2. Antivirus

Antivirus software is well known today and needs no definition. We will look into the internals of an antivirus engine. We won't write code here, but there will be references to some readily available code so that interested readers can research further. We will explain the concepts with respect to Windows.

Here is how an antivirus engine works. When a file arrives at a system, even before the file is written to disk, the antivirus picks it up if real-time scanning is enabled. The antivirus then calls its file scanning engine to scan the file against the signatures it has. If a signature matches, the file is deleted or quarantined. The user can also ask the antivirus to scan the system on demand; the antivirus can then scan the entire file system and process virtual memory. If it identifies malware, it takes action against it. This is called cleaning.

Antivirus software can have the following scanning engines:

  • File scanner
  • Memory scanner
  • Unpacker
  • Rootkit detector
  • Cleaning engine

The engines retrieve data and pass it through algorithms that identify patterns in that data. Common algorithms applied to this data are the following:

  • Hashing algorithms: SHA1, SHA2, MD5
  • Pattern matching algorithms

Signatures written for malware are passed through these algorithms. A signature can be unique to one file or can detect multiple files. A single signature that identifies multiple files with different contents is called a generic signature. Sometimes an antivirus has signatures that say a file is suspicious but cannot confirm that it is malicious. These signatures are termed heuristics.

We can use both hash and pattern matching to write a generic signature.
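The following is an added example, not code from the book, that shows the difference between the three signature kinds described above: an exact hash signature that identifies one file, a generic byte-pattern signature that identifies every variant sharing a marker, and a heuristic that only raises suspicion. All file contents, marker strings and signature names are constructed for the illustration.

```python
import hashlib
import re

# Constructed sample file contents (byte strings standing in for files; none of
# this is real malware). SAMPLE_A and SAMPLE_B are "variants" that share a fixed
# marker but differ elsewhere; SAMPLE_C is unrelated; SAMPLE_D only looks odd.
SAMPLE_A = b"MZ\x90\x00" + b"\x11" * 16 + b"MARKER-FAMILY-X v1" + b"\x00" * 8
SAMPLE_B = b"MZ\x90\x00" + b"\x22" * 40 + b"MARKER-FAMILY-X v7" + b"\xff" * 3
SAMPLE_C = b"MZ\x90\x00" + b"Hello, world. Ordinary program text.\n"
SAMPLE_D = b"MZ\x90\x00" + b"\x00" * 12 + b"padding"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Hash signature: exact match on one file's SHA-256. It identifies exactly one
# file; changing a single byte of the sample defeats it.
HASH_SIGNATURES = {sha256_hex(SAMPLE_A): "Family-X.A (hash)"}

# Pattern signatures as byte regexes. The generic one leaves the version digit
# as a wildcard, so it matches every variant that keeps the marker. The
# heuristic is a weak indicator (a long run of NUL bytes) and only marks the
# file suspicious, never malicious on its own.
PATTERN_SIGNATURES = [
    ("Family-X.gen (generic)", re.compile(rb"MARKER-FAMILY-X v\d"), "malicious"),
    ("Heur.LongNulRun", re.compile(rb"\x00{8,}"), "suspicious"),
]

def scan(data: bytes) -> dict:
    """Return the strongest verdict and the names of all matching signatures."""
    hits, verdict = [], "clean"
    name = HASH_SIGNATURES.get(sha256_hex(data))
    if name:
        hits.append(name)
        verdict = "malicious"
    for name, pattern, severity in PATTERN_SIGNATURES:
        if pattern.search(data):
            hits.append(name)
            # A heuristic hit never downgrades a malicious verdict.
            if severity == "malicious" or verdict == "clean":
                verdict = severity
    return {"verdict": verdict, "signatures": hits}

if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B),
                          ("C", SAMPLE_C), ("D", SAMPLE_D)):
        print(label, scan(sample))
```

Flipping one byte of SAMPLE_A outside the marker makes the hash signature miss while the generic signature still fires, which is exactly why a generic signature covers a whole family where a hash covers one file.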
