What is a virus signature, and how is it created?

Computer viruses are shifty little critters: they don’t run around with a sign around their neck that says, “I’m a virus!” Therefore, antivirus software has to collect virus signatures to know which files are malicious or infected. And that’s all well and good, but what is a virus signature? 

What is a virus signature file?

A virus signature file is where your antivirus software stores all the data on known types of viruses. That file is updated often as cybersecurity experts discover new viruses daily. 

In the olden days, a virus signature was a snippet of malicious code that indicated that a file was infected by a specific virus. A virus scanner would check the file’s code and see if it matched known virus signatures. 

It’s like identifying a criminal by having a sample of their DNA.

However, hackers are not stupid – just evil – so they started changing and evolving virus codes. For example, polymorphic viruses are set to rewrite their code while keeping their core functions intact. This allows the virus to fool signature-based detection as antivirus programs aren’t smart enough to notice new permutations of virus signatures by themselves.
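The signature matching described above, as an added example (not code from the original article or from any antivirus product): a minimal byte-pattern scanner run over constructed, harmless byte strings. It shows an exact signature missing a variant with one changed byte, while a pattern with a `??` wildcard byte still matches; the signature names, the samples and the wildcard syntax are assumptions made for illustration.

```python
# Constructed sample data: harmless byte strings standing in for file contents.
SAMPLE_A = b"\x90\x90HEADER\xde\xad\xbe\xef\x01\x02PAYLOAD-MARK\x00"
SAMPLE_B = b"\x90\x90HEADER\xde\xad\x11\xef\x01\x02PAYLOAD-MARK\x00"  # one byte differs
CLEAN = b"plain document text, nothing to see"

# Hypothetical signature database: name -> hex pattern ("??" matches any byte).
SIGNATURES = {
    "Demo.Exact": "de ad be ef 01 02",
    "Demo.Wildcard": "de ad ?? ef 01 02",
}


def parse_signature(hex_pattern):
    """Turn 'de ad ?? ef' into [0xde, 0xad, None, 0xef]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in hex_pattern.split()]


def find_signature(data, pattern):
    """Return the offset of the first match of pattern in data, or -1."""
    n = len(pattern)
    for off in range(len(data) - n + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern)):
            return off
    return -1


def scan(data):
    """Return the sorted names of all signatures found in data."""
    return sorted(
        name
        for name, pat in SIGNATURES.items()
        if find_signature(data, parse_signature(pat)) >= 0
    )


if __name__ == "__main__":
    for label, blob in [("A", SAMPLE_A), ("B", SAMPLE_B), ("clean", CLEAN)]:
        print(label, scan(blob))
```
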

That’s why what we call a virus signature today also includes a virus definition derived via heuristic analysis, which focuses on what a file does, not how it looks. In such a situation, an antivirus app doesn’t need to know whether the file is infected by something or not – it just needs to quarantine files that act shifty.

It’s like identifying a criminal because you can see them mugging an innocent bystander. 

The last bit explains why antivirus software loves pinging video game executables as false positives: It’s not an infected file, it’s just acting suspiciously. 

But those are the things that happen once you have a virus signature database. What that doesn’t tell you is how those signatures are created.

How are virus signatures created?

Virus signatures are created by security experts observing the viruses in a safe environment. 

That is necessary because computers are stupid. Yes, they have a lot of processing power to think stuff faster than people but, thus far, their thinking is only as good as the human-set guidelines permit. Therefore, they don’t really know how to recognize viruses themselves.

Here’s how the process goes: 

1. A new virus pops up that the software doesn’t know how to deal with

This is great news for cybersecurity experts since they get to keep their jobs. They’re the ones bravely investigating every new type of malicious software that hackers put out.

2. Security experts investigate the new virus 

Once the researchers get their hands on a new virus, they run it in a safe environment – a virtual machine (a simulated computer run on a computer) or a secure computer. This allows them to observe what the infection does and develop countermeasures for the antivirus app. 

3. Antivirus software updates virus signatures

That’s where you come in. Well, your device, actually. Antivirus signature updates are usually pushed once every 24 hours to keep you protected. However, sometimes an important-enough update may be released out of sequence or the developer may allow for beta versions of their databases to be downloaded. 

Knowledge is power (to crush viruses)

A virus signature is an antiquated term that’s still applied to a concept that has gone beyond the simple technologies that were present at its inception. However, it works for us, people who aren’t drawing a paycheck by discovering vulnerabilities.

What it tells us is that software updates are very important to our security. It’s also a reminder that you need an antivirus program to protect your devices. 


Why is a signature of a virus necessary?

A virus signature is necessary for antivirus software to know what a virus looks like. 

How is a worm different from a virus?

Viruses are activated by you, the user, messing up and running an infected file. Worms operate independently and start acting on their own when they enter a system.