Traditional antivirus packages are pattern matching. What does pattern matching antivirus mean? Well, when a virus file gets access to your computer, network or device, there will be certain characteristics to that file. Your antivirus looks at the first part of that file, the first few bytes or megabytes, and compares it to a giant list of known viruses. That way, it can flag that something might be wrong, quarantine the file, and protect your system from the attack. That’s great, and it’ll catch maybe 95% of viruses.
Here comes the problem: viruses and antivirus have been around for a while now. Viruses first started reaching consumers 40 years ago, so there’s been a lot of time for those viruses to develop. Hackers and those wanting to release malware have had a lot of time to grow smarter, experiment, and discover the best way to write these files to avoid antivirus. They do something called obfuscation, meaning that the malware can mutate: it changes and rewrites itself to hide from an antivirus that only really cares about the first few bytes of the file.
So how have modern antivirus and security companies solved this problem? Before running any file, the newer antivirus puts the file in a type of fortress. We call that fortress a sandbox. The antivirus allows the possibly dangerous software to run inside this fortress, and sits and watches what it tries to do. If it looks like it’s acting like a virus, the antivirus quarantines it and disables the file. This is a much smarter way of stopping malware attacks: instead of looking at what a tiny part of the file contains, it looks at what the file is trying to do!
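To make the contrast concrete, here is an added toy example (not code from the original post) that puts a prefix-based signature scanner next to a behaviour-based verdict of the kind a sandbox would produce. The signature list, the two file samples and the recorded action trace are all constructed for illustration; one changed byte in the header is enough to slip past the prefix match, while the behaviour rule still fires because the sample does the same things when run.

```python
"""Toy contrast: prefix signature matching versus sandbox behaviour rules."""
from typing import Dict, List, Optional, Set

# Constructed signature list: family name -> leading bytes the scanner expects.
SIGNATURES: Dict[str, bytes] = {
    "Example.Dropper": b"MZ\x90\x00EXAMPLE-SIG",
}

# Constructed list of actions a sandbox would treat as suspicious when observed.
SUSPICIOUS_BEHAVIOURS: Set[str] = {
    "write_autostart_key",
    "disable_security_tool",
    "inject_into_process",
    "encrypt_user_files",
}


def signature_scan(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> Optional[str]:
    """Pattern matching: compare only the start of the file against known prefixes."""
    for name, prefix in signatures.items():
        if data.startswith(prefix):
            return name
    return None  # nothing matched, even if the rest of the file is identical to a known sample


def behaviour_verdict(trace: List[str], threshold: int = 2) -> bool:
    """Sandbox style: flag the sample once it performs `threshold` suspicious actions."""
    hits = SUSPICIOUS_BEHAVIOURS.intersection(trace)
    return len(hits) >= threshold


# Constructed samples: the "mutated" one differs from the known one by a single header byte.
KNOWN_SAMPLE = b"MZ\x90\x00EXAMPLE-SIG" + b"\x00" * 64
MUTATED_SAMPLE = b"MZ\x90\x00EXAMPLE-SIH" + b"\x00" * 64

# Constructed action trace: what the sandbox observed both samples doing when executed.
OBSERVED_TRACE = ["read_config", "write_autostart_key", "disable_security_tool", "connect_out"]


def classify(data: bytes, trace: List[str]) -> Dict[str, object]:
    """Return both verdicts side by side for one sample."""
    return {
        "signature": signature_scan(data),
        "behaviour_flagged": behaviour_verdict(trace),
    }


if __name__ == "__main__":
    print("known:  ", classify(KNOWN_SAMPLE, OBSERVED_TRACE))
    print("mutated:", classify(MUTATED_SAMPLE, OBSERVED_TRACE))
```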