What is a malware detection engine?

A malware detection engine is the part of your antivirus software that actually identifies malware.

Early viruses were experiments created by researchers and hobbyists, some of whom also created targeted antivirus programs designed to search for a specific virus and remove it if found.


The first broad-spectrum virus detection tools appeared in 1987 (made by G Data, John McAfee and the founders of ESET respectively). They looked for unique strings of code associated with particular viruses, and would also attempt to “immunize” a computer by modifying specific files to give viruses the impression that the system was already infected.

Viruses then grew rapidly in both number and complexity, and many began to include countermeasures designed to disable anti-virus tools. Detection engines started matching files by cryptographic hash rather than by specific code strings.

If each binary file has a unique hash, a malicious file can be spotted regardless of its name, as long as its contents are byte-for-byte identical to the sample used to create the hash. The weakness is the flip side of that precision: change a single byte and the hash no longer matches. Misidentifying a clean file as malware is a “false positive”; with hash signatures this usually comes from a legitimate file’s hash finding its way into the database, since accidental collisions between unrelated files are vanishingly unlikely even with older algorithms such as MD5 (their known weaknesses are to deliberately engineered collisions, not to coincidence).

Polymorphic viruses, which mutate their code each time they copy themselves while retaining their malicious payload, emerged to counter this. Detection engines responded by adding “heuristic analysis”: rather than relying on a single whole-file signature, they disassemble or emulate binaries and search for code fragments and behaviours known from existing malware, which lets them detect new variants that have never been hashed.
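To make the progression concrete, here is a small Python model of the three detection layers described above: a whole-file hash signature, a code-string signature, and a heuristic that recognises a self-decoding variant, unpacks it the way an emulator would, and then scans the decoded bytes. It is an added illustration, not code from the original article or from any vendor’s engine; the “binaries”, the decoder-stub marker and the payload string are constructed for the demo and stand in for real headers and opcodes.

```python
import hashlib

# Constructed sample "binaries" for the demo: not real malware, just byte strings
# with a fake header and a payload string standing in for malicious code.
HEADER = b"MZ\x90\x00"
PAYLOAD = b"PAYLOAD:open(cmd.exe)"
ORIGINAL = HEADER + PAYLOAD + b"\x00" * 8
VARIANT = HEADER + b"\x90" + PAYLOAD + b"\x00" * 8  # same code, one padding byte inserted
BENIGN = HEADER + b"Hello, world" + b"\x00" * 8

# Layer 1: whole-file hash signature (SHA-256 of the known sample).
KNOWN_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}


def hash_match(data: bytes) -> bool:
    """Exact match only: any change to the file defeats this."""
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES


# Layer 2: code-string signature, a byte sequence lifted from the known sample.
KNOWN_STRINGS = [PAYLOAD]


def string_match(data: bytes) -> bool:
    """Also matches the variant, because the payload bytes are unchanged."""
    return any(s in data for s in KNOWN_STRINGS)


# Constructed polymorphic format: a fixed "decoder stub" marker (stand-in for the
# real stub's opcodes), a one-byte XOR key, a 2-byte length, then the encoded payload.
STUB = b"\xeb\x07DECODE"


def polymorph(payload: bytes, key: int) -> bytes:
    """Produce a fresh copy whose encoded bytes differ for every key in 1..255."""
    if not 1 <= key <= 255:
        raise ValueError("key 0 would leave the payload in the clear")
    encoded = bytes(b ^ key for b in payload)
    return HEADER + STUB + bytes([key]) + len(encoded).to_bytes(2, "little") + encoded


# Layer 3: heuristic. Recognise the decoder stub, perform the decode step the way an
# emulator would, then run the existing string signatures over the decoded bytes.
def heuristic_match(data: bytes) -> bool:
    i = data.find(STUB)
    if i == -1:
        return False
    p = i + len(STUB)
    key = data[p]
    n = int.from_bytes(data[p + 1:p + 3], "little")
    decoded = bytes(b ^ key for b in data[p + 3:p + 3 + n])
    return string_match(decoded)


def classify(data: bytes) -> str:
    """Apply the layers in the order engines historically added them."""
    if hash_match(data):
        return "hash"
    if string_match(data):
        return "string"
    if heuristic_match(data):
        return "heuristic"
    return "clean"


if __name__ == "__main__":
    samples = [
        ("original", ORIGINAL),
        ("variant", VARIANT),
        ("poly-5A", polymorph(PAYLOAD, 0x5A)),
        ("poly-3C", polymorph(PAYLOAD, 0x3C)),
        ("benign", BENIGN),
    ]
    for name, sample in samples:
        print(f"{name:9s} {classify(sample)}")
```

Running it shows the escalation the article describes: the original sample is caught by its hash, the one-byte variant slips past the hash but is caught by the code string, and the two polymorphic copies (which share no bytes with each other or with the original payload) are only caught once the heuristic layer undoes the decoder and scans what it produces.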

“Real-time protection”, rather than on-demand scanning, has become the norm, with antivirus tools on Windows in particular designed to automatically scan new files, installations, connected storage, and more. Since most PCs are now permanently connected to the Internet, real-time malware detection has become much more important.

Antivirus programs send potentially malicious files home for further analysis, thus contributing to the accuracy of the databases provided to their users – the more users, the more samples. This is one of the reasons for Microsoft Defender’s dramatically improved accuracy in the Windows 10 era.

“Cloud antivirus” is emerging thanks to the prevalence of high-speed Internet connections and the massive power of online servers. Malware scanning is done remotely, reducing the load on individual devices, although you’ll find a few different definitions of what exactly constitutes “cloud antivirus”, depending on who’s trying to sell you what.


Currently, true cloud AV, with real-time scanning of suspicious files performed remotely, is most often a feature of commercial endpoint protection for enterprises. Google-owned VirusTotal, however, provides cloud-based on-demand scanning through many different detection engines, available both on its website and through browser plug-ins, and is designed to complement your computer’s regular antivirus setup rather than replace it.

FAQs

What engine does my antivirus software use?

Most anti-virus software manufacturers have their own detection engines, developed in-house, although some combine their own detection tools with engines from other developers to improve accuracy. Antivirus companies that release both free and paid versions of their products almost invariably use the same malware engines in both cases.

F-Secure uses a combination of its own malware detection engine and one made by Avira (which has continued to use and license its in-house engine since its acquisition by NortonLifeLock in 2021). However, the pool of independent engines is shrinking as big developers buy each other out. For example, AVG and Avast use the same engine following the merger of the two companies in 2017 under the Avast name. BullGuard previously used the widely licensed Bitdefender engine alongside its own protection modules, but now uses Avira’s engine.

How do I know which engine my antivirus suite uses?

You can often tell which engine a particular anti-virus suite uses by reading its manufacturer’s OEM and partnership agreements, looking through its files to identify names, or looking at reviews where journalists have asked vendors to declare the engines used.

Does it matter which engine my antivirus software uses?

Yes and no. You want the best possible malware detection, but you need to pay attention to the overall performance of antivirus suites rather than the components that make them up. Check out our reviews and my article on Understanding antivirus test results to help you identify the best antivirus suite for you.
