What exactly is in the updates which my antivirus software downloads regularly?

The title pretty much sums up the question, but it can be phrased more broadly as to how, exactly, antivirus, or more generally anti-malware, software works. Do the updates include “live” viruses (which are kept within a safe environment so as not to actually infect the system), and the antivirus software compares files which it analyses against these samples to detect if a given file is a virus? Or is the basic principle more complex? Likewise, are the updates accumulative, in the sense that the software has access to an ever growing body of updates taking up ever more space on the system, or do new updates supersede previous ones?

I’m not an expert, but my WAG is that they wouldn’t distribute live viruses in quarantine, but instead fragments of their code, especially recognizable chunks of the code they’d use to replicate themselves. I think it would be possible to excise a chunk which is large enough to recognize, but which couldn’t infect anything by itself.

I know very little about the workings of antiviruses, but my limited understanding is that when new viruses have become known, the heuristic signatures are updated. So if you don’t update regularly, a recent virus will not be detected because the heuristics do not match any known virus.

They download signatures, not live malware. What is a virus signature?

The Old School of virus checking included looking for virus “signatures”. Maybe a certain virus tacks on a certain chunk of code at the end of a program or some other easily detected site.

So by looking for that chunk of code in that spot, you spot the virus.

Keeping in the virus database a sufficiently long snippet of that code certainly works, but it creates a problem: The virus checker’s database could be flagged as malware by other programs. So “encoding” the snippet avoids this.

One good way to store such things is using hashes like MD5.

A program might also maintain MD5 hashes of key system executables and verify that these aren’t changed at all. OS updates replace these files so updating the scanner is a must.

But malware authors got wise: they “mutate” their code on infection so it’s unlikely to be easy to spot. In addition there are just tons of viruses created all the time. As noted above, heuristics are now crucial. Look for certain more general indicators for something odd, then do a more thorough analysis. Malware authors try to get around these, so it’s an ongoing battle.

Your anti-virus program could also detect false positives, where legitimate programs are flagged as being malware. Updates to the AV program also mitigate this.
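As an added illustration of the approach this post describes (signature snippets stored as hashes, plus hashes of key executables), here is example code written for this page; it is not code from any antivirus product. The marker bytes, file names and file contents are constructed, and SHA-256 is used where the post mentions MD5.

```python
import hashlib
# Constructed, benign byte pattern standing in for the "recognizable chunk" a
# hypothetical infector appends to programs. Nothing here is real malware.
INFECTOR_MARKER = b"EXAMPLE-APPENDED-CHUNK-0001"

def digest(data: bytes) -> str:
    # SHA-256 rather than the MD5 the post mentions: MD5 collisions are cheap.
    return hashlib.sha256(data).hexdigest()

def make_signature(name: str, sample: bytes, snippet_len: int = 16) -> dict:
    """Store only the hash of the sample's trailing snippet, never the bytes,
    so the signature database holds nothing another scanner could flag."""
    snippet = sample[-snippet_len:]
    return {"name": name, "hash": digest(snippet), "length": len(snippet)}

def scan(data: bytes, signatures: list) -> list:
    """Names of signatures whose hashed snippet occurs anywhere in data
    (sliding window), which covers the 'end of program' site and others."""
    hits = []
    for sig in signatures:
        n = sig["length"]
        for i in range(len(data) - n + 1):
            if digest(data[i:i + n]) == sig["hash"]:
                hits.append(sig["name"])
                break
    return hits

def baseline(files: dict) -> dict:
    """Record a hash of each key executable (constructed paths and contents)."""
    return {path: digest(content) for path, content in files.items()}

def changed(files: dict, known: dict) -> list:
    """Paths whose hash no longer matches the baseline. A legitimate OS update
    shows up here too, which is why the baseline must be refreshed."""
    return sorted(p for p, c in files.items() if digest(c) != known.get(p))

# Constructed inputs: a clean program, a copy with the marker appended, and a
# copy whose appended marker was altered by a "mutating" variant.
CLEAN = b"MZ\x90\x00 clean program body ..."
INFECTED = CLEAN + INFECTOR_MARKER
MUTATED = CLEAN + INFECTOR_MARKER.replace(b"0001", b"0002")
SIGNATURES = [make_signature("Example.Appender", INFECTED)]

def demo() -> dict:
    return {
        "clean": scan(CLEAN, SIGNATURES),
        "infected": scan(INFECTED, SIGNATURES),
        "mutated": scan(MUTATED, SIGNATURES),  # exact hash misses the variant
        "changed": changed({"app.exe": INFECTED}, baseline({"app.exe": CLEAN})),
    }
```

The "mutated" result shows why an exact-hash signature alone is not enough once the appended chunk changes, which is the gap the post says heuristics now fill.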

Those updates are there to make the Anti Virus (AV) software of your choice aware of new threats and how to protect your system.

Your AV does NOT download “live” Viruses or any other threats to your PC, what it gets is the “signature” of those threats, meaning what those threat files look like and/or how they behave - think of it as a “wanted poster” for Viruses, so the AV can identify and apprehend those viruses.

Every day there are new Viruses or new threats released - your AV software needs to know how to combat those and your AV gets that knowledge via those updates.