Clever Geek Handbook

Heuristic Scan

Heuristic analysis (heuristic scanning) is the set of antivirus techniques aimed at detecting malware that is not yet present in the virus databases. The same term is also used more narrowly for one specific method within that set.

Almost all modern anti-virus tools use heuristic analysis of program code. It is often combined with signature scanning to find complex encrypted and polymorphic viruses. Heuristic analysis can detect a previously unknown infection, but disinfection in such cases is almost always impossible: as a rule, an update of the anti-virus databases is needed to obtain the latest signatures and disinfection routines, which by then may cover the previously unknown virus. Otherwise the file is submitted to antivirus analysts or to the authors of the antivirus product for research.


Heuristic Analysis Technology

Heuristic scanning does not guarantee protection against new viruses absent from the signature set: its verification rules are derived from viruses that are already known and from the known mechanisms of polymorphism, and a new virus need not fit either. And because the method rests on empirical assumptions, false positives cannot be ruled out entirely.

In some cases heuristic methods are extremely successful, for example on the very short code fragments found in a boot sector: a program that writes to cylinder 0, head 0, sector 1 (the master boot record) changes the drive's partition table. Apart from the fdisk utility this operation is used almost nowhere else, so its unexpected appearance in boot-sector code points to a boot virus.
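The boot-sector rule above, as an added example that is not part of the original page or of any antivirus product. The BIOS convention it relies on is the real one (INT 13h with AH=03h writes sectors; CH/CL hold cylinder and sector, DH the head, DL the drive), but the scanner itself, its crude register tracking and both sample sectors are constructed here for illustration.

```python
"""Static boot-sector heuristic: flag INT 13h writes to cylinder 0, head 0,
sector 1 (the master boot record).

Added example, not code from the original page or from any antivirus
engine. Only the BIOS calling convention is real; the scanner and the
two sample sectors are constructed.
"""
import struct

INT13_WRITE = 0x03   # AH=03h: write sectors
MBR_CX = 0x0001      # CH=cylinder 0, CL=sector 1
MBR_HEAD = 0x00      # DH=head 0


def scan_boot_sector(sector: bytes) -> list:
    """Return offsets of INT 13h calls that write C/H/S 0/0/1.

    Linear sweep over 16-bit real-mode code that only tracks register
    values loaded by immediate MOVs. Bytes it does not decode are skipped
    one at a time, so misalignment and false positives are possible; that
    is the nature of a heuristic rule (fdisk itself would be flagged).
    """
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("expected a 512-byte sector ending in 55AAh")
    regs = {}   # partial knowledge of AH, CX, DH at the current offset
    hits = []
    i = 0
    while i < 510:
        op = sector[i]
        if op == 0xB4:                                   # mov ah, imm8
            regs["ah"] = sector[i + 1]
            i += 2
        elif op == 0xB8:                                 # mov ax, imm16
            regs["ah"] = struct.unpack_from("<H", sector, i + 1)[0] >> 8
            i += 3
        elif op == 0xB9:                                 # mov cx, imm16
            regs["cx"] = struct.unpack_from("<H", sector, i + 1)[0]
            i += 3
        elif op == 0xB6:                                 # mov dh, imm8
            regs["dh"] = sector[i + 1]
            i += 2
        elif op == 0xBA:                                 # mov dx, imm16
            regs["dh"] = struct.unpack_from("<H", sector, i + 1)[0] >> 8
            i += 3
        elif op == 0xCD:                                 # int imm8
            if (sector[i + 1] == 0x13
                    and regs.get("ah") == INT13_WRITE
                    and regs.get("cx") == MBR_CX
                    and regs.get("dh") == MBR_HEAD):
                hits.append(i)
            i += 2
        else:
            i += 1
    return hits


def _sector(code: bytes) -> bytes:
    """Pad constructed code to a 512-byte sector with the 55AAh signature."""
    return code.ljust(510, b"\x00") + b"\x55\xaa"


# Constructed samples, not real boot sectors. The loader reads the MBR
# (AH=02h); the virus-like stub writes it (AH=03h). Both address
# C/H/S 0/0/1 on drive 80h and then spin on jmp $ (EB FE).
BENIGN_LOADER = _sector(bytes.fromhex("B80102 B90100 B600 BA8000 CD13 EBFE"))
MBR_WRITER = _sector(bytes.fromhex("B80103 B90100 B600 BA8000 CD13 EBFE"))

if __name__ == "__main__":
    print("loader:", scan_boot_sector(BENIGN_LOADER))   # []
    print("writer:", scan_boot_sector(MBR_WRITER))      # [11]
```

The rule fires on the write at offset 11 of the second sector and stays silent on the read-only loader. Note what it does not do: a decryptor that builds the register values arithmetically instead of with immediate MOVs slips past this static sweep, which is exactly why engines add emulation on top of such rules.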

During heuristic analysis the emulated program is checked by a code analyzer. Take a program infected with a polymorphic virus consisting of an encrypted body and a decryptor. The code emulator reads the code into the antivirus's buffer, decodes it into instructions and executes them one instruction at a time; after each step the code analyzer computes a checksum over the decrypted region and compares it with the one stored in the database. Emulation continues until the part of the virus body needed to compute the checksum has been decrypted. If the checksum matches a signature, the program is identified.

Disadvantages of Heuristic Scanning

  • Excessive suspiciousness of the heuristic analyzer causes false positives when a clean program contains code fragments that perform actions, or sequences of actions, characteristic of some viruses. In particular, the unpacking stub in files packed with the PE packer Upack (WinUpack) triggers false positives in a number of anti-virus tools that do not recognize the packer.
  • Simple techniques for deceiving a heuristic analyzer exist. As a rule, before distributing a malicious program its developers test it against the common antivirus products and apply various tricks to avoid detection by heuristic scanning: for example, inserting instructions whose execution the antivirus's code emulator does not support, encrypting part of the code, and so on.
  • Despite antivirus vendors' statements and brochures about improved heuristic engines, the effectiveness of heuristic scanning falls well short of expectations.
  • Even when an unknown virus is detected, disinfection is almost always impossible. As an exception, some products can disinfect whole families of related viruses, including a number of polymorphic and encrypted viruses that have no constant body but share a single infection technique; in that case one database entry may serve for the disinfection of tens or hundreds of viruses.
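The emulator-plus-checksum procedure described under "Heuristic Analysis Technology" and the evasion trick from the second bullet above (an instruction the emulator cannot execute), as one added example that is not code from the original page or from any antivirus engine. The instruction set is a toy one invented here, not x86; the virus body, the benign body, the keys, the one-entry "virus database" and the name Toy.Poly.A are all constructed.

```python
"""Code emulation plus a checksum over the decrypted body, and the
evasion that an unsupported instruction buys the attacker.

Added example, not code from the original page or any antivirus engine.
The ISA is invented (not x86); bodies, keys, database and the name
'Toy.Poly.A' are constructed for illustration.
"""
import struct
import zlib

# Toy ISA: four 16-bit registers R0..R3, one flat byte image, pc starts at 0.
OP_MOVI, OP_XORM, OP_ADDI, OP_SUBI, OP_JNZ, OP_HALT = 0x01, 0x02, 0x03, 0x04, 0x05, 0xFF
OP_EXOTIC = 0x7F     # a real CPU would run it; this emulator does not implement it
LENGTH = {OP_MOVI: 4, OP_XORM: 3, OP_ADDI: 3, OP_SUBI: 3, OP_JNZ: 3, OP_HALT: 1}

WINDOW = 16          # decrypted bytes the signature checksum covers
BODY = b"TOY.POLY.A body: hooks INT 13h and writes the MBR\x00"
BENIGN_BODY = b"packed but harmless program: prints a greeting\x00"
SIGNATURES = {zlib.crc32(BODY[:WINDOW]): "Toy.Poly.A"}   # the "virus database"


class EmulationAborted(Exception):
    pass


class Analyzer:
    """Code analyzer: after each write, checksum the first WINDOW decrypted bytes."""

    def __init__(self):
        self.written = set()
        self.match = None

    def on_write(self, addr, mem):
        self.written.add(addr)
        start = min(self.written)
        if all(a in self.written for a in range(start, start + WINDOW)):
            self.match = SIGNATURES.get(zlib.crc32(bytes(mem[start:start + WINDOW])))
            return True                   # enough is decrypted; stop emulating
        return False


def emulate(image: bytes, on_write, max_steps: int = 10_000) -> bytearray:
    """Run the toy code one instruction at a time; abort on anything unsupported."""
    mem, regs, pc = bytearray(image), [0, 0, 0, 0], 0
    for _ in range(max_steps):
        if pc >= len(mem):
            raise EmulationAborted("pc left the image")
        op = mem[pc]
        if op not in LENGTH:
            raise EmulationAborted(f"unsupported opcode 0x{op:02x} at {pc}")
        if pc + LENGTH[op] > len(mem):
            raise EmulationAborted("truncated instruction")
        r = mem[pc + 1] & 3                                # register operand
        if op == OP_MOVI:                                  # MOVI r, imm16
            regs[r] = struct.unpack_from("<H", mem, pc + 2)[0]
        elif op == OP_XORM:                                # XORM [Rr], Rk
            addr = regs[r]
            if addr >= len(mem):
                raise EmulationAborted("write outside image")
            mem[addr] ^= regs[mem[pc + 2] & 3] & 0xFF
            if on_write(addr, mem):
                return mem
        elif op == OP_ADDI:                                # ADDI r, imm8
            regs[r] = (regs[r] + mem[pc + 2]) & 0xFFFF
        elif op == OP_SUBI:                                # SUBI r, imm8
            regs[r] = (regs[r] - mem[pc + 2]) & 0xFFFF
        elif op == OP_JNZ:                                 # JNZ r, rel8 (from next instr)
            if regs[r] != 0:
                pc += struct.unpack_from("<b", mem, pc + 2)[0]
        elif op == OP_HALT:
            return mem
        pc += LENGTH[op]
    raise EmulationAborted("step budget exhausted")


def detect(image: bytes):
    """Return (signature name or None, reason)."""
    analyzer = Analyzer()
    try:
        emulate(image, analyzer.on_write)
    except EmulationAborted as exc:
        return None, str(exc)
    return analyzer.match, "checksum matched" if analyzer.match else "no signature matched"


def build_sample(body: bytes, key: int, key_step: int, evade: bool = False) -> bytes:
    """Constructed polymorphic sample: decryptor + body XORed with a rolling key.

    Different (key, key_step) pairs give a different decryptor and a different
    ciphertext for the same body. With evade=True the loop carries OP_EXOTIC.
    """
    loop = bytes([OP_XORM, 0, 2,            # mem[R0] ^= R2 & 0xFF
                  OP_ADDI, 0, 1,            # R0 += 1
                  OP_ADDI, 2, key_step,     # R2 += key_step
                  OP_SUBI, 1, 1])           # R1 -= 1
    if evade:
        loop += bytes([OP_EXOTIC, 0, 0])
    jnz = bytes([OP_JNZ, 1]) + struct.pack("<b", -(len(loop) + 3))   # back to loop start
    body_off = 12 + len(loop) + len(jnz) + 1
    header = (bytes([OP_MOVI, 0]) + struct.pack("<H", body_off) +    # R0 = body offset
              bytes([OP_MOVI, 1]) + struct.pack("<H", len(body)) +   # R1 = byte count
              bytes([OP_MOVI, 2]) + struct.pack("<H", key))          # R2 = initial key
    enc, k = bytearray(), key
    for b in body:
        enc.append(b ^ (k & 0xFF))
        k = (k + key_step) & 0xFFFF
    return header + loop + jnz + bytes([OP_HALT]) + bytes(enc)
```

Two samples built with different keys share not a single ciphertext byte and differ in their decryptor immediates, yet both resolve to Toy.Poly.A after only sixteen decrypted bytes, because the checksum is taken over the plaintext the emulator produced rather than over the file. The benign self-decrypting program with the same decryptor is not flagged, which is the difference between this approach and a rule that fires on the decryptor shape itself. The `evade=True` sample decrypts exactly as well on the "real" toy CPU, but the emulator stops at the first opcode it does not implement and the analyzer never sees enough plaintext: that is the evasion the bullet describes, and an engine's only answers are to implement more of the instruction set or to treat an early abort as suspicious in its own right.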

See also

  • Heuristic algorithm
  • Signature-based detection

Links

  • Code emulation
  • Antivirus code analyzers
  • Comparative analysis of heuristic analyzers
Source - https://ru.wikipedia.org/w/index.php?title=Heuristic_scanning&oldid=98800061



Clever Geek | 2019