Why do some antivirus programs find infections that others miss?

Viruses don't identify themselves as such. In fact, they often try to disguise themselves to make it difficult to detect them. Virus scanning software uses a variety of different techniques to figure out if a program looks like a known virus, but the exact methods they use and the things they look for vary from program to program. Since these virus definitions differ, sometimes a rule either won't exist or won't detect a particular edge case that another virus scanner will detect.

While some virus scanners are better than others, in general, they are simply different. Even the best virus scanner (if you could determine a best) would still miss some viruses that the worst one might pick up.


The simplest answer is because each anti-virus solution is coded differently. They're different pieces of software. It's expected that there should be differences, just as you'd expect differences between MS Office, OpenOffice and Star Office.

Expanding on that, some anti-virus software uses virus databases, which, in layman's terms, hold information about known viruses. These are always one step behind the bad guys in that they have to know about a virus before they can add it to the db. While most anti-virus products that use this type of technology do a good job of keeping up-to-date, it's certainly possible for one AV product to miss what others find.

Other forms of anti-virus use heuristics (they analyze the behavior of software) to try to detect malware. These can detect malware that traditional AV software can miss, and they can miss malware that the other type of anti-virus can find.


Antivirus compares known hashes of viruses to the hashes of your files. When the hashes match it blows the box and tells you about it. These companies operate their own databases for known malware hashes. Therefore one company may have a hash identified that another does not.

A lot of malware is now generated on the fly by the attack site. Meaning it uses a polymorphic payload encoder to manipulate the virus code (without changing how the code operates) to make a new hash that no antivirus company has yet. Essentially every victim gets a hash that the companies don't have. Now, the companies eventually see these hashes one by one and that's why one company may have the new hash while the other does not.