Functionality

Scanners are limited intrinsically to the detection of known viruses. However, as a side effect of the basic technique, some new variants may also be detected. They are also identification tools, although the methodology is imprecise.

Scanners examine executables (e.g., .EXE or .COM files on a DOS system) for indications of infection by known viruses. Detection of a virus produces a warning message. The warning message will identify the executable and name the virus or virus family with which it is infected. Detection is usually performed by signature matching; special cases may be checked by algorithmic methods.

In signature scanning an executable is searched for selected binary code sequences, called a virus signature, which are unique to a particular virus, or a family of viruses. The virus signatures are generated by examining samples of the virus. Additionally, signature strings often contain wild cards to allow for maximum flexibility.

Single-point scanners add the concept of relative position to the virus signature. Here the code sequence is expected at a particular position within the file. It may not even be detected if the position is wrong. By combining relative position with the signature string, the chances of false positives is greatly reduced. As a result, these scanners can be more accurate than blind scanning without position.

Polymorphic viruses, such as those derived from the MtE (mutation engine) [], do not have fixed signatures. These viruses are self-modifying or variably encrypted. While some scanners use multiple signatures to describe possible infections by these viruses, algorithmic detection is a more powerful and more comprehensive approach for these difficult viruses.