Once the number of viruses passed the hundreds, antivirus researchers faced the question of how to detect malicious programs that are still unknown to the antivirus program, i.e. for which no entry exists in the antivirus databases. The heuristic analyzer was developed to address this problem: it examines the code of executable files to detect new kinds of malware that a scan against the antivirus databases alone cannot yet detect.
In other words, the heuristic analyzer was developed to find unknown viruses. When scanning a program, the analyzer emulates its execution and keeps a log (a "protocol") of all of its "suspicious" actions, for example opening or closing files or intercepting interrupt vectors. Based on this log, the program can be reported as possibly infected.
About 92% of new viruses are detected by the heuristic analyzer in this way. The mechanism is very effective and rarely produces false positives. Files that the heuristic analyzer suspects of being infected by a virus are called possibly infected or suspicious.
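The following is an added example, not Kaspersky Lab's code, showing how a verdict can be derived from an emulation log of the kind described above. The action kinds, rule names, weights, threshold and the three sample traces are all constructed for illustration; a real analyzer has far more rules and tunes its weights against large clean and malicious file sets.

```python
# Added example (not Kaspersky Lab code): a toy heuristic analyzer that
# scores the "protocol" of actions an emulator recorded for a program.
from dataclasses import dataclass

EXECUTABLE_SUFFIXES = (".exe", ".com", ".dll", ".sys")


@dataclass(frozen=True)
class Action:
    """One entry of the emulation log. Field names are hypothetical."""
    kind: str           # "open", "write", "close", "set_int_vector", "stay_resident"
    target: str = ""    # file path, or interrupt number for set_int_vector
    mode: str = ""      # "r" or "w" for open


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXECUTABLE_SUFFIXES)


# Each rule looks at the whole trace, so that a single file write or a single
# hooked vector cannot by itself produce a verdict.
def writes_other_executables(trace, self_path):
    return any(a.kind == "write" and is_executable(a.target)
               and a.target.lower() != self_path.lower() for a in trace)


def hooks_interrupt_vectors(trace, self_path):
    return any(a.kind == "set_int_vector" for a in trace)


def opens_many_executables(trace, self_path, minimum=3):
    opened = {a.target.lower() for a in trace
              if a.kind == "open" and is_executable(a.target)}
    opened.discard(self_path.lower())
    return len(opened) >= minimum


def modifies_own_image(trace, self_path):
    return any(a.kind == "write" and a.target.lower() == self_path.lower()
               for a in trace)


def stays_resident(trace, self_path):
    return any(a.kind == "stay_resident" for a in trace)


# (description, weight, rule). Weights and the threshold are hypothetical.
RULES = [
    ("writes to other executable files", 40, writes_other_executables),
    ("hooks interrupt vectors", 30, hooks_interrupt_vectors),
    ("opens several executables", 20, opens_many_executables),
    ("modifies its own image", 25, modifies_own_image),
    ("terminates and stays resident", 15, stays_resident),
]
SUSPICION_THRESHOLD = 60


@dataclass
class Verdict:
    score: int
    fired: list[str]
    possibly_infected: bool


def analyze(trace: list[Action], self_path: str) -> Verdict:
    """Sum the weights of every rule that matches the log; flag at the threshold."""
    score, fired = 0, []
    for description, weight, rule in RULES:
        if rule(trace, self_path):
            score += weight
            fired.append(description)
    return Verdict(score, fired, score >= SUSPICION_THRESHOLD)


# Constructed traces (not captured from real programs).
INFECTOR_SELF = r"C:\GAMES\PLAY.EXE"
INFECTOR_TRACE = [
    Action("set_int_vector", "21h"),          # hooks DOS services
    Action("open", r"C:\DOS\EDIT.COM", "w"),
    Action("write", r"C:\DOS\EDIT.COM"),      # appends itself to a host file
    Action("close", r"C:\DOS\EDIT.COM"),
    Action("open", r"C:\TOOLS\ARJ.EXE", "w"),
    Action("write", r"C:\TOOLS\ARJ.EXE"),
    Action("close", r"C:\TOOLS\ARJ.EXE"),
    Action("stay_resident"),
]

INSTALLER_SELF = r"C:\SETUP\SETUP.EXE"
INSTALLER_TRACE = [                           # legitimately drops executables
    Action("open", r"C:\APP\APP.EXE", "w"),
    Action("write", r"C:\APP\APP.EXE"),
    Action("close", r"C:\APP\APP.EXE"),
    Action("open", r"C:\APP\HELP.DLL", "w"),
    Action("write", r"C:\APP\HELP.DLL"),
    Action("close", r"C:\APP\HELP.DLL"),
]

COPY_SELF = r"C:\TOOLS\XCOPY2.EXE"
COPY_TRACE = [                                # copies a document, touches no executable
    Action("open", r"C:\DOCS\LETTER.TXT", "r"),
    Action("open", r"D:\BACKUP\LETTER.TXT", "w"),
    Action("write", r"D:\BACKUP\LETTER.TXT"),
    Action("close", r"D:\BACKUP\LETTER.TXT"),
    Action("close", r"C:\DOCS\LETTER.TXT"),
]

if __name__ == "__main__":
    for name, trace, self_path in [("infector", INFECTOR_TRACE, INFECTOR_SELF),
                                   ("installer", INSTALLER_TRACE, INSTALLER_SELF),
                                   ("copy tool", COPY_TRACE, COPY_SELF)]:
        v = analyze(trace, self_path)
        print(f"{name}: score={v.score} possibly_infected={v.possibly_infected} {v.fired}")
```

The design point is in the weights: the infector trace crosses the threshold only because several suspicious actions appear together (writing other executables, hooking an interrupt vector, staying resident), while the installer, which also writes executable files, stays well below it. Requiring a combination of actions rather than any single one is what keeps this kind of analyzer from flagging ordinary installers and copy utilities.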
The heuristic analyzer is part of all Kaspersky Lab antivirus products. If the scan against the antivirus databases detects no known malware in a file, the file is then passed to the heuristic analyzer.