How Does Norton AntiVirus Work?

By Katherine Johnson

Avoid downloading suspicious, unknown programs from the Internet.
i Images

Norton AntiVirus offers a fee-based suite of anti-virus products that provide users with a variety of different virus detection methods. You can protect your computer from viruses by regularly scanning your computer with Norton AntiVirus. Norton's anti-virus suite uses virus definitions, suspicious behavior, emulation and the sandbox method to detect viruses that may be on your computer.

Virus Definitions

When Norton AntiVirus scans your computer, it compares the hard drive, memory, boot sectors and any removable drives that you are scanning against its downloaded virus definition database. The database contains patterns or definitions of binary code that is unique to each virus known to Norton. Once Norton AntiVirus searches your computer and discovers code that matches something in the database, it will flag the virus for quarantine or removal. This method only protects your computer from known viruses.

Suspicious Behavior

Suspicious behavior detection does not rely on virus definitions. Instead, this method relies on active monitoring to scan your computer's programs to locate suspicious behavior. When you begin to use suspicious behavior detection, you will have to accept or deny programs that try to run on your computer until Norton learns which programs are known to be safe. This method can protect your computer from unknown or new viruses, but it can also create false positives.

Emulate Code

Another method of detection that is used allows Norton to emulate the first part of the code for any new program that you try to execute on your computer. This method looks for self-modifying code that looks for other executable programs on your computer. Once identified, the executable will not be allowed to run. Unfortunately, this method also results in many false positives and may not allow trusted programs to run.


Norton's sandbox runs executable files in an emulated operating system that will not allow your operating system to become infected. After the program has finished running, the sandbox will analyze the executable for any changes that may indicate that the file has a virus. Unlike suspicious behavior detection that runs passively on your computer, the sandbox is primarily used to scan individual files on-demand.