A malware detection engine is the bit of your antivirus software that actually identifies malicious programs.

The first viruses were experiments created by researchers and hobbyists, some of whom also made targeted antivirus programs designed to look for a specific virus and remove it if found.


The first broad-spectrum virus detection tools emerged in 1987 (made, respectively, by G Data, John McAfee and the founders of ESET) and looked for unique strings of code associated with particular viruses. They’d also attempt to “immunise” a computer by modifying specific files to give viruses the impression that the system was already infected.

Viruses grew rapidly in number and complexity, with many introducing countermeasures designed to disable antivirus tools. Malware detection engines started looking for files’ cryptographic hash signatures instead of specific strings of code.



If every binary file has a unique hash, it’s possible to spot a malicious file, regardless of what it’s called, as long as it contains the same data as the one you used to create the hash. In practice, particularly with older hashing algorithms, you can get the same hash from two entirely different files by sheer coincidence, leading to files being incorrectly identified as viruses – we call this a “false positive”.

Polymorphic viruses, designed to mutate their code each time they copied themselves while still retaining their malicious payload, emerged to counter this. Detection engines added “heuristic scanning” capabilities which, rather than checking an overall file signature, decompile binaries and look for known code from existing malware and known-malicious behaviour, making it more likely that new variants of malware will be detected.
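As an added illustration (not code from the original article), here is a small Python scanner, using constructed and inert sample bytes, that contrasts the two approaches just described: a whole-file hash signature, which a one-byte mutation defeats, and a byte-pattern signature of the kind the first scanners and later heuristic engines rely on, which survives the mutation. The sample bytes, signature entries and function names are all hypothetical.

```python
import hashlib

# Constructed sample "malware" body: an inert byte string standing in for a
# malicious binary. No real malware is involved.
SAMPLE_PAYLOAD = b"MZ\x90\x00fake-header\x00PAYLOAD:drop-and-run-v1\x00"

# Hash-signature database: SHA-256 digests of known-bad files (hypothetical).
HASH_SIGNATURES = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}

# String (byte-pattern) signatures, as early scanners used: a fragment of
# code that survives renaming and small edits elsewhere in the file.
STRING_SIGNATURES = [b"PAYLOAD:drop-and-run"]


def hash_match(data: bytes) -> bool:
    """Whole-file hash lookup: exact content match; the file name is irrelevant."""
    return hashlib.sha256(data).hexdigest() in HASH_SIGNATURES


def string_match(data: bytes) -> bool:
    """Pattern lookup: fires if any known-bad fragment appears anywhere in the file."""
    return any(sig in data for sig in STRING_SIGNATURES)


def scan(data: bytes) -> dict:
    """Report which detection methods fire for a file's contents."""
    return {"hash": hash_match(data), "string": string_match(data)}


# Case 1: the original sample saved under a different name. Only the bytes are
# hashed, so a rename changes nothing and both methods still match.
RENAMED_COPY = SAMPLE_PAYLOAD

# Case 2: a "polymorphic" variant. One byte of the header changes while the
# payload is intact: the hash signature misses it, the pattern signature does not.
MUTATED_COPY = SAMPLE_PAYLOAD.replace(b"\x90", b"\x91", 1)


if __name__ == "__main__":
    print("renamed copy:", scan(RENAMED_COPY))  # {'hash': True, 'string': True}
    print("mutated copy:", scan(MUTATED_COPY))  # {'hash': False, 'string': True}
```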

“Real-time protection”, rather than on-demand scanning, became the norm, with antivirus tools on Windows, in particular, designed to automatically scan new files, installations, connected storage and more. As most PCs are now constantly connected to the internet, real-time malware detection has become much more important.

Antivirus programs send potentially malicious files back home for further analysis, contributing to the accuracy of the databases provided to their users – the more users, the more samples. This is one reason for the dramatic improvement in Microsoft Defender’s accuracy in the Windows 10 era.

“Cloud antivirus” is now emerging thanks to the prevalence of both high-speed internet connections and massive online server power. Malware analysis is carried out remotely, reducing the load on individual devices, although you’ll find a few different definitions knocking around of what exactly constitutes “cloud antivirus”, depending on who’s trying to sell you what.


Right now, true cloud AV, with real-time analysis of suspect files carried out remotely, is most commonly a feature of commercial endpoint protection for business, but Google-owned VirusTotal provides cloud-based on-demand scanning through many different detection engines, available through both its website and its browser plug-ins, designed to supplement your computer’s usual antivirus setup.