
How Antivirus Software Works

kathryn on Flickr

If you have antivirus software installed on your computer (and you should!) you’ll know that it stops viruses from doing damage to your computer. But how does an antivirus know what’s bad and what’s good? Let’s take a peek inside how an antivirus works and how it keeps your PC safe.

If you’ve watched your antivirus update, you’ll see a part where it downloads and installs “virus definitions.” These are special rules that tell the antivirus what viruses are making the rounds on the internet. If the antivirus spots one of these programs arriving on the computer, it knows to get rid of it immediately!

You can imagine the antivirus as a saloon owner in the Wild West. Every day, the owner gets a few WANTED posters from the local sheriff, which show some of the local bandits that have appeared.

When someone enters the saloon, the owner checks the newcomer’s face against all the WANTED posters he has. If they’re not on any of the posters, they’re free to stay; if they are wanted, they get kicked out before they can cause any trouble!

This is how an antivirus keeps known viruses out; but how about changed viruses? The people who create viruses know that an antivirus will spot the program in the wild and will create a rule that blocks it.

To combat this, they make a new version of the virus that’s only slightly different from the one they made. That way, when the antivirus scans it, it doesn’t perfectly match the records that the software has. The creator of the virus hopes this slight difference is enough to fool the antivirus into allowing it.

In our Wild West saloon, this is like the bandits wearing funny hats, eye patches, or fake mustaches to trick the owner into believing they’re a different person from the people on the WANTED posters. Fortunately, the owner can use a little common sense here; if the newcomer looks similar, but not identical to, one of the wanted bandits, they can investigate further to see if they’re really a bad guy.

Antiviruses can also do this. They look at software coming in and compare it to viruses that they already know. If it shares similarities with an existing virus, the antivirus will stop it from running. This kind of detection has a funny name: it’s called “heuristics” (hew-riss-ticks).

An antivirus can also use heuristics to catch a brand new virus that doesn’t have a definition yet. For example, if a brand new program tries to delete everything on the computer, the antivirus can detect this and stop it, even if it doesn’t have a rule dictating that it should.

This is like our saloon owner keeping an eye out for trouble. They don’t need a WANTED poster to spot someone trying to start a fight or rob someone. They can identify this person as bad and promptly kick them out of the saloon. They can even report the person to the sheriff, so the whole town knows to watch out for that person!

However, an antivirus can’t be too strict with its rules. If it’s a little too forceful, it will identify totally innocent programs as viruses, much to the annoyance of the user. It’s important for the antivirus to be cautious, but not overly so.
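Here is the saloon owner's routine as a small program. This is an added example, not code from any real antivirus: the sample "programs" are harmless made-up text, the names Scanner, similarity and Bandit.A are invented for illustration, and comparing overlapping 4-byte chunks is a simple stand-in for the far more sophisticated similarity checks real products use.

```python
import hashlib

def chunks(data: bytes, n: int = 4) -> set:
    """Every overlapping n-byte slice of the data (the 'facial features')."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def similarity(a: bytes, b: bytes) -> float:
    """Share of chunks the two inputs have in common, from 0.0 to 1.0."""
    ca, cb = chunks(a), chunks(b)
    union = ca | cb
    return len(ca & cb) / len(union) if union else 0.0

class Scanner:
    """Checks exact definitions first, then falls back to a similarity heuristic."""

    def __init__(self, known: dict, threshold: float = 0.6):
        self.known = known                      # name -> sample bytes
        self.threshold = threshold              # how alike counts as suspicious
        self.definitions = {hashlib.sha256(s).hexdigest(): name
                            for name, s in known.items()}

    def scan(self, data: bytes) -> tuple:
        # 1. WANTED poster: an exact fingerprint match.
        name = self.definitions.get(hashlib.sha256(data).hexdigest())
        if name:
            return ("definition", name)
        # 2. Heuristic: does it look a lot like a known bandit?
        best = max(self.known, key=lambda k: similarity(data, self.known[k]))
        if similarity(data, self.known[best]) >= self.threshold:
            return ("heuristic", best)
        return ("clean", None)

# Constructed, harmless sample data standing in for real files.
ORIGINAL = b"open saloon door; take the gold; ride out of town fast"
VARIANT = b"open saloon door; take the gold!; ride out of town fast"   # fake mustache
INNOCENT = b"open saloon door; order a sarsaparilla; tip the piano player"
KNOWN = {"Bandit.A": ORIGINAL}

if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL), ("variant", VARIANT),
                          ("innocent", INNOCENT)]:
        print(label, Scanner(KNOWN).scan(sample),
              round(similarity(sample, ORIGINAL), 2))
    # An overly strict owner (very low threshold) throws out an innocent guest.
    print("strict:", Scanner(KNOWN, threshold=0.1).scan(INNOCENT))
```

The one-character change in the variant is enough to defeat the exact fingerprint, but the similarity check still catches it. Dropping the threshold to 0.1 makes the scanner flag the innocent sample too.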

The next time you update your antivirus, just imagine all the WANTED posters it’s downloading for you. Who knows; in the future, it may use one of them to save your PC!

Learn More

Comodo’s guide on how an antivirus works

Detection method

How Anti-virus software works

How do different types of antiviruses work?

Antivirus software

Antivirus software facts for kids

2020 Top Ten Antivirus software

Advantages of using an antivirus

Explaining computer viruses

Importance of antivirus software

Best Cybersecurity Analogies