Detection

A quick guide to detections - what they are, how they work and how to read them

A detection (also known as a signature) is an identifier used by antivirus programs to identify a specific file or program.

A detection name can tell you a lot about the file or program:

  • The type of threat it poses
  • The platform (i.e., operating system or application framework) it runs on
  • The unique name for this family of files or programs
  • A variant identifier, if the file or program closely resembles a known one (it is then considered a member or variant of the same family)

Breakdown of a detection name

Worm:W32/Conficker.B

  • Worm: This file or program makes copies of itself and spreads the copies.
  • W32: This file or program runs on the Windows 32-bit operating system.
  • Conficker: The name given to this particular file or program.
  • B: This is the B variant, which came out after the first variant (A) appeared.
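The Type:Platform/Family.Variant layout above can be parsed mechanically. The following is an added example, not F-Secure's own code or tooling: it splits a detection name into its four components, explains the ones this page describes, and resolves the vendor aliases from the note at the end of the page. The regular expression, the alias direction (other vendors' names mapped to the F-Secure family name) and the assumption that variant letters are assigned sequentially (A, B, ..., Z, AA) are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Regular expression for the Type:Platform/Family[.Variant] layout shown on this page.
# The exact character set of each component is an assumption of this example.
NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z][A-Za-z0-9-]*):"       # threat type, e.g. "Worm"
    r"(?P<platform>[A-Za-z][A-Za-z0-9]*)/"     # platform, e.g. "W32"
    r"(?P<family>[A-Za-z][A-Za-z0-9_]*)"       # family name, e.g. "Conficker"
    r"(?:\.(?P<variant>[A-Z]+))?$"             # optional variant, e.g. "B"
)

# Meanings taken from the page's breakdown (only the components the page explains).
THREAT_TYPES = {"Worm": "makes copies of itself and spreads the copies"}
PLATFORMS = {"W32": "runs on the Windows 32-bit operating system"}

# Names other vendors use for the family F-Secure calls Downadup (from the page's note).
# Mapping alias -> F-Secure family name is an assumption made for this example.
FAMILY_ALIASES = {"kido": "Downadup", "conficker": "Downadup"}


@dataclass(frozen=True)
class Detection:
    threat_type: str
    platform: str
    family: str
    variant: Optional[str]

    def describe(self) -> str:
        """Human-readable breakdown in the same order as the page's example."""
        lines = [
            f"{self.threat_type}: "
            f"{THREAT_TYPES.get(self.threat_type, 'threat type not described on this page')}",
            f"{self.platform}: "
            f"{PLATFORMS.get(self.platform, 'platform not described on this page')}",
            f"{self.family}: family name (F-Secure name: {canonical_family(self.family)})",
        ]
        if self.variant:
            lines.append(f"{self.variant}: variant {variant_index(self.variant)} of the family")
        return "\n".join(lines)


def parse_detection(name: str) -> Detection:
    """Split a detection name into its components; reject anything not in the expected layout."""
    m = NAME_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a Type:Platform/Family[.Variant] name: {name!r}")
    return Detection(m["type"], m["platform"], m["family"], m["variant"])


def canonical_family(family: str) -> str:
    """Map a vendor alias (Kido, Conficker) to the F-Secure family name; unknown names pass through."""
    return FAMILY_ALIASES.get(family.lower(), family)


def variant_index(variant: str) -> int:
    """A=1, B=2, ..., Z=26, AA=27 (assumed sequential lettering; the page says B came after A)."""
    n = 0
    for ch in variant.upper():
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def same_family(name_a: str, name_b: str) -> bool:
    """True when two detection names refer to the same family, ignoring case, variant and aliases."""
    a, b = parse_detection(name_a), parse_detection(name_b)
    key = lambda d: (d.threat_type.lower(), d.platform.lower(), canonical_family(d.family).lower())
    return key(a) == key(b)


if __name__ == "__main__":
    print(parse_detection("Worm:W32/Conficker.B").describe())
```

Running the block prints the breakdown for Worm:W32/Conficker.B; `same_family` is the check you would use when reconciling detection names across vendor reports.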

How are detections used?

Detections are used by security programs to identify threats; when a user scans their PC or mobile device with an antimalware program, it compares all the files stored on the device against a database of detections. If any of the files matches a detection, it gets flagged for further attention.

When a suspect file triggers a detection, the security program will usually take action, either as a precaution or to handle the file directly. The specific action taken depends on the type of file, and the settings of your security program. For example, a trojan may be deleted while a monitoring-tool may be blocked.

More information about the actions the F-Secure security product can take can be found in the Help Center.

Types of detections

Years ago, a signature detection could only detect an individual file or program. Nowadays though, modern security programs use sophisticated detections that can accurately identify dozens, if not hundreds, of files and programs, to improve performance and effectiveness.

The most common type of detection used today is the generic detection, which can identify whole families of files or programs that share broadly similar features or characteristics.

Security products can also use heuristic detections, which are similar to generics but focus more on behavior — they look for files or programs that perform actions or routines that are known to be harmful.
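To make the scanning and action steps above concrete, here is an added example that is not F-Secure's code and does not model any real product's engine. It keeps a tiny signature database with two kinds of entries from this page: exact (single-file, SHA-256 based) detections and generic (family) detections that look for several shared markers. Each file is compared against the database, and a matched file receives an action chosen by its threat type, following the page's examples of a trojan being deleted and a monitoring-tool being blocked. The sample files, marker strings, signature names and action table are all constructed for the example; heuristic (behaviour-based) detections are not modelled because they need the program to actually run.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Signature:
    name: str                         # detection name, "Type:Platform/Family[.Variant]"
    kind: str                         # "exact": one specific file; "generic": a whole family
    matches: Callable[[bytes], bool]  # predicate applied to the file contents


def exact_signature(name: str, sha256_hex: str) -> Signature:
    """Classic single-file detection: the file's SHA-256 must match exactly."""
    return Signature(name, "exact",
                     lambda data: hashlib.sha256(data).hexdigest() == sha256_hex)


def generic_signature(name: str, markers: Sequence[bytes], min_hits: int) -> Signature:
    """Family detection: enough of the family's shared markers appear in the file."""
    return Signature(name, "generic",
                     lambda data: sum(m in data for m in markers) >= min_hits)


# Action by threat type (the part of the name before ':'). The two entries follow the
# page's examples; the table itself and the default are constructed for this example.
ACTIONS = {"Trojan": "delete", "Monitoring-Tool": "block"}
DEFAULT_ACTION = "flag"   # the page: a matched file "gets flagged for further attention"


def action_for(detection_name: str) -> str:
    threat_type = detection_name.split(":", 1)[0]
    return ACTIONS.get(threat_type, DEFAULT_ACTION)


@dataclass(frozen=True)
class ScanResult:
    detection: str
    kind: str
    action: str


def scan_file(data: bytes, database: List[Signature]) -> Optional[ScanResult]:
    """Compare one file against every signature; exact detections are tried before generics."""
    for sig in sorted(database, key=lambda s: s.kind != "exact"):
        if sig.matches(data):
            return ScanResult(sig.name, sig.kind, action_for(sig.name))
    return None


def scan(files: Dict[str, bytes], database: List[Signature]) -> Dict[str, Optional[ScanResult]]:
    return {path: scan_file(data, database) for path, data in files.items()}


# Constructed sample contents; none of these is real malware.
TROJAN_SAMPLE = b"MZ\x90\x00 constructed trojan sample"
MONITOR_SAMPLE = b"MZ\x90\x00 constructed monitoring tool sample"
WORM_MARKERS = [b"copy-self", b"enumerate-shares", b"write-autorun"]
WORM_VARIANT_SAMPLE = b"MZ\x90\x00 variant: copy-self ... enumerate-shares ..."  # 2 of 3 markers

# The exact entries are built from the samples' own hashes, as a vendor would build
# them from a file it has analysed; the generic entry covers any member with 2+ markers.
DATABASE = [
    exact_signature("Trojan:W32/Sample.A", hashlib.sha256(TROJAN_SAMPLE).hexdigest()),
    exact_signature("Monitoring-Tool:W32/Sample.A", hashlib.sha256(MONITOR_SAMPLE).hexdigest()),
    generic_signature("Worm:W32/Sample", WORM_MARKERS, min_hits=2),
]


def demo() -> Dict[str, Optional[ScanResult]]:
    files = {
        "a.exe": TROJAN_SAMPLE,
        "tool.exe": MONITOR_SAMPLE,
        "b.exe": WORM_VARIANT_SAMPLE,
        "notes.txt": b"plain text with no markers",
    }
    return scan(files, DATABASE)


if __name__ == "__main__":
    for path, result in demo().items():
        print(path, "->", result or "clean")
```

The generic entry never needs updating when a new variant appears as long as the variant keeps two of the three markers, which is the performance and coverage gain the section describes; the exact entries match only the one file they were built from.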

Note

Most security companies have their own naming scheme for their detections, which can be rather confusing. For example, the infamous worm that caused the 2008 epidemic is known to F-Secure as Worm:W32/Downadup, but is referred to as Kido and Conficker by other companies. Despite the different names, they all refer to the exact same worm.