Heuristic analysis is a method of detecting viruses by examining code for suspicious properties.
Traditional methods of virus detection involve identifying malware by comparing code in a program to the code of known virus types that have already been encountered, analyzed and recorded in a database – known as signature detection.
While still useful and widely used, the signature detection method has become more limited because of the explosion of new threats around the turn of the century, which continue to emerge all the time.
To counter this problem, the heuristic model was specifically designed to spot suspicious characteristics that can be found in unknown, new viruses and modified versions of existing threats as well as known malware samples.
Cybercriminals are constantly developing new threats, and heuristic analysis is one of the few methods capable of dealing with the huge volume of new threats seen daily.
Heuristic analysis is also one of the few methods capable of combating polymorphic viruses — the term for malicious code that constantly changes and adapts. Heuristic analysis is incorporated into advanced security solutions offered by companies like Kaspersky Labs to detect new threats before they cause harm, without the need for a specific signature.
How Does Heuristic Analysis Work?
Heuristic analysis can employ a number of different techniques. One heuristic method, known as static heuristic analysis, involves decompiling a suspect program and examining its source code. This code is then compared to viruses that are already known and are in the heuristic database. If a particular percentage of the source code matches anything in the heuristic database, the code is flagged as a possible threat.
Another method is known as dynamic heuristics. When scientists want to analyze something suspicious without endangering people, they contain the substance in a controlled environment like a secure lab and conduct tests. The process is similar for heuristic analysis — but in a virtual world.
Dynamic heuristic analysis isolates the suspicious program or piece of code inside a specialized virtual machine — or sandbox — and gives the antivirus program a chance to test the code and simulate what would happen if the suspicious file were allowed to run. It examines each command as it's activated and looks for any suspicious behaviors, such as self-replication, overwriting files, and other actions that are common to viruses.
Potential Issues
Heuristic analysis is ideal for identifying new threats, but to be effective, heuristics must be carefully tuned to give the best possible detection of new threats without generating false positives on perfectly innocent code.
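As an added illustration of the dynamic heuristics and the tuning problem described above (example code written for this page, not any vendor's engine), the toy scorer below reads a constructed sandbox trace, applies weighted rules for the two behaviors the text names (self-replication and overwriting files), and flags the sample when the score crosses a threshold. The rule weights, the threshold, the event format and both traces are assumptions chosen to show how lowering the threshold turns a benign installer into a false positive.

```python
"""Toy dynamic-heuristics scorer over a recorded sandbox trace.
Each event stands for one command the sandboxed sample executed, as a
behavior monitor might log it. Everything here is constructed for illustration."""

# Assumed weights and threshold: tuning these is the false-positive trade-off.
WEIGHTS = {"self_replication": 60, "mass_overwrite": 30}
FLAG_THRESHOLD = 50
OVERWRITE_LIMIT = 5  # assumed: this many overwrites in one trace is "mass"


def score_trace(events, self_hash):
    """Score a trace of sandbox events against the heuristic rules.

    events:    list of dicts with 'op' ('read', 'write', 'overwrite'), 'path'
               and, for written content, 'hash'.
    self_hash: content hash of the sample's own executable image.
    Returns (score, list of triggered rule names)."""
    triggered = []
    # Self-replication: the sample writes a file whose content is its own image.
    if any(e["op"] == "write" and e.get("hash") == self_hash for e in events):
        triggered.append("self_replication")
    # Mass overwrite: many existing files replaced within a single trace.
    overwrites = sum(1 for e in events if e["op"] == "overwrite")
    if overwrites >= OVERWRITE_LIMIT:
        triggered.append("mass_overwrite")
    return sum(WEIGHTS[r] for r in triggered), triggered


def is_flagged(events, self_hash, threshold=FLAG_THRESHOLD):
    """Decide whether the trace crosses the detection threshold."""
    return score_trace(events, self_hash)[0] >= threshold


# Constructed trace 1: a sample that copies itself and then rewrites documents.
SUSPECT_HASH = "deadbeef01"
SUSPECT_TRACE = [
    {"op": "read", "path": "home/user/sample.exe", "hash": "deadbeef01"},
    {"op": "write", "path": "tmp/svchost32.exe", "hash": "deadbeef01"},
] + [{"op": "overwrite", "path": f"home/user/docs/doc{i}.docx"} for i in range(6)]

# Constructed trace 2: an installer that overwrites an old version's files.
INSTALLER_HASH = "cafef00d02"
INSTALLER_TRACE = [
    {"op": "write", "path": "apps/app/app.exe", "hash": "11aa"},
] + [{"op": "overwrite", "path": f"apps/app/lib{i}.dll"} for i in range(6)]

if __name__ == "__main__":
    for name, trace, h in [("suspect", SUSPECT_TRACE, SUSPECT_HASH),
                           ("installer", INSTALLER_TRACE, INSTALLER_HASH)]:
        print(name, score_trace(trace, h), "flagged:", is_flagged(trace, h))
```

With the default threshold the installer scores 30 and passes; dropping the threshold to 30 would flag it, which is exactly the false positive careful tuning is meant to avoid.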
For this reason, heuristic tools are typically just one weapon in a sophisticated antivirus arsenal. They are deployed alongside other methods of virus detection, such as signature analysis and other proactive technologies.