What Are Heuristics In An Antivirus Software
Heuristics is a method/way by which computers and antiviruses can protect the systems. It is used to detect unknown viruses as well as their new variations. Heuristic is an expert-based analysis that determines if the system is susceptible to a threat or an attack. The weighing method is by multi-criteria analysis and is based on available statistics. The antivirus utilizes this method by performing the commands of a program in a special machine, allowing the antivirus to simulate what would happen if a suspicious file was executed, while keeping the suspicious code isolated in a real machine.
Another method of heuristic analysis is when the antivirus program decompiles a suspicious program, and analyzes the machine code within. The source code in the suspicious file is compared to the source code found in known viruses. If a certain percentage is found to be matching, the file is flagged and the user is alerted about the presence of a potentially harmful virus.
Heuristic analysis can detect many unknown viruses as well as their new, unknown variants. The analysis is based on experience by comparing a suspicious file with a known virus file. New viruses can be missed if they contain unknown methods of operation. However, users should know that its effectiveness is currently low and there could be many false positives arising from the analyses.
New viruses get continued to be discovered by researchers, and information about them is added to the heuristic analysis, allowing the engine to know new means to detect new viruses. Numerous antivirus solutions employ heuristic detection methods to find malware. New ones, when found, are added to the list of viruses.
Methods of heuristic detection
Antiviral uses numerous methods to spot malware. The chief technique is to analyze a suspicious file – its behavior and characteristics – to determine if it is malware. A few common heuristic scanning methods are listed below:
- Generic Signature Detection: This way is used to locate variations of viruses. Many viruses are re-created and can be found under different names, but are from the same family. Generic detection uses signatures of previous antiviruses to locate new ones even if they have a different name.
- File Analysis: This method is like a file going through a security setup. The software takes an in depth looks at the file to determine its purpose, intention, and destination. If the file has instructions to follow a certain act like delete certain files, then it should be considered a virus.
- File Emulation: This is also called sandbox method or dynamic scanning. The file is run in a controlled virtual system to see what it does. If the file acts like a virus, it is marked as a virus.
Heuristic detection is effective in locating unknown threats, but the scanning and analysis takes some time, slowing down system performance. This method may increase the numbers of false positives. This happens when a file is marked malicious and is quarantined or deleted, but it is actually a perfectly fine file. Many files may look like a virus but are not so and they may be stopped from working on the computer.
Security professionals are still trying to find a perfect balance of providing protection without the creation of false positives. They have made the process faster by using computer resources effectively.
Heuristic detection will continue to be dynamic and there will be improvement in its speed and efficiency. It is important to have a security solution which includes heuristic detection methods. For the complete protection and proactive prevention, heuristic antivirus detection is the way to go.