How Does Norton AntiVirus Work?

When Norton AntiVirus scans your computer, it compares the hard drive, memory, boot sectors and any removable drives that you are scanning against its downloaded virus definition database. The database contains patterns or definitions of binary code that is unique to each virus known to Norton. Once Norton AntiVirus searches your computer and discovers code that matches something in the database, it will flag the virus for quarantine or removal. This method only protects your computer from known viruses.

Suspicious behavior detection does not rely on virus definitions. Instead, this method relies on active monitoring to scan your computer's programs to locate suspicious behavior. When you begin to use suspicious behavior detection, you will have to accept or deny programs that try to run on your computer until Norton learns which programs are known to be safe. This method can protect your computer from unknown or new viruses, but it can also create false positives.

Another method of detection that is used allows Norton to emulate the first part of the code for any new program that you try to execute on your computer. This method looks for self-modifying code that looks for other executable programs on your computer. Once identified, the executable will not be allowed to run. Unfortunately, this method also results in many false positives and may not allow trusted programs to run.

Norton's sandbox runs executable files in an emulated operating system that will not allow your operating system to become infected. After the program has finished running, the sandbox will analyze the executable for any changes that may indicate that the file has a virus. Unlike suspicious behavior detection that runs passively on your computer, the sandbox is primarily used to scan individual files on-demand.