Heuristic analysis
   HOME

TheInfoList



Click Here for Items Related To - Heuristic analysis
OR:
Heuristic analysis on:   [Wikipedia]   [Google]   [Amazon]

Heuristic analysis is a method employed by many
computer A computer is a machine that can be programmed to carry out sequences of arithmetic or logical operations ( computation) automatically. Modern digital electronic computers can perform generic sets of operations known as programs. These prog ...
antivirus Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses, hence the nam ...
programs designed to detect previously unknown
computer viruses A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code. If this replication succeeds, the affected areas are then said to be "infected" with a comput ...
, as well as new variants of viruses already in the "wild". Heuristic analysis is an
expert An expert is somebody who has a broad and deep understanding and competence in terms of knowledge, skill and experience through practice and education in a particular field. Informally, an expert is someone widely recognized as a reliable so ...
based analysis that determines the susceptibility of a system towards particular threat/risk using various decision rules or weighing methods. MultiCriteria analysis (MCA) is one of the means of weighing. This method differs from statistical analysis, which bases itself on the available data/statistics.


Operation

Most antivirus programs that utilize heuristic analysis perform this function by executing the programming commands of a questionable program or script within a specialized
virtual machine In computing, a virtual machine (VM) is the virtualization/ emulation of a computer system. Virtual machines are based on computer architectures and provide functionality of a physical computer. Their implementations may involve specialized h ...
, thereby allowing the anti-virus program to internally simulate what would happen if the suspicious file were to be executed while keeping the suspicious code isolated from the real-world machine. It then analyzes the commands as they are performed, monitoring for common viral activities such as replication, file overwrites, and attempts to hide the existence of the suspicious file. If one or more virus-like actions are detected, the suspicious file is flagged as a potential virus, and the user alerted. Another common method of heuristic analysis is for the anti-virus program to
decompile A decompiler is a computer program that translates an executable file to a high-level source file which can be recompiled successfully. It does therefore the opposite of a typical compiler, which translates a high-level language to a low-level l ...
the suspicious program, then analyze the machine code contained within. The source code of the suspicious file is compared to the source code of known viruses and virus-like activities. If a certain percentage of the source code matches with the code of known viruses or virus-like activities, the file is flagged, and the user alerted.


Effectiveness

Heuristic analysis is capable of detecting many previously unknown viruses and new variants of current viruses. However, heuristic analysis operates on the basis of experience (by comparing the suspicious file to the code and functions of known viruses). This means it is likely to miss new viruses that contain previously unknown methods of operation not found in any known viruses. Hence, the effectiveness is fairly low regarding accuracy and the number of
false positive A false positive is an error in binary classification in which a test result incorrectly indicates the presence of a condition (such as a disease when the disease is not present), while a false negative is the opposite error, where the test resul ...
s. As new viruses are discovered by human researchers, information about them is added to the heuristic analysis engine, thereby providing the engine the means to detect new viruses.


References


External links


Retrospective/proActive antivirus test from AV-Comparatives.org
Antivirus software {{malware-stub de:Heuristik#Informatik