A quick guide to detections – what they are, how they work and how to read them.

What is a detection?

A detection (also known as a signature) is an identifier used by antivirus programs to identify a specific program – whether it's malicious, unwanted, riskware or just adware.

How are detections used?

Detections are used by antivirus programs to identify threats. When a user scans their PC or mobile device with an antivirus program, it compares all the files on the system against its own database of detections. If any of the files matches a detection in the database, it gets flagged for further attention.

Most antivirus programs use different types of detections to improve performance and effectiveness. These include generics, which identify families of malware that share the same broad file characteristics; and heuristics, which are much like generics but also identify files that perform similar routines or actions.

Most antivirus companies use their own naming scheme to name their detections, which can be rather confusing. For example, the infamous worm that caused the 2008 epidemic is known to F-Secure as Worm:W32/Downadup, but it is also known as Kido and Conficker. Despite the different names, they all refer to the exact same worm.

What's in a detection name?

The detection name can tell you a lot about the kind of threat that is identified. Let's take the following example:


Worm W32 Conficker B

Worm (Type): The kind of threat the program poses. You can read more about the various Types here.

W32 (Platform): The operating system or application framework the program needs to run properly. You can read more about the various Platforms here.

Conficker B (Family and Variant): The unique name for this program, or group of programs. If more than one program has the same characteristics, it is considered a variant of the family and listed in chronological order.
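As an added example (not F-Secure's code), the sketch below splits a name written in the Worm:W32/Downadup style into its parts and groups the aliases mentioned earlier under one family, which is useful when correlating alerts from different products. The ".Variant" suffix, the sample names and the choice of "conficker" as the canonical label are assumptions made for this example.

```python
import re
from typing import NamedTuple, Optional

# Aliases stated on the page: Downadup, Kido and Conficker are the same worm.
# Using "conficker" as the canonical label is an arbitrary choice for this example.
FAMILY_ALIASES = {"downadup": "conficker", "kido": "conficker"}

# Type:Platform/Family[.Variant]; the ".Variant" suffix is an assumed layout.
NAME_RE = re.compile(
    r"(?P<kind>[A-Za-z][A-Za-z-]*):"
    r"(?P<platform>[A-Za-z0-9]+)/"
    r"(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?"
)

class Detection(NamedTuple):
    kind: str                # type of threat, e.g. Worm
    platform: str            # OS or framework the program needs, e.g. W32
    family: str              # family name as the vendor wrote it
    variant: Optional[str]   # None when the name carries no variant

def parse_detection(name: str) -> Detection:
    """Split a detection name into its parts, rejecting anything malformed."""
    m = NAME_RE.fullmatch(name.strip())
    if m is None:
        raise ValueError(f"unrecognised detection name: {name!r}")
    return Detection(m["kind"], m["platform"], m["family"], m["variant"])

def canonical_family(det: Detection) -> str:
    """Map vendor-specific family names onto one label."""
    key = det.family.lower()
    return FAMILY_ALIASES.get(key, key)

def group_by_family(names):
    """Return ({family: [Detection, ...]}, [names that failed to parse])."""
    groups, rejected = {}, []
    for name in names:
        try:
            det = parse_detection(name)
        except ValueError:
            rejected.append(name)
            continue
        groups.setdefault(canonical_family(det), []).append(det)
    return groups, rejected

# Constructed sample input, not taken from any real scan report.
SAMPLE = ["Worm:W32/Downadup", "Worm:W32/Conficker.B", "Worm:W32/Kido.A", "not a detection name"]

if __name__ == "__main__":
    print(group_by_family(SAMPLE))
```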