • Wi-Fi monitoring: An AV product may also watch what Wi-Fi access point your device connects to in order to warn you if it is not secure, such as an open hotspot in public areas or in hotels.

How do machines become infected with malware? 

Fraudulent emails, SMS messages, fake websites, and shared resources -- such as storage drives or files -- can all be used as avenues for malware deployment. 

One of the most common avenues for attack is phishing or spam emails that may appear to be from your bank, tax offices, or well-known brands such as Amazon, PayPal, or Facebook. 

Fraudsters will often use social engineering tactics to lure victims into clicking suspicious links or falling for these fake emails by trying to generate fear, panic, or greed. For example, they may contain:

  • Threats from a tax office demanding payment on pain of a criminal prosecution
  • Delivery notices sent from Amazon or PayPal alerts concerning a transaction
  • Promises that you have won a prize, money from the lottery, or free cryptocurrency
  • Threats to let all of your contacts know what adult websites you have been visiting
  • Get rich quick schemes

In the business world, business email compromise (BEC) attacks will often be tailored to relate to HR departments, invoices, and quote inquiries. 

If a target falls for a phishing email -- which may be sent during a "spray and pray" mass spam campaign or through a tailored, spear-phishing exercise -- they may be asked to click a link to a compromised or malicious website containing a payload, or alternatively, the email may contain a malicious attachment such as a Microsoft Word document, in which macros will fetch malware. 

Other common infection vectors include: 

  • Malvertising via internet pop-ups: While technology vendors are clamping down on the older methods to deploy malware -- such as pop-ups that claim your PC has been infected with malware -- malvertising, the use of fake and malicious ads to drive malware, is still common. Victims may be asked to visit a website and download a file, such as a fake browser plugin or AV solution, that actually executes malware instead. 
  • Malicious, compromised websites: Malvertising, when served by third-party ad networks, can turn a legitimate domain into a springboard for malware distribution. In the same way, websites that have been compromised -- such as through a back-end vulnerability in a content management system (CMS) -- may serve visitors malicious packages or may reroute them to other domains owned by attackers. 
  • Malicious software updates: Cyberattackers are constantly evolving their tactics and techniques for infecting systems, and one relatively new way to do so is by performing a supply-chain attack. Threat actors compromise a central entity, such as a company that develops popular software, and tampers with software updates that are automatically pushed to users. The SolarWinds incident is a recent example of how much havoc this kind of cyberattack can cause. This attack vector is more commonly used to break into company networks.
  • Software bundles: Some software may come bundled with malware or unwanted software, such as adware or spyware. 
  • Shared resources: There are malware variants in the wild that contain wormable functionality, allowing the programs to spread through shared resources including individual files, external storage, and USB drives. 

Common online threats and malware to watch out for

The threats that can land on your PC are extensive, ranging from destructive malware to spyware that covertly monitors your activities, adware that constantly serves you adverts during browser sessions, and Potentially Unwanted Programs (PUP), also known as junk or nuisanceware. PUPs may serve ads, slow your PC, or download additional software without your explicit consent. 

Malware is a blanket term for different kinds of malicious software, as explained below:

  • Virus: A computer virus is designed to latch onto a legitimate file, corrupt it, and self-propagate through devices and emails. They may steal data, damage systems, and maintain persistence on an infected machine by executing every time the legitimate, compromised application runs. Viruses may be polymorphic and change their code to avoid AV programs. 
  • Worm: Many malware variants now contain "worm" capabilities as part of a wider toolset. However, worms may also be standalone programs that spread through system networks or via email as malicious attachments. A worm is able to propagate once it lands on a vulnerable system and may also be designed to steal data, corrupt files, or degrade PC performance. 
  • Trojan: A Trojan, or Trojan horse, is a malware variant that is often disguised as a legitimate program. Once installed on a victim's system, Trojans may establish a backdoor for persistent access, perform surveillance, download and execute additional malware, and steal information. Many Trojans today are focused on the theft of financial data. 
  • Ransomware: Ransomware has become one of the most potentially damaging types of malware to land on both consumer and enterprise systems. This malware variant will encrypt an infected system, prevent users from accessing their files and services, and will throw up a ransom note, demanding payment in cryptocurrency in return for a decryption key. Some of the worst ransomware incidents impacting businesses to date are the global WannaCry attack, the outbreak at Ireland's health service, and the closure of Colonial Pipeline's operations across the United States.
  • Spyware: Spyware, also known in its worst forms as stalkerware, is unethical, privacy-invading software that spies on device users, collecting data including -- but not limited to -- browser activities and logs, email records, contact lists, social media activity, images, video, and VoIP logs. When installed on a mobile device, GPS data, location, and SMS/MMS messages may also be monitored.
  • Adware: Legitimate adware may be installed with consent -- for example, in return for a copy of otherwise paid-for software. However, abusive variants of adware unscrupulously push adverts to a user's system in order for its operators to be paid.
  • Rootkits: Rootkit malware can be injected into applications, hypervisors, firmware, or the kernel level of an operating system. These bundles of tools may be used to hide the activity of other malware payloads, operate with high privileges, and can often be very difficult to detect. A recent example of rootkit use has been described by Kaspersky under Operation Tunnelsnake
  • Botnets: Botnet-based malware is designed to enslave PCs, mobile devices, and Internet of Things (IoT) devices into a broader network that may have further payloads deployed to 'slave' systems, forcing them to become payers in distributed denial-of-service (DDoS) attacks, send spam, and more. 
  • Hybrid: Today's malware strains cannot always be cleanly categorized, and they may include modules for different purposes, such as ransomware functionality, backdoors, spyware functions, or the ability to perform fileless attacks
  • Cryptocurrency miners: While not inherently malicious, cybercriminals may deploy cryptocurrency mining software such as XMRig on vulnerable servers and PCs in order to leverage stolen computer resources to covertly mine for coins. These coins are then sent to a wallet controlled by the attacker. 

