Vol. 1 · Ed. 2026
CyberGlossary
Entry № 057

Antivirus (AV)

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Antivirus (AV)?

Antivirus (AV): Endpoint software that detects and removes malicious files using signature databases, file scanning, and basic heuristics — the historical foundation of endpoint security.


Antivirus (AV) is the historical category of endpoint security software. Pioneered in the late 1980s by Bernd Fix's routine against the Vienna virus, John McAfee's VirusScan, and Eugene Kaspersky's AVP, AV emerged in response to early PC viruses such as Brain (1986). It scans files on disk, in memory, and in transit, comparing them to a continually updated signature database — historically MD5/SHA hashes and byte patterns — and applying heuristics. AV agents hook the operating system through filesystem mini-filter drivers, on-access scan callbacks, and email/web gateways, quarantining or deleting matches.

The signature model excels against widespread commodity malware but is blind to novel, polymorphic, packed, and fileless threats: a tiny change to a binary alters its hash and defeats exact-match detection, and attackers routinely test payloads against engines before release. Independent labs (AV-TEST, AV-Comparatives) and MITRE ATT&CK Enterprise evaluations consistently show signature-only engines missing modern adversary behavior.

Two responses followed. Vendors evolved AV into next-generation antivirus (NGAV) and endpoint detection and response (EDR/XDR), which add machine-learning classifiers, exploit prevention, and behavioral telemetry that traces process trees rather than individual files. On Windows, Microsoft Defender Antivirus integrates with the Antimalware Scan Interface (AMSI) to inspect script content (PowerShell, VBA, JScript) at runtime, closing the fileless gap. Classic AV nonetheless remains a baseline control mandated by frameworks like PCI DSS and many cyber-insurance policies.

flowchart TD
  F[File written / opened / downloaded] --> H[Minifilter on-access hook]
  H --> SIG{Match signature DB?}
  SIG -->|Yes| Q[Quarantine / delete / alert]
  SIG -->|No| HEU{Heuristic or ML flag?}
  HEU -->|Yes| Q
  HEU -->|No| ALLOW[Allow execution]
  U[Signature & engine updates] --> SIG
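The pipeline in the flowchart above, and the hash-versus-pattern distinction from the definition, can be made concrete with a toy on-access scanner. This is an added illustration written for this entry, not code from any AV product; the signature database, the "Demo.Dropper" family name, the sample files and the 7.2 bits/byte entropy threshold are all constructed for the example. It runs the three stages in order (exact hash match, byte-pattern match, entropy heuristic) and shows why a one-byte edit defeats the hash stage but not the pattern stage, and why a high-entropy (packed-looking) executable with no known signature can only be caught by the heuristic stage.

```python
"""Toy three-stage file scanner mirroring the AV on-access pipeline.

Added example for this glossary entry; the signatures, family names,
samples and thresholds below are constructed, not real malware data.
"""
import hashlib
import math
import re
from dataclasses import dataclass


# --- Constructed signature database (hypothetical names) ----------------
# A "known sample": fake MZ header, a marker string, then padding.
SAMPLE_A = b"MZ\x90\x00" + b"ACME-DEMO-DROPPER-v1" + b"\x00" * 40

# Stage 1 signatures: exact SHA-256 of the whole file (brittle to any edit).
HASH_SIGNATURES = {
    hashlib.sha256(SAMPLE_A).hexdigest(): "Demo.Dropper.A",
}

# Stage 2 signatures: byte patterns that survive edits elsewhere in the file.
PATTERN_SIGNATURES = {
    rb"ACME-DEMO-DROPPER-v\d": "Demo.Dropper.Gen",
}

# Stage 3 heuristic: compressed/encrypted data approaches 8 bits per byte.
ENTROPY_THRESHOLD = 7.2  # constructed threshold for this example


@dataclass
class Verdict:
    action: str   # "quarantine" or "allow"
    stage: str    # "hash", "pattern", "heuristic" or "none"
    reason: str


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the whole buffer (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan(data: bytes, use_patterns: bool = True, use_heuristics: bool = True) -> Verdict:
    """Run the stages from the flowchart; flags let you emulate a hash-only engine."""
    # Stage 1: exact hash lookup against the signature DB.
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return Verdict("quarantine", "hash", HASH_SIGNATURES[digest])

    # Stage 2: byte-pattern signatures (what YARA-style rules generalise).
    if use_patterns:
        for pattern, name in PATTERN_SIGNATURES.items():
            if re.search(pattern, data):
                return Verdict("quarantine", "pattern", name)

    # Stage 3: heuristic. Only executables (MZ header) with high entropy,
    # i.e. likely packed or encrypted content, are flagged here.
    if use_heuristics:
        ent = shannon_entropy(data)
        if data.startswith(b"MZ") and ent > ENTROPY_THRESHOLD:
            return Verdict("quarantine", "heuristic",
                           f"high-entropy executable ({ent:.2f} bits/byte)")

    return Verdict("allow", "none", "no match")


def deterministic_stream(n: int, seed: bytes = b"demo-seed") -> bytes:
    """Reproducible high-entropy bytes (hash chain) standing in for packed data."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed test files for the three outcomes.
SAMPLE_A_EDITED = SAMPLE_A[:-1] + b"\x01"                # one trailing byte changed
SAMPLE_PACKED = b"MZ\x90\x00" + deterministic_stream(4096)  # no signature, high entropy
SAMPLE_BENIGN = b"MZ" + b"Hello, plain low-entropy text. " * 10


if __name__ == "__main__":
    for label, blob in [("original", SAMPLE_A), ("edited", SAMPLE_A_EDITED),
                        ("packed", SAMPLE_PACKED), ("benign", SAMPLE_BENIGN)]:
        v = scan(blob)
        print(f"{label:9s} -> {v.action:10s} stage={v.stage:9s} {v.reason}")
    # A hash-only engine allows the edited file: the gap the entry describes.
    print("edited, hash-only engine ->", scan(SAMPLE_A_EDITED, False, False).action)
```

Running the script shows the original sample caught at the hash stage, the one-byte variant missed by the hash but caught by the byte pattern, the packed sample reaching the heuristic stage, and the benign file allowed; with patterns and heuristics disabled, the edited file is allowed, which is exactly the exact-match weakness the definition calls out.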

Examples

  1. ClamAV scanning incoming email attachments at an SMTP gateway.

  2. Microsoft Defender Antivirus quarantining a downloaded executable matching a known WannaCry signature.

Frequently asked questions

What is Antivirus (AV)?

Endpoint software that detects and removes malicious files using signature databases, file scanning, and basic heuristics — the historical foundation of endpoint security. It belongs to the Defense & Operations category of cybersecurity.

What does Antivirus (AV) mean?

Endpoint software that detects and removes malicious files using signature databases, file scanning, and basic heuristics — the historical foundation of endpoint security.

How do you defend against Antivirus (AV)?

Defences for Antivirus (AV) typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Antivirus (AV)?

Common alternative names include: AV, Anti-virus, Signature-based antivirus.
