What you need to know about ‘Virus Signatures’

In the antivirus world, a signature is an algorithm or hash (a number derived from a string of data) that uniquely identifies a specific virus. Depending on the type of scanner used, this can be a static hash which, in its simplest form, is a numerical value calculated from a piece of code unique to the virus. Less commonly, the algorithm can be behavior based, i.e. if this file tries to do X, Y and Z, mark it as suspicious and ask the user to make a decision. Depending on the antivirus vendor, a signature may be referred to as a signature, a definition file, or a DAT file.

A single signature can match a large number of viruses. This allows the scanner to detect a new virus that it has never seen before. This capability is commonly known as heuristic or generic detection. A generic detection is less likely to be effective against entirely new viruses and more effective at detecting new members of an already known “family” of viruses (a collection of viruses that share many of the same characteristics and some of the same code). The ability to detect heuristically or generically is significant given that most scanners now include over 250,000 signatures and the number of new viruses discovered continues to rise dramatically year after year.
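As an added illustration (not code from the original article), here is a simplified Python scanner that contrasts the two kinds of static signature described above: an exact hash of a known sample, and a generic byte pattern with wildcards that also matches an unseen variant of the same family. The sample “files”, signature names and pattern are constructed for the example and are not real malware.

```python
import hashlib
import re

# Constructed sample "files" for illustration only; none of this is real malware.
# The family marker stays the same across variants, the version and key change.
ORIGINAL_SAMPLE = b"HDR0 ... FAMILY_X_LOADER v1.0 key=deadbeef ... END"
VARIANT_SAMPLE = b"HDR0 ... FAMILY_X_LOADER v1.7 key=0badf00d ... END"
BENIGN_SAMPLE = b"HDR0 ... hello world, nothing to see here ... END"


def static_hash(data: bytes) -> str:
    """Static signature in its simplest form: a hash of the whole file."""
    return hashlib.sha256(data).hexdigest()


# Exact-match signatures: one hash per known sample. Catches only that exact
# file; a single changed byte in a variant and the hash no longer matches.
HASH_SIGNATURES = {
    static_hash(ORIGINAL_SAMPLE): "FamilyX.A",
}

# Generic (family) signature: a byte pattern that fixes the code shared by the
# family and uses wildcards for the parts that vary between members.
GENERIC_SIGNATURES = {
    re.compile(rb"FAMILY_X_LOADER v\d+\.\d+ key=[0-9a-f]{8}"): "FamilyX.gen",
}


def scan(data: bytes) -> list[tuple[str, str]]:
    """Return (detection_type, name) for every signature that matches `data`."""
    hits = []
    name = HASH_SIGNATURES.get(static_hash(data))
    if name:
        hits.append(("hash", name))
    for pattern, name in GENERIC_SIGNATURES.items():
        if pattern.search(data):
            hits.append(("generic", name))
    return hits


if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL_SAMPLE),
                          ("variant", VARIANT_SAMPLE),
                          ("benign", BENIGN_SAMPLE)]:
        print(label, scan(sample))
```

The known sample is caught by both signatures, the variant only by the generic one, and the benign file by neither, which is exactly the gap that generic detection closes until a vendor ships a dedicated signature.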

The recurring need to update

Every time a new virus is discovered that is not detectable by an existing signature, or that may be detectable but cannot be successfully removed because its behavior is not entirely consistent with previously known threats, a new signature must be created. After the new signature has been created and tested by the antivirus vendor, it is delivered to customers in the form of signature updates. These updates add detection capability to the scanning engine. In some cases, a previously provided signature may be removed or replaced with a new signature to provide better overall detection or disinfection capabilities.

Depending on the antivirus vendor, updates may be offered hourly, daily, or even weekly. How often signatures need to be provided depends largely on the type of threat the scanner is responsible for detecting. For example, adware and spyware are not as prolific as viruses, so an adware/spyware scanner typically needs only weekly (or even less frequent) signature updates. In contrast, a virus scanner must deal with thousands of new threats discovered each month, and therefore its signature updates must be offered at least once a day.

Of course, it’s just not practical to release an individual signature for every new virus discovered, so antivirus vendors tend to release on a set schedule, covering all the new malware they have found during that period. If a particularly prevalent or dangerous threat is discovered between regularly scheduled updates, vendors typically analyze the malware, create the signature, test it, and release it out-of-band (i.e. outside their normal update schedule).

To maintain the highest level of protection, set your antivirus software to check for updates as often as possible. Keeping signatures up to date doesn’t guarantee that a new virus will never slip through, but it makes it much less likely.