How do computer antiviruses know what a “virus” is?


From what I understand, AVs usually check a file’s hash in their database. This seems logical for viruses that spread from computer to computer, as multiple people having the same file would report the same effect.

But what about legitimate software used maliciously? Like a backup program that regularly uploads your files? Keyloggers? Or a virus that changes its own hash? Now that I think about it, I’ve written several pieces of code that could’ve easily turned into a virus and weren’t detected.

Do AVs actually do a good job at keeping your computers safe or do they just stop the commonly found viruses?


3 Answers

Anonymous

They make a tradeoff of detecting the suspicious code segments or behaviors while also allowing the users to do what they want with a system. Generally they err on the side of false positives, flagging too many things as viruses and allowing the user to override it if they are confident that the software is legitimate.

They do not just detect whole-file hashes, but can also analyze parts of files (e.g. contents of archives, large code blocks) or behavior. Very common false positives are in fact keyloggers, or e.g. cracking software that modifies registry keys in an unusual way to activate pirated software.

AVs do indeed do a better job on more commonly found things, but they’re not limited to some common set of files – they can stop entire categories of exploit chains, or large virus families with only minor changes from each other. They’re never 100%, but they work for most people most of the time.
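To make the three layers in this answer concrete, here is a toy scanner added as an example (it is not code from the original thread or from any real AV product). It shows why a whole-file hash misses a sample that differs by one byte, why a byte-pattern signature still catches the family, why the scanner has to look inside archives, and how a behaviour rule can separate a keylogger-like process from a backup tool that also uploads data. The sample bytes, hash database, signatures, event vocabulary and rule names are all constructed for the demonstration.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for a known-bad file. It is not real malware, only a byte
# string that lets the three matching layers below be compared on the same input.
KNOWN_BAD = b"CONSTRUCTED-SAMPLE-MARKER-payload-v1"
# The same sample with a single byte changed, as a self-modifying variant would be.
VARIANT = KNOWN_BAD.replace(b"v1", b"v2")

# Layer 1: whole-file hash database (constructed). Exact match only.
HASH_DB = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Constructed.Sample.A"}

# Layer 2: content signatures, i.e. byte patterns shared across a whole family.
SIGNATURES = {b"CONSTRUCTED-SAMPLE-MARKER": "Constructed.Sample.Family"}

# Layer 3: behaviour rules over observed actions (constructed event vocabulary).
# A rule fires only when every action in its set has been observed together.
BEHAVIOUR_RULES = {
    frozenset({"hook_keyboard", "network_upload"}): "Behaviour.KeyloggerLike",
    frozenset({"write_autostart", "disable_security_tool"}): "Behaviour.PersistenceLike",
}


def hash_lookup(data: bytes):
    """Layer 1: return the detection name if the exact file hash is known."""
    return HASH_DB.get(hashlib.sha256(data).hexdigest())


def signature_scan(data: bytes):
    """Layer 2: return the detection name of the first family signature found."""
    for pattern, name in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_blob(data: bytes, path: str = "<file>"):
    """Scan one byte blob; recurse into ZIP archives so packed content is seen."""
    verdicts = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                verdicts.extend(scan_blob(archive.read(member), f"{path}/{member}"))
        return verdicts
    name = hash_lookup(data) or signature_scan(data)
    if name:
        verdicts.append((path, name))
    return verdicts


def behaviour_verdict(events):
    """Layer 3: fire a rule only when every action it requires was observed."""
    seen = {event["action"] for event in events}
    for required, name in BEHAVIOUR_RULES.items():
        if required <= seen:
            return name
    return None


def make_zip(member_name: str, data: bytes) -> bytes:
    """Build an in-memory ZIP archive with one member (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, data)
    return buf.getvalue()


if __name__ == "__main__":
    print(hash_lookup(KNOWN_BAD))    # Constructed.Sample.A
    print(hash_lookup(VARIANT))      # None: one changed byte defeats the hash
    print(signature_scan(VARIANT))   # Constructed.Sample.Family
    print(scan_blob(make_zip("sample.bin", VARIANT), "bundle.zip"))
    backup_tool = [{"action": "read_files"}, {"action": "network_upload"}]
    keylogger = [{"action": "hook_keyboard"}, {"action": "network_upload"}]
    print(behaviour_verdict(backup_tool))  # None: uploading alone is not enough
    print(behaviour_verdict(keylogger))    # Behaviour.KeyloggerLike
```

The behaviour layer is where the tradeoff the answer describes lives: a rule that needed only `network_upload` would flag every backup program, while requiring the keyboard hook as well lets the backup tool through and still catches the keylogger-like combination.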
