Virus signature definition
A virus signature is a set of unique characteristics that a known malware type has. Antivirus programs use these signatures to detect and block malware, ensuring that devices remain safe from known threats. As malware develops, virus signatures may also change and evolve. Cybercriminals constantly modify malicious programs to prevent them from being detected by antivirus software.
See also: attack signature
Virus signature components
- The sequence of bytes that appears in the malware's code can be part of the signature. The bytes can be a particular instruction or a set of instructions unique to that malware.
- Hash values (like an MD5 or SHA-1) derived from the malware's contents may also be part of the signature. When cybercriminals make even the slightest change, the malware will result in a vastly different hash.
- File attributes (metadata), like its size, name, date created, or file type, can sometimes be part of its signature, especially if consistent across multiple infections.
- Behavior patterns that are associated with the malware — like the registry keys it modifies or the files it drops, can be part of its identifying signature.
- Memory footprint. Specific patterns in the malware's memory usage or how it allocates memory can also be used as a component of its signature.
- API calls. The sequence or pattern of system or application function calls the malware invokes can be another identifying trait.
