What is Heuristic Antivirus Detection?

By Taylor Thomas
FOLLOW US
SHARE

Several antivirus solutions and internet security suites claim to utilize heuristic detection to find malware, but what does that mean? The software providers claim heuristic technologies can find viruses that have previously been unknown, detecting and defending from new malware that has yet to be discovered and added to virus definition files.  You might find a program that accomplishes this feat among premium security suites. But how can the software do that? Does this proactive detection really work? And if so, is it worth it?

Heuristic Detection Methods

Antivirus software may use one or several techniques to proactively detect malware. The main essence of each method is to analyze the suspicious file’s characteristics and behavior to determine if it is indeed malware. Here are a few of the common heuristic/behavioral scanning techniques:

File Emulation: Also known as “sandbox testing” or dynamic scanning, file emulation allows the file to run in a controlled virtual system (or “sandbox”) to see what it does. Think of this approach as watching the virus in a sterile testing room with a two-way mirror. If the file acts like a virus, it’s deemed a virus.

File Analysis: Think of this method as the suspected file having to go through airport security (complete with carry-on check). File analysis involves the software taking an in-depth look at the file and trying to determine its intent, destination, and purpose. Perhaps the file has instructions to delete certain files, and should be considered a virus.

Generic Signature Detection: This technique is particularly designed to locate variations of viruses. Several viruses are re-created and make themselves known by a variety of names, but essentially come from the same family (or classification). Genetic detection uses previous antivirus definitions to locate these similar “cousins” even if they use a slightly different name or include some unusual characters. The best way to illustrate this idea is with identical twins. They may have slightly different fingerprints, but their DNA is identical.

Pros and Cons of Heuristic Detection

Heuristic Detection is an effective way to locate unknown threats for the most up-to-date realtime protection, but there are downsides.
Obviously this sort of scanning and analysis can take some time, which may slow-down system performance.

The main concern with heuristic detection is that it often increases false positives. False positives are when the antivirus software determines a file is malicious (and quarantines or deletes it) when in reality it is perfectly fine and/or desired. Because some files may look like viruses but really aren’t, they are restricted and stopped from working on your computer.

Is Heuristic Detection Worth It?

Security professionals have come a long way with heuristic detection, and are still working to find the perfect balance that provides proactive protection without causing the hassle of false positives. They have also made the processes much faster by utilizing computer resources more effectively and utilizing better scanning technology.

We expect heuristic detection to continue to be dynamic and improve in speed, efficiency, and efficacy. For now, it is a good idea to utilize a security solution that includes heuristic detection methods. If you find they get in the way, you can usually turn them off anyways. But for utmost protection and truly proactive prevention, heuristic antivirus detection is definitely the way to go.

Appendix:
How do you pronounce heuristic?
Good question. The general consensus is that the “h” isn’t necessarily silent, and the most popular/proper pronunciation is “hyoo-ris-tik.”

At TopTenREVIEWS We Do the Research So You Don't Have To.™