

What is a malware detection engine?

A malware detection engine is the bit of your antivirus software that actually identifies malicious programs.

The first viruses were experiments created by researchers and hobbyists, some of whom also made targeted antivirus programs designed to look for a specific virus and remove it if found.


The first broad-spectrum virus detection tools emerged in 1987 (from G Data, John McAfee and the founders of ESET) and looked for unique strings of code associated with particular viruses. They would also attempt to “immunise” a computer by modifying specific files to give viruses the impression that the system was already infected.

Viruses grew rapidly in number and complexity, with many introducing countermeasures designed to disable antivirus tools. Malware detection engines started looking for files’ cryptographic hash signatures instead of specific strings of code.

If every distinct file has a unique hash, a malicious file can be spotted whatever it is called, as long as its contents are byte-for-byte identical to the sample the hash was taken from. That exactness is the weakness as well as the strength: change a single byte and the hash is completely different, so a trivially modified copy goes undetected. Coincidental collisions, where two unrelated files happen to share a hash, are so improbable even with older algorithms such as MD5 that they are not a practical cause of misidentification (deliberately engineered MD5 and SHA-1 collisions are possible, which is why engines moved to SHA-256). When a clean file is wrongly flagged as malware, which we call a “false positive”, it is the signature entry that is at fault, not the maths.

Polymorphic viruses, designed to mutate their code each time they copied themselves while retaining their malicious payload, emerged to counter this. Detection engines answered with “heuristic scanning” which, rather than comparing a whole-file signature, disassembles the binary and looks for code fragments borrowed from existing malware and for known-malicious behaviour, making it more likely that new variants of malware will be detected.
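To make the difference between the two approaches concrete, here is a toy scanner written for this article (it is an added illustration, not code from any antivirus vendor). The three “files” are constructed byte strings, not real malware, and the signature names are made up. A hash signature catches only the exact original, while a wildcard byte-pattern signature, a much simplified version of the partial-code matching heuristic engines perform, catches the one-byte variant as well without touching the clean file.

```python
import hashlib
import re

# Constructed sample "files" for the demonstration; none of this is real malware.
# The payload region stands in for the bytes a polymorphic variant would mutate.
ORIGINAL = (
    b"MZ\x90\x00" + b"\x00" * 12             # stand-in header
    + b"PAYLOAD:" + b"\x01\x02\x03\x04"      # distinctive code we want to catch
    + b"\xcc" * 8 + b"END"
)
VARIANT = ORIGINAL.replace(b"\x01\x02\x03\x04", b"\x01\x02\xff\x04")  # one byte changed
CLEAN = b"MZ\x90\x00" + b"\x00" * 12 + b"hello world, nothing to see" + b"END"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash signatures: one entry per exact known-bad file (hypothetical detection name).
HASH_SIGNATURES = {sha256_hex(ORIGINAL): "Test.Sample.A"}

# Pattern signatures: hex bytes with '??' wildcards, a simplified YARA-style rule.
# This one matches "PAYLOAD:" 01 02 <any byte> 04, so it survives the mutation above.
PATTERN_SIGNATURES = {
    "Test.Sample.A.gen": "50 41 59 4c 4f 41 44 3a 01 02 ?? 04",
}


def compile_pattern(hex_pattern: str) -> re.Pattern:
    """Turn a wildcard hex pattern into a compiled bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '??' also matches 0x0a


COMPILED_PATTERNS = {name: compile_pattern(p) for name, p in PATTERN_SIGNATURES.items()}


def scan_by_hash(data: bytes):
    """Exact-match lookup: any change to the file defeats it."""
    return HASH_SIGNATURES.get(sha256_hex(data))


def scan_by_pattern(data: bytes):
    """Wildcard byte-pattern match: tolerant of the bytes marked '??'."""
    for name, regex in COMPILED_PATTERNS.items():
        if regex.search(data):
            return name
    return None


def scan(data: bytes) -> dict:
    """Run both detection methods and report what each one says."""
    return {"hash": scan_by_hash(data), "pattern": scan_by_pattern(data)}


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("variant", VARIANT), ("clean", CLEAN)):
        print(label, scan(sample))
```

Running it shows the hash signature firing only on the original, the pattern signature firing on the original and the variant, and neither firing on the clean file. Real engines carry many thousands of such rules and pair them with behavioural checks, but the trade-off is the same: the looser the pattern, the more variants it catches and the greater the risk of a false positive.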

“Real-time protection”, rather than on-demand scanning, became the norm, with antivirus tools on Windows in particular designed to scan new files, installations, connected storage and more automatically. As most PCs are now constantly connected to the internet, real-time malware detection has become much more important.

Antivirus programs also send potentially malicious files back to the vendor for further analysis, contributing to the accuracy of the signature databases provided to their users: the more users, the more samples. This is one reason for the dramatic improvement in Microsoft Defender’s accuracy in the Windows 10 era.

“Cloud antivirus” is now emerging thanks to the prevalence of both high-speed internet connections and massive online server power. Malware analysis is carried out remotely, reducing the load on individual devices, although you’ll find a few different definitions knocking around of what exactly constitutes “cloud antivirus”, depending on who’s trying to sell you what.


Right now, true cloud AV, with real-time analysis of suspect files carried out remotely, is mostly a feature of commercial endpoint protection for business. However, Google-owned VirusTotal provides cloud-based on-demand scanning through many different detection engines, via both its website and its browser extensions, and is designed to supplement rather than replace your computer’s usual antivirus setup.
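For readers who want to use a multi-engine service like this from a script rather than the website, here is an added example (not code from VirusTotal or from this article) that looks a file up by its SHA-256 hash using the public VirusTotal v3 file-report endpoint and boils the response down to a verdict count. Querying by hash rather than uploading the file means nothing leaves your machine, at the cost of only learning about files someone has already submitted. The sample response below is constructed in the shape of a v3 report; the engine names and detection labels in it are invented for the example.

```python
import hashlib
import json
import os
import sys
import urllib.request

VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"


def build_lookup_request(file_hash: str, api_key: str) -> urllib.request.Request:
    """Build (but do not send) a VirusTotal v3 file-report request keyed by hash."""
    return urllib.request.Request(
        VT_FILES_ENDPOINT + file_hash.lower(),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def summarize_report(report: dict) -> dict:
    """Reduce a v3 file report to a multi-engine verdict summary."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(name for name, r in results.items()
                     if r.get("category") in ("malicious", "suspicious"))
    return {
        "sha256": attrs.get("sha256"),
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "undetected": stats.get("undetected", 0),
        "flagged_by": flagged,
        "labels": sorted({r["result"] for r in results.values() if r.get("result")}),
    }


def lookup(file_hash: str, api_key: str, timeout: float = 10) -> dict:
    """Send the request and summarise the live response (needs network and an API key)."""
    req = build_lookup_request(file_hash, api_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return summarize_report(json.load(resp))


# Constructed response in the shape of a v3 file report. Engine names and
# detection labels are made up for the example, not real VirusTotal output.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample for the example").hexdigest()
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": SAMPLE_SHA256,
        "attributes": {
            "sha256": SAMPLE_SHA256,
            "last_analysis_stats": {
                "malicious": 2, "suspicious": 1, "undetected": 3, "harmless": 0,
                "timeout": 0, "type-unsupported": 0, "failure": 0, "confirmed-timeout": 0,
            },
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Generic.Example"},
                "EngineB": {"category": "malicious", "result": "Test.Sample.A"},
                "EngineC": {"category": "suspicious", "result": "Heur.Example"},
                "EngineD": {"category": "undetected", "result": None},
                "EngineE": {"category": "undetected", "result": None},
                "EngineF": {"category": "undetected", "result": None},
            },
        },
    }
}

if __name__ == "__main__":
    api_key = os.environ.get("VT_API_KEY")  # assumed environment variable for the example
    if api_key and len(sys.argv) > 1:
        print(lookup(sys.argv[1], api_key))   # live query for the hash given on the command line
    else:
        print(summarize_report(SAMPLE_REPORT))  # offline: summarise the constructed report
```

Without an API key the script just summarises the constructed report, which is enough to see the shape of the output: two engines call the file malicious, one suspicious, three see nothing. That spread is the normal case on a real multi-engine report, and it is why the FAQ below says to judge a suite by its overall performance rather than by a single engine’s verdict.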

FAQs

What engine is my antivirus software using?

Most antivirus software makers have their own detection engines, developed in house, although some combine their own detection tools with engines from other developers to improve accuracy. Antivirus firms that release both free and paid-for versions of their products almost invariably use the same malware engines in both.

F-Secure uses a combination of its own malware detection engine and one made by Avira (which continues to use and license its in-house engine since its acquisition by NortonLifeLock in 2021). However, the market is narrowing as larger developers buy each other out. For example, AVG and Avast use the same engine following Avast’s acquisition of AVG in 2016, with both brands now run by Avast. BullGuard previously used the widely licensed Bitdefender engine alongside its own protection modules, but now uses Avira’s engine.

How do I find out what engine my antivirus suite uses?

You can often find out which engine a particular antivirus suite uses by reading the maker’s announcements of partnership and OEM licensing deals, by looking through its installed files for identifying names (engine libraries and their copyright strings often name the licensor), or through reviews where journalists have asked vendors to declare the engines in use.

Does it matter which engine my antivirus software uses?

Yes and no. You want the best possible malware detection, but you should pay attention to an antivirus suite’s overall performance rather than to the components that go into it. See our reviews and my article on Understanding antivirus test results to help you identify the best AV suite for you.

Why trust our journalism?

Founded in 2004, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.

Today, we have millions of users a month from around the world, and assess more than 1,000 products a year.


Editorial independence

Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.


Professional conduct

We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.