Heuristic Analysis implemented in AntiVirus Software
AntiVirus software with Heuristic Analysis scans your computer for suspicious code and unusual behaviour. The difficulty with this scan technique is to determine whether a piece of suspicious code is really a threat or just a bit of innocent software.

Therefore heuristic analyzers need to calculate how suspicious a file appears. Normally a scoring system is implemented, and any file which has enough suspicious elements (i.e. a high enough score) is regarded as a possible virus.
This analysis method is limited by two main problems. Generating false alarms is probably the biggest challenge for this kind of virus scanning. False alarms are not only annoying but can also reduce your productivity, often more than a real virus infection would.

Secondly, heuristic AntiVirus programs are unable to detect every existing virus. Virus writers are often aware of what AntiVirus researchers consider to be suspicious code. Some AntiVirus companies have even released documentation detailing how their scoring system works. With such information it is relatively easy to write viruses that avoid detection.
A method to avoid false alarms is the use of so-called negative heuristics.

Negative heuristics keep track of which pieces of code and techniques are definitely not an indication of a virus infection. Once the positive heuristics have identified a file that could contain a virus, the negative heuristic software checks whether this file also contains code which is definitely not a virus. In that case the 'virus score' is lowered, so the AntiVirus scanner comes to a more accurate conclusion as to whether the file contains a virus or not.
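The two-stage scoring described above, as an added example that is not part of the original article: positive heuristics add weight to a 'virus score', negative heuristics subtract from it only after something was flagged, and a threshold decides. All feature names, weights, the threshold and the sample files are constructed for illustration and are not any real product's scoring system.

```python
"""Toy heuristic scorer: positive heuristics raise the virus score,
negative heuristics lower it, and a threshold gives the verdict.
Feature names, weights and samples are constructed (illustrative only)."""
from dataclasses import dataclass

# Positive heuristics: observations that make a file look suspicious.
POSITIVE_HEURISTICS = {
    "writes_to_other_executables": 40,
    "self_modifying_code": 30,
    "packed_or_encrypted_code_section": 20,
    "unusual_entry_point": 15,
}

# Negative heuristics: evidence that a file is almost certainly innocent.
NEGATIVE_HEURISTICS = {
    "valid_code_signature": 35,
    "matches_known_installer_pattern": 30,
    "debug_symbols_present": 10,
}

THRESHOLD = 50  # assumed cut-off: at or above this the file is a possible virus


@dataclass
class Verdict:
    positive_score: int   # score from positive heuristics alone
    score: int            # final score after negative heuristics
    suspicious: bool
    reasons: list


def score_file(features):
    """Score one file given the set of features observed in it."""
    score, reasons = 0, []
    for name, weight in POSITIVE_HEURISTICS.items():
        if name in features:
            score += weight
            reasons.append(f"+{weight} {name}")
    positive_score = score
    # Negative heuristics only run on files the positive stage flagged.
    if positive_score > 0:
        for name, weight in NEGATIVE_HEURISTICS.items():
            if name in features:
                score -= weight
                reasons.append(f"-{weight} {name}")
    score = max(score, 0)
    return Verdict(positive_score, score, score >= THRESHOLD, reasons)


# Constructed sample files, described only by the features found in them.
SAMPLES = {
    "packer_sample": {"packed_or_encrypted_code_section",
                      "self_modifying_code", "writes_to_other_executables"},
    "signed_installer": {"packed_or_encrypted_code_section",
                         "writes_to_other_executables",
                         "valid_code_signature",
                         "matches_known_installer_pattern"},
    "plain_tool": {"debug_symbols_present"},
}

if __name__ == "__main__":
    for name, feats in SAMPLES.items():
        v = score_file(feats)
        print(name, v.positive_score, "->", v.score,
              "SUSPICIOUS" if v.suspicious else "clean", v.reasons)
```

The `signed_installer` sample would be a false alarm on positive heuristics alone (60 is above the threshold); the negative heuristics bring it back under.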
Besides the heuristic virus scan method, modern AntiVirus software can contain other kinds of sophisticated software. Please read our article about anti virus software with a sandbox approach.