Just as there are many variants and forms of electronic malware and Internet-based threats around the globe, so there are many forms of protection against these threats. Signature-based detection is one of the multifarious forms of defense that have been developed in order to keep us safe from malicious content.

Although signature-based detection can be argued to have been overshadowed by more sophisticated methods of protection in some environments, it remains as a core ‘technique’ featuring in the anti-virus controls of packages and suites that work to protect a user’s system today.

How does signature-based detection work?

Signature-based detection works by scanning the contents of computer files and cross-referencing their contents with the “code signatures” belonging to known viruses. A library of known code signatures is updated and refreshed constantly by the anti-virus software vendor.

If a viral signature is detected, the software acts to protect the user’s system from damage. Suspected files are typically quarantined and/or encrypted in order to render them inoperable and useless.

Clearly there will always be new and emerging viruses with their own unique code signatures. So once again, the anti-virus software vendor works constantly to assess and assimilate new signature-based detection data as it becomes available, often in real time so that updates can be pushed out to users immediately and zero-day vulnerabilities can be avoided.

Next-generation signature-based detection

New variants of computer virus are of course developed every day and security companies now work to also protect users from malware that attempts to disguise itself from traditional signature-based detection. Virus authors have tried to avoid their malicious code being detected by writing “oligomorphic“, “polymorphic” and more recently “metamorphic” viruses with signatures that are either disguised or changed from those that might be held in a signature directory.

Despite these developments, the Internet at large does of course still function on a daily basis. Populated as it is by users who not only have up to date security software installed, but also by those who have educated themselves as to the type of risks discussed here.