What is Heuristic Analysis?
The term “heuristic virus” is a nickname for a malware called Heur.Invader. Heur.Invader malware can disable antivirus software, modify security settings, and install additional malicious software onto a computer. Adware and Trojans are examples of heuristic viruses. Heuristic analysis refers to the methods employed by antivirus programs designed to detect previously unknown pieces of malware. This differs from signature-based anti-malware detection where a signature is written so that anti-malware programs are able to identify related files or components in the future. As heuristic viruses can be polymorphic, having malicious code that changes and adapts, heuristic analysis methods are necessary to detect malware, because signature-based detection methods generally cannot move as quickly as the heuristic viruses can transform and spread. Heuristic analysis uses a number of tools and methods for detection:
Sandboxing. Sandboxing is a process that tests and analyzes a file’s behavior in a controlled environment to see if it behaves like a virus. Using a purpose-built environment, usually virtualized, suspected files are executed, and their behavior is recorded and analyzed automatically through a weights system in the sandbox, or manually by a malware analyst. 1 The benefits of sandboxing are that analysts are able to see, in detail, what a file will do in a particular environment, providing more information about how to classify the file and determine what the intention and effects of the file are.
Dynamic scanning. While signature-based scanning is looking for matches to signatures in a database of known malware, dynamic scanning uses rules/or algorithms to look for commands which may indicate malicious intent. The benefits of dynamic scanning are that it is faster than sandboxing, its rules can be changed with daily updates, and malware authors will not be aware of how the malware was flagged, making it more difficult for malware authors to develop strategies to evade detection.
File analysis. During file analysis, the scanning software will inspect a file to determine its purpose, destination, and its intent. If its purpose is to do something suspicious, such as deleting files, the file could then be flagged as a virus. The benefits of file analysis are that the automated analysis tools produce reports detailing information such as registry keys used, file activity, and network traffic and mutex values.2
Genetic signature. Genetic signature detection is designed to locate different variations of a virus using previously defined viruses to detect viruses that are of the same family.
If your antivirus products have not alerted you to a problem but you are experiencing some of the following symptoms, you may have heuristic virus3:
- Suspicious computer behavior such as high CPU usage on unrecognized processes
- Significantly increased network traffic or bandwidth use
- New services added or existing services removed
- Unable to access network resources such as shared drives
- Applications cease to function, or files can’t be accessed
- Unexpected registry keys added
1 Miao, 2015, “Understanding Heuristic-based Scanning vs. Sandboxing”
2 Sweeney, 2015, “Malware Analysis & Antivirus Signature Creation”
3 McAfee, 2021, “Troubleshoot to find possible infected files if a virus is not detected”