What is a Virus Signature?


In the antivirus world, a signature is an algorithm or hash (a number derived from a string of text) that uniquely identifies a specific virus. Depending on the type of scanner being used, it may be a static hash which, in its simplest form, is a calculated numerical value of a snippet of code unique to the virus. Less commonly, the algorithm may be behavior-based: if this file tries to do X, Y, Z, flag it as suspicious and prompt the user for a decision.

Depending on the antivirus vendor, a signature may be referred to as a signature, a definition file, or a DAT file.

A single signature may be consistent with a large number of viruses. This allows the scanner to detect a brand new virus it has never even seen before. This ability is commonly referred to as either heuristics or generic detection. A generic detection is less likely to be effective against completely new viruses and more effective at detecting new members of an already known virus 'family' (a collection of viruses that share many of the same characteristics and some of the same code). The ability to detect heuristically or generically is significant, given that most scanners now include in excess of 250k signatures and the number of new viruses being discovered continues to increase dramatically year after year.
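The difference between a static hash signature and a generic family signature, as an added example that is not part of the original article. The sample "files", the snippet, and the detection names (Demo.Virus.A, Demo.Virus.Gen) are all constructed for illustration; a real scanner would hash file sections or whole files and use a far richer pattern language.

```python
import hashlib
import re
from typing import Optional

# Constructed sample "files" (illustrative byte strings, not real malware):
# a known sample, a later member of the same family, and a benign file.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b"CALL_EVIL(0x41)" + b"\x00" * 8 + b"PAYLOAD-A"
FAMILY_VARIANT = b"MZ\x90\x00" + b"\x00" * 20 + b"CALL_EVIL(0x7f)" + b"\x00" * 4 + b"PAYLOAD-B"
BENIGN_FILE = b"MZ\x90\x00" + b"\x00" * 16 + b"hello world" + b"\x00" * 8

# Static signature: the hash of a code snippet unique to the known sample.
SNIPPET = b"CALL_EVIL(0x41)"
STATIC_SIGNATURES = {hashlib.sha256(SNIPPET).hexdigest(): "Demo.Virus.A"}

# Generic (family) signature: a byte pattern whose wildcard covers the part
# that varies between family members, so unseen variants still match.
GENERIC_SIGNATURES = [(re.compile(rb"CALL_EVIL\(0x[0-9a-f]{2}\)"), "Demo.Virus.Gen")]


def static_scan(data: bytes, window: int = len(SNIPPET)) -> Optional[str]:
    """Hash every window of the file and look it up in the static signature table."""
    for i in range(len(data) - window + 1):
        digest = hashlib.sha256(data[i:i + window]).hexdigest()
        if digest in STATIC_SIGNATURES:
            return STATIC_SIGNATURES[digest]
    return None


def generic_scan(data: bytes) -> Optional[str]:
    """Match the file against family patterns; catches variants the hash misses."""
    for pattern, name in GENERIC_SIGNATURES:
        if pattern.search(data):
            return name
    return None


def scan(data: bytes) -> Optional[str]:
    """Exact static match first, then fall back to generic detection."""
    return static_scan(data) or generic_scan(data)


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", FAMILY_VARIANT), ("benign", BENIGN_FILE)]:
        print(label, "->", scan(sample))
```

The variant is missed by the static hash (a single byte differs) but caught by the generic signature, which is exactly the family-level detection the paragraph describes.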

The Recurring Need to Update

A new signature must be created each time a new virus is discovered that either is not detectable by an existing signature, or is detectable but cannot be properly removed because its behavior is not fully consistent with previously known threats.

After the new signature has been created and tested by the antivirus vendor, it is pushed out to the customer in the form of signature updates. These updates add the detection capability to the scan engine. In some cases, a previously provided signature might be removed or replaced with a new signature to offer better overall detection or disinfection capabilities.

Depending on the scanning vendor, updates may be offered hourly, daily, or sometimes even weekly. How often signatures need to be provided depends largely on the type of scanner, i.e. on what that scanner is charged with detecting. For example, adware and spyware are not nearly as prolific as viruses, so an adware/spyware scanner may only provide weekly signature updates (or even less often). Conversely, a virus scanner must contend with thousands of new threats discovered each month, and therefore signature updates should be offered at least daily.

Of course, it's simply not practical to release an individual signature for each new virus discovered, thus antivirus vendors tend to release on a set schedule, covering all of the new malware they have encountered during that time frame. If a particularly prevalent or menacing threat is discovered between their regularly scheduled updates, the vendors will typically analyze the malware, create the signature, test it, and release it out-of-band (which means, release it outside of their normal update schedule).

To maintain the highest level of protection, configure your antivirus software to check for updates as often as it will allow.

Keeping the signatures up to date doesn't guarantee a new virus will never slip through, but it does make it far less likely.
