Other Antivirus (AV) software may be purchased from most technology stores, but there are many companies that supply their AV software free for home use, such as AVG Free, Avira AntiVir. These companies make the bulk of their money by selling enterprise versions of their AV products to businesses, which is why they can give away home versions.
AV software uses several different methods to find and delete malicious programs. These methods include:
Virus Dictionary Approach
The antivirus software examines a suspect file, then refers to a list of known viruses that have been identified by the author of the antivirus software. If it finds a match in the list, then the software can either delete the file, quarantine it so that it is inaccessible, or attempt to repair the file (by removing the virus).
To remain effective, the virus dictionary approach requires frequent downloads of updated definition entries.
Suspicious behavior approach
The suspicious behavior approach doesn't try and identify the viruses. Instead, it monitors the behaviors of all programs. If a program tried to write data to an executable program, the AV software would flag that as suspicious behavior and the computer user would be signaled.
The suspicious behavior approach provides consistent protection against new viruses that are not yet entered into any virus dictionaries. However, it also alerts users to many programs that are not malicious, and users tend to ignore the warnings. As a result, most modern antivirus software does not use this technique.
A relatively new technique, whitelisting, prevents execution of any and all computer code except that which has been identified as trustworthy by the system administrator. This method means the need to keep virus signatures up-to-date is eliminated. Also, unwanted computer applications are prevented from executing since they are not on the whitelist.
The limitations of this technique lie with the ability of system administrators to properly inventory and maintain the whitelist of approved applications. However, implementations of this technique include tools for automating inventory and whitelist processes.
A sandbox is another detection method. It emulates the operating system and runs the executable in this simulation. After the program has been deleted, the sandbox is analyzed for any changes which would indicate a virus. This type of detection is normally only performed during on-demand scans.
Other types of heuristic analysis are available. Some programs can try to emulate the beginning of the code of each new executable that the system invokes before transferring control to that executable. If the program seems to be a virus (if it immediately tries to find other executables, for example) the program will assume it is a virus. However, like the suspicious behavior approach this method can result in many false positives.