What is a heuristic virus scan? Heuristic analysis (heuristic scanning)


Heuristic analysis (heuristic scanning) is a set of antivirus functions aimed at detecting malware that is not yet in the virus databases. The same term is also used for one specific method of this kind.

Almost all modern anti-virus tools use heuristic analysis of program code. It is often combined with signature scanning to find complex encrypted and polymorphic viruses. Heuristic analysis makes it possible to detect previously unknown infections, but disinfection in such cases is almost always impossible: as a rule, an additional update of the anti-virus databases is required to obtain the latest signatures and disinfection routines, which may by then include the previously unknown virus. Otherwise, the file is sent for analysis to anti-virus analysts or to the authors of the anti-virus program.

Heuristic analysis technology

Heuristic scanning methods do not guarantee protection against new computer viruses that are absent from the signature set, because the analysis takes the signatures of previously known viruses as its object and uses knowledge of the mechanisms of signature polymorphism as its verification rules. Moreover, since this search method rests on empirical assumptions, false positives cannot be completely excluded.

In some cases heuristic methods are extremely successful, for example with the very short program fragments found in a boot sector: if a program writes to sector 1, track 0, side 0, this changes the drive's partition table. Apart from the fdisk utility, this operation is used nowhere else, so if it appears unexpectedly, a boot virus is the likely explanation.

During heuristic analysis, the emulated program is checked by a code analyzer. Take, for example, a program infected with a polymorphic virus consisting of an encrypted body and a decryptor. The code emulator reads the code into the antivirus's buffer, parses it into instructions and executes them one instruction at a time, after which the code analyzer computes a checksum and compares it with the one stored in the database. Emulation continues until the part of the virus needed to compute the checksum has been decrypted. If the checksum matches the stored signature, the program is identified.

Disadvantages of heuristic scanning

  • An over-suspicious heuristic analyzer can produce false positives if a program contains code fragments that perform actions, or sequences of actions, that are also characteristic of some viruses. In particular, the unpacking stub of files packed with the (Win)Upack PE packer triggers false positives in a number of anti-virus tools that do not account for this case.
  • Simple techniques exist for deceiving the heuristic analyzer. As a rule, before distributing a malicious program (virus), its developers study the widespread anti-virus products and use various methods to avoid detection by their heuristic scanners: for example, modifying the code, using instructions that the code emulator of these antiviruses does not support, encrypting part of the code, and so on.
  • Despite the statements and brochures of anti-virus developers about improvements to their heuristic mechanisms, the effectiveness of heuristic scanning falls far short of what is claimed.
  • Even when an unknown virus is successfully identified, disinfection is almost always impossible. As an exception, some products can disinfect single-type viruses and a number of polymorphic, encrypted viruses that have no permanent viral body but use a single infection method; in that case one entry in the virus database can serve for the disinfection of tens or hundreds of viruses.

Scanning

Antivirus protection.

Anti-virus programs have been and remain the main means of combating viruses. You can use anti-virus programs (antiviruses) without any idea of how they work. However, without understanding how an antivirus is built, knowing the types of viruses and how they spread, it is impossible to organize reliable computer protection. As a result, a computer can be infected even when antiviruses are installed on it.

Today, several fundamental methods for detecting and protecting against viruses are used:

  • scanning;
  • heuristic analysis;
  • use of anti-virus monitors;
  • detection of changes;
  • use of antiviruses built into the BIOS of the computer.

In addition, almost all anti-virus programs provide automatic recovery of infected programs and boot sectors, where that is possible.

The simplest virus-scanning technique is for the anti-virus program to sequentially scan the files it checks for signatures of known viruses. A signature is a unique sequence of bytes that belongs to a virus and is not found in other programs.

Antivirus scanners can only find known and studied viruses for which a signature has been determined. The use of simple scanner programs does not protect your computer from the penetration of new viruses.

For encrypting and polymorphic viruses, which can completely change their code each time they infect a new program or boot sector, no signature can be extracted. Therefore simple anti-virus scanners cannot detect polymorphic viruses.
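The two mechanisms described so far, the plain signature scanner above and the code emulator with a checksum analyzer from the earlier section on heuristic analysis technology, can be shown side by side on one constructed sample. The following is an added example, not code from the original page or from any anti-virus vendor: it uses an assumed three-opcode toy instruction set (not x86), an arbitrary byte pattern as the "virus body", and a hypothetical database entry, so nothing in it is real malware. It shows that the plain scanner finds the body only in clear text, that the same body encrypted with two different keys matches no signature at all, and that emulating the decryptor one instruction at a time until the body is decrypted recovers the match from its checksum.

```python
"""Toy scanner: exact signature matching, why a polymorphic (encrypted) body
defeats it, and how a code emulator plus checksum analyzer catches it anyway.

Added example, not code from the original page. The instruction set is a
constructed three-opcode machine (not x86) and the "virus body" is an
arbitrary byte pattern, so nothing here is real malware."""
import zlib

# Constructed instruction set of the emulated machine
OP_MOV_KEY = 0x01   # MOV_KEY k     : key register := k
OP_XOR_AT = 0x02    # XOR_AT off16  : mem[off] ^= key   (decrypts one byte)
OP_JMP = 0x03       # JMP off16     : control leaves the decryptor
MAX_STEPS = 10_000  # emulation budget, so a stalling decryptor cannot hang the scanner

# Constructed "virus body" (arbitrary bytes) and the two database entries
VIRUS_BODY = b"CONSTRUCTED-DEMO-BODY-" + bytes(range(0x20, 0x40))
SIGNATURE_DB = {"Demo.Virus": VIRUS_BODY[:16]}                               # exact bytes
CHECKSUM_DB = {"Demo.Virus.Poly": (len(VIRUS_BODY), zlib.crc32(VIRUS_BODY))}  # (length, crc32)


def signature_scan(data: bytes) -> list:
    """Plain scanner: report every signature that occurs verbatim in the file."""
    return [name for name, sig in SIGNATURE_DB.items() if sig in data]


def make_polymorphic_sample(body: bytes, key: int) -> bytes:
    """Decryptor followed by the body XOR-encrypted with `key`: the same body
    looks completely different for every key, so no fixed signature exists.
    Offsets are 16-bit, so the body must stay well under 64 KiB."""
    dec_len = 2 + 3 * len(body) + 3          # MOV_KEY + one XOR_AT per byte + JMP
    code = bytearray([OP_MOV_KEY, key])
    for i in range(len(body)):
        off = dec_len + i
        code += bytes([OP_XOR_AT, off & 0xFF, off >> 8])
    code += bytes([OP_JMP, dec_len & 0xFF, dec_len >> 8])
    return bytes(code) + bytes(b ^ key for b in body)


def emulate_and_scan(data: bytes) -> list:
    """Run the file in a sandboxed buffer one instruction at a time; after each
    step the analyzer checksums the bytes decrypted so far (assumed to form one
    contiguous region) and compares with the database, stopping as soon as
    enough of the body has been decrypted."""
    mem = bytearray(data)
    pc, key, written = 0, 0, set()
    for _ in range(MAX_STEPS):
        if pc >= len(mem):
            break
        op = mem[pc]
        if op == OP_MOV_KEY and pc + 1 < len(mem):
            key = mem[pc + 1]
            pc += 2
        elif op == OP_XOR_AT and pc + 2 < len(mem):
            off = mem[pc + 1] | (mem[pc + 2] << 8)
            if off >= len(mem):
                break                        # write outside the buffer: stop
            mem[off] ^= key
            written.add(off)
            pc += 3
        else:
            # JMP into the decrypted code, or an opcode the emulator does not
            # support (the evasion route the text mentions): stop emulating
            break
        if written:
            lo, hi = min(written), max(written) + 1
            for name, (length, crc) in CHECKSUM_DB.items():
                if hi - lo >= length and zlib.crc32(mem[lo:lo + length]) == crc:
                    return [name]
    return []


if __name__ == "__main__":
    clear = b"prefix" + VIRUS_BODY + b"suffix"
    poly_a = make_polymorphic_sample(VIRUS_BODY, 0x5A)
    poly_b = make_polymorphic_sample(VIRUS_BODY, 0xC3)
    print("signature scan, clear text :", signature_scan(clear))
    print("signature scan, encrypted  :", signature_scan(poly_a), signature_scan(poly_b))
    print("emulation scan, encrypted  :", emulate_and_scan(poly_a), emulate_and_scan(poly_b))
```

The step budget and the bail-out on unsupported opcodes are where the trade-off from the "disadvantages" list lives: the emulator must stop somewhere, and whatever it refuses to execute is exactly what an evasive decryptor will use, which is why the text warns that emulation is not a guaranteed defence.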

Heuristic analysis allows previously unknown viruses to be detected, and for this it does not need to collect data about the file system beforehand, as, for example, the change-detection method discussed below requires.

Anti-virus programs that implement the heuristic analysis method scan programs and the boot sectors of hard disks and floppy disks, trying to detect virus-specific code in them. The heuristic analyzer can detect, for example, that the program under test installs a resident module in memory or writes data into an executable file.
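The behaviours named in this section (installing a resident module, writing into an executable) and in the earlier boot-sector example (a write to sector 1, track 0, side 0 that only fdisk has a legitimate reason to perform) can be expressed as weighted rules over what a program was observed to do. The block below is an added example, not code from the original page or any vendor's product: the operation trace is a constructed, simplified stand-in for what a real analyzer would obtain from disassembly or emulation, and the rule weights, the three sensitivity levels (the text later mentions a program with heuristic analysis at three levels) and the fdisk allowlist are assumptions chosen for the demonstration. It shows how the same score produces a detection at one level and a false positive at another, which is the trade-off the "disadvantages" list describes.

```python
"""Rule-based heuristic analyzer over a program's observed operations.

Added example, not code from the original page. Traces, weights, thresholds
and the allowlist are constructed assumptions for the demonstration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Op:
    kind: str         # "disk_write", "file_write", "hook_interrupt", "self_modify"
    target: str = ""  # e.g. "sector=1,track=0,side=0" or "PROG.EXE"


# Each rule: (description, weight, predicate over the trace). The descriptions
# follow the behaviours the text calls characteristic of viruses.
RULES = [
    ("writes to sector 1, track 0, side 0 (partition sector)", 60,
     lambda ops: any(o.kind == "disk_write" and o.target == "sector=1,track=0,side=0"
                     for o in ops)),
    ("installs a resident module (hooks an interrupt vector)", 30,
     lambda ops: any(o.kind == "hook_interrupt" for o in ops)),
    ("writes into an executable file", 40,
     lambda ops: any(o.kind == "file_write" and o.target.upper().endswith((".EXE", ".COM"))
                     for o in ops)),
    ("modifies its own code in memory", 20,
     lambda ops: any(o.kind == "self_modify" for o in ops)),
]

# Three sensitivity levels (assumed thresholds): the lower the threshold, the
# more unknown viruses are caught and the more false positives are raised.
LEVELS = {"low": 80, "medium": 50, "high": 30}

# Programs whose otherwise suspicious behaviour is expected: the text notes
# that only fdisk legitimately writes the partition sector.
KNOWN_LEGITIMATE = {
    "FDISK.EXE": {"writes to sector 1, track 0, side 0 (partition sector)"},
}


def analyze(program: str, ops: list, level: str = "medium") -> dict:
    """Score the trace against RULES and return the verdict for the given level."""
    exempt = KNOWN_LEGITIMATE.get(program.upper(), set())
    fired = [(desc, weight) for desc, weight, pred in RULES
             if pred(ops) and desc not in exempt]
    score = sum(weight for _, weight in fired)
    return {
        "program": program,
        "rules": [desc for desc, _ in fired],
        "score": score,
        "suspicious": score >= LEVELS[level],
    }


if __name__ == "__main__":
    # Constructed traces: a boot-virus-like program, fdisk, and a benign installer
    boot_virus_like = [Op("hook_interrupt", "13h"), Op("disk_write", "sector=1,track=0,side=0")]
    print(analyze("UNKNOWN.COM", boot_virus_like))
    print(analyze("FDISK.EXE", [Op("disk_write", "sector=1,track=0,side=0")]))
    print(analyze("SETUP.EXE", [Op("file_write", "APP.EXE")], level="high"))
```

An installer that writes an .EXE is flagged only at the "high" level, an unknown tool writing the partition sector is flagged at "medium" but not at "low", and fdisk is never flagged: the allowlist is what separates "unexpected" from "expected" in the text's boot-sector argument, and the level is the knob that trades missed unknown viruses for false positives.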

Almost all modern anti-virus programs implement their own heuristic analysis methods. In Fig. 1 we showed one such program, the McAfee VirusScan scanner, launched manually to scan a disk for viruses.

When an antivirus detects an infected file, it usually displays a message on the monitor screen and makes a record in its own or system log. Depending on the settings, the antivirus can also send a message about a detected virus to the network administrator.

If possible, the antivirus disinfects the file by restoring its contents. Otherwise only one option is offered: delete the infected file and then restore it from a backup (if, of course, you have one).



Heuristic analysis can detect unknown viruses, and it does not require the preliminary collection, processing and storage of information about the file system. Its essence is to check the possible habitats of viruses and to look there for commands (or groups of commands) characteristic of viruses. If suspicious commands are found in files or boot sectors, a message about a possible infection is displayed.

Heuristic analysis, like the forecasting methods discussed above, is based on the principles of inductive logic, since its central concept is the reliability of the hypothesis, the degree of its validity. Obviously, it is possible to increase the degree of validity of the heuristic hypothesis regarding the forecast of the development of scientific and technological progress in any of its directions, taking into account the dynamics and trends in the development of scientific research in these areas of science in the analysis.

Using heuristic analysis, it is possible to establish the most appropriate combinations of functional subgroups that are part of the corresponding functional groups for the selected process algorithm: for example, technological and transport rotors that do not require a top plate for their installation on the bed.

This concludes our heuristic analysis of stellar speckle interferometry.

The program provides for the possibility of carrying out heuristic analysis at three levels. At the same time, files and system areas of disks are examined in order to detect unknown viruses using characteristic code sequences.

The second principle is the heuristic analysis of the significance of the factors taken into account, based on practical experience and intuition.

In 1998, a system for visual heuristic analysis of numerical matrices, Visual HCA, was created under the guidance of prof. Reports were repeatedly presented at conferences in Mexico (China, Belgium) and articles published in foreign and domestic journals. In 2000, an application system for visual monitoring of Mexico City pollution measurement data was developed using the visual heuristic analysis system.

A special heuristic analysis algorithm implemented in this anti-virus program also makes it possible to detect files infected with new types of viruses.

In a number of cases, such a scheme of ordered deterministic calculations, accompanied by a deep heuristic analysis, makes it possible to obtain sufficiently substantiated solutions and thus complete the optimization of the adsorption plant with incomplete information. But sometimes the solutions obtained can differ significantly in their components. Then it is recommended to continue the optimization calculation according to the scheme described below.

Since we now already have an exact theory of game solutions, we are obliged, after this preliminary heuristic analysis, to give an exact analysis strictly based on mathematical theory.

It should be emphasized that a research group formed to solve a particular problem of organizational management must be able to use a formal mathematical apparatus and be capable of a purely heuristic analysis of real situations.

Maclaurin and that fission will occur when the growing ratio t reaches a critical value m 0 14 (see Sec. Two interesting results follow from this heuristic analysis. First, stars with M 0 8 MQ reach the main sequence and stop contracting before their nucleus can undergo division caused by rotation.


The solution of the problem of constructing a set of conflict options is carried out with the help of the SPP of optimal design, which are included in the software of the automated design system. Further, using heuristic analysis algorithms, the computer first ranks and selects a finite number of the best options for the AL project, then their diagnostics or, conversely, first diagnostics, then selection. The results obtained are issued to the terminal devices so that the designer can conduct their final assessment.

When solving a two-criteria problem, one should strive to ensure an extremum of a linear combination of criteria or find Pareto sets and make a final decision based on a heuristic analysis of these sets. Sometimes they do the following. A restriction is imposed on one of the criteria and the second criterion is forced to take an extreme value.

The name of this group of methods comes from the famous Greek word attributed to Archimedes "Eureka!" - "found!", expressing joy over his discovery. Heuristic methods are based on creative thinking and knowledge of specialists - experts, practical experience of business managers, their intuition, individual and collective judgments. Such methods are considered qualitative-logical, complementing the formalized quantitative methods of analysis. The need for their application is due to the complexity and impossibility of a clear mathematical modeling of many socio-economic processes (although many of these methods involve the use of mathematical procedures for processing initial information and the results of logical expert analysis).

All heuristic methods can be conditionally divided into expert methods and methods of activating creative thinking (sometimes they are called psychological).

Expert methods, based on the knowledge, judgments and experience of specialists, make it possible to solve two groups of analytical problems:

  • 1) obtaining information about specific economic phenomena and their causes, about the requirements of key business stakeholders;
  • 2) assessment of the characteristic manifestations of stable cause-and-effect relationships, forecasting the possible development of socio-economic processes and substantiating the most rational management decisions for a given situation.

The first group of tasks is solved with the help of questionnaires, surveys and interviews of employees of enterprises and representatives of other groups of stakeholders of these enterprises. To solve the second group of tasks, highly qualified professional experts are involved. In this case, both individual and collective methods of expert assessments can be used.

Individual Methods involve the use of the opinions of selected experts-experts, formulated by each of them independently of each other and collected through interviews or questionnaires. The disadvantage of this approach lies in the well-known limited knowledge of individual specialists about all aspects of the problem under study, in the commitment of each of them to a particular position or scientific school.

Collective methods are more effective. They involve groups of different experts, theorists and practitioners, who know the essence of the problem and the specifics of related fields of knowledge and activity and who hold different points of view. The interaction of the specialists involved makes it possible to examine the problem from different angles. The most popular of these methods is the commission method (production meetings, conferences, seminars and "round tables"), which allows the participants to develop a common position that takes into account all the circumstances discussed. Its disadvantage is that the decisions reached, owing to the desire for compromise and the psychological pressure of the most authoritative experts, do not necessarily reflect the best options proposed by individual members of the commission. This shortcoming is partly overcome by dividing the commission's work into two stages:

  • general discussion of the problem and free expression of the participants' opinions;
  • critical analysis of all proposals made and development of solutions.

The Delphi method goes even further in avoiding conformity among experts. It is based on a remote anonymous survey conducted in several rounds among independent experts (often not even aware of each other's existence), followed by statistical processing of the results and the development of a final decision by a group of analysts, the organizers of the survey.

The collective notebook and bank of ideas methods are also widely known; they allow the gradual accumulation of ideas and proposals put forward by independent experts, successful standard solutions and practical examples, with the possibility of systematizing and evaluating them.

Methods for activating creative thinking are aimed at creating psychological conditions that allow a person to generate new ideas and look for ways to solve various problems. Among such methods of organizing the creative process in solving problems of economic analysis, the most widely used method is "brainstorming".

"Brainstorm" represents effective method group organization of analytical activities to solve any problems, based on the emancipation of the creative activity of its participants. It usually involves three stages. The first stage is a clear formulation of the problem that needs to be solved, and the selection of members of the creative team. The composition of the participants should not be large, but it should include not only experts on the subject, but also other interested persons who are not connected by subordination relations. The second stage is the generation of ideas to solve the problem. A feature of this stage is the creation of conditions for the most free creativity in the complete absence of assessments and any criticism of the proposals made. At the same time, even the direction of the search for ideas and the criteria for their evaluation are not set. The main goal is the maximum number of proposals put forward and their possible combinations, all of which must be recorded. Even fantastic and seemingly absurd ideas are welcome. The duration of this stage should not exceed one and a half hours, since after this, creative activity, as a rule, begins to subside. The third stage is the classification of the proposals made, the selection, evaluation and development of various combinations of the most promising ideas carried out by analysts - the organizers of the "storm".

A modification of the brainstorming method is the synectics method. The term "synectics" itself means the use of various, often heterogeneous and seemingly incompatible elements to solve creative problems. Synectics differs from classic "brainstorming" in that the group's influence on the creative activity of its members is organized, specific methods for generating ideas are defined, and critical discussion and screening of the ideas put forward are allowed directly at the stage of their generation. The group should include not just professionals but creative individuals who strive for competition and are ready to defend their positions, with various psycho-emotional characteristics (enthusiasts, conservatives, optimists, skeptics, etc.). Characteristic of synectics is the use of various verbal methods of activating thinking: analogy (finding solutions by analyzing similar problems already solved in other areas, searching for solutions in science fiction, myths and fairy tales), inversion (searching for solutions "from the opposite"), empathy (identifying oneself with the analyzed object and understanding the problem through one's own feelings), and idealization (research from the standpoint of obtaining the ideal result). It should be noted that preliminary preparation, mutual understanding and cohesion are very important for a synectic group of experts; otherwise the growing criticality of the discussions can simply block the generation of new ideas.

The morphological method. This method is based on an assessment of the internal structure of the object under study and the corresponding decomposition of the problem under consideration into separate tasks, the selection of possible solutions for each of these tasks, their systematization, and the synthesis of a general solution to the problem by combining the particular solutions.

Theory of inventive problem solving (TRIZ). Initially, the purpose of TRIZ was to study the principles of the development of technical systems and to create practical methods for solving inventive problems based on identifying and eliminating contradictions in such systems in order to achieve an ideal end result. TRIZ has since become a universal methodology for analyzing various problems in many areas, including economics. The activation of creative thinking is achieved by structuring the tasks of analysis and following a certain sequence in solving them:

  • 1) what the system is intended for, what elements it consists of, what are their functions and how they interact;
  • 2) which connections of the elements of the system and their functions are useful, which are useless, and which are harmful;
  • 3) which elements, functions and relationships can be changed and which cannot be changed;
  • 4) what are the possible options for changing the elements of the system, their functions and relationships;
  • 5) what changes provide an improvement in the functioning of the system as a whole, and which ones cause contradictions in the system and weaken it;
  • 6) how to implement improving changes while eliminating or minimizing emerging contradictions.

To stimulate creative activity and organize systematic independent work of expert analysts, they often resort to the implementation of peculiar rules. Rule 24 prescribes that all 24 hours a day the analyst must think about the problem under study. Rule 25 - to successfully solve the problem, it is necessary to put forward at least 25 ideas. Rule 26 - there are 26 letters in the English alphabet, and as a hint to yourself, you need to think about which letter the key word for solving the problem will begin with.

Heuristic methods of analysis

You have probably met a person in your life who first of all struck you by the fact that he has an extremely developed imagination, original and unexpected judgments, ideas that are characteristic of highly developed intuitive thinking. We usually call such a person a creative person. And the ability to generate new ideas has every reason to refer to one of the most important features of a creative person.

Both at school and in higher and secondary specialized educational institutions, unfortunately, insufficient attention is paid to the development of intuition, the ability to generate new ideas. Teachers mainly pay attention to logical methods of solving problems, including in the process of solving creative problems.

Calculation methods operate only with quantitatively defined information, the use of which in the analysis of control systems is very limited. For the analysis of economic activity, the use of heuristic methods aimed at obtaining the qualitative characteristics of a business entity is of great importance. Heuristic methods are based mainly on the experience and intuition of specialists, their individual or collective judgments. Among the heuristic methods, one can single out evaluation and evaluation-search methods of analysis.

Heuristic methods are widely described in works on personnel management, management organization and organizational behavior.

The conditions that predetermine the need to use heuristic methods can be characterized as follows:

  • the qualitative nature of the initial information, described using economic and social parameters, and the lack of sufficiently representative and reliable information on the characteristics of the object of study;
  • large uncertainty in the initial data for analysis;
  • lack of a clear subject description and mathematical formalization of the subject of assessment;
  • lack of time and funds for research using formal models;
  • absence of technical means with the characteristics appropriate for analytical modeling;
  • the extreme nature of the analyzed situation.

Heuristic methods of analysis are a special group of methods for collecting and processing information, based on the professional judgment of a group of specialists.

Classification of heuristic analysis methods

Heuristic evaluation methods

Evaluation and search methods

  • Commissions and conferences
  • Brainstorming
  • Collective notebook
  • Bank of ideas
  • Method of active sociological tested analysis and control
  • Business games
  • Functional cost analysis

Heuristic methods are often called creative because they rely on the creative thinking of a group of people. The key to the reliability and validity of the conclusions of an analysis by heuristic methods is the correct selection of experts. Depending on the goals and focus, the expert group may be homogeneous or may include representatives of different groups of related professionals, and sometimes simply interested persons. For example, a group of experts formed to analyze technological developments includes technologists who can professionally evaluate the technical novelty of a solution, economists who evaluate its effectiveness, mechanics who can assess the feasibility of implementing the new technology on the existing production base, and the workers who will carry out the new technology. When assessing the quality of products and the demand for them, the expert group includes not only commodity experts but also manufacturers and consumers of the products. When developing a technical solution, on the other hand, only specialists of the relevant profile are included in the expert group at the first stage.

In practice, fairly elaborate methods of forming a group of experts have developed:

  • according to formal criteria, taking into account specialty, work experience and length of time in one team; this also includes psychological assessments of the individual by the organization's sociological service (if it has one), for example of the capacity for creative and constructive thinking;
  • based on the person's self-assessment obtained in a survey, in which the future expert evaluates his own capabilities, including qualifications, analytical and constructive thinking, the ability to adapt to certain situations, and so on; such selection is supplemented by determining whether the future expert's self-assessment is underestimated, overestimated or adequate, which is done by special psychological selection of experts;
  • based on the assessment of persons associated with the applicant, where the professional and personal qualities of the specialist are evaluated by specialists of a similar profile, by consumers of services and by the employees who implement the expert's decisions;
  • by random selection (sampling), when many persons (for example, consumers of products and services) can act as experts.

Quite often, when analyzing the activities of an economic entity, the group of experts includes managers of different levels and employees. For example, this is how a group of experts is formed when choosing a strategy for the development of production, changing the incentive system, reforming accounting and reporting systems, and restructuring organizational structures.

Thus, both formal and psychological selection methods are widely used in the selection of experts. In this regard, heuristic methods are often called psychological.

(Melyukhova Yana) 1) The typology method is based on the now popular positioning theory. The main idea of this theory is the existence of a ready-made picture of standard situations and decisions that is uniform for all. The analyst's task is to select the position corresponding to the object of analysis in terms of certain parameters and to obtain the standard solution offered by the developers of the method. Practical applications of this theory are the BCG and McKinsey matrices, etc. The technology for implementing the method includes the following steps:

  • evaluation of the analyzed object according to some given parameters;
  • positioning of the object in the typological scheme in accordance with the values of the parameters;
  • scheme by the type of the analyzed object.

When constructing a typological scheme, two or more parameters can be used. Parameters can reflect both simple and complex properties. An example of a complex property is market prospects, characterized by size, growth rate, level of user satisfaction, competition, price level, profitability, etc. As can be seen from this example, the parameters can have both quantitative and qualitative assessment. The positioning of the analyzed object (objects) on the typological grid is possible in the form of one or another mark (points, circles, etc.).

If there are developments in specific areas, the use of typological grids allows you to determine the type of the analyzed object and use ready-made recommendations for its improvement. However, one must be extremely careful with the method of typology. It must be borne in mind that universal "recipes" are quite seductive in their simplicity, which contrasts with the solution of creative problems, but the benefits of applying the recommendations received are very limited. It is better to know how to identify and solve problems than to believe in ready-made recipes for success. According to the author, only in combination with other assessment methods, the typology method makes it possible to characterize the situation and find acceptable options for predictive management decisions.

(Kiseleva Olya) 2) Peer review method relies on the identification of a generalized assessment by an expert group through statistical processing of individual, independent assessments made by experts. Members of the group in this case may be equal or have a different rank, which is taken into account when deriving the results of the examination.

When recruiting experts, one should be guided by such requirements as:

  • a high level of general erudition and possession of special knowledge in the analyzed area;
  • the presence of certain practical and (or) research experience on the problem under consideration;
  • the ability to adequately assess the development trends of the object under study;
  • lack of bias or interest in a particular result of the assessment.

Favorable conditions for the work of experts are created by preliminary instruction, training in the research methodology and the provision of additional information about the object of analysis.

(Olia Prilepa) 3) Method of the expert commission is based on the identification of a single collective opinion by specially selected experts when discussing the problem posed and alternatives for solving it as a result of certain compromises.

When using the method of the expert commission, not only the statistical processing of the results of the individual scoring of all experts is carried out, but also the exchange of views on the results of the examination and the refinement of the estimates. The disadvantage of this procedure is the strong influence of authorities on the opinion of the majority of participants in the examination.


What is a heuristic analyzer?

  1. The heuristic method, unlike the signature method, aims to detect not the signatures of malicious code but typical sequences of operations that make it possible to draw a conclusion about the nature of the file with a sufficient degree of probability. The advantage of heuristic analysis is that it does not require pre-compiled databases to work. Because of this, new threats are recognized before their activity becomes known to virus analysts.
  2. please write to me if you know
  3. Heuristic scanning is a method of operation of an anti-virus program based on signatures and heuristics. This technology, however, is used very carefully in modern programs, as it can increase the number of false positives.
  4. A heuristic analyzer (heuristic) is an anti-virus module that analyzes the code of an executable file and determines whether the scanned object is infected.
    Heuristic analysis does not use standard signatures. On the contrary, the heuristic makes a decision on the basis of predetermined, sometimes not entirely clear rules.

    For greater clarity, this approach can be compared with artificial intelligence, which independently conducts analysis and makes decisions. However, this analogy only partially captures the essence, since the heuristic does not know how to learn and, unfortunately, has low efficiency. According to antivirus experts, even the most modern analyzers are unable to stop more than 30% of malicious codes. Another problem is false positives, when a legitimate program is identified as infected.

    However, despite all the shortcomings, heuristic methods are still used in antivirus products. The fact is that the combination of different approaches can improve the final efficiency of the scanner. Today, heuristics are supplied with the products of all major market players: Symantec, Kaspersky Lab, Panda, Trend Micro and McAfee.
    Heuristic analysis checks the file structure and its conformance to virus templates. The most popular heuristic technique is to check the contents of a file for modifications of already known virus signatures and their combinations. This helps to identify hybrids and new versions of previously known viruses without an additional update of the antivirus database.
    Heuristic analysis is used to detect unknown viruses and, as a result, does not involve treatment.
    This technology cannot determine with 100% certainty whether a virus is in front of it or not, and like any probabilistic algorithm it suffers from false positives.

    Any questions will be resolved by me; contact us, we will help in any way we can.

  5. The heuristic analyzer summarizes the tendencies of the program code in terms of system interrupt calls, extrapolating the level of possible maliciousness. Thus, a balanced protection of the operating system is provided.
    Well, I sort of explained everything, understand? ;))
  6. It's a type of artificial intelligence. In real life, this technology is not available; there are some approximations to it, as if the antivirus itself analyzes the program and decides whether it is a virus or not.

Scanning

Antivirus protection.

Anti-virus programs have been and remain the main means of combating viruses. You can use antivirus programs (antiviruses) without having any idea of how they work. However, without understanding how antiviruses are built, knowing the types of viruses, and knowing how they spread, it is impossible to organize reliable computer protection. As a result, a computer can be infected even if antiviruses are installed on it.

Today, several fundamental methods for detecting and protecting against viruses are used:

scanning;

heuristic analysis;

use of anti-virus monitors;

detection of changes;

use of antiviruses built into the BIOS of the computer.

In addition, almost all anti-virus programs provide automatic recovery of infected programs and boot sectors, where this is possible.

The simplest virus-scanning technique is for the anti-virus program to sequentially scan the files it checks for signatures of known viruses. A signature is a unique sequence of bytes that belongs to a virus and is not found in other programs.

Antivirus scanners can only find known and studied viruses for which a signature has been determined. The use of simple scanner programs does not protect your computer from the penetration of new viruses.

Encrypting and polymorphic viruses that can completely change their code when they infect a new program or boot sector cannot be identified by a signature. Therefore, simple anti-virus scanners cannot detect polymorphic viruses.

Heuristic analysis allows you to detect previously unknown viruses, and for this you do not need to first collect data about the file system, as required, for example, by the change detection method discussed below.

Anti-virus programs that implement the heuristic analysis method scan programs and boot sectors of disks and floppy disks, trying to detect virus-specific code in them. The heuristic analyzer can detect, for example, that the program under test installs a resident module in memory or writes data to the program's executable file.

Almost all modern anti-virus programs implement their own methods of heuristic analysis. In Fig. 1 we showed one such program, the McAfee VirusScan scanner, launched manually to scan the disk for viruses.

When an antivirus detects an infected file, it usually displays a message on the monitor screen and makes an entry in its own or system log. Depending on the settings, the antivirus can also send a message about a detected virus to the network administrator.

If possible, the antivirus disinfects the file by restoring its contents. Otherwise, only one option is offered - delete the infected file and then restore it from a backup copy (if you have one, of course).

Antivirus programs are programs whose main task is to protect against viruses, or more precisely, against malware.

Theoretically, methods and principles of protection are not of particular importance, the main thing is that they should be aimed at combating malware. But in practice, the situation is somewhat different: almost any anti-virus program combines in different proportions all the technologies and methods of protection against viruses that have been created to date.

Of all the methods of anti-virus protection, two main groups can be distinguished:

  • Signature methods - accurate virus detection methods based on comparing files with known virus samples
  • Heuristic methods - approximate detection methods that allow one to assume, with a certain probability, that a file is infected

Signature analysis

The word signature in this case is a calque of the English word signature, meaning "signature" or, in a figurative sense, "a characteristic feature that identifies something". Actually, that says it all. Signature analysis consists in identifying the characteristic identifying features of each virus and searching for viruses by comparing files with the identified features.

A virus signature will be understood as a set of features that allow one to uniquely identify the presence of a virus in a file (including cases where the entire file is a virus). Together, the signatures of known viruses make up the anti-virus database.

The task of extracting signatures, as a rule, is solved by people: experts in the field of computer virology who are able to extract the virus code from the program code and formulate its characteristic features in the form that is most convenient for searching. "As a rule", because in the simplest cases special automated signature extraction tools can be used, for example for simple Trojans or worms that do not infect other programs but are themselves entirely malicious programs.

Almost every antivirus company has its own group of experts who analyze new viruses and update the antivirus database with new signatures. For this reason, anti-virus databases in different antiviruses are different. Nevertheless, there is an agreement between anti-virus companies to exchange virus samples, which means that sooner or later the signature of a new virus gets into the anti-virus databases of almost all anti-viruses. The best antivirus will be the one for which the signature of the new virus was released before anyone else.

One common misconception about signatures is that each signature corresponds to exactly one virus or malware, and that, as a result, an anti-virus database with a large number of signatures allows more viruses to be detected. In fact, this is not so. Very often one signature is used to detect a whole family of similar viruses, and therefore it cannot be assumed that the number of signatures equals the number of detected viruses.

The ratio between the number of signatures and the number of known viruses is different for each anti-virus database, and it may well turn out that a database with a smaller number of signatures actually contains information about a larger number of viruses. If we recall that anti-virus companies exchange virus samples, we can assume with a high degree of confidence that the anti-virus databases of the most famous anti-viruses are equivalent.

An important additional feature of signatures is the precise and guaranteed determination of the virus type. This property allows not only the signatures themselves, but also the methods of treating the virus, to be added to the database. If signature analysis only answered whether a virus is present, but not which virus it is, treatment would obviously be impossible: the risk of performing the wrong actions and, instead of treatment, causing additional loss of information would be too great.

Another important, but negative, property is that in order to obtain a signature you must have a sample of the virus. Hence, the signature method is unsuitable for protection against new viruses, since until the virus has been analyzed by experts it is impossible to create its signature. That is why all the largest epidemics are caused by new viruses. From the moment a virus appears on the Internet to the release of the first signatures, it usually takes several hours, and during this time the virus is able to infect computers almost unhindered. Almost, because the additional protection tools discussed earlier, as well as the heuristic methods used in antivirus programs, help protect against new viruses.

Heuristic Analysis

The word "heuristic" comes from the Greek verb "to find". The essence of heuristic methods is that the solution of the problem is based on some plausible assumptions, and not on strict conclusions from the available facts and premises. Since such a definition sounds rather complicated and incomprehensible, it is easier to explain using examples of various heuristic methods.

If the signature method is based on identifying the characteristic features of a virus and looking for these features in the files being scanned, then heuristic analysis is based on the (very plausible) assumption that new viruses often turn out to be similar to some already known ones. After the fact, this assumption is justified by the presence in anti-virus databases of signatures that detect not one but several viruses at once. Based on this assumption, the heuristic method consists in searching for files that do not fully, but very closely, match the signatures of known viruses.

The positive effect of using this method is the ability to detect new viruses even before signatures are allocated for them. Negative sides:

  • Chance of mistakenly detecting a virus in a file when the file is actually clean - such events are called false positives
  • Impossibility of treatment - both because of possible false positives and because of possible inaccurate determination of the virus type, an attempt at treatment can lead to a greater loss of information than the virus itself, and this is unacceptable
  • Low efficiency - against truly innovative viruses that cause the most widespread epidemics, this kind of heuristic analysis is of little use
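The two approaches described above, exact signature matching and the heuristic search for files that nearly match a known signature, can be shown side by side in a small scanner. The following is an added example written for this page, not code from any antivirus product; the signatures and sample files are constructed for illustration and contain no real malware bytes, and the 80% similarity threshold is an assumed tuning value.

```python
"""Signature scanning with a near-match heuristic (added example).

Assumptions: signatures are plain byte sequences, similarity is the
fraction of signature bytes that agree with the file at the best offset,
and 0.8 is the threshold at which a near miss is reported.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # byte sequence believed to be unique to the virus family


# Constructed sample signatures (not real malware).
SIGNATURES = [
    Signature("Demo.Virus.A", b"\x55\x8b\xec\xde\xad\xbe\xef\x90\x90\xc3"),
    Signature("Demo.Worm.B", b"MAIL_ME_TO_EVERYONE\x00"),
]

# Constructed sample files: clean text, an exact carrier of Demo.Virus.A,
# and a "new version" in which two of the ten signature bytes were changed.
CLEAN_FILE = b"Hello, world. This is a harmless text file.\n" * 3
INFECTED_FILE = b"MZ" + b"\x00" * 16 + SIGNATURES[0].pattern + b"\x00" * 8
VARIANT_FILE = (b"MZ" + b"\x00" * 16
                + b"\x55\x8b\xec\x11\xad\xbe\x22\x90\x90\xc3" + b"\x00" * 8)


def scan_exact(data: bytes, signatures=SIGNATURES):
    """Classic scanner: report every signature that occurs verbatim in the file."""
    return [s.name for s in signatures if s.pattern in data]


def best_near_match(data: bytes, sig: Signature) -> float:
    """Slide a window of the signature's length over the file and return the
    highest fraction of bytes that agree at any offset (1.0 for an exact hit)."""
    n = len(sig.pattern)
    if n == 0 or len(data) < n:
        return 0.0
    best = 0
    for off in range(len(data) - n + 1):
        window = data[off:off + n]
        hits = sum(1 for a, b in zip(window, sig.pattern) if a == b)
        if hits > best:
            best = hits
            if best == n:
                break
    return best / n


def scan_heuristic(data: bytes, threshold=0.8, signatures=SIGNATURES):
    """Heuristic scanner: flag files that closely, but not exactly, match a
    known signature. Returns (name, similarity) pairs; exact hits are left
    to scan_exact, which is the case where treatment information exists."""
    results = []
    for s in signatures:
        if s.pattern in data:
            continue
        sim = best_near_match(data, s)
        if sim >= threshold:
            results.append((s.name, round(sim, 2)))
    return results


if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_FILE), ("infected", INFECTED_FILE),
                        ("variant", VARIANT_FILE)]:
        print(label, "exact:", scan_exact(blob), "heuristic:", scan_heuristic(blob))
```

The variant file is missed by the exact scanner and caught by the heuristic one, which is the positive effect the text describes; the same threshold, applied to real data, is also where false positives come from, since any file that happens to share 80% of a short byte pattern will be reported.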

Search for viruses that perform suspicious activities

Another heuristic method is based on the assumption that malware in one way or another seeks to harm the computer. The method relies on identifying the main malicious actions, such as:

  • Deleting a file
  • Writing to a file
  • Writing to specific areas of the system registry
  • Opening a listening port
  • Intercepting data entered from the keyboard
  • Sending e-mail
  • etc.

It is clear that the performance of each such action separately is not a reason to consider the program malicious. But if a program sequentially performs several such actions, for example, writes its own startup to the autorun key of the system registry, intercepts data entered from the keyboard and sends this data to some Internet address with a certain frequency, then this program is at least suspicious. A heuristic analyzer based on this principle must constantly monitor the actions that programs perform.

The advantage of the described method is the ability to detect previously unknown malicious programs, even if they are not very similar to those already known. For example, a new malware sample can use a new vulnerability to infiltrate a computer, but after that it starts to perform its usual malicious actions. Such a program can be missed by a heuristic analyzer of the first type, but detected by an analyzer of the second type.

The negative traits are the same as before:

  • False positives
  • Impossibility of treatment
  • Low efficiency
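The behaviour-based analyzer just described can be sketched as a scoring rule over the actions a monitor records for a program. The following is an added example written for this page, not the code of any antivirus product; the action traces are constructed, the weights are assumed values, and the threshold of 10 is an arbitrary tuning choice. The point it demonstrates is the one the text makes: individual actions score low, and the combination of writing to the autorun key, hooking the keyboard and repeatedly sending data to one address is what pushes a program over the line.

```python
"""Behaviour-based heuristic: score a program's recorded actions (added example).

Assumptions: a monitor has already logged (action, target) pairs for each
program; WEIGHTS and the threshold are illustrative values, not those of
any real product.
"""
from collections import Counter

# Constructed sample traces, as an activity monitor might record them.
TRACES = {
    "editor.exe": [
        ("file_write", "C:\\Users\\demo\\notes.txt"),
        ("file_delete", "C:\\Users\\demo\\notes.txt.bak"),
    ],
    "updater.exe": [
        ("registry_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
        ("net_send", "https://updates.example.invalid/check"),
    ],
    "suspicious.exe": [
        ("registry_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
        ("keyboard_hook", "WH_KEYBOARD_LL"),
        ("net_send", "http://203.0.113.10/upload"),
        ("net_send", "http://203.0.113.10/upload"),
        ("net_send", "http://203.0.113.10/upload"),
    ],
}

# Weight of each action on its own (assumed values).
WEIGHTS = {
    "file_delete": 1, "file_write": 1, "registry_write": 2,
    "listen_port": 2, "keyboard_hook": 3, "net_send": 1, "send_mail": 2,
}

AUTORUN_KEY = "\\CurrentVersion\\Run\\"  # Windows autorun key fragment


def score_trace(trace):
    """Sum the per-action weights, then add a large bonus only when the
    persistence + keylogging + exfiltration combination is present.
    Returns (score, reasons)."""
    score = sum(WEIGHTS.get(action, 0) for action, _ in trace)
    reasons = []

    persists = any(a == "registry_write" and AUTORUN_KEY in t for a, t in trace)
    hooks_keyboard = any(a == "keyboard_hook" for a, _ in trace)
    sends = Counter(t for a, t in trace if a == "net_send")
    repeated_send = any(n >= 3 for n in sends.values())

    if persists:
        reasons.append("adds itself to the Run key")
    if hooks_keyboard:
        reasons.append("installs a keyboard hook")
    if repeated_send:
        reasons.append("repeatedly sends data to one address")
    # The combination, not any single action, is what marks a keylogger.
    if persists and hooks_keyboard and repeated_send:
        score += 10
        reasons.append("persistence + keylogging + exfiltration pattern")
    return score, reasons


def verdict(trace, threshold=10):
    """Classify a trace as 'clean' or 'suspicious' by its score."""
    score, reasons = score_trace(trace)
    return ("suspicious" if score >= threshold else "clean"), score, reasons


if __name__ == "__main__":
    for name, trace in TRACES.items():
        print(name, verdict(trace))
```

Note that updater.exe also writes to the Run key and contacts the network, yet stays below the threshold: that is the deliberate trade-off between catching the pattern and the false positives the text lists as a drawback, and it is where the analyzer's rules would be tuned in practice.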


Heuristic analysis is a technique used by many computer anti-virus programs designed to detect previously unknown computer viruses, as well as new variants of viruses already in the "wild".

Heuristic analysis is an expert-based analysis that determines a system's susceptibility to a particular threat/risk using various decision rules or weighting methods. Multicriteria analysis (MCA) is one of the means of weighting. This method is different from statistical analysis, which relies on available data/statistics.

Operation

Most anti-virus programs that use heuristic analysis perform this function by executing the program commands of a questionable program or script in a specialized virtual machine, thereby allowing the anti-virus program to simulate internally what would happen if the suspicious file were executed, while keeping the suspicious code isolated from the real machine. It then analyzes the commands as they are executed, monitoring for common virus activities such as replication, file overwrites, and attempts to hide the existence of the suspicious file. If one or more virus-like actions are detected, the suspicious file is marked as a potential virus and the user is alerted.

Another common heuristic analysis technique for an antivirus program is to decompile a suspicious program and then analyze the native code contained within. The source code of a suspicious file is compared with the source code of known viruses and virus-like activities. If a certain percentage of the source code matches that of a known virus or virus-like activity, the file is flagged and the user is alerted.

Effectiveness

Heuristic analysis can detect many previously unknown viruses and new variants of current viruses. However, heuristic analysis works on the basis of experience (comparing the suspicious file with the code and behaviour of known viruses). This means that it is more likely to miss new viruses that use previously unknown techniques not found in any of the known viruses. Therefore, its performance is quite low in terms of accuracy and false positives.

As new viruses are discovered by human researchers, information about them is added to the heuristic analysis engine, thus providing the engine with a means of detecting further new viruses.

What is heuristic analysis?

Heuristic analysis is a method of detecting viruses by examining code for suspicious properties.

Traditional virus detection methods involve detecting malware by comparing the code in the program with that of known types of viruses that have already been encountered, analyzed and recorded in a database - known as signature detection.

While useful and still in use, the signature-based detection method has also become more limited, due to the development of new threats that exploded around the turn of the century and continue to emerge all the time.

To solve this problem, a heuristic model has been specifically designed to identify suspicious signs that can be found in unknown, new viruses and modified versions of existing threats, as well as known malware samples.

Cybercriminals are constantly developing new threats, and heuristic analysis is one of the few techniques used to combat the sheer volume of these new threats seen daily.

Heuristic analysis is also one of the few methods capable of fighting polymorphic viruses, a term for malicious code that is constantly changing and adapting. Heuristic analysis is included in the advanced security solutions offered by companies like Kaspersky Lab to detect new threats before they cause harm, without the need for a specific signature.

How does heuristic analysis work?

Heuristic analysis allows the use of many different techniques. One heuristic technique, known as static heuristic analysis, involves decompiling a suspicious program and examining its source code. This code is compared with viruses that are already known and recorded in heuristic databases. If a certain percentage of the source code matches an entry in the heuristic database, the code is flagged as a possible threat.

Another technique is known as dynamic heuristics. When scientists want to analyze something suspicious without endangering people, they keep the substance in a controlled environment, such as a secure laboratory, for testing. Heuristic analysis does something similar, but in the virtual world.

It isolates the suspicious program or piece of code inside a specialized virtual machine, or sandbox, and gives the antivirus program a chance to check the code and simulate what would happen if the suspicious file were allowed to run. It examines each command as it executes and looks for suspicious behaviors such as self-replication, overwriting files, and other actions that are common to viruses.

Potential Issues

Heuristic analysis is ideal for detecting new threats, but to be effective heuristics must be carefully tuned to provide the best possible detection of new threats, but without generating false positives on completely innocent code.
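The dynamic heuristic described above (run the sample in an isolated environment, watch for replication, overwrites and self-hiding) and the tuning problem just mentioned can both be seen in a toy sandbox. The following is an added example written for this page, not the code of any antivirus product. It assumes a constructed mini scripting language with four commands (write, copy, hide, delete); the file system is a dictionary, so the emulated script never touches the real disk, and the decision rule (any replication or self-hiding, or two or more overwrites) is an assumed tuning choice.

```python
"""Toy sandbox: emulate a script against a virtual file system and watch
its behaviour (added example).

Assumptions: scripts use a constructed mini-language, one command per
line; the virtual file system is a dict; detection rules are illustrative.
"""
import shlex


class Sandbox:
    """A minimal emulator. Files live in a dict, so nothing reaches the host."""

    def __init__(self, files, self_name):
        self.fs = dict(files)       # virtual file system: name -> content
        self.self_name = self_name  # name of the file under analysis
        self.events = []            # observed virus-like activities

    def run(self, script, max_steps=100):
        """Execute the script one command at a time and collect events."""
        for step, line in enumerate(script.splitlines()):
            if step >= max_steps:   # guard against never-ending scripts
                self.events.append("step limit reached")
                break
            parts = shlex.split(line)
            if not parts or parts[0].startswith("#"):
                continue
            cmd, args = parts[0], parts[1:]
            handler = getattr(self, "op_" + cmd, None)
            if handler is None:
                self.events.append(f"unknown command {cmd}")
                continue
            handler(*args)
        return self.events

    def _store(self, name, content):
        """Every write goes through here so overwrites are always noticed."""
        if name in self.fs and self.fs[name] != content:
            self.events.append(f"overwrite {name}")
        self.fs[name] = content

    def op_write(self, name, content):
        self._store(name, content)

    def op_copy(self, src, dst):
        if src == self.self_name:   # copying itself elsewhere = replication
            self.events.append(f"replicate into {dst}")
        self._store(dst, self.fs.get(src, ""))

    def op_hide(self, name):
        if name == self.self_name:  # trying to conceal its own file
            self.events.append("hide own file")
        self.fs[name + ".hidden"] = self.fs.pop(name, "")

    def op_delete(self, name):
        self.fs.pop(name, None)


def analyse(script, self_name="sample.scr", files=None):
    """Emulate the script and decide whether its behaviour looks virus-like.
    Returns (flagged, events)."""
    if files is None:
        # Constructed starting state: the sample itself plus one user document.
        files = {self_name: script, "report.txt": "Q3 numbers"}
    events = Sandbox(files, self_name).run(script)
    strong = [e for e in events if e.startswith(("replicate", "hide own"))]
    overwrites = [e for e in events if e.startswith("overwrite")]
    # One overwrite is normal program behaviour; replication or hiding is not.
    flagged = bool(strong) or len(overwrites) >= 2
    return flagged, events


# Constructed sample scripts.
BENIGN_SCRIPT = """# legitimate backup job
copy report.txt report.bak
write log.txt "backup done"
"""

MALICIOUS_SCRIPT = """# copies itself over documents and hides
copy sample.scr report.txt
copy sample.scr notes.txt
write report.txt "junk"
hide sample.scr
"""

if __name__ == "__main__":
    print("benign:", analyse(BENIGN_SCRIPT))
    print("malicious:", analyse(MALICIOUS_SCRIPT))
```

The benign backup job also writes files, but produces no event, while the second script is reported for replication, overwriting the document twice and hiding itself. Raising or lowering the overwrite threshold is exactly the tuning the text refers to: set it to one and a legitimate installer updating an existing file is flagged as well.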
