What is Heuristic Analysis in Antivirus? Definition, Advantages, and More
Everyone knows that antivirus programs exist to protect against viruses, or more precisely, malware.
In theory the methods and principles of protection matter little, as long as they are aimed at combating malware, as Total AV antivirus does. In practice it is somewhat different: almost any antivirus program combines, in varying proportions, all the protection technologies and methods created to date.
All antivirus protection methods fall into two main groups:
- Signature method – exact detection, based on comparing a file with samples of known viruses.
- Heuristic method – approximate detection, which allows one to assume, with a certain probability, that a file is infected.
Heuristic Analysis Essentials
The word “heuristic” comes from the Greek verb meaning “to find.” The essence of heuristic methods is that a solution is based on plausible assumptions rather than on strict conclusions from the available facts and preconditions. Since such a definition sounds rather abstract, it is easier to explain it with examples of several heuristic methods.
Scan for Viruses Similar to Known Threats
Where the signature method selects features of a virus and searches for those features in the files under test, heuristic analysis rests on the (highly plausible) assumption that new viruses often turn out to be similar to ones already known. This assumption is borne out by the fact that a single signature in an antivirus database often detects not one but several viruses at once. Based on it, the heuristic method looks for files that do not fully, but very closely, match the signatures of known viruses.
The positive effect of this method is the ability to detect new viruses before dedicated signatures have been released for them. Its drawbacks are:
- False positives – the probability of reporting a virus in a file that is actually clean.
- Impossibility of disinfection – because of possible false positives and the inexact identification of the virus type, an attempt to disinfect can destroy more data than the virus itself would, which is unacceptable.
- Low efficiency – this kind of heuristic analysis is of little use against truly innovative viruses, which cause the largest epidemics.
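The near-match idea above can be shown in a few lines of code. The following scanner is an added example written for this article, not code from any antivirus product: it slides each known signature over a file's bytes, records the best byte-for-byte agreement, and reports "known" for an exact hit, "variant" for a close-but-inexact hit, and "clean" otherwise. The signature bytes, the sample files and the 0.8 variant threshold are all constructed for illustration; real engines tune such thresholds against large clean-file sets precisely because of the false-positive risk described above.

```python
"""Near-match signature scanner: an illustrative toy, not a real AV engine."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-ins for the byte patterns a vendor extracts from known
# samples. These are arbitrary bytes, not real malware signatures.
KNOWN_SIGNATURES: Dict[str, bytes] = {
    "Dummy.Dropper.A": bytes.fromhex("4d5a9000deadbeef0102030405060708"),
    "Dummy.Keylogger.B": bytes.fromhex("e8000000005b81eb05104000c3ffd0"),
}

EXACT = 1.0
VARIANT_THRESHOLD = 0.8  # assumed value; raising it trades detections for fewer false positives


@dataclass
class Verdict:
    family: Optional[str]   # best-matching signature family, if any
    similarity: float       # fraction of signature bytes that agreed (0.0..1.0)
    label: str              # "known", "variant" or "clean"


def similarity(window: bytes, sig: bytes) -> float:
    """Fraction of positions at which the window agrees with the signature."""
    matches = sum(1 for a, b in zip(window, sig) if a == b)
    return matches / len(sig)


def best_match(data: bytes, sig: bytes) -> float:
    """Best similarity of the signature against every window of the file."""
    if len(data) < len(sig):
        return 0.0
    return max(similarity(data[i:i + len(sig)], sig)
               for i in range(len(data) - len(sig) + 1))


def scan(data: bytes) -> Verdict:
    """Classify a buffer: exact signature hit, probable variant, or clean."""
    best_family: Optional[str] = None
    best_score = 0.0
    for family, sig in KNOWN_SIGNATURES.items():
        score = best_match(data, sig)
        if score > best_score:
            best_family, best_score = family, score
    if best_score >= EXACT:
        return Verdict(best_family, best_score, "known")
    if best_score >= VARIANT_THRESHOLD:
        return Verdict(best_family, best_score, "variant")
    return Verdict(None, best_score, "clean")


def sample_files() -> Dict[str, bytes]:
    """Constructed inputs: a clean text file, an exact hit, and a 2-byte mutation."""
    sig = bytearray(KNOWN_SIGNATURES["Dummy.Dropper.A"])
    mutated = bytearray(sig)
    mutated[5] ^= 0xFF   # flip two bytes: 14 of 16 still agree -> 0.875
    mutated[10] ^= 0xFF
    return {
        "clean.txt": b"The quick brown fox jumps over the lazy dog",
        "known.bin": b"header" + bytes(sig) + b"trailer",
        "variant.bin": b"header" + bytes(mutated) + b"trailer",
    }


if __name__ == "__main__":
    for name, data in sample_files().items():
        v = scan(data)
        print(f"{name:12} {v.label:8} {v.similarity:.3f} {v.family or '-'}")
```

Note how the mutated sample is caught by the variant rule even though no exact signature exists for it, while the plain-text file scores 0.0 against both signatures. Lowering `VARIANT_THRESHOLD` widens the net but also makes unrelated files more likely to be flagged.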
Scan for Viruses that Perform Suspicious Actions
Another heuristic method starts from the assumption that malware seeks to harm the computer in one way or another. The method is based on singling out the main malicious actions, such as:
- Deleting a file
- Writing to a file
- Writing to specific areas of the registry
- Opening a port for listening
- Intercepting keyboard input
Performing any one such action on its own is no reason to consider a program malicious. But if a program performs several such actions in sequence, for example writes itself to the registry autostart key, intercepts data entered from the keyboard, and sends that data to some Internet address at a regular interval, then the program is at least suspicious. On this principle, the heuristic analyzer must constantly monitor the actions that programs perform.
The advantage of the described method is the ability to detect previously unknown malware even when it bears little resemblance to known samples. For example, new malware may use a new vulnerability to penetrate a computer but then begin to perform already familiar malicious actions. An analyzer of the first type may miss such a program, but an analyzer of the second type can detect it well.
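The action-chain logic described above, as an added example written for this article rather than code from any real antivirus: it reads a constructed event stream of the kind a behaviour monitor would emit, scores each process by the actions it performs, and adds a large bonus only when the specific chain named in the text appears (autostart key written, keyboard hook installed, and periodic sends to one destination). The log format, the action names, the weights and the threshold are all assumptions; the destination 203.0.113.5 is a documentation address, not a real host.

```python
"""Behaviour-chain heuristic scorer: an illustrative toy, not a real AV engine."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed event stream (assumed format). pid 200 performs the suspicious
# chain; pid 300 is an installer that only writes an autorun key and a file.
SAMPLE_EVENTS = r"""
t=0 pid=100 proc=notepad.exe action=FILE_WRITE path=C:\Users\u\notes.txt
t=1 pid=200 proc=svc.exe action=REG_WRITE key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run
t=2 pid=200 proc=svc.exe action=KEYBOARD_HOOK
t=10 pid=200 proc=svc.exe action=NET_SEND dst=203.0.113.5:443
t=20 pid=200 proc=svc.exe action=NET_SEND dst=203.0.113.5:443
t=30 pid=200 proc=svc.exe action=NET_SEND dst=203.0.113.5:443
t=31 pid=300 proc=setup.exe action=REG_WRITE key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run
t=32 pid=300 proc=setup.exe action=FILE_WRITE path=C:\Program Files\App\app.exe
"""

AUTORUN_KEYS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")

# Assumed weights: no single action reaches the threshold on its own.
WEIGHTS = {"FILE_WRITE": 1, "FILE_DELETE": 1, "REG_WRITE": 1, "REG_WRITE_AUTORUN": 3,
           "PORT_LISTEN": 2, "KEYBOARD_HOOK": 3, "NET_SEND": 1}
CHAIN_BONUS = 5            # autorun + keyboard hook + periodic send seen together
SUSPICIOUS_THRESHOLD = 6

EVENT_RE = re.compile(r"t=(?P<t>\d+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
                      r"action=(?P<action>\S+)(?P<rest>.*)")


@dataclass
class ProcessProfile:
    proc: str
    score: int = 0
    actions: List[str] = field(default_factory=list)
    sends: Dict[str, List[int]] = field(default_factory=lambda: defaultdict(list))
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def classify(action: str, rest: str) -> str:
    """Refine REG_WRITE into REG_WRITE_AUTORUN when the key is an autostart key."""
    if action == "REG_WRITE" and any(k.lower() in rest.lower() for k in AUTORUN_KEYS):
        return "REG_WRITE_AUTORUN"
    return action


def is_periodic(times: List[int], jitter: int = 2) -> bool:
    """True when three or more sends are spaced at near-constant intervals."""
    if len(times) < 3:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    return max(gaps) - min(gaps) <= jitter


def score_events(log: str) -> Dict[int, ProcessProfile]:
    """Accumulate per-process scores, then apply the action-chain rule."""
    profiles: Dict[int, ProcessProfile] = {}
    for line in log.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        p = profiles.setdefault(int(m["pid"]), ProcessProfile(m["proc"]))
        kind = classify(m["action"], m["rest"])
        p.actions.append(kind)
        p.score += WEIGHTS.get(kind, 0)
        if kind == "NET_SEND":
            dst = re.search(r"dst=(\S+)", m["rest"])
            if dst:
                p.sends[dst.group(1)].append(int(m["t"]))
    for p in profiles.values():
        beacons = [d for d, ts in p.sends.items() if is_periodic(ts)]
        if beacons:
            p.reasons.append("periodic sends to " + ", ".join(beacons))
        if beacons and "REG_WRITE_AUTORUN" in p.actions and "KEYBOARD_HOOK" in p.actions:
            p.score += CHAIN_BONUS
            p.reasons.append("autorun + keyboard hook + periodic send chain")
    return profiles


if __name__ == "__main__":
    for pid, p in sorted(score_events(SAMPLE_EVENTS).items()):
        flag = "SUSPICIOUS" if p.suspicious else "ok"
        print(f"pid={pid} {p.proc:12} score={p.score:2} {flag} {'; '.join(p.reasons)}")
```

The installer (pid 300) writes the same autostart key as the suspicious process but stops at a score of 4, which is the point of the text: the verdict comes from the combination of actions, not from any single one. The same design also explains the false-positive drawback listed below, since a legitimate remote-support tool can perform exactly this chain.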
The negative sides are the same as before:
- False positives
- Impossibility of disinfection
- Low efficiency
Which antivirus to choose, and which analysis methods it should employ, is up to you. That said, we recommend a solution that combines advanced signature and heuristic methods to keep you safe on the Internet.