PrepAway - Latest Free Exam Questions & Answers


Which of the following antivirus detection methods is the most recent to the industry and monitors suspicious code as it executes within the operating system?


A. Behavior blocking

B. Fingerprint detection

C. Signature-based detection

D. Heuristic detection

Explanation:
A is correct. Of the methods listed, behavior blocking is the most recent evolution in antivirus detection. Behavior blocking allows suspicious code to execute within the operating system and watches its interactions, looking for suspicious activities. These activities include writing to startup files or the Run keys in the Registry; opening, deleting, or modifying files; scripting e-mail messages to send executable code; and creating or modifying macros and scripts. If the antivirus program detects some of these potentially malicious activities, it can terminate the software and provide a message to the user. A drawback to behavior blockers is that the malicious code must actually execute in real time before it can be detected, so some of its actions may already have taken effect by the time it is stopped. This type of constant monitoring also requires a high level of system resources.

B is incorrect because fingerprint detection (also referred to as signature-based detection) does not monitor suspicious code as it is executing. Instead, the antivirus software scans incoming data and compares files, e-mail messages, etc., against the signatures in its database. A signature is a sequence of code that was extracted from the virus itself, or a description of the steps it carries out in its attack. If a match is identified, the antivirus software takes whatever protective action(s) it is configured to carry out: it may quarantine the file, attempt to clean the file by removing the virus, display a warning dialog box to the user, and/or log the event.

C is incorrect because signature-based detection uses signatures (virus code patterns) to identify malicious software or activity patterns before they are executed in the operating system. Signature-based detection is an effective way to detect known malicious software, but there is a delayed response to new threats: once a new virus is discovered, the antivirus vendor must study it, develop and test a new signature, release the signature, and all customers must download it.

D is incorrect because heuristic detection analyzes the overall structure of executable code, evaluates the coded instructions and logic functions, and estimates the likelihood of the code being malicious. Antivirus software that uses heuristic detection keeps a kind of "suspiciousness counter," which is incremented as the program finds more potentially malicious attributes. Once a predefined threshold is met, the code is officially considered dangerous and the antivirus software protects the system.
