Heuristics








Heuristic scanning is an addition to signature-based detection that makes antivirus products more flexible. Worms and viruses can easily evade a signature-based detector by morphing into a different form, by obfuscating themselves (for example, swapping parts of their code around, or substituting instructions with alternatives that serve the same purpose but look entirely different to a signature matcher), or simply by encrypting parts of themselves.


Heuristic scanning, named after the Greek word meaning “to discover”, does not look for an exact signature match; instead it estimates the probability that a file is malicious. Antivirus vendors introduced this seemingly natural technique gradually and cautiously in order to keep the number of false alarms low, because more flexible detection inevitably raises the error rate. That is why reports of heuristics being used in production appeared only recently, relative to the couple of decades the antivirus industry has existed; perhaps the best-known such report, on Symantec’s Bloodhound technology, was published in 1999.


Working with a number of “signs” or “flags”, which may consider, for example, the file size or a certain behavior, the heuristic engine assigns a score to each characteristic it finds and produces an overall probability that the file is a virus; that probability is then compared against a threshold to give the user a yes/no answer. Raising the threshold reduces false alarms at the cost of missing more malware, and lowering it does the reverse, which is the trade-off vendors have to tune. Reports on the early heuristic technology indicated that the heuristics were still heavily tied to signatures and to specific virus versions, merely helping the antivirus catch the possible obfuscations and alternative appearances of the same signature. There is some indication that present-day heuristic components go beyond that and actually attempt to find new, previously unseen malware.


Dynamic heuristics, applied while the suspect file is run inside the antivirus’s emulator, look for suspicious behavior exhibited at runtime (for example, a program writing into other executables or registering itself to start automatically) rather than for properties of the file’s bytes alone.
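As an added, runnable illustration of the scoring described above (weighted flags summed into a score and compared against a threshold) together with the dynamic, emulation-time checks, the following Python is not from the original article or from any vendor’s engine. The sample files, their import tables, the call traces “recorded under emulation”, the flag weights, the byte signature and the thresholds are all constructed for the example; the Win32 API names appear only as labels.

```python
"""Toy heuristic scanner: weighted static + dynamic flags, summed into a score and
compared with a tunable threshold.  Added illustration, not a real AV engine; every
sample, trace, weight and signature below is constructed."""
import math
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class Sample:
    name: str
    data: bytes                          # raw file bytes (constructed)
    imports: Tuple[str, ...]             # names from the import table (constructed)
    trace: Tuple[Tuple[str, str], ...]   # (api, argument) pairs seen under emulation (constructed)


@dataclass(frozen=True)
class Flag:
    name: str
    weight: int                          # how much this sign contributes to the score
    check: Callable[[Sample], bool]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted code sits near 8.0, plain code well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Win32 APIs commonly chained for process injection (an example set, not a vendor list).
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}

FLAGS = (
    # static signs, computed from the file itself
    Flag("high_entropy", 4, lambda s: shannon_entropy(s.data) > 7.0),
    Flag("injection_imports", 5, lambda s: any(i in INJECTION_APIS for i in s.imports)),
    Flag("no_imports", 2, lambda s: not s.imports),
    Flag("tiny_image", 1, lambda s: len(s.data) < 1024),
    # dynamic signs, taken from the call trace recorded while emulating the sample
    Flag("writes_executable", 5,
         lambda s: any(api == "WriteFile" and arg.lower().endswith(".exe") for api, arg in s.trace)),
    Flag("persistence_key", 3,
         lambda s: any(api == "RegSetValueExA" and "\\run" in arg.lower() for api, arg in s.trace)),
)


def score(sample: Sample, flags=FLAGS):
    """Sum the weights of the triggered flags and normalise to a [0, 1] probability-like score."""
    hit = [f for f in flags if f.check(sample)]
    return sum(f.weight for f in hit) / sum(f.weight for f in flags), [f.name for f in hit]


def verdict(sample: Sample, threshold: float = 0.5, flags=FLAGS) -> dict:
    """The yes/no answer: score at or above the threshold means 'malicious'."""
    p, hits = score(sample, flags)
    return {"name": sample.name, "score": p, "hits": hits, "malicious": p >= threshold}


# What a purely signature-based scanner might carry for the unpacked variant (constructed).
KNOWN_SIGNATURE = b"VirtualAllocEx"


def signature_hit(sample: Sample) -> bool:
    return KNOWN_SIGNATURE in sample.data


# Constructed samples.  bytes(range(256)) * k has exactly 8.0 bits/byte of entropy and
# stands in for a packed body; repeated ASCII text stands in for plain code.
SAMPLES = (
    Sample("benign_tool", b"This program cannot be run in DOS mode.\r\n" * 100,
           ("ReadFile", "WriteFile", "CloseHandle"),
           (("CreateFileA", r"C:\Users\me\notes.txt"), ("ReadFile", r"C:\Users\me\notes.txt"))),
    Sample("packed_injector", bytes(range(256)) * 16,
           ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"),
           (("VirtualAllocEx", "pid 4242"), ("WriteFile", r"C:\Windows\Temp\svc.exe"))),
    Sample("packed_unknown", bytes(range(256)) * 2, (),
           (("RegSetValueExA", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),)),
)

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.name, "signature hit:", signature_hit(s))
        for t in (0.5, 0.7):
            print("   threshold", t, "->", verdict(s, t))
```

Running it shows the two points the article makes: the packed injector contains none of the signature bytes and is missed by the signature check, yet scores 0.7 from its entropy, its import table and the executable it writes during emulation; the third sample scores exactly 0.5, so it is reported as malicious at a 0.5 threshold and cleared at 0.7, which is the false-alarm trade-off that vendors tune.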