Antivirus software, often shortened to antivirus or AV, is security software that attempts to detect, block, quarantine, or remove malicious software from a device. It is more accurately understood as part of endpoint security, because modern protection normally deals with many forms of unwanted or hostile code, not only traditional computer viruses.
Antivirus software is used on personal computers, business laptops, servers, and managed fleets. It may be built into an operating system, installed as a third-party product, or supplied as part of a broader endpoint protection platform. Its usefulness depends on the device, the operating system, the user, and the surrounding security controls.
Purpose
The main purpose of antivirus software is to reduce the chance that malware can run, spread, or remain unnoticed. Malware can steal credentials, encrypt files for ransom, spy on users, damage systems, or use a device as a foothold for attacks against other machines.
Antivirus does not make a device secure by itself. It works best alongside software updates, sensible account permissions, application control, backups, web filtering, email filtering, and user awareness. The National Cyber Security Centre describes AV as one control that works with network defences, device settings, and application-store checks to help block malware before it causes harm.
Detection Methods
Older antivirus products relied heavily on signatures. A signature is a known pattern connected with a specific threat or family of threats. Signature detection remains useful, especially for known malware, but it is not enough against new or modified attacks.
Modern products normally combine several methods:
- Signature checks against known malicious files.
- Heuristic detection, where suspicious traits are scored even if the file is not already known.
- Behaviour monitoring, where the product watches what a process is doing after it starts.
- Reputation checks, where downloaded files, scripts, or URLs are compared with cloud-based threat intelligence.
- Sandboxing or controlled execution, where suspicious activity is analysed away from ordinary user data.
- Blocking of known attack techniques, such as unauthorised script execution, malicious macros, credential theft tools, or suspicious changes to startup locations.
These methods are imperfect. A product may miss a new threat, or it may incorrectly flag a harmless file. This is why layered security and recoverable backups matter.
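The ordering of these layers can be shown in a small model scanner. This is an added illustration, not code from any vendor product or from the cited sources; the signature set, trait weights, threshold and startup-location list are all constructed sample values.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field

# Constructed signature set keyed by SHA-256 of file content.
# The hash is derived from placeholder bytes below, not from real malware.
KNOWN_BAD_CONTENT = b"constructed-sample-malicious-bytes"
SIGNATURES = {hashlib.sha256(KNOWN_BAD_CONTENT).hexdigest(): "Constructed.Sample.A"}

# Heuristic traits and illustrative weights (assumed values, not a vendor's scoring).
TRAIT_WEIGHTS = {
    "packed": 2,            # executable sections are compressed or obfuscated
    "macro_autoexec": 3,    # document runs a macro as soon as it is opened
    "no_signer": 1,         # binary carries no code signature
    "hidden_extension": 2,  # e.g. a name ending in .pdf.exe
}
HEURISTIC_THRESHOLD = 4     # assumed cut-off; below it a single weak trait is tolerated

# Behaviour rule: a write into a startup location after the process is running.
STARTUP_LOCATIONS = ("/etc/cron.d/", "~/.config/autostart/")

@dataclass
class Sample:
    content: bytes
    traits: set = field(default_factory=set)
    events: list = field(default_factory=list)   # (action, target) observed at runtime

def scan(sample: Sample) -> tuple[str, str]:
    """Return (verdict, reason). Layers run in order: signature, heuristic, behaviour."""
    digest = hashlib.sha256(sample.content).hexdigest()
    if digest in SIGNATURES:                       # known file: cheapest, most certain layer
        return "block", f"signature:{SIGNATURES[digest]}"
    score = sum(TRAIT_WEIGHTS.get(t, 0) for t in sample.traits)
    if score >= HEURISTIC_THRESHOLD:               # unknown file with several suspicious traits
        return "quarantine", f"heuristic:score={score}"
    for action, target in sample.events:           # nothing static matched: watch what it does
        if action == "write" and target.startswith(STARTUP_LOCATIONS):
            return "block", f"behaviour:persistence:{target}"
    return "allow", "no detection"
```

A file with only one weak trait (for example, no code signature) stays below the threshold, which is the trade-off between catching modified malware and flagging harmless unsigned tools.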
Real-Time and On-Demand Protection
Real-time protection watches files, downloads, scripts, processes, memory activity, and sometimes network behaviour as the device is used. It is designed to stop a threat before the user has to notice it.
On-demand scanning is different. It scans selected files, folders, drives, or the whole system when started manually or by schedule. It can help find old threats, check removable media, or inspect a machine after a suspicious event.
Many products also include removable-drive scanning, browser integration, email attachment checks, exploit protection, ransomware behaviour rules, and warnings for suspicious downloads. In managed environments, administrators may control these settings centrally.
Quarantine and Remediation
When antivirus software detects a threat, it may block execution, remove the file, repair it, or place it in quarantine. Quarantine isolates the item so it cannot run normally. This allows a user or administrator to review it later, restore it if it was a false positive, or delete it permanently.
Remediation is not always complete. If malware has already run, it may have changed settings, stolen data, created new accounts, moved across a network, or installed other tools. In serious cases, rebuilding the device from trusted media can be safer than trying to clean it in place.
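What "isolating" a quarantined item involves in practice can be shown with a minimal quarantine store. This is an added example, not a product's own implementation; the directory layout, the JSON record format and the constructed sample file are assumptions made for the illustration.

```python
from __future__ import annotations
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

def quarantine(path: Path, qdir: Path, reason: str) -> Path:
    """Move `path` into `qdir` under its SHA-256, drop execute/write bits, and
    record its origin so an administrator can restore or delete it later."""
    original = str(path.resolve())
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    qdir.mkdir(parents=True, exist_ok=True)
    os.chmod(qdir, 0o700)          # only the scanning account can enter the store
    dest = qdir / digest           # hash as name: no extension, so nothing opens it by association
    shutil.move(str(path), str(dest))
    os.chmod(dest, 0o400)          # read-only, no execute bit
    record = {"original_path": original, "sha256": digest,
              "reason": reason, "quarantined_at": time.time()}
    (qdir / f"{digest}.json").write_text(json.dumps(record))
    return dest

def restore(qdir: Path, digest: str) -> Path:
    """Return a quarantined item to its original path after a false-positive review."""
    meta = qdir / f"{digest}.json"
    record = json.loads(meta.read_text())
    src = qdir / digest
    if hashlib.sha256(src.read_bytes()).hexdigest() != digest:   # store integrity check
        raise ValueError("stored item does not match its recorded hash; refusing to restore")
    os.chmod(src, 0o600)
    dest = Path(record["original_path"])
    shutil.move(str(src), str(dest))
    meta.unlink()
    return dest

def demo() -> tuple[bool, bool, bool]:
    """Round-trip a constructed file through quarantine and restore in a temp dir."""
    payload = b"constructed sample, not real malware"
    with tempfile.TemporaryDirectory() as tmp:
        suspect = Path(tmp) / "invoice.pdf.exe"
        suspect.write_bytes(payload)
        qdir = Path(tmp) / "quarantine"
        stored = quarantine(suspect, qdir, "heuristic:hidden_extension")
        isolated = (not suspect.exists()) and stored.exists()
        back = restore(qdir, stored.name).read_bytes() == payload
        cleaned = not stored.exists() and not (qdir / f"{stored.name}.json").exists()
        return isolated, back, cleaned
```

The record, not the file name, is what makes later review possible: it is the only link back to the original location and the reason for detection.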
Updates
Antivirus protection depends on updates. These may include security intelligence, engine updates, product updates, cloud-detection changes, and policy changes. A product that is not updating can quickly become weak, especially against new malware campaigns.
For home users, automatic updates are usually the sensible default. For companies, updates may be staged and monitored so they do not break important systems, but delaying them for too long increases exposure.
Platform Differences
The need for antivirus differs by platform. Windows includes Microsoft Defender Antivirus. macOS includes built-in security features such as XProtect. Android includes Google Play Protect on ordinary consumer builds. iOS and ChromeOS restrict application execution in ways that make traditional antivirus less central.
The NCSC notes that on some locked-down platforms, antivirus may offer limited value if the device can only run trusted applications from controlled sources. On general-purpose desktops and many business endpoints, antivirus or endpoint security remains a common control.
Choosing and Using Antivirus
When choosing antivirus software, the practical questions are usually more important than brand recognition. Useful questions include:
- Is the product still supported and updated?
- Does it work properly on the operating system and device type?
- Can it be managed centrally where a fleet is involved?
- Does it conflict with existing security tools?
- Does it create unacceptable performance problems?
- Does it log useful information for incident response?
- Does it protect against common threats without producing constant false alerts?
Running several antivirus products at the same time can cause instability and does not automatically improve protection. A better approach is to use one properly configured product alongside other controls.
Limitations
Antivirus software is a defensive layer, not a guarantee. It cannot stop every phishing attack, weak password, unpatched vulnerability, poor backup practice, or insider action. Attackers also test malware against common products before release.
Good security therefore includes prevention, detection, recovery, and response. A device should be patched, accounts should use sensible privileges, important files should be backed up, and suspicious activity should be investigated rather than dismissed simply because antivirus did not alert.
See Also
References
- National Cyber Security Centre: Antivirus and other security software
- National Cyber Security Centre: Mitigating malware and ransomware attacks
- Microsoft Learn: Microsoft Defender Antivirus in Windows
- Microsoft Learn: Microsoft Defender Antivirus always-on protection
- Microsoft Security Intelligence: Defender updates