What Is Signature Analysis in Antiviruses and How Does It Work?

Signature analysis identifies each virus or other piece of malware by comparing files against a set of characteristic features. A virus's signature is the collection of features that uniquely identifies the presence of that virus in a file (including the case where the entire file is the virus). Together, the signatures of known viruses form the antivirus database. Thus the best anti-malware software usually uses an enhanced signature method, which still has its flaws. Let's look at signatures in more detail.

Signature Essentials

Extracting signatures is, as a rule, a task for people: experts in computer virology who are able to isolate the virus code from the program code and formulate its characteristic features in the form most convenient for searching. "As a rule" because in the simplest cases special automated tools for extracting signatures can be used, for example for simple trojans or worms that do not infect other programs and are entirely malicious code themselves.

Almost every antivirus company has its own group of experts who analyze new viruses and add new signatures to the antivirus database. For this reason, the databases of different antiviruses differ. Nevertheless, antivirus companies have an agreement to exchange virus samples, which means that sooner or later the signature of a new virus enters the databases of almost all antiviruses. The best antivirus is the one that releases the signature for a new virus before everyone else.

One common misconception about signatures is that each signature corresponds to exactly one virus or piece of malware, and that, as a result, an antivirus database with a larger number of signatures detects more viruses. That is not really true. Very often a single signature is used to detect a whole family of similar viruses, so it cannot be assumed that the number of signatures equals the number of detected viruses.

The ratio of the number of signatures to the number of known viruses varies from one antivirus database to another, so a database with fewer signatures may actually contain information about more viruses. If you also recall that antivirus companies exchange virus samples, you can, with a high degree of confidence, consider the best-known antivirus databases to be equivalent.

Signature’s Properties

An important additional property of signatures is that they identify the type of virus accurately and reliably. This property allows the database to store, alongside the signatures themselves, the methods for disinfecting each virus. If signature analysis only answered whether a virus is present, without saying which virus it is, disinfection would obviously be impossible: there would be too great a risk of taking the wrong actions and causing additional data loss instead of repairing the file.

Another important, but negative, property is that to obtain a signature you must have a sample of the virus. Therefore the signature method is unsuitable for protection against new viruses, because until experts have analyzed a virus its signature cannot be created. That is why new viruses cause all the largest epidemics. From the moment a virus appears on the Internet to the release of the first signatures usually takes several hours, and during all that time the virus can infect computers almost unhindered. Almost, because the additional protections discussed earlier, as well as the heuristic methods used in antivirus programs, help protect against new viruses.
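The following Python scanner is an added example written for this article; it is not code from any antivirus product. It illustrates three points made above: a signature is a byte pattern searched for in a file; one signature with wildcard bytes can cover a whole family of variants, so the number of signatures is not the number of detected viruses; and each match returns a specific name to which a disinfection method can be attached, while a sample that was never analyzed matches nothing. The signature syntax (hex bytes with "??" as a wildcard byte), the signature names, the remedy strings and all "samples" are constructed for the example and do not correspond to any real malware.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Signature:
    """One database entry: a name, a hex byte pattern and the matching remedy.

    The pattern format is an assumption for this example: space-separated hex
    bytes, where "??" stands for any single byte (a wildcard).
    """
    name: str
    pattern: str
    remedy: str

def compile_signature(sig: Signature) -> re.Pattern:
    """Turn the hex pattern into a bytes regex; "??" becomes a single-byte wildcard."""
    parts = []
    for token in sig.pattern.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    # DOTALL so the wildcard also matches a newline byte (0x0A).
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data: bytes, database: List[Signature]) -> List[str]:
    """Return the names of every signature found in the data (empty list if clean)."""
    return [sig.name for sig in database if compile_signature(sig).search(data)]

def scan_file(path: str, database: List[Signature]) -> List[str]:
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return scan(fh.read(), database)

def remedy_for(name: str, database: List[Signature]) -> str:
    """Look up the disinfection method stored next to the signature."""
    return next(sig.remedy for sig in database if sig.name == name)

# Constructed database: a narrow signature for one variant and a family
# signature whose wildcard covers the byte that differs between variants.
DATABASE = [
    Signature("Example.A", "AA BB 01 CC DD", remedy="remove appended section"),
    Signature("Example.Family", "AA BB ?? CC DD", remedy="remove appended section"),
]

# Constructed "samples": harmless byte strings that only contain the patterns above.
SAMPLE_A = b"program header\xaa\xbb\x01\xcc\xdd rest of file"   # variant A
SAMPLE_B = b"program header\xaa\xbb\x02\xcc\xdd rest of file"   # variant B, same family
SAMPLE_UNKNOWN = b"program header\xee\xff\x00\x11\x22 rest"      # never analyzed: no signature

if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("unknown", SAMPLE_UNKNOWN)):
        hits = scan(sample, DATABASE)
        print(label, "->", hits or "clean (as far as the database knows)")
        for name in hits:
            print("   remedy:", remedy_for(name, DATABASE))
```

Two signatures detect both variants, the family signature alone catches the variant the narrow one misses, and the unanalyzed sample is reported clean, which is exactly the gap heuristic methods are meant to cover.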