Heuristic analysis is an expert-based analysis technique
that determines the susceptibility of a system to a particular threat or risk
using various decision rules or weighting methods. Heuristic analysis of malware differs fundamentally
from traditional anti-malware analysis because it attempts to analyze software
by what it tries to do rather than by what it specifically looks like.
Why traditional anti-virus techniques don’t work anymore
Traditional anti-virus programs use a list of known signatures
for malware; a signature is essentially a fingerprint of the code within that malware
that makes it unique. All a malware
writer has to do to avoid detection is to change that signature
frequently enough.
Heuristic analysis attempts to identify malware by what it
does, not just what it looks like. While
signatures change by the minute, the characteristics of what malware tries to do
don’t change as fast.
Most antivirus programs that utilize heuristic analysis
perform this function by executing the suspicious commands within a
specialized virtual machine or “sandbox” to see what they do, effectively
simulating what would happen if that suspicious file were
executed in the “real world”. The engine analyzes the commands as they are performed, looking
for common viral activities such as replication, file overwrites, and attempts
to hide their existence. If one or more of these virus-like actions are
detected, the suspicious file is flagged as a potential virus and the user is
alerted.
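The sandbox approach just described boils down to a set of weighted decision rules applied to the actions a sample performs. The following toy scorer, an added example that is not code from the post or from any antivirus product, runs such rules over three constructed sandbox traces: a dropper-like sample, a legitimate self-updating editor, and a plain document editor. The event format, rule names, weights and threshold are all assumptions made for illustration.

```python
"""Toy behaviour-based heuristic over constructed sandbox traces.

Added example, not code from the original post or from any antivirus product.
The event format, rule names, weights and threshold are assumptions made for
illustration only.
"""
from collections import Counter

# Weighted decision rules: each maps a virus-like behaviour to a score.
# Weights are illustrative assumptions, not values from any real engine.
RULES = {
    "self_replication": 5,      # copies its own image somewhere else
    "overwrite_executable": 3,  # overwrites an executable that already exists
    "hide_file": 3,             # marks a file hidden to conceal its presence
    "persistence": 2,           # registers itself to run at every logon
}
THRESHOLD = 5  # flag the sample once the accumulated score reaches this


def classify_event(event, self_path):
    """Return the rule an event triggers, or None if it looks ordinary."""
    op = event["op"]
    if op == "copy" and event["src"] == self_path:
        return "self_replication"
    if op == "write" and event.get("existing") and event["path"].lower().endswith(".exe"):
        return "overwrite_executable"
    if op == "setattr" and "hidden" in event.get("attrs", ()):
        return "hide_file"
    if op == "regset" and "\\run\\" in event["key"].lower():
        return "persistence"
    return None


def score_trace(trace, self_path):
    """Apply the rules to every event; return (score, hits, flagged).

    Each rule contributes its weight once no matter how often it fires, so a
    program that writes many files is not penalised more than one that writes
    a single file; the per-rule hit counts are kept for the analyst's report.
    """
    hits = Counter()
    for event in trace:
        rule = classify_event(event, self_path)
        if rule is not None:
            hits[rule] += 1
    score = sum(RULES[rule] for rule in hits)
    return score, dict(hits), score >= THRESHOLD


# Constructed trace for a suspicious sample (not a real capture).
MALWARE_SELF = r"C:\Users\alice\Downloads\invoice.exe"
MALWARE_TRACE = [
    {"op": "copy", "src": MALWARE_SELF, "dst": r"C:\Windows\System32\svchost32.exe"},
    {"op": "setattr", "path": r"C:\Windows\System32\svchost32.exe", "attrs": ("hidden", "system")},
    {"op": "regset", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32",
     "value": r"C:\Windows\System32\svchost32.exe"},
    {"op": "write", "path": r"C:\Program Files\Tool\tool.exe", "existing": True},
]

# Constructed trace for a legitimate updater: it overwrites the program's own
# executable and registers an auto-start entry, enough to reach the threshold.
UPDATER_SELF = r"C:\Program Files\Editor\updater.exe"
UPDATER_TRACE = [
    {"op": "write", "path": r"C:\Program Files\Editor\editor.exe", "existing": True},
    {"op": "regset", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EditorUpdater",
     "value": UPDATER_SELF},
]

# Constructed trace for a document editor that only saves a new document.
EDITOR_SELF = r"C:\Program Files\Editor\editor.exe"
EDITOR_TRACE = [
    {"op": "write", "path": r"C:\Users\alice\Documents\report.docx", "existing": False},
]


if __name__ == "__main__":
    for name, trace, path in [("invoice.exe", MALWARE_TRACE, MALWARE_SELF),
                              ("updater.exe", UPDATER_TRACE, UPDATER_SELF),
                              ("editor.exe", EDITOR_TRACE, EDITOR_SELF)]:
        score, hits, flagged = score_trace(trace, path)
        print(f"{name}: score={score} hits={hits} -> {'FLAG' if flagged else 'clean'}")
```

The updater trace is the interesting one: two perfectly ordinary actions for an auto-updating program add up to exactly the threshold, so the scorer flags it alongside the dropper. That is the false-positive trade-off behind any weighting scheme; lowering the weight on persistence or raising the threshold lets the updater through but also lets a quieter dropper through.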
Another method of heuristic analysis is for the
anti-virus program to decompile suspicious programs and analyze the source code
contained within. The source code of the suspicious file is compared to the
source code of known viruses and virus-like activities. If a certain percentage
of the source code matches the code of known viruses or virus-like
activities, the file is flagged and the user is alerted.
Is Heuristic Analysis effective?
While heuristic analysis is capable of detecting many
previously unknown viruses and new variants of current viruses, it operates
on the basis of experience with known malware structures. It is likely to miss new malware and variants
that use previously unknown techniques or methods of operation not found in known
viruses, so its accuracy is fairly limited. It can also be susceptible to false positives
on legitimate software that uses similar or unfamiliar coding techniques, and flagging that
software can disable it because it “acts” like a virus.
As new viruses are discovered by human researchers,
information about them is added to the heuristic analysis engine, thereby
providing new criteria to detect new viruses.
Each vendor’s analysis techniques are unique and mostly proprietary, so
effectiveness can vary significantly from one company or product to the next.
Should you use it?
Let’s face reality.
Signature-based anti-virus doesn’t work very well any more. Sure, heuristic analysis isn’t a perfect solution,
but you’re still better off with it than without it. Any new A/V products or firewall components
you purchase should have a heuristic component. You
should just be aware that it’s NOT going to catch everything, and it may even occasionally
knock out a legitimate program if you’re not careful.
Is the product you’re using effective?
It’s important to use a recognized leader in malware
protection. There are professional
ratings reports published each year that rank A/V products. My particular favorite rating organization is
Gartner Research, and each year they rank vendors using their Magic Quadrant
reviews. They rank products based upon how well they work and how complete the vendor’s offering is. Last year 5 security vendors
were ranked as Leaders. If your vendor was listed in their Leaders quadrant, you can be pretty well assured that you’re
getting the most bang for your buck in this category. Be aware that there are A LOT of A/V vendors
that don’t even make the chart at all, let alone get into the Leader category. My advice is to stick with one
of the Leaders. If you’re using a
FREEWARE anti-virus product, you’re just asking for trouble.