Heuristics

by Levi D. Johnson.


Consider a situation in which you were tasked with identifying all world-class international spies that you might meet, but you did not know what they actually looked like. You could approach this challenge by first developing a matrix that listed known spy attributes and assigned points to them based on how strongly they indicate a spy. Your list might look something like this:

  • Wears a stylish suit or a tuxedo (70 points).

  • Survives catastrophes and other improbable situations (30 points).

  • Drives a slick car (80 points).

  • Never has a bad hair day (58 points).

The list could go on, but you get the idea. If the sum of all points for the individual exceeds a certain value, you might decide that he or she is probably a spy without ever seeing this particular spy before. Then, you can ask for a ride in the slick car.

Realizing the limitations of signature-based detection methods, antivirus vendors have devised similar ways in which they can detect previously unseen viruses that exhibit certain behavioral and structural characteristics. Symantec, for instance, calls this feature of its Norton AntiVirus product Bloodhound. A heuristics-based detection engine scans the file for features frequently seen in viruses, such as these:

  • Attempts to access the boot sector.

  • Attempts to locate all documents in a current directory.

  • Attempts to write to an EXE file.

  • Attempts to delete hard drive contents.

As the heuristics scanner examines the file, it usually assigns a weight to each virus-like feature it encounters. If the file's total weight exceeds a certain threshold, then the scanner considers it malicious code. If the scanner's developer sets the threshold too low, then the user could be overwhelmed with false alarms. On the other hand, if the threshold is set too high, or if virus-like features are not properly identified, then the detector will miss too many viruses. Either way, the user's protection is limited unless the sensitivity is set just right.
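The point-scoring scheme described above, reduced to a small working model. This is an added example, not code from the article or from any vendor's engine: the feature names, weights, samples and ground-truth labels are all constructed for illustration, and the three thresholds show how the same scorer trades false alarms against missed detections.

```python
# Constructed feature weights: each "virus-like" feature seen in a file
# contributes points, exactly as the spy matrix in the article does.
FEATURE_WEIGHTS = {
    "boot_sector_access": 80,
    "enumerate_documents": 30,
    "write_exe": 60,
    "delete_drive_contents": 90,
}


def heuristic_score(features):
    """Sum the weights of every recognised feature observed in a sample."""
    return sum(FEATURE_WEIGHTS.get(f, 0) for f in features)


def classify(features, threshold):
    """Flag the sample as malicious when its total weight reaches the threshold."""
    return heuristic_score(features) >= threshold


# Constructed samples: (name, features the scanner observed, is it really malware?)
SAMPLES = [
    ("installer.exe", {"write_exe"}, False),                 # benign self-updater
    ("backup.exe", {"enumerate_documents"}, False),           # benign backup tool
    ("fdisk.exe", {"boot_sector_access"}, False),            # benign disk utility
    ("worm.exe", {"enumerate_documents", "write_exe"}, True),
    ("wiper.exe", {"delete_drive_contents", "boot_sector_access"}, True),
    ("dropper.exe", {"write_exe"}, True),                     # malware with a small footprint
]


def evaluate(threshold):
    """Return (false positives, false negatives) for the sample set at a threshold."""
    fp = fn = 0
    for _name, features, is_malware in SAMPLES:
        flagged = classify(features, threshold)
        if flagged and not is_malware:
            fp += 1
        elif not flagged and is_malware:
            fn += 1
    return fp, fn


if __name__ == "__main__":
    # Low threshold: benign tools get flagged. High threshold: real malware slips by.
    for t in (40, 70, 100):
        fp, fn = evaluate(t)
        print(f"threshold={t}: false positives={fp}, false negatives={fn}")
```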

This technique would not be very helpful if antivirus software were able to detect malware only after the virus had exhibited malicious behavior such as infecting programs or deleting files. If that were the case, you might get a warning from the antivirus software that says, "Your system has just been completely undermined by a virus! Have a nice day." Although this is certainly interesting information, you need to get the warning before the malware has its way with your machine. The trick is to parse the suspicious file in a way that allows antivirus software to estimate what actions would be performed if the virus actually had a chance to execute. This analysis must occur before the code runs. Antivirus software accomplishes this goal by attempting to emulate the processor that would have executed the potentially malicious program. In the case of executables compiled for Intel x86 machines, this approach calls for emulating key features of the x86 processor. In the case of VBScript macros embedded in Microsoft Office documents, this approach requires emulating the basic functionality of the VBScript processing engine.

Considering the difficulty of reliably emulating a processor, heuristic detection approaches are far from foolproof. It is especially challenging to assess the effects of macro-based viruses, because their structure and possible execution flows are much less predictable than those of compiled executables. As a result, virus scanners do not rely on heuristics as the sole approach to detecting viruses—they also use the good old signature technique, and sometimes they also employ the integrity verification method described next.

    Copyright © 2006 - 2012 e-articles.info.
The texts, articles and tutorials in the directory are property of their respective owners and authors.