Heuristic analysis in Kaspersky Internet Security 2013


Kaspersky Internet Security 2013


Heuristic analysis in Kaspersky Internet Security 2013

Back to "General Info / What is ..."
2013 Mar 01 ID: 8936

Heuristic analyzer (or simply, a heuristic) is a technology of virus detection, which cannot be detected by Anti-virus databases. It allows detecting objects, which are suspected being infected by unknown or new modification of known viruses. Files which are found by heuristics analyzer are considered to be probably infected.

An analyzer usually begins by scanning the code for suspicious attributes (commands) characteristic of malicious programs. This method is called static analysis. For example, many malicious programs search for executable programs, open the files found and modify them. A heuristic examines an application’s code and increases its “suspiciousness counter” for that application if it encounters a suspicious command. If the value of the counter after examining the entire code of the application exceeds a predefined threshold, the object is considered to be probably infected. 

The advantages of this method include ease of implementation and high performance. However, the detection rate for new malicious code is low, while the false positive rate is high. 

Thus, in today’s antivirus programs, static analysis is used in combination with dynamic analysis. The idea behind this combined approach is to emulate the execution of an application in a secure virtual environment before it actually runs on a user’s computer. In their marketing materials, vendors also use another term - “virtual PC emulation”. 

dynamic heuristic analyzer copies part of an application’s code into the emulation buffer of the antivirus program and uses special “tricks” to emulate its execution. If any suspicious actions are detected during this “quasi-execution”, the object is considered malicious and its execution on the computer is blocked. 

The dynamic method requires significantly more system resources than the static method, because analysis based on this method involves using a protected virtual environment, with execution of applications on the computer delayed according to the amount of time required to complete the analysis. At the same time, the dynamic method offers much higher malware detection rates than the static method, with much lower false positive rates. 

In Kaspersky Internet Security the following components include the Heuristic Analyzer:

Was this information helpful?
Yes No
Thank you


How can we improve this article?

Your feedback will be used for content improvement purposes only. If you need assistance, please contact technical support.

Submit Submit

Thank you for your feedback!

Your suggestions will help improve this article.