Glossary
What is malware? Types, infection routes, and the basic defenses
What malware is, the main types (virus, worm, trojan, ransomware, spyware, bot), how it spreads, and the shared defense — updates, EDR, least privilege, and backups. Defensive, no attack steps.
"Malicious software that harms your devices or data" — that umbrella term is malware. Here are the main types, and the defense that stays the same no matter which type it is (no attack steps).
The types of malware (a map)
There are a lot of names, but all you really need is a rough map of "these families exist" — because, as explained below, the defense is shared across all of them.
Virus
Attaches to a legitimate file and, when run, replicates and spreads. Can't act on its own.
Worm
Self-replicates on its own and spreads automatically across the network. Explodes through unhardened networks.
Trojan
Poses as useful, legitimate software to get in, then acts maliciously in the background. You install it yourself.
Ransomware
Encrypts files and demands a ransom. Now usually paired with data theft — double extortion (→ dedicated article).
Spyware
Hides unnoticed and steals keystrokes, credentials, and browsing history.
Bot / botnet
Remote-controls infected machines and herds many together for attacks. Orders arrive from a C2 (→ C2).
In practice a single piece of malware often wears several of these hats at once (e.g. it gets in as a trojan, acts as spyware to steal data, and finally drops ransomware). That's exactly why it's more useful to firm up your entry / detection / recovery defenses than to spend time on "which type is this?"
Main infection routes (know the entry)
Malware doesn't appear by magic; it comes in through a predictable set of doors. Here are the high-level routes only (no specific techniques).
In every case the entry is a gap in people and operations — opening something carelessly, leaving software outdated, not checking where it came from. The flip side: the defenses below close most of them.
Defense (the type differs, the work doesn't)
You don't need a separate countermeasure per type. Stack the three layers that work against malware in general.
Close the entry: updates, suspicious files, MFA
Update your OS and software regularly so known holes don't linger. Don't open unexpected attachments, macros, or links. Protect key accounts with multi-factor authentication (MFA) so stolen credentials don't mean instant compromise (→ how to choose MFA).
Add a detection layer: antivirus / EDR
Block known threats with antivirus (including your OS's built-in), and where you need more, use EDR to watch behavior and catch unknown malware too (→ what EDR is). Detection isn't perfect, though — never rely on it alone.
Limit the blast radius: least privilege
Don't run everyday work as an administrator. Keeping privileges to the minimum means that even if something does execute, it can't spread far — one device or one account doesn't cascade to everything.
Be able to recover: backups
The last line is a backup. Against ransomware especially, an offline / immutable copy plus regular restore tests is the decider (→ backup and recovery essentials).
Traditional antivirus (matching the known)
- detects by matching a known malware "fingerprint" (signature)
- lightweight and effective against widely-circulating threats
- tends to miss unknown / freshly-made variants
- often mistaken for "install it and you're safe"
EDR (watching behavior)
- detects by suspicious behavior (odd encryption, outbound calls), not filename
- notices unknown attacks and "abuse of legitimate tools"
- leaves a record you can use to investigate and contain after an infection
- still not a substitute for entry (updates) and recovery (backups)
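To make the antivirus-versus-EDR contrast concrete, here is an added example (not code from this site) that runs both approaches over a constructed endpoint event log: a signature check matches only an exact known file fingerprint, while a behavior score flags a process by what it does (bulk encrypt-like renames, a credential-store read followed by an outbound connection). All hashes, paths, IPs and event lines are constructed for illustration.

```python
"""Signature matching vs. behavior-based detection over a constructed event log."""
import hashlib
from collections import defaultdict

# Constructed signature database: SHA-256 of a made-up sample body, not real malware.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"sample-malware-body-v1").hexdigest()}

# Constructed endpoint event log: (pid, event_type, detail).
# pid 4120 mimics the trojan -> spyware -> ransomware chain described above;
# pid 2210 is an ordinary office application doing ordinary things.
SAMPLE_EVENTS = [
    ("4120", "exec", "invoice.pdf.exe"),
    ("4120", "read", "C:/Users/a/AppData/Local/App/saved_credentials.db"),
    ("4120", "net_out", "198.51.100.23:443"),  # documentation-range IP, constructed
    ("4120", "rename", "report.docx -> report.docx.locked"),
    ("4120", "rename", "budget.xlsx -> budget.xlsx.locked"),
    ("4120", "rename", "photo.jpg -> photo.jpg.locked"),
    ("2210", "exec", "winword.exe"),
    ("2210", "rename", "report.docx -> report.docx.bak"),
    ("2210", "net_out", "203.0.113.5:443"),
]


def signature_hit(file_bytes: bytes) -> bool:
    """Traditional antivirus: a hit only if the exact fingerprint is already known."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_SHA256


def behavior_score(events):
    """EDR-style scoring: judge each process by its actions, not by its filename.

    Returns {pid: [reasons]} for every process that crosses a threshold.
    """
    counters = defaultdict(lambda: defaultdict(int))
    for pid, kind, detail in events:
        if kind == "rename" and detail.endswith(".locked"):
            counters[pid]["mass_rename"] += 1
        elif kind == "net_out":
            counters[pid]["outbound"] += 1
        elif kind == "read" and detail.endswith("saved_credentials.db"):
            counters[pid]["credential_read"] += 1
    flagged = {}
    for pid, c in counters.items():
        reasons = []
        if c["mass_rename"] >= 3:
            reasons.append("encrypt-like bulk renames")
        if c["credential_read"] and c["outbound"]:
            reasons.append("credential-store read plus outbound connection")
        if reasons:
            flagged[pid] = reasons
    return flagged
```

Note that a one-byte change to the sample body defeats the signature check while the behavior score still flags pid 4120, which is the "misses fresh variants" point in the list above.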
This site's view: memorizing types is not a defense strategy
Attackers keep changing the names and the looks. Chasing "this month's malware name" won't make your defense stronger. What works universally is the structure of three layers — entry, detection, recovery. This site applies the same principle to itself: we keep dependencies updated to close the entry, machine-monitor CVEs to detect, and keep our setup reproducible so we can recover. Defending against malware isn't special — it's an extension of these basics.
The blind spot: "I have antivirus, so I'm fine" isn't true
The most common mistake is treating one detection tool as a lucky charm. Detection always misses a certain fraction, and the moment that's breached your defense drops to zero. What's strong is layering: cut the volume at the entry (don't open, do update), catch what's left with detection (antivirus / EDR), and neutralize whatever still slips through with recovery (backups). Not leaning on any single layer is where malware defense begins.
Read next
- Glossary: what ransomware is (the most damaging type — double extortion) · what C2 (command-and-control) is (how bots are operated)
- Glossary: what EDR is (detecting the unknown by behavior) · what an IOC is (traces of an infection)
- Learn: backup and recovery essentials (being able to recover — the last line) · the security baseline checklist (the foundation for entry, detection, recovery)
FAQ
Q: What's the difference between malware and a virus?
A virus is one type of malware. Malware is the umbrella term for all 'malicious software,' and it includes viruses, worms, trojans, ransomware, spyware, and bots. In everyday speech people call everything a 'virus,' but strictly a virus is the specific type that copies itself by attaching to other files, while malware is the big umbrella word that covers all of them.
Q: Is free antivirus enough?
For personal basics, the built-in protection your OS ships with (like Microsoft Defender on Windows) plus regular updates, backups, and least privilege already covers a lot. But antivirus mostly matches 'known bad' things, so novel or clever malware can slip past. Where you need stronger defense, EDR complements it by watching behavior and catching unknown attacks. Either way, don't rely on detection alone — pair it with the entry side (updates, not opening suspicious files) and recovery (backups).
Q: I think I'm infected. What should I do?
First, don't panic-pay anything. The order is: (1) disconnect that device from the network to stop it spreading and calling out, (2) from a separate, safe device, change the passwords for email, banking, and key accounts and turn on multi-factor authentication, (3) restore from a clean backup or reset the device to get back to a known-good state, and (4) cut off the entry you suspect (the attachment you opened, the app you installed, the USB you plugged in). For a device holding important data, consider bringing in a professional.