When the number of viruses had reached several hundred, antivirus experts came with an idea of detecting new malicious programs unknown to antivirus software due to absence of corresponding antivirus databases. They developed a heuristic analyzer
. Heuristic analyzer examines the code of executable files to detect new pieces of malware which bypass existing antivirus databases.
In other words the heuristic analyzer has been developed to detect unknown viruses. When scanning a program the analyzer emulates its execution and logs all its "suspicious" actions, e.g. opening/closing files, intercepting interruptions, etc. On the basis of these logs, a program can be recognized as possibly infected.
Thus, about 92% of new viruses are detected by the heuristic analyzer. This mechanism is very effective and rarely leads to false positives. Files that are suspected by the heuristic analyzer to be infected with a virus are called possibly infected
The heuristic analyzer is built into all antivirus products of Kaspersky Lab
. The heuristic analyzer processes all files scanned using existing databases with negative result.