What is heuristic based detection

By Kevin Lee


While computers may seem brilliant, at their core, they are unintelligent machines that rely on instructions that humans create to make them work. Viruses are programs that cause computers to execute instructions that can harm them and your data. Software developers create behavioral and heuristic antivirus applications that use different methods to detect and eliminate viruses and other forms of malware that may infect your computer.

Windows Defender, a security app that comes with Windows, identifies a suspicious program by checking the program against a database that Microsoft maintains. Security programs that rely on databases for malware information check them frequently because people create new viruses continuously. Many antivirus programs identify threats by examining their "signatures." A signature is similar to a fingerprint: it represents a specific set of a file's characteristics that help others identify the file.

A behavioral detection antivirus program works like a police officer looking for odd behavior in a suspect. If you install an antivirus app that uses behavior detection, it watches your operating system, searching for suspicious events. For instance, if the antivirus program witnesses an attempt to change or modify a file or communicate over the Web, it may take action and warn you of the threat. It may also block the threat depending on how you adjust its security settings.

Antivirus apps that use heuristics are similar to signature-based detection programs. They seek to identify malware by examining the code in a virus program and analyzing the program's structure. A heuristic antivirus app using this detection method might run a process that simulates actually running the code it’s examining. When it does that, the antivirus app seeks to identify additional code logic that may help it determine if the suspected virus is really a threat.

Because antivirus programs that use behavior detection look for suspicious behavior in a potential virus, they can identify threats that some heuristic antivirus programs may miss. Assume, for example, that a heuristic database contains a code pattern that consists of A-B-B-A. If a virus's creators modify their code so that the pattern changes to A-A-B-B, a heuristic antivirus app may not detect that modified version.
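The three approaches described above, side by side on the page's A-B-B-A illustration. This is an added example written for this page, not code from the original article or from any antivirus vendor. Programs are modelled as the sequence of operations they perform; the letters A and B, the rule names and the "database" entries are constructed for the illustration, and the behavioural monitor is a stand-in for an engine that watches real system events.

```python
import hashlib

# Constructed "programs": each is the ordered list of actions it performs.
# A = write a startup entry (persistence), B = connect to the network.
ORIGINAL = ("open_config", "A", "B", "B", "A")
VARIANT = ("open_config", "A", "A", "B", "B")   # same actions, reordered
BENIGN = ("open_config", "B", "read_page")     # a browser-like program


def fingerprint(program):
    """Signature as a 'fingerprint' of the whole program (SHA-256 here)."""
    return hashlib.sha256("|".join(program).encode()).hexdigest()


# Constructed signature database: exact fingerprint -> detection name.
SIGNATURE_DB = {fingerprint(ORIGINAL): "Example.Worm.A"}
# Constructed heuristic pattern database: ordered code pattern -> name.
PATTERN_DB = {("A", "B", "B", "A"): "Example.Worm.gen"}


def signature_detect(program):
    """Signature-based detection: only an exact match is found."""
    return SIGNATURE_DB.get(fingerprint(program))


def contains_pattern(program, pattern):
    n = len(pattern)
    return any(tuple(program[i:i + n]) == pattern
               for i in range(len(program) - n + 1))


def heuristic_pattern_detect(program):
    """Heuristic pattern matching: catches files sharing the A-B-B-A pattern,
    but a reordered variant (A-A-B-B) no longer matches."""
    for pattern, name in PATTERN_DB.items():
        if contains_pattern(program, pattern):
            return name
    return None


class Monitor:
    """Stand-in for a behavioural engine: observes each action as it happens
    and raises a verdict once a suspicious combination has been seen."""

    def __init__(self):
        self.startup_writes = 0
        self.connections = 0

    def observe(self, op):
        if op == "A":
            self.startup_writes += 1
        elif op == "B":
            self.connections += 1

    def verdict(self):
        # Constructed rule: persistence combined with network activity is
        # flagged; either action alone is allowed (installers, browsers).
        if self.startup_writes and self.connections:
            return "Behaviour.PersistAndBeacon"
        return None


def behaviour_detect(program):
    """Behavioural detection: order of actions does not matter."""
    monitor = Monitor()
    for op in program:
        monitor.observe(op)
        verdict = monitor.verdict()
        if verdict:
            return verdict
    return None


if __name__ == "__main__":
    for name, prog in [("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)]:
        print(name, signature_detect(prog), heuristic_pattern_detect(prog), behaviour_detect(prog))
```

Running the block shows the asymmetry the paragraph describes: the signature and the A-B-B-A pattern both catch the original and both miss the reordered variant, while the behavioural rule catches both and still clears the benign program.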

A false positive occurs when an antivirus program informs you that a program is dangerous even though it is not. Malware detection using heuristic methods often increases the number of false positives. Heuristic antivirus programs can also take more time to scan files than programs that use behavior detection. Many modern antivirus programs use both heuristics and behavioral methods to protect computers from malware.


Antivirus software is your first line of defense against malware. As it runs in the background, it will scan your computer for potential threats while blocking them before they are able to infect your computer. There are different types of antivirus software, however. While some of them use signature-based methods of detection, others use heuristic analysis. What is heuristic analysis antivirus software exactly, and how does it work?

Overview of Heuristic Analysis Antivirus Software

Heuristic analysis antivirus software is defined by its ability to detect known forms of malware as well as unknown forms of malware. Known forms of malware consist of viruses, trojans, worms, ransomware and other malicious software that has already been identified. Unknown forms of malware consist of these same types of malware, except they haven’t been identified or otherwise discovered yet.

How Heuristic Analysis Antivirus Software Works

The problem with signature-based antivirus software is that it’s only capable of protecting against known viruses. Signature-based antivirus software lives up to its name by using signatures to identify malware. All forms of malware have a signature. A signature is simply a string or sequence of code that’s unique to a piece of malware. When scanning your computer, signature-based antivirus software looks for these signatures.

While heuristic analysis antivirus software can protect against known pieces of malware, it offers protection against unknown malware as well. The term “heuristic” means to learn something without the assistance of anyone or anything else. Heuristic antivirus software follows this principle by leveraging artificial intelligence (AI) to identify new pieces of malware that haven’t been previously identified.

Heuristic analysis antivirus software is designed to look for patterns in the code of files and programs that are associated with malware. It doesn’t necessarily look for signatures. Signatures are explicit lines or sequences of code that a given piece of malware uses. Heuristic analysis antivirus software simply looks for patterns, which may indicate a potential threat.

Some types of heuristic analysis software also use dynamic scanning to detect malware. Dynamic scanning is an advanced detection method that involves running or executing files in a virtual container. The virtual container separates the files from the rest of your computer. While the files run in the virtual container, heuristic analysis software analyzes them for potential threats.

In Conclusion

Heuristic analysis is a new class of antivirus software. It’s particularly effective at identifying unknown pieces of malware. Heuristic analysis antivirus software doesn’t use signatures. Instead, it uses AI to look for patterns while also executing and running files in a virtual container.


In addition to comparing potential malware against known viruses, all ESET products use heuristics to detect viruses, trojans and other threats. The use of heuristics is a technique that implements a set of guidelines or rules in order to problem-solve efficiently. In an antivirus context, heuristics are a set of rules used to detect malicious program behavior without needing to uniquely identify the specific threat, as is required by classic signature-based detection. The primary advantage of the heuristic-based model is not only its ability to detect variants or modified forms of existing malicious programs, but also new previously-unknown malicious programs. All ESET products use heuristics to detect both known and unknown threats and malware. Two forms of heuristics are used, passive and active.

Passive heuristics

Passive heuristics analyze a potential threat as it is scanned, tracing through the instructions in the program before passing the code to the processor for execution. Passive heuristics look for patterns, routines or program calls that indicate malicious behavior. Though an important tool, passive heuristics alone are only part of the solution, as there is no single action that a malicious program can perform that is not also allowed in a legitimate program. This is why the simultaneous use of active heuristics is important.

Active heuristics

The active heuristic technology used by ESET products creates a virtual computer within the scanning engine that allows the scanner to observe what the program might do if allowed to run on a real computer. This can reveal potentially malicious activities that other detection techniques would not identify.
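The difference between passive and active heuristics, shown on a toy program. This is an added example written for this page; it is not ESET's engine or any vendor's code. The instruction set (CALL, DECODE, JMP, HALT, ENC), the API names, their weights and the "packed" program are all constructed. The passive scan traces the instruction listing as stored on disk; the active scan runs the same listing in a tiny interpreter that stands in for the virtual computer, so it sees the calls the program only exposes after decoding itself.

```python
# Constructed table of API calls a rule set treats as suspicious, with weights.
SUSPICIOUS = {"WriteSystemFile": 3, "SetRunKey": 3, "NetConnect": 2, "DisableAV": 4}


def score(calls):
    return sum(SUSPICIOUS.get(c, 0) for c in calls)


def passive_scan(program):
    """Passive heuristic: read the instructions as they sit on disk, without
    executing anything, and collect the API calls that are visible."""
    calls = [ins[1] for ins in program if ins[0] == "CALL"]
    return score(calls), calls


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def active_scan(program, max_steps=1000):
    """Active heuristic: execute the program in a toy VM and record every API
    call it actually makes. max_steps bounds the run so a looping sample
    cannot stall the scanner."""
    mem = list(program)          # the VM works on its own copy of the code
    pc, steps, calls = 0, 0, []
    while pc < len(mem) and steps < max_steps:
        ins = mem[pc]
        steps += 1
        op = ins[0]
        if op == "CALL":
            calls.append(ins[1])
            pc += 1
        elif op == "DECODE":     # self-decrypt: turn every ENC cell into code
            key = ins[1]
            for i, cell in enumerate(mem):
                if cell[0] == "ENC":
                    text = xor_bytes(cell[1], key).decode()
                    mem[i] = tuple(text.split(":"))
            pc += 1
        elif op == "JMP":
            pc = ins[1]
        elif op == "HALT":
            break
        else:                    # ENC cell reached undecoded, or unknown op
            pc += 1
    return score(calls), calls


# Constructed samples. The packed one stores its real behaviour XOR-encoded.
KEY = 0x5A


def enc(text):
    return ("ENC", xor_bytes(text.encode(), KEY))


PACKED = [
    ("CALL", "GetVersion"),
    ("DECODE", KEY),
    ("JMP", 3),
    enc("CALL:DisableAV"),
    enc("CALL:WriteSystemFile"),
    enc("CALL:NetConnect"),
    ("HALT",),
]
BENIGN = [("CALL", "GetVersion"), ("CALL", "ReadConfig"), ("HALT",)]
# A legitimate installer also writes a system file: no single action is
# conclusive on its own, which is why the score is a weighted sum.
INSTALLER = [("CALL", "WriteSystemFile"), ("HALT",)]
LOOPER = [("JMP", 0)]            # never halts; the step budget ends the run

if __name__ == "__main__":
    for name, prog in [("packed", PACKED), ("benign", BENIGN), ("installer", INSTALLER)]:
        print(name, "passive:", passive_scan(prog), "active:", active_scan(prog))
```

The passive scan of the packed sample sees only a version check and scores it 0; the active scan watches it decode and then disable the antivirus, write a system file and connect out, for a score of 9. The installer scores 3 under both, which is the point made above: writing a system file is also allowed in a legitimate program, so a threshold has to be set against the combined score rather than any single action.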

There is often confusion between heuristic analysis and what’s commonly known as a “heuristic virus”. Heuristics are more accurately described as heuristic analysis, the method in which dangerous code is found. The term, heuristic virus, can often be misleading.

While the term heuristic virus can be referred to as the method in which malicious code is detected, it’s better suited to describe the specific virus, Heur.Invader—a malware designed to change system settings.

Heuristic analysis is an adaptive antivirus defense that discovers malicious code through educated guesses. The need for manual review lowers the scalability of this type of analysis, as the techniques are less accurate. Enter machine learning in antivirus software. By automating the majority of processes, and manually analyzing for continuous improvement within the remainder, antivirus software is more effective with zero risks of file-based malware infection.

Heuristics: Detection Approach or Virus?

Heuristics are generally used in antivirus software alongside scanning solutions as a way to estimate where malicious code is on your computer. What may be referred to as a “heuristic virus” is the detection of possible malware, adware, trojans, or other threats. This preliminary warning may appear in a scan as “HEUR” and should be considered suspect code to further inspect.


Heuristic analysis can detect potential viruses without needing to specifically identify them. The process is agile and continually improves as it discovers threats. The longer it runs, the more efficient and effective it becomes. Unfortunately, heuristic analysis is labor-intensive and often results in false positives that must be manually reviewed.

What Is Heuristic Analysis?

Heuristic analysis is based on several techniques. These techniques examine a file's code and match it against previously discovered threats. Depending on the proportion of the match, the system estimates the probability of a threat and flags code that’s likely malicious.

Heuristic-based analysis uses a number of techniques to analyze behaviors and threat levels including:

  • Dynamic scanning: Analyzes the behavior of a file in a simulated environment.
  • File analysis: Analyzes the intent, destination, and purpose of a file.
  • Multicriteria analysis (MCA): Analyzes the weight of the potential threat.

Heuristic virus scans use these analysis techniques for virus detection within code.

Heuristic Virus Detection

Signature-based detection and sandboxing are used with heuristic virus detection for the most effective result.


Heuristic-based detection may determine code is a threat if the program:

  • Persists in the memory after performing its task.
  • Attempts to write to the disk.
  • Modifies required operating system files.
  • Mimics known malware.

Heuristic Scanning

Adjusting the sensitivity level within heuristic scans determines the tolerance level of suspicious files. With an increased level of sensitivity, there is a greater level of protection, but also a higher risk of false positives.
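A weighted scoring of the four indicators listed above, with three sensitivity levels, evaluated on a small labelled corpus so the false-positive trade-off is visible. This is an added example written for this page, not code from any antivirus product. The weights, the thresholds behind the "low/medium/high" levels, the corpus and the "HEUR/" verdict format are constructed; the indicator names follow the page's list.

```python
from dataclasses import dataclass

# The page's four indicators, with constructed weights (multicriteria analysis:
# each indicator contributes to a combined threat weight).
RULES = {
    "persists_in_memory": 1,
    "writes_to_disk": 1,
    "modifies_os_files": 3,
    "mimics_known_malware": 4,
}

# Sensitivity level -> minimum score needed to flag a file (constructed).
THRESHOLDS = {"low": 5, "medium": 4, "high": 2}


@dataclass(frozen=True)
class Sample:
    name: str
    traits: frozenset
    malicious: bool          # ground truth, used only to evaluate the scanner


def score(traits):
    return sum(w for t, w in RULES.items() if t in traits)


def classify(traits, sensitivity="medium"):
    """Return a HEUR verdict string when the score reaches the level's
    threshold, else None. The verdict is a prompt for further inspection,
    not a confirmed identification."""
    s = score(traits)
    if s >= THRESHOLDS[sensitivity]:
        return "HEUR/Suspicious.score%d" % s
    return None


# Constructed corpus of benign and malicious samples.
CORPUS = [
    Sample("text_editor", frozenset({"writes_to_disk"}), False),
    Sample("backup_agent", frozenset({"persists_in_memory", "writes_to_disk"}), False),
    Sample("os_updater", frozenset({"writes_to_disk", "modifies_os_files"}), False),
    Sample("dropper", frozenset({"writes_to_disk", "modifies_os_files", "persists_in_memory"}), True),
    Sample("packed_bot", frozenset({"mimics_known_malware", "persists_in_memory"}), True),
    Sample("stealthy_script", frozenset({"writes_to_disk", "persists_in_memory"}), True),
]


def evaluate(sensitivity):
    """Return (detection_rate, false_positive_rate) over the corpus."""
    tp = fp = 0
    malicious = sum(1 for s in CORPUS if s.malicious)
    benign = len(CORPUS) - malicious
    for s in CORPUS:
        flagged = classify(s.traits, sensitivity) is not None
        if flagged and s.malicious:
            tp += 1
        elif flagged:
            fp += 1
    return tp / malicious, fp / benign


def false_positives(sensitivity):
    """Names of benign samples a level would send to manual review."""
    return [s.name for s in CORPUS
            if not s.malicious and classify(s.traits, sensitivity)]


if __name__ == "__main__":
    for level in ("low", "medium", "high"):
        detected, fpr = evaluate(level)
        print("%-6s detection=%.2f false_positive_rate=%.2f review=%s"
              % (level, detected, fpr, false_positives(level)))
```

On this corpus the low level flags two of three malicious samples with no false positives, medium keeps the same detections but also flags the OS updater, and high catches all three while also sending the backup agent and the updater to manual review. Each step up in sensitivity buys detection at the cost of reviewer time, which is the trade-off the paragraph describes.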

Enable the heuristic scan and choose its sensitivity levels with the following steps:

  1. Open the settings in the main window of the program.
  2. Configure the scan properties in the scan section.
  3. Select the checkbox to enable the scan in the Heuristic section.
  4. To alter the sensitivity level, open settings and select one of the three levels.

How Do You Get Rid of a Heuristic Virus?

A remote server controls the Heur.Invader virus. When removing the Heur.Invader virus, use antivirus software to run a full scan in safe mode. Remove the threat from your machine once detected.


This critical threat can disable antivirus software, install malicious programs, collect sensitive information, and change security settings. When removing the Heur.Invader virus, always boot the computer in safe mode. Doing so starts the computer only with the necessary drivers and services and won’t load the virus—which can disable antivirus software.

  1. Boot the computer in safe mode.
  2. Run your full antivirus software scan as normal.
  3. Once the scan denotes malicious code, inspect the element manually for false positives.
  4. Remove the malicious code.

In sum, heuristic analysis finds inconsistencies in an application and can be found in most antivirus software programs. The downside of heuristic detection, though, is the need for manual review due to frequent false positives. Pair this detection method with automation and other detection tools for the most accurate outcomes.

Sources: Panda Security 1, 2 | Techwalla | Wikileaks | IET