The basic job of an antivirus scanner is to sift through target files, comparing the code it finds against a database of known malicious code bytes. Early scanners were simple programs written to look for one particular piece of malicious code, say, the Brain virus. The scanner would notify the user if it was found, and in some cases a second program had to be run to remove Brain. To detect another type of virus, another program had to be downloaded and executed.
the first popular scanner to search for multiple rogue programs at once. To do this, a separate signature database was used. That way, only the database had to be updated when more rogue programs appeared. Today, most scanners have a separate database where scan strings and removal instructions are located (see Figure 14-2). The scanning engine does not need to be updated unless an entirely new type of code is found that the engine does not handle or detect. For example, NT Streams viruses caused all antivirus scanning engines to be updated, because none of them previously looked for NT secondary file streams. In another example, before email-embedded script viruses such as KAK appeared, antivirus software needed only to scan the file attachments of emails. Now they have to scan the bodies and signatures of emails as well.
Figure 14-2. Typical antivirus scanner model
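The engine/database split described above, as an added example rather than code from any real antivirus product: the engine only knows how to compare bytes against scan strings, the database carries the scan strings and removal instructions, and the email case shows why scanning a new location (the message body) is an engine change while a new rogue program is only a database change. All signatures and the email message are constructed test data.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes   # scan string: the bytes the engine looks for
    removal: str     # removal instruction stored alongside the scan string

# The signature database: the only thing that changes when a new rogue
# program appears. These patterns are constructed test markers, not real code.
SIGNATURE_DB: List[Signature] = [
    Signature("Test.Marker.A", b"SAMPLE-ROGUE-A", "delete infected file"),
    Signature("Test.Marker.B", b"\xde\xad\xbe\xef\x13\x37", "quarantine file"),
]

def scan_bytes(data: bytes, db: List[Signature]) -> List[Signature]:
    """Scanning engine: report every database entry whose scan string occurs
    anywhere in the target bytes. Knows nothing about specific viruses."""
    return [sig for sig in db if sig.pattern in data]

def scan_email(message: Dict, db: List[Signature],
               scan_bodies: bool = False) -> Dict[str, List[str]]:
    """Engine logic for email. Originally only attachments were scanned;
    looking at the body/signature (scan_bodies=True) is an engine change,
    which no database update alone could provide."""
    hits: Dict[str, List[str]] = {}
    for filename, content in message["attachments"].items():
        found = scan_bytes(content, db)
        if found:
            hits[filename] = [s.name for s in found]
    if scan_bodies:
        found = scan_bytes(message["body"], db)
        if found:
            hits["<body>"] = [s.name for s in found]
    return hits

# Constructed message: marker B in an attachment, marker A embedded in the body.
SAMPLE_MESSAGE = {
    "body": b"Hello,\n<script>SAMPLE-ROGUE-A</script>\n-- sig",
    "attachments": {"invoice.exe": b"MZ\x90\x00" + b"\xde\xad\xbe\xef\x13\x37"},
}

if __name__ == "__main__":
    print(scan_email(SAMPLE_MESSAGE, SIGNATURE_DB))                   # attachment only
    print(scan_email(SAMPLE_MESSAGE, SIGNATURE_DB, scan_bodies=True))  # body too
```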
Some antivirus ...