Malicious software comes in many different forms. Viruses, worms, trojans, and advertising-related spyware and adware are the most common categories, and each category is in turn made up of many different types of threats. For example, within worms there are autorun worms, network worms, Internet worms and email worms. There are just as many methods of combating malware, and most of today's anti-malware scanners combine several of them. Following are four of the more commonly encountered approaches used in consumer-focused malware protection.
1. Signature Scanning
In the antivirus world, a signature is an algorithm or hash (a number derived from a string of bytes) that uniquely identifies a specific virus. Signature scanners look for known threats, that is, malware that has previously been analyzed and identified. They also offer some limited protection against unknown threats by looking for generic signatures that are typical of previously seen malware.
2. Behavior Blocking
In its simplest form, a behavior blocking tool monitors file activities and prevents certain modifications to the operating system or related files. For example, behavior blockers may monitor the system registry and warn users if a file being executed is attempting to modify it. Some programs, of course, do this legitimately, e.g. a setup program. Other files, however, may have been created with malicious intent. The key benefit of a behavior blocker is that it questions whether the action was expected and whether the user wants to allow it.
3. Whitelisting
Signature scanners work from a blacklist approach, i.e. blocking any known bad code. Whitelisting does the opposite -- identifying all known good items and allowing only those to run on a system. Whitelisting is seldom seen as a standalone solution; most view the practice as too expensive and time-consuming in standalone form to be practical. However, when a whitelist is used as an exception list (for example, to exclude known good files from signature scanning), it can streamline performance.
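As an added example (not code from the original article), here is a small Python scanner that combines the hash-based signature scanning of section 1 with the whitelist-as-exception-list idea of section 3: known-good hashes skip scanning, known-bad hashes are blocked outright, and a generic byte-pattern signature catches a repacked variant whose exact hash is unknown. Every sample file, hash and signature in it is constructed for illustration; none is real malware or real vendor data.

```python
import hashlib
import re

# Constructed sample "files" (not real malware). The leading bytes mimic a
# Windows executable header only so the samples look file-like.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00 analysed earlier, hash on blacklist DROPPER_STUB_v1"
VARIANT_SAMPLE = b"MZ\x90\x00 repacked, new hash, same family marker DROPPER_STUB_v2"
BENIGN_INSTALLER = b"MZ\x90\x00 vendor setup program, legitimately edits the registry"
UNKNOWN_FILE = b"MZ\x90\x00 never seen before and matches no known pattern"


def sha256(data: bytes) -> str:
    """Exact-match signature: the hash of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


# Blacklist: hashes of malware that was previously analysed and identified.
KNOWN_BAD_HASHES = {sha256(KNOWN_BAD_SAMPLE)}
# Generic signatures: a byte pattern typical of a whole family, so a variant
# with a different hash is still flagged (constructed pattern, constructed name).
GENERIC_SIGNATURES = {"dropper-stub-family": re.compile(rb"DROPPER_STUB_v\d+")}
# Whitelist used as an exception list: known-good hashes are never scanned.
KNOWN_GOOD_HASHES = {sha256(BENIGN_INSTALLER)}


def scan(data: bytes) -> str:
    """Classify a file's bytes. Order matters: the whitelist is checked first so
    known-good files skip the (more expensive) signature checks entirely."""
    digest = sha256(data)
    if digest in KNOWN_GOOD_HASHES:
        return "allowed:whitelist"
    if digest in KNOWN_BAD_HASHES:
        return "blocked:exact-signature"
    for family, pattern in GENERIC_SIGNATURES.items():
        if pattern.search(data):
            return f"suspicious:generic-signature:{family}"
    # On neither list and no generic match: the scanner has no opinion.
    return "unknown"


def scan_many(files: dict) -> dict:
    """Scan a name -> bytes mapping and return name -> verdict."""
    return {name: scan(data) for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in scan_many({"bad": KNOWN_BAD_SAMPLE, "variant": VARIANT_SAMPLE,
                                    "setup": BENIGN_INSTALLER, "new": UNKNOWN_FILE,
                                    "setup-tampered": BENIGN_INSTALLER + b"\x00"}).items():
        print(f"{name:15} {verdict}")
```

Note the "setup-tampered" case: a hash-based whitelist is exact, so a single changed byte in a whitelisted file drops it back to "unknown" and it must be re-approved, which is part of why maintaining a standalone whitelist is costly.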
4. Host Intrusion Prevention System (HIPS)
A host intrusion prevention system (HIPS) monitors each activity a program attempts and (depending on configuration) prompts the user for action or responds based on pre-defined criteria. HIPS offers very granular control over the system, and it is best suited for experienced users who have both the knowledge and the patience to answer the prompts and make the proper configuration choices.
