What is a virus signature, and how is it created?

Computer viruses are shifty little critters: they don’t run around with a sign around their neck that says, “I’m a virus!” Therefore, antivirus software has to collect virus signatures to know which files are malicious or infected. And that’s all well and good, but what is a virus signature? 

What is a virus signature?

A virus signature, or a virus definition, is the information — a unique pattern or code — that allows your antivirus software to identify known types of viruses. The virus signature database is updated frequently as cybersecurity experts discover new viruses daily. 

In the past, a virus signature was a snippet of malicious code that indicated a file was infected by a specific virus. A virus scanner would check the file’s code and see if it matched known virus signatures.

It’s like identifying a criminal by having a sample of their DNA.

What is a virus signature file?

However, hackers are not stupid — just evil — so they started altering and evolving virus code. For example, polymorphic viruses are designed to rewrite their own code on each infection while keeping their core functions intact. This lets the virus fool signature-based detection: a byte-for-byte signature taken from one copy no longer matches the rewritten copy, and a traditional antivirus program has no way to recognize the new permutation on its own.
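To make the two points above concrete (the byte-pattern matching of an old-style signature, and the way a rewritten or re-encoded variant slips past it), here is an added Python example that is not part of the original post and is not Surfshark's code. Every signature, sample file and name in it is constructed for illustration; the `??` wildcard follows the hex-pattern convention used by engines such as ClamAV.

```python
import hashlib
import re

# Constructed, illustrative signature database (NOT real malware signatures).
# Patterns use the hex style of engines such as ClamAV: "??" matches any one byte,
# so a single definition can cover small variations of the same code.
SIGNATURES = {
    "Demo.Dropper.A": "DE AD BE EF ?? ?? 43 41 46 45",  # DE AD BE EF <2 any> "CAFE"
    "Demo.Downloader.B": "C0 FF EE ?? 42 41 44",        # C0 FF EE <1 any> "BAD"
}
HASH_SIGNATURES: dict[str, str] = {}  # SHA-256 of an exact known file -> name

def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn a pattern like 'DE AD ?? EF' into a compiled regex over raw bytes."""
    parts = []
    for token in hex_pattern.split():
        if token == "??":
            parts.append(b".")  # wildcard; DOTALL below makes '.' match 0x0A as well
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}

def register_hash_signature(name: str, sample: bytes) -> None:
    """Add a whole-file definition that matches one exact known sample."""
    HASH_SIGNATURES[hashlib.sha256(sample).hexdigest()] = name

def scan(data: bytes) -> list[str]:
    """Return the sorted names of every definition matching the file contents."""
    hits = [name for name, rx in COMPILED.items() if rx.search(data)]
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    return sorted(hits)

# Constructed sample files: the known specimen, a lightly mutated variant,
# the same payload re-encoded ("packed") with a new XOR key, and a benign file.
KNOWN = b"\x00" * 8 + b"\xde\xad\xbe\xef\x01\x02CAFE" + b"\x00" * 8
VARIANT = b"\x00" * 8 + b"\xde\xad\xbe\xef\x99\x98CAFE" + b"\x00" * 8  # 2 bytes differ
REENCODED = bytes(b ^ 0x5A for b in KNOWN)
BENIGN = b"Hello, this is an ordinary text file.\n"
register_hash_signature("Demo.Dropper.A.hash", KNOWN)

if __name__ == "__main__":
    for label, sample in [("known", KNOWN), ("variant", VARIANT),
                          ("re-encoded", REENCODED), ("benign", BENIGN)]:
        print(f"{label:10s} -> {scan(sample) or 'no signature match'}")
```

The known file matches both the pattern and the hash definition, the two-byte variant matches only the wildcard pattern, and the re-encoded copy matches nothing at all, which is exactly the gap that behavior-based detection exists to close.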

Today, what we call a virus signature also includes virus definitions derived from heuristic analysis, which focuses on how a file behaves rather than how it looks. In this approach, an antivirus app doesn’t need to have seen the exact file before — it just needs to quarantine files that act shifty.

It’s like identifying a criminal because you can see them mugging an innocent bystander. 

This also explains why antivirus software often flags video game executables as false positives: the file isn’t infected, but its behavior looks suspicious.

Either way, detection only works when you have a virus signature database. So, let’s see how those signatures are created.

How are virus signatures created?

Virus signatures are created by security experts observing the viruses in a safe environment. 

That is necessary because computers are stupid. Yes, they have enough processing power to work through things faster than people, but so far their judgment is only as good as the rules humans give them. Therefore, they don’t really know how to recognize viruses by themselves.

Here’s how the process goes: 

1. A new virus pops up that the software doesn’t know how to deal with

This is great news for cybersecurity experts since they get to keep their jobs. They’re the ones bravely investigating every new type of malicious software that hackers put out.

2. Security experts investigate the new virus 

Once the researchers get their hands on a new virus, they run it in a safe environment: a virtual machine (a simulated computer running inside a real one) or an isolated computer that cannot reach anything else. This allows them to observe what the infection does and develop countermeasures for the antivirus app.

3. Antivirus software updates virus signatures

That’s where you come in. Well, your device, actually. Antivirus signature updates are usually pushed once every 24 hours to keep you protected. However, sometimes an important-enough update may be released out of sequence or the developer may allow for beta versions of their databases to be downloaded. 

Knowledge is power (to crush viruses)

“Virus signature” is an antiquated term that is still applied to a concept that has gone well beyond the simple byte-pattern matching it originally described. However, it works for us, people who aren’t drawing a paycheck by discovering vulnerabilities.

What it tells us is that software updates are very important to our security. It’s also a reminder that you need an antivirus program to protect your devices. 

FAQ

Why is a signature of a virus necessary?

A virus signature is necessary for antivirus software to know what a virus looks like. 

How is a worm different from a virus?

Viruses are activated by you, the user, messing up and running an infected file. Worms operate independently and start acting on their own when they enter a system.