Internet, Networking, & Security Antivirus What Is a Virus Signature? by Mary Landesman Writer Mary Landesman is a former freelance contributor to Lifewire and a security expert. She was named as one of the women to watch in IT security. our editorial process LinkedIn Mary Landesman Updated on September 25, 2019 David Gould / Photographer's Choice RF / Getty Images Antivirus Browsers Cloud Services Error Messages Family Tech Home Networking 5G Antivirus VPN Web Development Around the Web View More Tweet Share Email In the antivirus world, a virus signature is an algorithm or hash (a number derived from a string of text) that uniquely identifies a specific virus. How Do Virus Signatures Appear? Depending on the type of scanner being used, it may be a static hash, which is a calculated numerical value of a snippet of code unique to the virus. Or, less commonly, the algorithm may be behavior-based; if, for example, this file tries to do something questionable, it's flagged as suspicious and the user is prompted for a decision. Depending on the antivirus vendor, a signature may be referred to as a signature, a definition file, or a DAT file. A single signature may be consistent with a large number of viruses. This allows the scanner to detect a brand new virus it has never even seen before. This ability is commonly referred to as either heuristics or generic detection. A generic detection is less likely to be effective against completely new viruses and more effective at detecting new members of an already known virus 'family' (a collection of viruses that share many of the same characteristics and some of the same code). The ability to detect heuristically or generically is significant, given that most scanners now include in excess of 250k signatures and the number of new viruses being discovered continues to increase dramatically year after year. The Reoccurring Need to Update Each time a new virus is discovered that is not detectable by an existing signature, or might detectable but cannot be properly removed because its behavior is not totally consistent with previously known threats, a new signature must be created. After the new signature has been created and tested by the antivirus vendor, it is pushed out to the customer in the form of signature updates. These updates add the detection capability to the scan engine. In some cases, a previously provided signature might be removed or replaced with a new signature to offer better overall detection or disinfection capabilities. Depending on the scanning vendor, updates may be offered hourly, or daily, or sometimes even weekly. Much of the need to provide signatures vary with the type of scanner it is, i.e. with what that scanner is charged with detecting. For example, adware and spyware are not nearly as prolific as viruses, thus typically an adware/spyware scanner may only provide weekly signature updates (or even less often). Conversely, a virus scanner must contend with thousands of new threats discovered each month and therefore, signature updates should be offered at least daily. Of course, it's simply not practical to release an individual signature for each new virus discovered, thus antivirus vendors tend to release on a set schedule, covering all of the new malware they have encountered during that time frame. If a particularly prevalent or menacing threat is discovered between their regularly scheduled updates, the vendors will typically analyze the malware, create the signature, test it, and release it out-of-band (which means, release it outside of their normal update schedule). To maintain the highest level of protection, configure your antivirus software to check for updates as often as it will allow. Keeping the signatures up to date doesn't guarantee a new virus will never slip through, but it does make it far less likely.