The most important defense against viruses and malicious code is a virus scanner. A virus scanner is essentially software that tries to prevent a virus from infecting your system. Many antivirus applications scan incoming email or incoming network traffic. They also scan removable media such as USB drives to provide enhanced protection. In general, virus scanners work in two ways.
The first method relies on a list of all known virus files. One of the services virus scanner vendors offer is periodic updating of this list: they discover viruses, add them to the list, and keep it constantly updated. The list is usually contained in a small file called a .dat file (short for data). When you update your virus definitions, the antivirus on your system replaces its current file with the newer one from the vendor's website.
The antivirus program then scans your computer, network, and incoming email for known virus files. It compares each file on your computer or attached to an email with the virus definition file and looks for matches. Email scanning can be done by searching for specific subject lines and content. Known virus files usually have specific phrases in the subject line and in the body of the messages they are attached to.
Scanning against a list of known viruses alone will yield many undesirable results, which we call false positives. Therefore, the virus scanner examines attachments to see whether they have a specific size and creation date that match a known virus, or whether they contain known viral code. File size, creation date, and location are telltale signs of a virus. Depending on your virus scanner's settings, you may be prompted to take certain actions, the file may be moved to a quarantine folder, or the file may be deleted directly. This type of virus scan works only when the virus scanner's .dat file is up to date, and only for known viruses.
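The list-based method described above can be sketched in a few lines of Python. This is an added example, not code from any antivirus product: the definition layout, signature names, and sample files are all constructed for illustration, and the marker bytes are inert.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

MARKER = b"HARMLESS-DEMO-MARKER"               # constructed, inert byte pattern
SAMPLE_A = b"attachment:" + MARKER + b":end"   # constructed "known" file A
SAMPLE_B = b"constructed sample B"             # constructed "known" file B

# Stand-in for the vendor's definition (.dat) file; the layout is hypothetical.
DEFINITIONS = [
    {"name": "Demo.Sig.A", "size": len(SAMPLE_A), "pattern": MARKER},
    {"name": "Demo.Sig.B", "sha256": hashlib.sha256(SAMPLE_B).hexdigest()},
]

def match_definition(data, definitions=DEFINITIONS):
    """Return the name of the first definition the content matches, else None."""
    digest = hashlib.sha256(data).hexdigest()
    for d in definitions:
        if "size" in d and len(data) != d["size"]:
            continue  # size must agree too, which cuts false positives
        if d.get("sha256") == digest or ("pattern" in d and d["pattern"] in data):
            return d["name"]
    return None

def scan_directory(root, quarantine, definitions=DEFINITIONS):
    """Move every matching file under root into quarantine; return {file: signature}."""
    quarantine.mkdir(parents=True, exist_ok=True)
    hits = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        name = match_definition(path.read_bytes(), definitions)
        if name:
            shutil.move(str(path), str(quarantine / path.name))
            hits[path.name] = name
    return hits

def demo():
    """Scan four constructed files; return (hits, files left in place)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "inbox"
        root.mkdir()
        (root / "invoice.doc").write_bytes(SAMPLE_A)             # known: size + pattern
        (root / "photo.jpg").write_bytes(SAMPLE_B)               # known: exact hash
        (root / "notes.txt").write_bytes(b"mentions " + MARKER)  # pattern only, wrong size
        (root / "report.txt").write_bytes(b"not in the list")    # unknown content
        hits = scan_directory(root, Path(tmp) / "quarantine")
        return hits, sorted(p.name for p in root.iterdir())

if __name__ == "__main__":
    print(demo())
```

The file that merely mentions the marker is left alone because its size does not match, and the file that is not in the list is never flagged, which is the limitation noted above: only known entries are detected.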
The second way a virus scanner works is to monitor your system for the typical behavior of a virus. It watches for actions that attempt to write to the boot sector of a hard drive, modify system files, modify the system registry, automate e-mail software, or self-replicate. Another technique that virus scanners often use is to search for files that remain in memory after their execution. Such a file is called a Terminate and Stay Resident (TSR) program. Some legitimate programs do this too, but it's usually a symptom of a virus.