1) Signature Detection - There are known patterns of viruses and the antivirus software looks for a match against one of these.
2) Behavior Detection - There are known patterns of normal behavior on the computer, and the antivirus software looks for deviations from this.
Each has certain weaknesses:
- With signature detection, a zero-day exploit (i.e. a virus that is new and therefore has no known signature) will not be caught by a blacklist of known viruses.
- With behavior detection, viruses that are designed to mimic normal network or application behavior will not be caught by heuristic/algorithm-based detection methods.
For defense-in-depth, then, we can see why employing a combination of both methods works best to protect against malware.
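To make the two layers and their blind spots concrete, here is an added toy example (my own code, not from this post) in Python. Layer 1 matches a blob against a blacklist of known hashes and byte patterns; layer 2 learns a per-feature mean and standard deviation from "normal" process activity and flags anything more than k standard deviations away. Every signature, baseline row and sample below is constructed for the illustration and is not real malware data; the feature names (`files_written`, `net_conns`, `procs_spawned`) are assumed telemetry fields, not a specific product's schema.

```python
"""Toy layered malware detection: signature blacklist plus behavioral baseline.
All signatures, baselines and samples are constructed for this example."""
import hashlib
import statistics
from typing import Dict, List

# --- Layer 1: signature detection (blacklist of known patterns) -------------
# Constructed byte-pattern signatures a scanner would look for inside a file.
BYTE_SIGNATURES: Dict[str, bytes] = {
    "Demo.Dropper.A": b"DEMO_DROPPER_PAYLOAD_v1",
    "Demo.Stealer.B": b"DEMO_STEALER_CONFIG{",
}
# Constructed whole-file hash signature (sha256 of a "known bad" sample).
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(b"MZ\x90\x00demo-known-bad-binary").hexdigest(): "Demo.Known.C",
}


def signature_scan(data: bytes) -> List[str]:
    """Return the names of every known signature found in the blob."""
    hits: List[str] = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


# --- Layer 2: behavior detection (deviation from a learned baseline) --------
# Constructed per-minute activity counts for processes observed during normal
# operation; one row per process.  Any anomaly is measured against these.
NORMAL_OBSERVATIONS = [
    {"files_written": 4, "net_conns": 2, "procs_spawned": 1},
    {"files_written": 6, "net_conns": 3, "procs_spawned": 0},
    {"files_written": 5, "net_conns": 1, "procs_spawned": 1},
    {"files_written": 3, "net_conns": 2, "procs_spawned": 0},
    {"files_written": 7, "net_conns": 4, "procs_spawned": 2},
    {"files_written": 5, "net_conns": 3, "procs_spawned": 1},
    {"files_written": 4, "net_conns": 2, "procs_spawned": 0},
    {"files_written": 6, "net_conns": 3, "procs_spawned": 1},
]


class BehaviorBaseline:
    """Per-feature mean and population standard deviation learned from normal activity."""

    def __init__(self, observations: List[Dict[str, int]], k: float = 3.0):
        self.k = k  # how many standard deviations count as "outside the bounds"
        self.stats: Dict[str, tuple] = {}
        for feature in observations[0]:
            values = [row[feature] for row in observations]
            self.stats[feature] = (statistics.mean(values), statistics.pstdev(values))

    def anomalies(self, observed: Dict[str, int]) -> List[str]:
        """Return the features whose value lies more than k standard deviations from the mean."""
        flagged: List[str] = []
        for feature, (mean, sd) in self.stats.items():
            # A zero-variance feature would flag every deviation; use a floor of 1 unit.
            spread = sd if sd > 0 else 1.0
            if abs(observed.get(feature, 0) - mean) > self.k * spread:
                flagged.append(feature)
        return flagged


BASELINE = BehaviorBaseline(NORMAL_OBSERVATIONS)


# --- Defense in depth: either layer is enough to raise the verdict ----------
def assess(data: bytes, behavior: Dict[str, int], baseline: BehaviorBaseline = BASELINE) -> dict:
    """Combine both layers; a sample is malicious if either layer fires."""
    sig_hits = signature_scan(data)
    beh_hits = baseline.anomalies(behavior)
    return {"signature_hits": sig_hits,
            "behavior_anomalies": beh_hits,
            "malicious": bool(sig_hits or beh_hits)}


if __name__ == "__main__":
    # Constructed samples: known-bad file, novel sample with noisy behavior,
    # and a novel sample that stays inside the normal envelope.
    cases = {
        "known bad": (b"MZ\x90\x00demo-known-bad-binary",
                      {"files_written": 5, "net_conns": 2, "procs_spawned": 1}),
        "novel, noisy": (b"MZ\x90\x00brand-new-sample-no-signature",
                         {"files_written": 400, "net_conns": 1, "procs_spawned": 0}),
        "novel, quiet": (b"MZ\x90\x00quiet-sample",
                         {"files_written": 5, "net_conns": 3, "procs_spawned": 1}),
    }
    for label, (blob, counts) in cases.items():
        print(label, "->", assess(blob, counts))
```

The three constructed cases in the `__main__` block map onto the text: the known-bad file is caught by the signature layer even though its behavior looks ordinary; the novel sample has no signature but writes 400 files a minute against a baseline mean of 5, so the behavior layer catches it; and the novel sample that stays inside the normal envelope is missed by both layers, which is exactly the gap the second bullet above describes and the reason neither layer should stand alone.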
It's interesting that these same techniques for recognizing bad computer actors can be used for identifying bad or dangerous people.
We can look for known signatures/patterns of evil, abusive, and violent behaviors and identify those people according to their bad actions.
Similarly, we generally know what "normal" looks like (within a range of standard deviations, of course) and people who behave outside those bounds could be considered as potentially dangerous to themselves or others.
Yes, we can't jump to conclusions with people -- we don't want to misjudge anyone or be overly harsh with them, but at the same time, we are human beings and we have a survival instinct.
So whether we're dealing with malware or malevolent individuals, looking at patterns of bad actors and significant deviations from the normal is helpful in protecting your data and your person. ;-)
(Source Photo: Andy Blumenthal)