The Doctor Web anti-viruses simultaneously use several malware detection methods, which allow them to perform thorough checks on suspicious files and control software behaviour:
1. The scans begin with signature analysis, which compares file code segments with known virus signatures. A signature is a finite continuous sequence of bytes which is necessary and sufficient to identify a specific virus. To reduce the size of the signature dictionary, the Doctor Web anti-viruses store signature checksums instead of complete signature sequences. Checksums uniquely identify signatures, which preserves the correctness of virus detection and neutralization. The Dr.Web signature databases are composed so that some entries can be used to detect not just specific viruses, but whole classes of threats.
2. On completion of signature analysis, the Doctor Web anti-viruses use the unique Origins Tracing method to detect new and modified viruses which use known infection mechanisms. Thus Dr.Web users are protected against such viruses as the notorious blackmailer Trojan.Encoder.18 (also known as gpcode). In addition to detecting new and modified viruses, the Origins Tracing mechanism has considerably reduced the number of false alarms raised by the Dr.Web heuristics analyser.
3. The detection method used by the heuristics analyser is based on certain knowledge about attributes that characterize malicious code. Each attribute or characteristic has a weight coefficient which determines the level of its severity and reliability. Depending on the total weight of a file, the heuristics analyser calculates the probability of unknown virus infection. Like any system of hypothesis testing under uncertainty, the heuristics analyser may commit type I or type II errors (omit viruses or raise false alarms).
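The checksum-based signature lookup described in step 1 can be sketched as follows. This is an added example, not Doctor Web's code: the page does not say which checksum Dr.Web uses, so the CRC32 pre-check confirmed by a truncated SHA-256, and all names and sample bytes, are assumptions.

```python
import hashlib
import zlib

# Constructed, harmless byte strings standing in for virus signatures.
SAMPLE_SIGS = {
    "Sample.Test.A": b"CONSTRUCTED-SAMPLE-SIGNATURE-A-0001",
    "Sample.Test.B": b"constructed-marker-B",
}

def strong_sum(chunk):
    """Second, stronger checksum used to confirm a cheap CRC32 match."""
    return hashlib.sha256(chunk).digest()[:8]

def build_db(named_sigs):
    """Keep only length + checksums per signature, never the bytes themselves."""
    db = {}
    for name, sig in named_sigs.items():
        by_crc = db.setdefault(len(sig), {})
        by_crc.setdefault(zlib.crc32(sig), []).append((strong_sum(sig), name))
    return db

def scan(data, db):
    """Return sorted (offset, name) for each window whose checksums match."""
    hits = []
    for length, by_crc in db.items():
        for off in range(len(data) - length + 1):
            window = data[off:off + length]
            candidates = by_crc.get(zlib.crc32(window))
            if not candidates:
                continue  # cheap checksum miss: almost every window stops here
            confirm = strong_sum(window)
            hits += [(off, name) for s, name in candidates if s == confirm]
    return sorted(hits)

SAMPLE_DB = build_db(SAMPLE_SIGS)
# Constructed "file": filler bytes with both sample signatures embedded.
SAMPLE_FILE = (b"\x00" * 16 + SAMPLE_SIGS["Sample.Test.A"] + b"padding"
               + SAMPLE_SIGS["Sample.Test.B"] + b"\xff" * 4)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE_FILE, SAMPLE_DB):
        print(f"offset {offset}: {name}")
```

Changing a single byte inside an embedded signature makes both checksums miss, which is why exact signature matching alone does not catch modified variants and the later steps exist.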
While performing any of the above-mentioned checks, the Doctor Web anti-viruses use the most recent information about known malicious software. As soon as experts of the Doctor Web virus laboratory discover new threats, an update for virus signatures, behaviour characteristics and attributes is issued. In some cases updates can be issued several times per hour. Automatic updating of the virus databases therefore provides detection of even the newest viruses.