Signature Based Detection

Traditionally, antivirus software heavily relied upon signatures to identify malware. This can be very effective, but cannot defend against malware unless samples have already been obtained and signatures created. Because of this, signature-based approaches are not effective against new, unknown viruses.
When antivirus software scans a file for viruses, it checks the contents of a file against a dictionary of virus signatures. A virus signature is the viral code. If a virus signature is found in a file the antivirus software can resort to some combination of quarantine, repair or deletion. Quarantining a file will make it inaccessible, and is usually the first action antivirus software will take if a malicious file is found. Encrypting the file is a good quarantining technique because it renders the file useless without the encryption key.
Sometimes a user wants to save the content of an infected file because viruses can sometimes embed themselves in files, called code injection, and the file may be essential to normal operation. To do this, antivirus software will attempt to repair the file. To do this, the software will try to remove the viral code from the file. Unfortunately, some viruses might damage the file upon injection.
If a file repair operation fails, usually the best thing to do is to just delete the file. Deleting the file is necessary if the entire file is infected. This may be necessary in the case of infected ZIP files, or similar "packed" files.
Because new viruses are being created each day, the signature-based detection approach requires frequent updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company, allowing the virus to be analyzed and the signature added to the dictionary.
Signature-based antivirus software typically examines files when the computer's operating system creates, opens, closes, or e-mails them. In this way it can detect a known virus immediately upon receipt. System administrators can schedule antivirus software to scan all files on the computer's hard disk at a set time and date.
Although the signature-based approach can effectively contain virus outbreaks, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match virus signatures in the dictionary.
An emerging technique to deal with malware in general is whitelisting. Rather than looking for only known bad software, this technique prevents execution of all computer code except that which has been previously identified as trustworthy by the system administrator. By following this "default deny" approach, the limitations inherent in keeping virus signatures up to date are avoided. Additionally, computer applications that are unwanted by the system administrator are prevented from executing since they are not on the whitelist. Since organizations often have large quantities of trusted applications, the limitations of adopting this technique rests with the system administrators' ability to properly inventory and maintain the whitelist of trusted applications. Viable implementations of this technique include tools for automating the inventory and whitelist maintenance processes.