Heuristic Analysis, Unseen Malware

It is generally well understood that antimalware programs (the software that detects computer viruses, worms, trojan horses and other threats to your system) work by scanning files against signatures they already hold. Signature scanning works very well for detecting threats that have already been identified, but how do antimalware programs detect new, previously unseen threats? One of the methods used is heuristics.

Heuristic: "In computer science, a heuristic algorithm, or simply a heuristic, is an algorithm that is able to produce an acceptable solution to a problem in many practical scenarios, in the fashion of a general heuristic, but for which there is no formal proof of its correctness."
Source: Wikipedia

Antivirus (AV) systems supplement signature scanning with a variety of more generic approaches, which are often grouped together under the banner of heuristic analysis. The word "heuristic" itself refers to the act or process of finding or discovering.

How Does Heuristic Analysis Work?

Heuristic programming is usually regarded as an application of artificial intelligence and as a tool for problem solving. As used in expert systems, it builds on rules drawn from experience, and the answers such a system generates get better as it "learns" from further experience; heuristic analysis is therefore closely related to trial and error and learning by experience. In an AV engine, heuristic analysis uses a rule-based approach to diagnosing a potentially offending file. As the analyser works through its rule base, checking the file against criteria that indicate possible malware, it assigns score points each time it finds a match. If the total score meets or exceeds a threshold score [8], the file is flagged as suspicious (or potentially malicious, or spammy in the case of a mail filter) and processed accordingly. In effect the heuristic engine performs the decision-making a human would otherwise do, acting as a virtual malware researcher, and its rules are refined over time to improve future detection rates.

Heuristic analysis can be found in the majority of mainstream antivirus solutions on the market today. Where signature scanning detects threats by searching for specific byte strings, heuristic analysis looks for commands or instructions that would not typically be found in a legitimate application.
Most heuristic antivirus engines use a rule- or weight-based system to estimate how much danger a piece of program functionality could pose. If the accumulated weight exceeds a predetermined threshold, an alarm is triggered and pre-emptive action is taken. Depending on the antivirus settings, this alarm may simply send an alert to a server administrator, or automatically place the file into quarantine. Where the threshold is set is a trade-off: lower it and more unseen malware is caught, but so are more legitimate programs that happen to use the same techniques (false positives).
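The scoring loop described above, written out as an added example. This is not code from the original page or from any AV product: the rule base, the weights, the entropy limit, the threshold and the sample "files" are all assumptions constructed for illustration. Each rule contributes its weight once, however many times it matches, the total is compared against the threshold, and the configured response (alert or quarantine) is applied to anything over it.

```python
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    weight: int
    pattern: bytes  # regular expression applied to the raw file bytes


# Hypothetical rule base (weights are illustrative, not from any real product).
# Each rule scores once no matter how many times its pattern occurs.
RULES = [
    Rule("process-injection APIs", 3, rb"CreateRemoteThread|WriteProcessMemory|VirtualAllocEx"),
    Rule("known packer marker", 2, rb"UPX[0-9!]"),
    Rule("shell command launch", 2, rb"cmd\.exe /c|powershell(\.exe)? -(enc|e) "),
    Rule("hard-coded URL", 1, rb"https?://[\w.-]+"),
]
ENTROPY_LIMIT = 7.0   # bits per byte; ordinary code and text sit well below this
ENTROPY_WEIGHT = 3    # a packed or encrypted body is a strong hint on its own
DEFAULT_THRESHOLD = 5  # assumed cut-off; tuning it trades detection against false positives


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def score_file(data: bytes) -> tuple[int, list[str]]:
    """Run every rule over the file; return (total score, names of the rules that hit)."""
    score, hits = 0, []
    for rule in RULES:
        if re.search(rule.pattern, data):
            score += rule.weight
            hits.append(rule.name)
    if shannon_entropy(data) > ENTROPY_LIMIT:
        score += ENTROPY_WEIGHT
        hits.append("high-entropy body")
    return score, hits


def decide(score: int, threshold: int = DEFAULT_THRESHOLD, on_detect: str = "quarantine") -> str:
    """Map a score to an action; on_detect is the configured response, 'alert' or 'quarantine'."""
    if on_detect not in ("alert", "quarantine"):
        raise ValueError("on_detect must be 'alert' or 'quarantine'")
    return on_detect if score >= threshold else "allow"


# Constructed samples standing in for scanned files (not real executables or malware).
SAMPLE_CLEAN = (
    b"MZ\x90\x00This program cannot be run in DOS mode.\r\n"
    b"kernel32.dll GetModuleHandleA ExitProcess user32.dll MessageBoxA "
    + b"Hello, world! " * 20
)
SAMPLE_SUSPICIOUS = (
    b"MZ\x90\x00UPX0"
    b"kernel32.dll VirtualAllocEx WriteProcessMemory CreateRemoteThread "
    b"cmd.exe /c del /q %TEMP%\\*.tmp "
    b"http://example.invalid/payload.bin"
)
SAMPLE_PACKED = bytes(range(256)) * 4  # every byte value equally often: 8.0 bits/byte


if __name__ == "__main__":
    for name, blob in [("clean", SAMPLE_CLEAN), ("suspicious", SAMPLE_SUSPICIOUS), ("packed", SAMPLE_PACKED)]:
        s, hits = score_file(blob)
        print(f"{name:10} score={s} action={decide(s)} hits={hits}")
```

The packed sample is the interesting case: on its own the entropy rule scores 3, which is below the default threshold of 5, so it is allowed; drop the threshold to 3 and it is flagged. That is exactly the tuning decision the paragraph describes, and it is why a high-entropy body is usually combined with other indicators rather than treated as a verdict by itself. Only static file analysis is shown here; the emulation technique discussed below would feed further rules (observed API calls, file writes) into the same score.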

Heuristic-based antivirus tools use a number of different scanning techniques:
1. File analysis: the scanner statically inspects a file's structure and contents, without running it, to determine its purpose and intent.
2. File emulation: also known as dynamic scanning or sandbox testing, file emulation runs the file in a controlled virtual environment to see what it actually does.
3. Genetic signature detection: designed to locate different variations of a virus, genetic signature detection uses previous virus definitions to discover new members of the same family.
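Genetic signature detection (item 3) generalises a definition for one sample so that it still matches relatives of that sample. An added example, not code or signatures from the original page or from any AV database: a tiny wildcard signature language in which a two-digit hex token matches one byte, "??" matches any byte, and "[n-m]" skips between n and m bytes of inserted junk. The family name, the signature and the sample byte strings are all constructed for illustration; the fixed bytes are real x86 opcodes (68 = push imm32, e8 = call rel32, 83 c4 04 = add esp,4), while the immediate and the call target, which change from variant to variant, are wildcarded.

```python
import re

# Hypothetical family signature (constructed for this example, not from a real database).
FAMILY_SIGNATURES = {
    "Demo.Dropper": "68 ?? ?? ?? ?? e8 ?? ?? ?? ?? [0-8] 83 c4 04",
}


def compile_signature(sig: str) -> re.Pattern[bytes]:
    """Translate the wildcard signature syntax into a compiled bytes regex."""
    parts = []
    for token in sig.split():
        if token == "??":
            parts.append(b".")                                   # any single byte
        elif token.startswith("[") and token.endswith("]"):
            lo, hi = (int(x) for x in token[1:-1].split("-"))
            parts.append(b".{%d,%d}" % (lo, hi))                 # bounded junk skip
        else:
            parts.append(re.escape(bytes.fromhex(token)))        # literal byte
    # DOTALL so that "." also matches 0x0a, which is just another byte in a binary
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(sig) for name, sig in FAMILY_SIGNATURES.items()}


def match_families(data: bytes) -> list[str]:
    """Return the names of every family whose signature occurs somewhere in data."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


# Constructed samples: raw opcode bytes only, not executable files.
VARIANT_A = bytes.fromhex("68 10 20 40 00 e8 a1 00 00 00 83 c4 04")
# Different constants and three bytes of inserted junk: still the same family.
VARIANT_B = bytes.fromhex("90 90 68 44 33 22 11 e8 ff ee dd cc 90 90 90 83 c4 04")
# Nine junk bytes: more than the [0-8] jump allows, so this variant is missed.
VARIANT_C = bytes.fromhex("68 10 20 40 00 e8 a1 00 00 00 " + "90 " * 9 + "83 c4 04")
# A plain function prologue with no such sequence at all.
UNRELATED = bytes.fromhex("55 8b ec 83 ec 10 c3")


if __name__ == "__main__":
    for name, blob in [("A", VARIANT_A), ("B", VARIANT_B), ("C", VARIANT_C), ("unrelated", UNRELATED)]:
        print(f"variant {name:9} -> {match_families(blob) or 'no match'}")
```

The two knobs are the wildcards and the width of the junk skip. Widening them catches more relatives (variant C would match with a [0-16] jump) but also raises the chance that an innocent program contains the same loose pattern, which is why a family match is typically fed into the weighted score from the previous section rather than treated as a verdict on its own.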

Advantages of heuristic analysis
1. It is a detailed, technically sound process that assesses a file against very clear criteria. Because many independent rules contribute to the verdict, there is a better chance of covering a range of suspicious behaviours and picking up more potential problems than a single signature would.
2. The very act of writing the heuristic rules is a useful exercise, as it forces you to identify the root elements of malicious behaviour and focuses development on the main issues.
3. There are fewer practical and ethical issues attached to heuristic analysis, as suspect files are tested in a virtual space (an emulator or sandbox) rather than on a live system.
4. Heuristic analysis tends to focus on fewer, more relevant indicators, so the problems it identifies tend to be important ones.

Disadvantages of heuristic analysis
1. A lot of time is spent analysing and reviewing the results, in particular ruling out false positives, to make sure that the alerts are relevant to the issues you are concerned with.
2. It is time-consuming and expensive to research and set up, as a number of experts are required to write and tune the rules.
