An ideal system for defending against malware has to cover a few steps: detection, identification, prevention and recovery.
Detection: determining that a given program is probably malicious.
Identification: classifying a given program as matching, or being related to, a known piece of malware.
Prevention: blocking a malicious program from executing hostile functions.
Recovery: removing a malicious program from a system and/or repairing any damage it has caused.
A large share of the practical systems in use today fall into the category of signature-based malware scanners. Signatures are the unique data patterns that malware scanners use to detect viruses as they scan your files or data. Signature-based scanning is a procedure whereby a unique signature or rule is computed for a given virus or other malicious program. This is done by the manufacturers of antivirus products, who supply their software with signatures that are frequently updated. When the antivirus product scans a program, it looks for content that matches one of these signatures. The disadvantage of this technique is that it can only notice malicious programs for which a signature has already been generated.
A new signature has to be created for every new malware family and even for every variant of an already existing one. This is a time-consuming exercise, and it is the basic problem with signature-based malware detection. Malware that is specially developed for a particular attack cannot be detected in principle: the antivirus companies first have to collect samples of the malware and then create a signature, and by that time a certain amount of damage will already have been done.
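The following is an added illustration of the scanner model described above, not code from any antivirus product. It uses a constructed signature database with two kinds of entries (an exact file hash and a byte-pattern rule) and constructed sample data; it shows that a hash signature stops matching as soon as one byte of a variant changes, that a pattern rule with a wildcard covers some variants, and that a sample no signature was ever written for is simply missed.

```python
import hashlib
import re

# Constructed stand-in for a known malicious file (example data, not a real sample).
SAMPLE_A = b"MZ\x90\x00" + b"EVIL-PAYLOAD-MARKER-1234" + b"\x00" * 16
# Constructed variant: one byte of the marker changed, everything else identical.
SAMPLE_A_VARIANT = SAMPLE_A.replace(b"1234", b"1235")
# Constructed sample for which no signature exists (the "specially developed" case).
SAMPLE_UNKNOWN = b"MZ\x90\x00" + b"OTHER-CODE-NOBODY-HAS-SEEN" + b"\x00" * 16

# Constructed signature database, in the shape a vendor update would deliver:
#   - HASH_SIGNATURES: exact SHA-256 of a whole file, matches that file only
#   - PATTERN_RULES:   byte pattern (here a regex with a wildcard) that can
#                      match several closely related variants
HASH_SIGNATURES = {hashlib.sha256(SAMPLE_A).hexdigest(): "Sample.A"}
PATTERN_RULES = {"Sample.A.gen": re.compile(rb"EVIL-PAYLOAD-MARKER-\d{4}")}


def scan(data: bytes) -> list[str]:
    """Return the names of all signatures matching `data`.

    An empty list means the scanner would let the file through: either the
    file is clean or no signature for it has been generated yet.
    """
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for name, rule in PATTERN_RULES.items():
        if rule.search(data):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, sample in [("original", SAMPLE_A),
                          ("variant", SAMPLE_A_VARIANT),
                          ("unknown", SAMPLE_UNKNOWN)]:
        print(f"{label:8s} -> {scan(sample) or 'not detected'}")
```

The hash entry only ever matches the exact sample it was computed from, which is why vendors issue a signature for every variant, while the pattern rule buys some tolerance at the cost of a broader match.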
To address this problem, the IDS (Intrusion Detection System) was introduced. An IDS is able to identify harmful behavior and therefore belongs to the class of "behavior blockers". All active programs on the system are constantly monitored. As soon as potentially damaging behavior is noticed, it is stopped and an alert notification is generated. This prevents further execution of a suspicious program without needing signatures.
Alongside behavior blockers, an additional technology is becoming increasingly popular: the HIPS (Host-based Intrusion Prevention System) approach. These tools give notification of attempts to control many system interfaces, such as autostart entries, device drivers, the network, etc., but they do not offer any precise information as to whether an action is actually harmful or not. Such a tool is a kind of personal firewall, separate from the Windows Firewall, and initially generates numerous (false) alarms until the software has been suitably trained.
The Windows Firewall cannot distinguish between malicious traffic and legitimate traffic. Windows Update mostly patches vulnerabilities in Windows and the underlying applications; it is not a mechanism for detecting malicious software. The extent of the threat varies from malware to malware. Some malware families exclusively target banks, according to a predefined list that the malware authors supply. They can imitate the banks' websites, for example by altering the hosts file or modifying DNS entries, so that when a user visits a specific bank's website he is redirected to a phishing website instead of the legitimate one.