Scanners are extremely effective at detecting known viruses. Scanners
are not intended to detect new viruses (i.e., any virus discovered
after the program was released) and any such detection
will result in misidentification. Scanners enjoy
an especially high level of user acceptance because
they name the virus or virus family. However, this can be undermined
by the occurrence of false positives.

The strength of a scanner is highly dependent upon the quality
and timeliness of the signature database. For viruses requiring algorithmic
methods, the quality of the algorithms used will be crucial.

The major strengths of scanners are:
- Up-to-date scanners can be used to reliably detect more than 95 percent
of all virus infections at any given time.
- Scanners identify both the infected executable and the virus
that has infected it. This can speed the recovery process.
- Scanners are an established technology, utilizing highly efficient
algorithms.
- Effective use of scanners usually does not require any special knowledge
of the computer system.

The major limitations of scanners are:
- A scanner only looks for viruses that were known at the time
its database of signatures was developed. As a result, scanners are prone to
false negatives. The user interprets "No virus detected" as
"No virus exists." These are not equivalent statements.
- Scanners must be updated regularly to remain effective.
Distribution of updates can be a difficult and time-consuming
process.
- Scanners do not perform precise identification. As a result,
they are prone to false positives and misidentification.
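
The limitations listed above can be seen in a toy byte-pattern scanner. This is an added example, not code from the original guide; the signature names, byte patterns, database versions and samples are all constructed for illustration and are not real virus signatures.

```python
# Added illustration: a toy signature scanner. All byte patterns and samples
# below are constructed for this example; none is a real virus signature.
SIG_DB_V1 = {"Demo.A": bytes.fromhex("deadbeef4141")}
# Hypothetical later database release that also knows Demo.B.
SIG_DB_V2 = {**SIG_DB_V1, "Demo.B": bytes.fromhex("cafef00d4242")}

def scan(data: bytes, sig_db: dict) -> list:
    """Return the names of all signatures whose bytes occur anywhere in data."""
    return sorted(name for name, pattern in sig_db.items() if pattern in data)

def report(data: bytes, sig_db: dict) -> str:
    """Produce the message a user would see for one scanned file."""
    hits = scan(data, sig_db)
    return "Detected: " + ", ".join(hits) if hits else "No virus detected"

def classify(infected: bool, hits: list) -> str:
    """Compare the scanner's verdict with ground truth for one sample."""
    if infected:
        return "true positive" if hits else "false negative"
    return "false positive" if hits else "true negative"

# Constructed samples: (description, bytes, ground truth "is infected").
SAMPLES = [
    ("known infection", b"MZ\x90\x00" + SIG_DB_V1["Demo.A"] + b"\x00" * 8, True),
    ("newer infection", b"MZ\x90\x00" + SIG_DB_V2["Demo.B"] + b"\x00" * 8, True),
    ("clean program", b"MZ\x90\x00" + b"\x00" * 16, False),
    # A harmless data file that happens to contain the Demo.A byte string.
    ("clean data file", b"notes: " + SIG_DB_V1["Demo.A"] + b" end", False),
]

def evaluate(sig_db: dict) -> dict:
    """Map each sample description to (report text, outcome)."""
    return {desc: (report(data, sig_db), classify(infected, scan(data, sig_db)))
            for desc, data, infected in SAMPLES}

if __name__ == "__main__":
    for label, db in (("v1", SIG_DB_V1), ("v2", SIG_DB_V2)):
        for desc, (text, outcome) in evaluate(db).items():
            print(f"{label} {desc:16} {text:22} {outcome}")
```

With the older database the newer infection is reported as "No virus detected" until the update is applied, and the clean data file is flagged under both databases because a byte match alone is not precise identification.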