Use a Good Antivirus Scanner

The basic job of an antivirus scanner is to sift through target files comparing found code against a database of known malicious code bytes. Early scanners were simple programs made to look for a particular type of malicious code, say, the Brain virus. The scanner would notify the user if it was found, and in some cases, a second program had to be run to remove Brain. To detect another type of virus, another program had to be downloaded and executed.

McAfee VirusScan™ was the first popular antivirus scanner to search for multiple rogue programs at once. To do this, it used a separate signature database, so that only the database had to be updated when more rogue programs appeared. Today, most scanners keep scan strings and removal instructions in a separate database (see Figure 14-2). The scanning engine does not need to be updated unless an entirely new type of code appears that the engine cannot handle or detect. For example, NT Streams viruses forced every antivirus scanning engine to be updated, because none of them previously looked inside NT secondary file streams. In another example, before email-embedded script viruses like KAK appeared, antivirus software needed only to scan the file attachments of emails. Now it has to scan the bodies and signatures of emails as well.


Figure 14-2. Typical antivirus scanner model
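The engine/database split shown in Figure 14-2 is easy to see in code. The following is an added example, not code from the book or from any real antivirus product: a minimal scanning engine whose only knowledge of rogue programs comes from a text database of scan strings and removal notes, plus an email walker that scans message bodies as well as attachments, as the paragraph above says modern scanners must. The signature names and byte patterns are constructed for the example and do not correspond to real malicious code.

```python
"""Minimal signature scanner: engine code stays fixed, the database changes."""
import email
from dataclasses import dataclass
from email.message import EmailMessage
from pathlib import Path


@dataclass(frozen=True)
class Signature:
    name: str        # name of the rogue program the scan string identifies
    pattern: bytes   # scan string: bytes expected inside an infected file
    removal: str     # removal instruction, stored with the signature, not in the engine


# Constructed sample database: hypothetical names and made-up byte patterns.
# Format: name|hex scan string|removal instruction
SAMPLE_DATABASE = """
# name|hex scan string|removal instruction
Example.Dropper.A|DEADBEEF0102|delete file
Example.Macro.B|41 75 74 6F 4F 70 65 6E 20 45 56 49 4C|remove macro module
"""


def load_database(text: str) -> list[Signature]:
    """Parse the database. Adding a new rogue program means adding a line here."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, hexstr, removal = (field.strip() for field in line.split("|", 2))
        sigs.append(Signature(name, bytes.fromhex(hexstr), removal))
    return sigs


def scan_bytes(data: bytes, sigs: list[Signature]) -> list[tuple[str, int, str]]:
    """Return (name, offset, removal) for every scan string found anywhere in data."""
    hits = []
    for sig in sigs:
        offset = data.find(sig.pattern)
        while offset != -1:
            hits.append((sig.name, offset, sig.removal))
            offset = data.find(sig.pattern, offset + 1)
    return hits


def scan_file(path: str, sigs: list[Signature]) -> list[tuple[str, int, str]]:
    """Scan one file on disk with the loaded database."""
    return scan_bytes(Path(path).read_bytes(), sigs)


def scan_email(raw: bytes, sigs: list[Signature]) -> list[tuple[str, str, int, str]]:
    """Scan every MIME part, the text body included, not just the attachments."""
    msg = email.message_from_bytes(raw)
    findings = []
    for idx, part in enumerate(msg.walk()):
        payload = part.get_payload(decode=True)   # decodes base64/quoted-printable
        if payload is None:                       # multipart container, nothing to scan
            continue
        label = part.get_filename() or f"part{idx}:{part.get_content_type()}"
        for name, offset, removal in scan_bytes(payload, sigs):
            findings.append((label, name, offset, removal))
    return findings


def sample_email() -> bytes:
    """Constructed test message: scan string in the body and another in an attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("hello AutoOpen EVIL in the body")
    msg.add_attachment(b"\x00\x00\xde\xad\xbe\xef\x01\x02",
                       maintype="application", subtype="octet-stream",
                       filename="x.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    db = load_database(SAMPLE_DATABASE)
    for finding in scan_email(sample_email(), db):
        print(finding)
```

Note that `scan_email` only finds the body detection because it decodes and scans each part rather than the attachments alone; a scanner written before KAK would have called `scan_bytes` on `x.bin` and missed the script in the text part entirely. Updating the database with a new line changes what is detected without touching any of the functions.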

Tip

Some antivirus ...
