Antivirus (or anti-virus) software is used to prevent, detect, and remove malware, including computer viruses, worms, and trojan horses. Such programs may also prevent and remove adware, spyware, and other forms of malware.
A variety of strategies are typically employed. Signature-based detection involves searching for known malicious patterns inexecutable code. However, it is possible for a user to be infected with new malware for which no signature exists yet. To counter such so-called zero-day threats, heuristics can be used. One type of heuristic approach, generic signatures, can identify new viruses or variants of existing viruses by looking for known malicious code (or slight variations of such code) in files. Some antivirus software can also predict what a file will do if opened/run by emulating it in a sandbox and analyzing what it does to see if it performs any malicious actions. If it does, this could mean the file is malicious.
However, no matter how useful antivirus software is, it can sometimes have drawbacks. Antivirus software can degradecomputer performance if it is not designed efficiently. Inexperienced users may have trouble understanding the prompts and decisions that antivirus software presents them with. An incorrect decision may lead to a security breach. If the antivirus software employs heuristic detection (of any kind), success depends on achieving the right balance between false positivesand false negatives. False positives can be as destructive as false negatives. Finally, antivirus software generally runs at the highly trusted kernel level of the operating system, creating a potential avenue of attack.
In addition to the drawbacks mentioned above, the effectiveness of antivirus software has also been researched and debated. One study found that the detection success of major antivirus software dropped over a one-year period.