See also: What is malware? Everything you need to know about viruses, trojans and malicious software

What are the symptoms of a malware infection?

There are a number of changes to your device's typical behavior that can indicate the existence of malware. These include:

  • Poor performance: One of the first indicators that something isn't quite right on your PC is changes to typical performance levels, such as a high CPU load, freezes, crashing, and lags during browser sessions. If processing speed or performance suddenly changes, this may be an indicator of a malware infection. When it comes to your handset, similar symptoms may occur, such as plummeting battery life, extra heat generation, lags, and crashes. However, you can't rely purely on CPU or resource usage alone as a sign that you're infected. Some malware, including cryptocurrency miner strains, will boot out competing malware and manage their resource usage to prevent performance issues -- and, therefore, potentially detection. 
  • Pop-up windows and browser redirection: If you experience unexpected advert bombardment or browser redirection, this may be a sign your sessions are being manipulated. 
  • PC and device changes: If you find programs suddenly appearing and executing that you are not familiar with, changes to a browser's home page or search engine, or settings tweaks that you did not make, this could also be an indicator of infection. 
  • Loss of storage space: If your hard drives are filling up without any known reason, this could mean you have been compromised. This symptom is more common with adware and nuisanceware programs. 
  • Reports of unusual communication: If friends, colleagues, or associates ask you about emails or messages you have allegedly sent that appear to be suspicious, this could indicate that either your device is compromised or an account belonging to you has been hijacked.
  • Locked screens: A typical sign of ransomware, in particular, is the inability to access your system beyond the home screen -- on which a ransom note, demanding payment, will be loaded. In these cases, it is likely that your files have been encrypted and cannot be recovered without a ransomware decryptor.
  • Existing antivirus solutions: If your existing antivirus software or firewalls have been disabled without warning, this is a common indicator of malware infection.

Do mobile devices need antivirus protection?

Mobile malware is nowhere near as common as PC-based strains, but mobile threats should be treated just as seriously. If allowed access to your handset, mobile malware variants may be able to conduct surveillance (such as in the case of stalkerware apps), download nuisanceware and adware, steal your personal data, harvest credentials used to access mobile banking services, or fleece your bank account by automatically calling or sending messages to premium numbers. 

Mobile app repositories including Apple's App Store and Google Play do have protections in place to stop developers from using them as hosts for malicious apps, but there are cases when either malware slips through the net or benign apps are suddenly updated to push malware. Therefore, a mobile AV product can be invaluable in preventing infections from taking root.

See also: The ultimate guide to finding and killing spyware and stalkerware on your smartphone 

Do I have to pay?

Most antivirus products are either free or based on six-monthly/yearly subscriptions following a trial period, with discounts on offer if you pay for the full term upfront. 

Free AV software offered by reputable vendors has all -- or most -- of the core, basic functionality required for adequate protection of a home PC or mobile device. As with most kinds of free software, however, you will have to endure the occasional pop-up asking you to upgrade and pay. 

The most impressive features of modern AV products are kept behind a paywall, but free solutions provided by cybersecurity vendors are not designed to be detrimental to user security -- after all, some form of antivirus is better than none. If there are some features that you absolutely must have (such as a VPN, parental controls, multiple device coverage, or payment protection), then most AV solutions are affordable and you should consider signing up.

Businesses, no matter how small, should seriously consider the extra features usually provided by premium, paid-for AV software as an investment rather than a luxury. 

What should I look for in an antivirus product?

You should first consider what type of antivirus product suits your needs. Real-time scanners are one of the most useful features of an AV product and you should certainly select one that offers this form of protection. However, adequate security cannot just be based on scans and malware signature databases -- they must be constantly updated to remain effective and current, considering that new malware strains are found on a daily basis. 

Usability and the potential impact on PC or mobile performance should also be considered. For example, if you are running an older machine, a lightweight AV product may be more suitable than robust, business-grade software. 

If you are looking to subscribe to a premium option, it is also important to decide how many devices you need protection for, whether this is just for one PC or a mobile device, or whether or not you need a family plan. You may also want to consider the vendor's reviews when it comes not just to protection, but also to customer support. 

Antivirus products that offer parental controls should be among the top choices for parents who want to manage the content their children are allowed to view online. 

What else can I do to protect my computer and mobile device?

No AV product is a catch-all security solution, and so they should be considered an important aspect of protecting your devices alongside general awareness, caution, and in tandem with other security solutions.

  • Stay wary: If an email looks suspicious, trust your gut. If you receive a message from what appears to be a trusted source containing a link, for example, visit the organization's domain directly rather than clicking through. 
  • Website downloads: Downloading files from dubious websites -- such as crack, warez, or pirate domains, is usually asking for trouble. 
  • Third-party apps: It is generally recommended to only download apps from sources that have their own security mechanisms in place, such as Google Play or the Apple App Store.
  • Firewalls: You should keep your operating system's firewall software enabled at all times. 
  • Wi-Fi: Public, unsecured Wi-Fi hotspots should be avoided as they may be honeypots or allow threat actors to monitor your activity -- and potentially redirect you to malicious websites. Instead, stick to secure spots or mobile connectivity. 
  • Backups: You should make sure you backup valuable content on your devices frequently. While this won't protect your system, this practice can help you recover, should the worst happen.