Heuristic analyzer (or simply, a heuristic) is a technology of virus detection, which cannot be detected by Anti-virus databases. It allows detecting objects, which are suspiced being infected by unknown or new modification of known viruses. It allows detecting about 92% of new threats. This mechanism is quite effective and has very rarely false detections. Files which are found by heuristics analyzer are considered to be suspicious.
An analyzer usually begins by scanning the code for suspicious attributes (commands) characteristic of malicious programs. This method is called static analysis. For example, many malicious programs search for executable programs, open the files found and modify them. A heuristic examines an application’s code and increases its “suspiciousness counter” for that application if it encounters a suspicious command. If the value of the counter after examining the entire code of the application exceeds a predefined threshold, the object is considered suspicious.
The advantages of this method include ease of implementation and high performance. However, the detection rate for new malicious code is low, while the false positive rate is high.
Thus, in today’s antivirus programs, static analysis is used in combination with dynamic analysis. The idea behind this combined approach is to emulate the execution of an application in a secure virtual environment before it actually runs on a user’s computer. In their marketing materials, vendors also use another term - “virtual PC emulation”.
A dynamic heuristic analyzer copies part of an application’s code into the emulation buffer of the antivirus program and uses special “tricks” to emulate its execution. If any suspicious actions are detected during this “quasi-execution”, the object is considered malicious and its execution on the computer is blocked.
The dynamic method requires significantly more system resources than the static method, because analysis based on this method involves using a protected virtual environment, with execution of applications on the computer delayed according to the amount of time required to complete the analysis. At the same time, the dynamic method offers much higher malware detection rates than the static method, with much lower false positive rates.
In Kaspersky Internet Security 2012 the following components include the Heuristic Analyzer: