Antivirus software facts for kids

ClamTk 5.27
ClamTk, a free antivirus program, was first made in 2001.

Antivirus software (often called AV software) is a computer program. It helps keep your computer safe by stopping, finding, and removing harmful software. This harmful software is known as malware.

Antivirus software was first made to find and remove computer viruses. That's how it got its name! But now, there are many other types of malware. So, antivirus programs also protect against threats like bad websites, unwanted emails (spam), and phishing (tricky messages trying to steal your info).

History of Antivirus

Early Computer Viruses (Before Antivirus)

The idea of computer viruses goes back to 1949. But the first known computer virus appeared in 1971. It was called the "Creeper virus". This virus infected big computers called DEC PDP-10 mainframes.

A program called "The Reaper" was made to delete the Creeper virus. Some people think "The Reaper" was the first antivirus software. But it was actually a virus itself, designed only to remove Creeper.

More viruses followed. The first one seen "in the wild" (meaning outside of labs) was "Elk Cloner" in 1981. It infected Apple II computers.

In 1983, the term "computer virus" was first used by Fred Cohen. He described programs that could change other programs to include a copy of themselves.

The "Brain" virus appeared in 1986. It was the first widespread virus for IBM PC compatible computers. After that, the number of viruses grew very fast. Early viruses mostly just copied themselves. But later, viruses started to damage or destroy data on computers.

Before the internet was common, viruses spread through infected floppy disks. Antivirus software existed but was not updated often. It mainly checked files and disk parts. When the internet became popular, viruses started spreading online.

The First Antivirus Programs (1980s)

Many people claim to have made the first antivirus product. Bernd Fix is believed to have removed a virus called "Vienna virus" in 1987.

In 1987, companies like G Data Software and McAfee released their first antivirus products. John McAfee started his company, McAfee, and released VirusScan. Also, NOD antivirus was created in Czechoslovakia.

In 1987, Fred Cohen said that no program could perfectly find all possible computer viruses.

Later in 1987, the first "heuristic" antivirus tools came out. These tools tried to find new, unknown viruses by looking for suspicious actions.

In 1988, more antivirus companies started. Avira released AntiVir. Avast! and AhnLab also launched their first antivirus programs. Alan Solomon created Dr. Solomon's Anti-Virus Toolkit.

A mailing list called VIRUS-L started in 1988. People discussed new viruses and how to find and remove them. Many future antivirus leaders were part of this group.

In 1989, F-PROT Anti-Virus was created. Symantec launched its first antivirus for Macintosh computers. Sophos also began making antivirus products.

Antivirus Industry Grows (1990s)

In 1990, Panda Security was founded in Spain. Other antivirus programs like Pasteur and VirIT eXplorer also appeared.

The Computer Antivirus Research Organization (CARO) was formed in 1990. They tried to create a standard way to name viruses.

In 1991, Symantec released Norton AntiVirus. AVG Technologies and F-Secure also launched their first antivirus products. F-Secure was one of the first antivirus companies to have a website.

The European Institute for Computer Antivirus Research (EICAR) was founded in 1991. Its goal was to help with antivirus research.

In 1992, Dr.Web was released in Russia. By 1994, there were almost 30,000 different types of malware.

Other companies like Bitdefender (1996) and Kaspersky Lab (1997) were founded. In 1996, the first Linux virus, "Staog", appeared. By 1999, the number of malware samples grew to almost 100,000.

New Challenges (2000-2014)

In 2001, ClamAV was released. It was the first open-source antivirus engine to be sold commercially.

By 2005, there were over 330,000 unique malware samples. In 2007, over 5 million new malware samples appeared in just one year! By 2012-2013, antivirus companies reported 300,000 to 500,000 new malware samples every day.

Antivirus software needed new ways to detect threats:

  • Harmful code could hide in macros within documents (like Word files).
  • Dangerous programs could be hidden inside files that didn't seem harmful.
  • Email programs like Outlook Express could get infected just by opening or previewing a message.

In 2005, F-Secure created the first Anti-Rootkit technology. Rootkits are very sneaky malware that hide deep in a computer system.

Because most people are always online, cloud-based antivirus started to appear. This means the antivirus program on your computer sends suspicious files to a powerful online server to be checked. McAfee and AVG were among the first to offer this.

Modern Antivirus (2014-Present)

After 2013, new types of attacks called "zero-day attacks" became a big problem. These attacks use brand new weaknesses that antivirus software doesn't know about yet.

This led to "next-generation" antivirus programs. These use new methods like looking at how programs behave, artificial intelligence, and machine learning. Companies like Carbon Black, Cylance, and CrowdStrike became popular. Traditional antivirus companies like Trend Micro and Symantec also started adding these new features.

Since Windows 8, Windows Defender (Microsoft's own antivirus) is included for free. It has gotten much better at detecting threats.

Recently, many antivirus companies have joined together. For example, Avast bought AVG in 2016. Then, Norton's owner, Gen Digital, bought Avira and later Avast. This means many big antivirus brands are now owned by the same company.

How Antivirus Finds Malware

Even though it's impossible to find every single virus, antivirus programs use different ways to find most malware.

  • Sandbox Detection: This method runs suspicious programs in a safe, fake computer environment (a virtual machine). It watches what the program does. If it acts badly, the antivirus knows it's malware. This method is very good but can be slow.
  • Data mining Techniques: This uses smart computer algorithms to learn about files. It looks at many features of a file to decide if it's good or bad.

Signature-Based Detection

Older antivirus software mainly uses signatures to find malware.

When an antivirus company finds a new piece of malware, their experts study it. They create a unique "signature" for it. This signature is like a digital fingerprint. The antivirus software then adds this signature to its huge database. When it scans your computer, it looks for files that match these signatures.

But malware creators try to trick this. They make "polymorphic" or "metamorphic" viruses. These viruses change their code slightly each time they copy themselves. This makes it harder for them to match a known signature.

Heuristics

Many viruses are part of a "family." They are slightly different versions of the same basic virus. Heuristic detection helps find these virus families.

Antivirus researchers find common parts that all viruses in a family share. They create a "generic signature" that can catch many versions of the same virus. This signature might use wildcard characters for parts that change. This way, the scanner can find viruses even if they have extra, meaningless code. This method is called "heuristic detection."
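
Here is a small example added to this article (it is not code from any real antivirus product) that shows the two ideas above: an exact signature and a generic signature with wildcards. The pattern format, the signature names, and the sample bytes are all made up for this example, and the bytes are harmless.

```python
import re

MAX_GAP = 16  # longest run of "filler" bytes a '*' wildcard may skip

def compile_signature(pattern):
    """Turn a hex pattern into a bytes regex.

    Tokens (a made-up format for this example):
      'de'  one exact byte, written in hex
      '??'  any single byte
      '*'   any run of 0..MAX_GAP bytes
    """
    parts = []
    for token in pattern.split():
        if token == "??":
            parts.append(b".")
        elif token == "*":
            parts.append(b".{0,%d}?" % MAX_GAP)
        else:
            parts.append(re.escape(bytes.fromhex(token)))
    return re.compile(b"".join(parts), re.DOTALL)

# Signature database: name -> compiled pattern (constructed values).
SIGNATURES = {
    "Example.A (exact)": compile_signature("de ad be ef 01 02 03 04"),
    "Example.Family (generic)": compile_signature("de ad be ef * 01 ?? 03 04"),
}

def scan(data):
    """Return the names of every signature found in the file bytes."""
    return [name for name, sig in SIGNATURES.items() if sig.search(data)]

# Constructed sample "files": harmless bytes standing in for real ones.
ORIGINAL = b"HEAD" + bytes.fromhex("deadbeef01020304") + b"TAIL"
# Same family, but with three filler bytes added and one byte changed.
VARIANT = b"HEAD" + bytes.fromhex("deadbeef" "909090" "017f0304") + b"TAIL"
CLEAN = b"just an ordinary text file"

if __name__ == "__main__":
    for label, data in [("original", ORIGINAL), ("variant", VARIANT), ("clean", CLEAN)]:
        print(label, "->", scan(data) or "nothing found")
```

The exact signature misses the changed copy, but the generic one still catches it. If a generic signature is made too loose, it can also match safe files and cause a false alarm.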

Rootkit Detection

Antivirus software also tries to find rootkits. A rootkit is a type of malware that hides itself very well. It tries to take full control of your computer without being seen. Rootkits can change how your computer works and can even try to stop your antivirus program. They are very hard to remove, sometimes needing a full reinstall of your computer's operating system.

Real-Time Protection

Most antivirus programs offer "real-time protection." This is also called on-access scanning or resident shield. It means the antivirus is always running in the background. It constantly watches your computer for suspicious activity.

Real-time protection checks files as you open them. It scans apps as you install them. When you insert a USB drive, open an email, or browse the web, it checks for threats. If a file already on your computer is opened or run, it also gets scanned.

Things to Know About Antivirus

Unexpected Renewal Costs

Some antivirus programs automatically renew your subscription. This means they will charge your credit card again when your subscription ends. Companies like McAfee and Norton AntiVirus do this by default. You often have to cancel many days before your subscription runs out if you don't want it to renew.

Fake Antivirus Programs

Be careful! Some programs that look like antivirus software are actually malware themselves. They are called "rogue security applications." Examples include WinFixer and MS Antivirus. They try to trick you into paying for fake protection.

Problems from False Alarms

A "false positive" or "false alarm" happens when antivirus software thinks a safe file is malware. This can cause big problems. If the antivirus automatically deletes or quarantines (isolates) the "infected" file, it can break important parts of your computer's operating system or other programs. Fixing this can be difficult and costly.

Here are some examples of serious false alarms:

  • May 2007: A mistake by Symantec caused their antivirus to delete important Windows files. This made thousands of computers unable to start.
  • April 2010: McAfee VirusScan mistakenly identified a normal Windows file (svchost.exe) as a virus. This caused computers to keep restarting and lose internet access.
  • October 2011: Microsoft Security Essentials (MSE) removed the Google Chrome web browser. MSE thought Chrome was a banking trojan.
  • September 2022: Microsoft Defender flagged many popular apps like WhatsApp, Discord, and Spotify as dangerous threats.

Computer Performance Issues

Running antivirus software can sometimes slow down your computer. This is because it's always working in the background, checking files and activities.

Conflicts with Other Software

Running many antivirus programs at once can slow down your computer even more and cause problems. Sometimes, you need to turn off your antivirus when installing big updates for your computer or other programs. This helps avoid conflicts. For example, Microsoft suggests turning off antivirus when upgrading Windows.

Antivirus software can also interfere with some programs. For instance, TrueCrypt, a program for encrypting disks, warns that antivirus can make it work slowly or incorrectly. Games on platforms like Steam can also have performance issues.

How Effective is Antivirus?

Studies have shown that antivirus software is not always 100% effective, especially against new or "zero-day" attacks. In 2007, detection rates for new threats were only 20-30%.

The problem is that malware creators are getting smarter. They are often professionals working for criminal groups. Their goal is to steal money or information, not just to cause obvious damage. This makes their malware harder to spot.

No antivirus program can detect 100% of all viruses. The best ones might catch 99.9% in real-world tests. But they can also have false alarms, marking safe files as malware.

Many independent groups test antivirus software to see how well it works. These include AV-Comparatives, ICSA Labs, and AV-TEST.

New Viruses

Antivirus programs are not always good at catching brand new viruses. Malware designers often test their new viruses against popular antivirus software. They make sure their virus isn't detected before releasing it.

Some new viruses, especially ransomware, use "polymorphic code" to avoid detection. This means they change their code to look different each time. A security expert once said that these viruses can "get by well-known antivirus products very easily."

Researchers have even found viruses that use your computer's Graphics Processing Unit (GPU) to hide. This makes them much harder for antivirus software to find.

Rootkits

Finding rootkits is a big challenge. Rootkits have full control over your computer and can hide from users and even from the list of running programs. They can change how your computer works and even try to stop your antivirus program.

Damaged Files

If a file gets infected by a virus, antivirus software tries to remove the virus code. But it can't always fix the file perfectly. Sometimes, the file is too damaged to be repaired. In these cases, you might need to restore the file from a backup or reinstall the program.

Firmware Infections

Your computer's firmware (like the BIOS) can also get infected. This is a serious problem because antivirus software usually can't protect firmware. If your BIOS is infected, you might need to replace the chip to remove the malicious code. In 2014, researchers found that USB devices could also have infected firmware. This "BadUSB" malware can run on your computer before the operating system even starts, making it very hard to detect.

Other Ways to Stay Safe

While antivirus software is common, there are other ways to protect your computer.

Firewalls

Firewalls are like a security guard for your computer's network connection. They stop unknown programs from accessing your system. Firewalls don't find or remove malware, but they can block harmful software from getting in or sending information out. They protect against broader network threats.

Cloud Antivirus

Cloud antivirus uses a small program on your computer. Most of the heavy work of checking files is done by powerful servers online.

One way this works is by sending suspicious files to a "cloud" where many different antivirus programs check them at once. This can help find more threats. Cloud antivirus can also re-check old files if a new threat is found. This is great for devices that aren't powerful enough to do all the scanning themselves. Panda Cloud Antivirus and Immunet are examples.

Online Scanners

Some antivirus companies offer free online scanning tools on their websites. You can use these to scan your whole computer, specific folders, or single files. It's a good idea to do an online scan regularly, even if you have antivirus software. This is because malware sometimes tries to disable your installed antivirus. An online scanner can help you find threats that your regular antivirus might have missed.

Special Tools

There are also special tools to help remove stubborn infections. Examples include Windows Malicious Software Removal Tool and Kaspersky Virus Removal Tool.

A "rescue disk" is a special CD or USB drive that you can use to start your computer. It runs antivirus software outside of your normal operating system. This is useful if your computer won't start or if malware is stopping your regular antivirus from working. Examples include Trend Micro Rescue Disk and Kaspersky Rescue Disk.

Usage and Risks

A survey in 2009 found that about one-third of small businesses didn't use antivirus protection. But over 80% of home users had some kind of antivirus installed. Another survey in 2010 found that almost half of women didn't use any antivirus program.

Antivirus software Facts for Kids. Kiddle Encyclopedia.