What Is a Virus Signature?

In the antivirus world, a virus signature is an algorithm or hash (a number derived from a string of text) that uniquely identifies a specific virus.

How Do Virus Signatures Appear?

Depending on the type of scanner being used, it may be a static hash, which is a calculated numerical value of a snippet of code unique to the virus. Or, less commonly, the algorithm may be behavior-based; if, for example, this file tries to do something questionable, it's flagged as suspicious and the user is prompted for a decision. Depending on the antivirus vendor, a signature may be referred to as a signature, a definition file, or a DAT file.

A single signature may be consistent with a large number of viruses. This allows the scanner to detect a brand new virus it has never even seen before. This ability is commonly referred to as either heuristics or generic detection.

A generic detection is less likely to be effective against completely new viruses and more effective at detecting new members of an already known virus 'family' (a collection of viruses that share many of the same characteristics and some of the same code).

The ability to detect heuristically or generically is significant, given that most scanners now include in excess of 250k signatures and the number of new viruses being discovered continues to increase dramatically year after year.
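The difference between a static hash signature and a generic (family) signature, shown as an added example that is not part of the original article. The byte strings, detection names and pattern are constructed for illustration, and hashing the whole file rather than a snippet is a simplifying assumption.

```python
import hashlib
import re

# Constructed, harmless byte strings standing in for members of one virus "family".
SHARED_BODY = b"\x90\x90FAMILY-X-LOADER\x00"          # code the family has in common
VARIANT_A = b"MZ" + b"build-1001" + SHARED_BODY + b"payload-a"   # already analyzed
VARIANT_B = b"MZ" + b"build-2002" + SHARED_BODY + b"payload-b"   # never seen before
CLEAN_FILE = b"MZ" + b"build-3003" + b"ordinary program data"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Static hash signature: identifies exactly one known sample.
HASH_SIGNATURES = {sha256(VARIANT_A): "FamilyX.A"}

# Generic signature: a byte pattern shared across the family, with a
# bounded wildcard gap so small differences between members still match.
GENERIC_SIGNATURES = {
    "FamilyX.gen": re.compile(rb"\x90\x90FAMILY-X-.{1,16}?\x00", re.DOTALL),
}


def scan(data: bytes):
    """Return a detection name, or None when no signature matches."""
    exact = HASH_SIGNATURES.get(sha256(data))
    if exact:
        return exact                      # precise identification of a known sample
    for name, pattern in GENERIC_SIGNATURES.items():
        if pattern.search(data):
            return name                   # new member of a known family
    return None


if __name__ == "__main__":
    for label, blob in [("variant A", VARIANT_A),
                        ("variant B", VARIANT_B),
                        ("clean file", CLEAN_FILE)]:
        print(f"{label}: {scan(blob)}")
```

Variant B changes a few bytes, so its hash no longer matches, but the generic pattern still catches it; a file that shares none of the family's code is not flagged by either signature.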

The Reoccurring Need to Update

Each time a new virus is discovered that is not detectable by an existing signature, or might be detectable but cannot be properly removed because its behavior is not totally consistent with previously known threats, a new signature must be created. After the new signature has been created and tested by the antivirus vendor, it is pushed out to the customer in the form of signature updates. These updates add the detection capability to the scan engine. In some cases, a previously provided signature might be removed or replaced with a new signature to offer better overall detection or disinfection capabilities.

Depending on the scanning vendor, updates may be offered hourly, daily, or sometimes even weekly. How often signatures need to be provided varies with the type of scanner, i.e., with what that scanner is charged with detecting. For example, adware and spyware are not nearly as prolific as viruses, so an adware/spyware scanner may typically provide signature updates only weekly (or even less often). Conversely, a virus scanner must contend with thousands of new threats discovered each month, and therefore signature updates should be offered at least daily.

Of course, it's simply not practical to release an individual signature for each new virus discovered, thus antivirus vendors tend to release on a set schedule, covering all of the new malware they have encountered during that time frame. If a particularly prevalent or menacing threat is discovered between their regularly scheduled updates, the vendors will typically analyze the malware, create the signature, test it, and release it out-of-band (which means, release it outside of their normal update schedule).

To maintain the highest level of protection, configure your antivirus software to check for updates as often as it will allow. Keeping the signatures up to date doesn't guarantee a new virus will never slip through, but it does make it far less likely.

FAQ
  • What type of virus attempts to change its signature to prevent detection by antivirus programs?

    A polymorphic virus uses mutation engines to create modified versions of itself and avoid detection. It encrypts its code with every infection, and it changes the encryption key each time. Since it doesn't use static code, it can be difficult to spot and remove.

  • Where does a virus scanner download new virus signatures?

    Generally, new virus signatures are created and distributed by the makers of antivirus software. So if you're running Avast, for example, the Avast company releases new signatures in patches your software downloads and installs.

  • How do you get rid of Avast's virus email signature?

    If you use Avast's free antivirus software, you may see a "Virus-free" message at the bottom of your outgoing emails. If you want to disable this feature, open Avast and go to Menu > Settings > Protection > Core Shields > Configure shield settings > Mail Shield. Uncheck the box next to Add a signature to the end of sent emails.
