How does anti-malware work?

How does anti-malware work?

For the better part of 20 years, cybersecurity remained mostly under the public awareness radar. It was not exactly a topic for discussion at the Griswold family Christmas party.

Mom in 1995: You’re doing what, Timmy? Making antivirus? I thought you did something with computers, not medicine!

Fighting cybercrime fell squarely on the shoulders of computer scientist heroes.

Until now.

Now that cybersecurity is being covered in the news and talked about at the dinner table, people like you (and Timmy’s mom) are realizing they need to step up and join in the fight. They’re faced with important questions like: what’s a virus, what’s malware, what’s the difference between antivirus and anti-malware programs, and how does any of this work?

So let’s start at the beginning. How does anti-malware work? Before we can tell you that, we need to backtrack a little and explain about malware.

What is malware?

Malware is bad software, plain and simple. It’s code that was created for the purpose of doing something sinister to your computer. Most of the time, it infiltrates a person’s system without their knowledge.

There are many different types of malware, and here’s where it starts to get confusing. Types of malware were typically named not for what they do but how they attack the machine. This is because engineering nerds who were the first to encounter malware were more interested in the method of delivery instead of the end-goal—which is why one category of malware that “tricks” a system in order to invade it is called a Trojan horse and not, say, a data deleter.

Other types of malware include viruses, which infect legitimate files, backdoors, which can open programs and steal data from your computer, and rootkits, which can spy and collect passwords. One of the more dangerous forms of malware, aptly named ransomware, literally holds your files for ransom by encrypting them. If you pay up, you might get the decryption key to regain access to them. If you don’t, they’re unavailable forever.

Another form of malware that is perhaps a little less mal is called a Potentially Unwanted Program (PUP). “Potentially Unwanted Programs is a euphemism,” says Scott Wilson, Technical Product Manager at Malwarebytes. “These are programs you actually agree to install, but the agreement is generally obtained in a sneaky manner, such as having a pre-checked box on one of the many installation pages you need to click through. Many people find these programs to be annoying—interfering with your search behavior or displaying advertising on your computer are common behaviors—so anti-malware products help you deal with and remove such programs.”

So what, exactly, is anti-malware software?

Now that you know a little bit about malware, let’s discuss the programs that were designed to it fight off. Anti-malware is a piece of software that you knowingly install on your computer with the purpose of protecting your system from malware infiltration and infection. Anti-malware programs are able to do this in three ways: they detect malware on your computer, safely remove it, and clean up any of the damage to the computer that the malware may have caused.

In addition, some premium programs, like Malwarebytes Anti-Malware Premium, have malicious website blocking and real-time protection. In plain English, this means the programs block websites created with the intent of delivering malware as well as those that might be compromised by malware. It also means that the anti-malware runs continuously in the background so that if a piece of malware does try to install on your system, it steps in and shows the bad guys who’s boss.

How does anti-malware software do its job?


Many programs scan for malware using a database of known malware definitions (also called signatures). These definitions tell what the malware does and how to recognize it. If the anti-malware program detects a file that matches the definition, it’ll flag it as potential malware. This is a good way to remove known threats, but it does require regular updates to make sure the program doesn’t miss out on newly developed malware.


Another way anti-malware (AM) detects bad software is a form of analysis called heuristics. An alternative to database scanning, heuristic analysis allows anti-malware programs to detect threats that were not previously discovered. Heuristics identifies malware by behaviors and characteristics, instead of comparing against a list of known malware.

For example, if an application is programmed to remove important system files, the anti-malware software may flag it as malware (since applications should not be doing that). But, heuristic analysis can sometimes result in “false positives,” or programs flagged as malware that are actually legitimate.


A third way AM software can find malware is by running a program it suspects to be malicious in a sandbox, which is a protected space on the computer. The program believes it has full access to the computer when, in fact, it is running in an enclosed space while the anti-malware monitors its behavior. If it demonstrates malicious behavior, the anti-malware will terminate it. Otherwise, the program is allowed to execute outside the sandbox. However, some forms of malware are smart enough to know when they’re running in a sandbox and will stay on their best behavior…until they’re allowed free access to the computer. Sneaky little scoundrels.


Thankfully, anti-malware doesn’t just flag malware and be on its way. Once malware has been found on a system, it needs to be removed. Many threats can be deleted by the anti-malware program as soon as they are detected. However, some malware is designed to cause further damage to your computer if it is removed. If your anti-malware suspects this is the case, it will usually quarantine the file in a safe area of your computer’s storage. Basically, the anti-malware puts the malware in a timeout. Quarantining a malicious file prevents it from causing harm, and allows you to remove the file manually without damaging your computer.

So there you have it! That’s anti-malware in a nutshell. Now that you’re armed with this knowledge, you can calm your conspiracy theory uncle down when he worries about the hackers who are going to steal information from his online Christmas orders. The fact that he knows this is a possibility is a step in the right direction. And the fact that you can now educate him is a win in the fight against malware.


Wendy Zamora

Editor-at-Large, Malwarebytes Labs

Wordsmith. Card-carrying journalist. Lover of meatballs.