
Antiviruses

Antivirus is a software package specially designed to protect, intercept and remove computer viruses and other malicious programs.

Antivirus protection is the most common information security measure for IT infrastructures in the corporate sector. However, only 74% of Russian companies use antivirus solutions, according to a study conducted by Kaspersky Lab together with the analytical company B2B International (autumn 2013).

The report also said that amid the explosive growth of cyber threats, against which simple antiviruses protect companies, Russian business is increasingly using comprehensive security tools. Largely for this reason, the use of data encryption on removable media increased by 7% (24%). In addition, companies have become more willing to differentiate security policies for removable devices. Differentiation of access levels to various parts of the IT infrastructure has also grown (49%). At the same time, small and medium-sized businesses pay more attention to monitoring removable devices (35%) and monitoring applications (31%).

The researchers also found that, despite the constant discovery of new software vulnerabilities, Russian companies still do not pay due attention to regular software updates. Moreover, the share of organizations that install fixes decreased compared to the previous year, to only 59%.

Modern antivirus programs are able to effectively detect malicious objects inside program files and documents. In some cases, the antivirus can remove the body of a malicious object from the infected file and restore the file itself. In most cases, the antivirus is able to remove a malicious object not only from a program file but also from an office document without violating its integrity. Using antivirus programs does not require high qualifications and is within the reach of almost any computer user.

Most antivirus programs combine permanent protection functions (antivirus monitor) and on-demand protection functions (antivirus scanner).

Antivirus rating

2019: Two-thirds of Android antiviruses proved useless

In March 2019, the Austrian laboratory AV-Comparatives, which specializes in testing antivirus software, published the results of a study showing that most such programs for Android are useless.

Only 23 antiviruses listed in the official Google Play Store accurately recognize malware in 100% of cases. The rest either do not respond to mobile threats at all or flag perfectly safe applications as threats.

AV-Comparatives studied 250 popular security applications from the official Google Play catalog and concluded that almost two-thirds of Android antiviruses do not perform the functions claimed in their advertising.

Of the 250 antiviruses examined, the experts reported that only 80 could detect more than 30% of the malware; thus, 170 applications failed the test. The products that passed included mainly solutions from large vendors, among them Avast, Bitdefender, ESET, F-Secure, G-Data, Kaspersky Lab, McAfee, Sophos, Symantec, Tencent, Trend Micro and Trustwave.

In the experiment, the researchers installed each antivirus application on a separate physical device (no emulator) and automated the devices to launch the browser, download and then install malware. Each device was tested against 2,000 of the most common Android malware samples of 2018.

According to AV-Comparatives calculations, most antivirus solutions for Android are counterfeits. Dozens of applications have an almost identical interface, and their creators are clearly more interested in showing ads than in writing a working antivirus scanner.

Some antiviruses "see" a threat in any application not included in their "white list." Because of this, in a number of rather anecdotal cases they raised the alarm over their own files, since the developers forgot to add them to the "white list."[1]

2017: Microsoft Security Essentials ranked as one of the worst antiviruses

In October 2017, the German antivirus laboratory AV-Test published the results of comprehensive antivirus testing. According to the study, Microsoft's own software designed to protect against malicious activity copes with its duties almost worst of all.

According to the results of tests conducted in July-August 2017, AV-Test experts called Kaspersky Internet Security the best antivirus for Windows 7, which received 18 points when assessing the level of protection, performance and usability.

Rounding out the top three were Trend Micro Internet Security and Bitdefender Internet Security, each with 17.5 points. The positions of the other antivirus vendors' products included in the study can be seen in the illustration below:

Rating of the best antiviruses, AV-Test data

Experts awarded Microsoft Security Essentials only 13.5 points; only Comodo Internet Security scored lower. The Microsoft product had the lowest usability score and one of the lowest protection scores.

Comodo received only 1.5 points for performance, which means the product has a serious impact on system performance and significantly slows down Windows 7.

In July 2017, AV-Test reported that Microsoft Security Essentials achieved a 99% result in protecting against zero-day attacks, including malware arriving by e-mail. A month later, this value fell to 97%. The level of threat detection was 99.8%, and no false positives or blocked legitimate sites were recorded. However, during system scans Microsoft Security Essentials produced 13 and 15 cases of malware being classified as perfectly safe applications.

According to the study, Microsoft's antivirus slows down the system when installing frequently used applications, on both a standard and a powerful computer.

Computer Infection Prevention Rules

  • Never open attachments in letters from strangers or organizations.
  • In the operating system, enable the display of file extensions.
  • Be sure to check the attached file extensions, even if the email came from a known sender. If the name of the attached file ends with "dangerous" extensions, in no case open them. Ask the sender to send files in a different format.
  • Timely install updates to the operating system and application programs.
  • Install a licensed antivirus program on your computer and ensure that virus signature databases are updated regularly.

The enterprise system administrator or the person responsible for the organization's IT environment is strongly encouraged to:

  • Change antivirus settings in accordance with antivirus vendors' recommendations for protection against ransomware. Do not rely entirely on the antivirus, since antivirus software does not always respond quickly to a new modification of a virus. Update antivirus databases in a timely manner.
  • Regularly back up important data.

Classification of antiviruses

Currently, there is no single classification system for antivirus programs.

Classification of antiviruses by operating mode

Kaspersky Lab classifies antiviruses by operating mode:

Real-Time Scan

Real-time checking, or continuous checking, keeps antivirus protection running without interruption. It is implemented as mandatory inspection, for malware, of all actions performed by other programs and by the user, regardless of where the object involved is located: the hard drive, removable media, other network resources or RAM. Indirect actions performed through third-party programs are checked as well.

On-Demand Inspection

In some cases, continuous real-time checking alone may not be enough. For example, an infected file may have been copied to the computer but excluded from the constant check because of its large size, so the virus in it was not found. If this file is never run on the computer in question, the virus can go unnoticed and reveal itself only after the file is sent to another computer.

In this mode it is usually assumed that the user personally specifies which files, directories or disk areas need to be checked and when: either on a schedule or as a manual one-time run.

Classification of antiviruses by type

Also, antivirus programs can be classified by type:

Scanners (other names: phages, polyphages)

The principle of operation of antivirus scanners is based on checking files, sectors and system memory and searching them for known and new (unknown to the scanner) viruses. So-called masks are used to search for known viruses. A virus mask is some constant code sequence specific to that particular virus. If the virus does not contain a constant mask, or the mask is not long enough, other methods are used. An example of such a method is an algorithmic language that describes all possible variants of the code that can occur when a file is infected with a virus of this type. Some antiviruses use this approach to detect polymorphic viruses.

Many scanners also use heuristic scanning algorithms: they analyze the sequence of instructions in the object being checked, collect some statistics and make a decision for each object.

Scanners can also be divided into two categories - universal and specialized. Universal scanners are designed to catch and neutralize all types of viruses, regardless of the operating system in which the scanner is designed to operate. Specialized scanners are designed to neutralize a limited number of viruses or only one class of viruses, such as macro viruses.

Scanners are also divided into resident scanners (monitors), which scan on the fly, and non-resident scanners, which check the system only on demand. As a rule, resident scanners provide more reliable protection, since they respond immediately to the appearance of a virus, while a non-resident scanner can identify the virus only at its next launch.
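The mask-based search described above, as an added example (not code from TAdviser or any antivirus vendor): a mask is a sequence of hex bytes in which "??" stands for any byte, so one mask covers variants that differ only in a few operand bytes. The signature and the "infected" byte strings are constructed for the demonstration, and the minimum-fixed-bytes check illustrates the caveat that a mask which is too short produces false positives.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A virus mask: hex bytes separated by spaces, "??" matches any one byte."""
    name: str
    mask: str


def fixed_bytes(mask: str) -> int:
    """Number of non-wildcard bytes; a mask with too few is prone to false positives."""
    return sum(1 for tok in mask.split() if tok != "??")


def compile_mask(mask: str) -> re.Pattern:
    """Translate a mask into a byte regex; wildcards become '.' (any byte under DOTALL)."""
    parts = []
    for tok in mask.split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"bad mask token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)


class MaskScanner:
    MIN_FIXED = 8  # refuse masks with fewer fixed bytes than this (assumed threshold)

    def __init__(self, signatures):
        self._compiled = []
        for sig in signatures:
            if fixed_bytes(sig.mask) < self.MIN_FIXED:
                raise ValueError(f"{sig.name}: only {fixed_bytes(sig.mask)} fixed bytes")
            self._compiled.append((sig.name, compile_mask(sig.mask)))

    def scan(self, data: bytes) -> list:
        """Return (signature name, offset) for every occurrence of a mask in data."""
        hits = []
        for name, pattern in self._compiled:
            for match in pattern.finditer(data):
                hits.append((name, match.start()))
        return sorted(hits, key=lambda h: h[1])


# Constructed sample signature: "TEST" + two variable bytes + "VIRUS" (not a real virus mask).
SAMPLE_SIGNATURES = [Signature("Constructed.Test.A", "54 45 53 54 ?? ?? 56 49 52 55 53")]


def demo() -> list:
    """Scan two constructed 'variants' and one benign buffer; returns the three hit lists."""
    scanner = MaskScanner(SAMPLE_SIGNATURES)
    variant_1 = b"\x90" * 16 + b"TEST\x01\x02VIRUS" + b"\x00" * 4   # hit at offset 16
    variant_2 = b"MZ" + b"\x00" * 30 + b"TEST\xaa\xbbVIRUS"         # hit at offset 32
    benign = b"This file merely mentions TESTVIRUS as a word."      # no wildcard bytes: no hit
    return [scanner.scan(variant_1), scanner.scan(variant_2), scanner.scan(benign)]


if __name__ == "__main__":
    print(demo())
```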

CRC scanners

The principle of operation of CRC scanners is based on the calculation of CRC sums (checksums) for files/system sectors present on the disk. These CRC sums are then stored in the antivirus database, as well as some other information: file lengths, dates of their last modification, etc. At the next start, CRC scanners compare the data contained in the database with the actually calculated values. If the information about the file recorded in the database does not match the real values, then CRC scanners signal that the file has been modified or infected with a virus.

CRC scanners are not able to catch a virus at the time of its appearance in the system, but do so only after a while, after the virus has spread through the computer. CRC scanners cannot detect a virus in new files (in e-mail, on floppy disks, in files being restored from backup, or when unpacking files from an archive) because their databases do not contain information about these files. Moreover, viruses periodically appear that exploit this weakness of CRC scanners, infect only newly created files, and thus remain invisible to them.

Blockers

Antivirus blockers are resident programs that intercept virus-dangerous situations and inform the user about them. Virus-dangerous situations include requests to open executable files for writing, writes to disk boot sectors or the MBR of the hard drive, attempts by programs to go resident, and so on; that is, calls characteristic of viruses at the moment of replication.

The advantages of blockers include their ability to detect and stop the virus at the earliest stage of its reproduction. Disadvantages include the existence of ways to bypass the protection of blockers and a large number of false positives.

Immunizers

Immunizers are divided into two types: infection-reporting immunizers and infection-blocking immunizers. The former are usually appended to the end of files (following the principle of a file virus) and check the file for changes every time it is launched. Such immunizers have only one drawback, but it is fatal: they are completely unable to report infection by a stealth virus. For this reason, immunizers, like blockers, are practically not used today.

The second type of immunization protects the system from being affected by a certain kind of virus. Files on disks are modified so that the virus takes them as already infected. To protect against a resident virus, a program that simulates a copy of the virus is entered into the computer's memory. When launched, the virus stumbles upon it and believes that the system is already infected.

This type of immunization cannot be universal because files cannot be immunized against all known viruses.

Classification of antiviruses by variability over time

According to Valery Konyavsky, antivirus tools can be divided into two large groups - analyzing data and analyzing processes.

Data analysis

Data analysis includes auditors and polyphages. Auditors analyze the consequences of computer viruses and other malicious programs. The consequences are manifested in a change in data that should not change. It is the fact of data changes that is a sign of malware activity from the point of view of the auditor. In other words, the auditors monitor the integrity of the data and, upon violation of integrity, decide on the presence of malicious programs in the computer environment.

Polyphages act differently. By analyzing data, they pick out fragments of malicious code (for example, by its signature) and on this basis conclude that malicious programs are present. Deleting or disinfecting data affected by a virus can prevent the negative consequences of the malware running. Thus, static analysis prevents the consequences that would arise at run time.

Both auditors and polyphages work in almost the same way: they compare data (or its checksum) with one or more reference samples. Data is compared with data. Therefore, to find a virus on a computer, the virus must already be running so that the consequences of its activity appear. In this way only known viruses, whose code fragments or signatures have been described in advance, can be found. Such protection can hardly be called reliable.

Process analysis

Antivirus tools based on process analysis work somewhat differently. Heuristic analyzers, as well as those described above, analyze data (on disk, in channel, in memory, etc.). The fundamental difference is that the analysis is carried out under the assumption that the analyzed code is not data, but commands (in computers with a Von Neumann architecture, data and commands are indistinguishable, therefore, when analyzing, one has to put forward this or that assumption.)

The heuristic analyzer selects the sequence of operations, assigns a certain hazard assessment to each of them, and decides on the aggregate of the danger whether this sequence of operations is part of the malicious code. The code itself is not executed.

Another type of antivirus tool based on process analysis is the behavioral blocker. Here the suspicious code is executed step by step until the set of actions it initiates is assessed as dangerous (or safe) behavior. The code is executed only partially, since once malicious code has run to completion its effects can be detected by the simpler data-analysis methods.

Virus Detection Technologies

The technologies used in antiviruses can be divided into two groups:

  • Signature Analysis Technologies
  • Probabilistic Analysis Technologies

Signature Analysis Technologies

Signature analysis is a method of detecting viruses that consists of checking files for the presence of virus signatures. It is the best-known detection method and is used in almost all modern antiviruses. To perform the check, the antivirus needs a set of virus signatures, which are stored in the antivirus database.

Because signature analysis checks files against virus signatures, the antivirus database must be updated periodically to keep the antivirus current. The very principle of signature analysis also defines the limits of its capability: it can detect only already known viruses, and a signature scanner is powerless against new ones.

On the other hand, having a virus signature opens the possibility of disinfecting infected files detected by signature analysis. However, disinfection is not applicable to all viruses: by their design, Trojans and most worms cannot be disinfected, since they are self-contained modules created to cause damage.

Competent implementation of the virus signature allows you to detect known viruses with one hundred percent probability.

Probabilistic Analysis Technologies

Probabilistic analysis technologies, in turn, are divided into three categories:

  • Heuristic analysis
  • Behavioral analysis
  • Checksum analysis

Heuristic analysis

Heuristic analysis is a technology based on probabilistic algorithms, the result of which is the detection of suspicious objects. The heuristic analysis process checks the structure of the file, its compliance with virus patterns. The most popular heuristic technology is to check the contents of the file for modifications to already known virus signatures and combinations thereof. This helps to identify hybrids and new versions of previously known viruses without additional updates to the antivirus database.

Heuristic analysis is used to detect unknown viruses and, as a result, does not involve disinfection. This technology cannot determine with 100% certainty whether the object in front of it is a virus and, like any probabilistic algorithm, suffers from false positives.

Behavioral analysis

Behavioral analysis is a technology in which a decision on the nature of the inspected object is made based on an analysis of the operations performed by it. Behavioral analysis is very narrowly applicable in practice, since most of the actions characteristic of viruses can be performed by ordinary applications. The most famous are behavioral analyzers of scripts and macros, since the corresponding viruses almost always perform a number of actions of the same type.

Protection tools built into the BIOS can also be classed as behavioral analyzers. When an attempt is made to change the computer's MBR, the analyzer blocks the action and shows a corresponding notification to the user.

In addition, behavioral analyzers can track attempts at direct file access, changes to the boot record of floppy disks, hard drive formatting, and so on.

Behavioral analyzers do not use additional objects like virus databases to work and, as a result, are unable to distinguish between known and unknown viruses - all suspicious programs are a priori considered unknown viruses. Similarly, the features of the tools implementing behavioral analysis technologies do not imply treatment.

Checksum analysis

Checksum analysis is a way to track changes in computer system objects. Based on the nature of the changes (simultaneity, mass occurrence, identical changes in file lengths) one can conclude that the system is infected. Checksum analyzers (also called change auditors), like behavioral analyzers, use no additional objects in their work and issue a verdict on the presence of a virus in the system solely by expert assessment. Similar technologies are used in on-access scanners: on the first check, a checksum is computed from the file and placed in a cache; before the next check of the same file the checksum is computed again and compared, and if nothing has changed the file is considered uninfected.
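A change auditor of the kind described in the CRC scanners section and in the checksum analysis paragraph above, as an added example (not code from TAdviser or any vendor): it records length, modification time and SHA-256 for every file, reports files that changed since the baseline, and shows the blind spot the text mentions, namely that a file absent from the baseline gets no verdict at all. The on-access cache is the second mechanism described above, skipping rescans while size and mtime are unchanged; the file names and contents are constructed for the demonstration, and the use of SHA-256 instead of a CRC is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_record(path: Path) -> dict:
    """What the auditor stores per file: length, modification time and checksum."""
    st = path.stat()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": sha256_of(path)}


def build_baseline(root: Path) -> dict:
    """Reference snapshot of every file under root, keyed by relative path."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit(root: Path, baseline: dict) -> dict:
    """Compare the current state of root with the baseline.

    'unknown' files are the blind spot: with no reference record the auditor
    cannot say whether such a file is clean or infected.
    """
    current = build_baseline(root)
    report = {"modified": [], "unknown": [], "missing": []}
    for rel, rec in current.items():
        ref = baseline.get(rel)
        if ref is None:
            report["unknown"].append(rel)
        elif rec["sha256"] != ref["sha256"]:
            report["modified"].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in current]
    return report


class OnAccessCache:
    """Skip rescanning a file whose size and mtime are unchanged since its last clean verdict."""

    def __init__(self):
        self._clean = {}

    def needs_scan(self, path: Path) -> bool:
        st = path.stat()
        return self._clean.get(str(path)) != (st.st_size, st.st_mtime_ns)

    def mark_clean(self, path: Path) -> None:
        st = path.stat()
        self._clean[str(path)] = (st.st_size, st.st_mtime_ns)


def demo() -> dict:
    """Baseline a constructed directory, then modify, drop and delete files and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.exe").write_bytes(b"MZ original program body")
        (root / "notes.txt").write_bytes(b"plain text")
        baseline = build_baseline(root)
        (root / "app.exe").write_bytes(b"MZ original program body + appended code")  # modified
        (root / "dropped.exe").write_bytes(b"MZ new file never seen before")         # unknown
        (root / "notes.txt").unlink()                                                # missing
        return audit(root, baseline)


def cache_demo() -> tuple:
    """Returns (scan needed at first sight, after clean verdict, after the file changed)."""
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "doc.pdf"
        f.write_bytes(b"%PDF-1.4 constructed sample")
        cache = OnAccessCache()
        first = cache.needs_scan(f)
        cache.mark_clean(f)
        second = cache.needs_scan(f)
        f.write_bytes(b"%PDF-1.4 constructed sample, now longer")  # size changes, so rescan
        third = cache.needs_scan(f)
        return first, second, third


if __name__ == "__main__":
    print(demo())
    print(cache_demo())
```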

Anti-virus systems

An antivirus complex is a set of antiviruses that use the same antivirus kernel or kernels, designed to solve practical problems of ensuring the antivirus security of computer systems. An antivirus complex necessarily also includes means of updating antivirus databases.

In addition, the antivirus complex can additionally include behavioral analyzers and change auditors that do not use the antivirus kernel.

The following types of antiviral complexes are distinguished:

  • Workstation Security Antivirus Suite
  • Antivirus suite to protect file servers
  • Anti-virus system for protecting mail systems
  • Antivirus system to protect gateways.

Cloud and traditional desktop antivirus: what to choose?

(Based on material from Webroot.com)

The modern antivirus market is primarily traditional desktop solutions, the protection mechanisms of which are based on signature methods. An alternative method of antivirus protection is the use of heuristic analysis.

Traditional Antivirus Software Issues

Recently, traditional antivirus technologies have become less and less effective and quickly become obsolete, for a number of reasons. The number of virus threats recognized by signatures is already so large that providing a timely, 100% update of signature databases on user computers is often unrealistic. Hackers and cybercriminals increasingly use botnets and other technologies that accelerate the spread of zero-day threats. In addition, no signatures are created for the viruses used in targeted attacks. Finally, new technologies are used to counter antivirus detection: encrypting malware, generating polymorphic viruses on the server side, and preliminary testing of the quality of a virus attack.

Traditional antivirus protection is most often built on a "thick client" architecture. This means that a large body of code is installed on the client computer; it checks incoming data and detects virus threats.

This approach has a number of drawbacks. First, scanning for malware and comparing signatures require substantial computing power that is "taken away" from the user. As a result, computer performance drops, and antivirus work sometimes interferes with the user's other applications. Sometimes the load on the user's system is so noticeable that users turn off antivirus programs, thereby removing the barrier to a potential virus attack.

Secondly, each update on the user's machine requires thousands of new signatures to be sent. The amount of data transmitted is usually about 5 MB per day per machine. Data transmission slows down the network, diverts additional system resources, requires the involvement of system administrators to control traffic.

Thirdly, users who are roaming or working away from their fixed workplace are defenseless against zero-day attacks. To receive an updated batch of signatures, they must connect to the corporate network via VPN, which is not always available to them remotely.

Anti-virus protection from the cloud

When you switch to antivirus protection from the cloud, the architecture of the solution changes significantly. A "lightweight" client is installed on the user's computer; its main function is to find new files, calculate their hash values and send the data to the cloud server. The full comparison is carried out in the cloud, against a large base of collected signatures. This database is constantly and promptly updated with data supplied by antivirus companies. The client receives a report with the results of the check.

Thus, the cloud architecture of anti-virus protection has a number of advantages:

  • the amount of computing on the user's computer is negligible compared to a thick client, so user productivity is not reduced;
  • antivirus traffic has no catastrophic impact on network throughput: a compact piece of data containing only a few dozen hash values is forwarded, and the average daily traffic volume does not exceed 120 KB;
  • cloud storage contains huge numbers of signatures, far more than are stored on user computers;
  • the signature comparison algorithms used in the cloud are significantly more intelligent than the simplified models used on the local station, and thanks to the higher performance it takes less time to compare data;
  • cloud antivirus services work with real-world data from antivirus labs, security developers, corporate and private users; zero-day threats are blocked as soon as they are recognized, without the delay caused by the need to reach user computers;
  • users who are roaming or have no access to their primary workplace are protected from zero-day attacks as long as they have Internet access;
  • the workload of system administrators is reduced, since they no longer spend time installing antivirus software on users' computers or updating signature databases.

Why traditional antiviruses can't cope

Modern malicious code can:

  • bypass antivirus traps, because a virus is built specifically for the target company;
  • evade detection before the antivirus produces a signature, using polymorphism, re-encoding, dynamic DNS and changing URLs.

In short: a virus made for a specific target, polymorphism, and code that nobody has seen yet, so there is no signature. Defending against this is hard.

2011 high-speed antiviruses

The Russian independent information and analytical center Anti-Malware.ru published in May 2011 the results of the next comparative test of the 20 most popular antiviruses for performance and consumption of system resources.

The purpose of this test is to show which personal antiviruses have the least impact on the user's typical operations on the computer, slow down his work less and consume a minimum amount of system resources.

Among antivirus monitors (real-time scanners), a whole group of products demonstrated very high speed, among them Avira, AVG, ZoneAlarm, Avast, Kaspersky Anti-Virus, Eset, Trend Micro and Dr.Web. With these antiviruses on board, the slowdown in copying the test collection was less than 20% compared to the benchmark. The BitDefender, PC Tools, Outpost, F-Secure, Norton and Emsisoft antivirus monitors also performed well, falling within the 30-50% range.

At the same time, Avira, AVG, BitDefender, F-Secure, G Data, Kaspersky Anti-Virus, Norton, Outpost and PC Tools in real conditions can be much faster due to the optimization of their subsequent checks.

Avira antivirus showed the best on-demand scan speed. Kaspersky Anti-Virus, F-Secure, Norton, G Data, BitDefender and Outpost were slightly behind it. In terms of first-scan speed these antiviruses are only slightly inferior to the leader, and all of them have powerful technologies for optimizing repeat checks in their arsenal.

Another important characteristic of the speed of the antivirus is its impact on the operation of applications with which the user often works. Five were chosen as such for the test: Internet Explorer, Microsoft Office Word, Microsoft Outlook, Adobe Acrobat Reader and Adobe Photoshop. The smallest slowdown in the launch of these office programs was shown by antiviruses Eset, Microsoft, Avast, VBA32, Comodo, Norton, Trend Micro, Outpost and G Data.

Market estimates

2024: The volume of the global antivirus market for the year reached $4.13 billion

In 2024, spending on the global antivirus software market amounted to $4.13 billion. Demand for such protective solutions is showing steady growth, according to a review by The Business Research Company, which TAdviser reviewed in early October 2025.

One of the main drivers of the industry is the deteriorating information security situation. The complexity and intensity of cyber attacks are constantly increasing. Attackers are improving their tactics by implementing personalized phishing campaigns and large-scale attacks aimed at stealing personal or confidential corporate data. Organizations around the world are increasingly becoming victims of ransomware groups that demand huge sums for recovering encrypted information and not disclosing it. In 2024, the number of cyber attacks on enterprises increased significantly. At the same time, a number of major leaks were recorded, including biometric data and trade secrets.

Artificial intelligence has a stimulating effect on the market. On the one hand, neural networks significantly increase the efficiency of antiviruses. AI algorithms are able to analyze huge streams of heterogeneous information at high speed, identifying suspicious activity, vulnerabilities and hidden threats. AI processes network traffic in real time and monitors anomalies that may indicate intrusion attempts. AI systems are able to adapt to changes and learn, which allows them to detect previously unknown threats. Neural networks also help automate many routine operations. But, on the other hand, AI technologies are actively adopted by cybercriminals: using neural networks, attackers generate malicious software code, create deepfakes, scan the IT systems of potential victims for vulnerabilities, conduct deeply personalized attacks, etc.

Another driver of the industry is the rapid expansion of the Internet of Things (IoT) ecosystem. As the number of devices connected to the wide-area network grows, the need for security solutions increases. Growing smartphone penetration also drives demand for antivirus products: according to Exploding Topics data released in mid-June 2025, there are 7.21 billion such gadgets worldwide. These devices account for 94.2% of all devices used for Internet access. Realizing the need to protect their data, smartphone owners are increasingly installing antivirus software.

From a geographical point of view, North America was the leader in antivirus sales in 2024. The highest growth rates are demonstrated by the European region. Significant industry players on a global scale are:

In 2025, the market size is expected to reach $4.19 billion. Analysts at The Business Research Company believe that in the future, the CAGR will be 6.5%. Thus, by 2029, costs may increase to $5.4 billion.[2]
