What is Heuristic Analysis?

Deriving from the Ancient Greek word meaning "to discover," heuristic analysis is an approach to discovery, learning and problem-solving that uses rules, estimates or educated guesses to find a satisfactory solution to a specific issue. While this way of problem-solving may not be perfect, it can be highly successful when applied to computer processes where a quick answer or timely alert is required based on intuitive judgment.

Heuristic analysis can be found in the majority of mainstream antivirus solutions on the market today. Similar to signature scanning, which detects threats by searching for specific strings, heuristic analysis looks for specific commands or instructions that would not typically be found in an application.

When left to their own devices, these potentially malicious commands could execute functions such as:

• the payload of a trojan
• the replication mechanics of a virus
• the distribution pattern of a worm

Most heuristic antivirus processes use a rule or weight-based system to determine how much danger a program functionality could pose. If these rules exceed a predetermined threshold, an alarm is triggered and preemptive action is taken. Depending on the antivirus settings, this alarm may simply send an alert to a server administrator, or automatically place a file into quarantine

The game of cat and mouse between antivirus companies and cybercriminals is one that has been playing out for decades. Antivirus heuristic analysis helps software providers and their customers to stay one step ahead by detecting viruses that were previously unknown, and to defend against new malware that has not yet been added to virus definition files.

Heuristic based antivirus tools use a number of different scanning techniques, including:

• File analysis -- During file analysis, the scanning software will closely inspect a file to determine its purpose, destination and intent. For example, if a file's purpose is to delete specific files, it could be flagged as a virus.
• File emulation -- Also known as dynamic scanning or sandbox testing, file emulation tests a file in a controlled virtual environment to see what happens. If the file behaves like a virus, it is probably a virus!
• Genetic signature detection -- Designed to locate different variations of a virus, genetic signature detection uses previous virus definitions to discover viruses within the same family.

These techniques can be used to detect viruses at rest on file storage or in transit between two endpoints. For example, the Anti-Spam Agent within Forcepoint Email Security can be set to analyze the email header and body of an email to determine how closely the contents resemble spam. From time to time, heuristic analysis can detect false positives, but this can be addressed by setting custom filters and rules that add these false positives to a whitelist.

While heuristic analysis and detection processes may not be completely flawless and may throw up false positives from time to time, this method of proactive virus scanning can be a very effective way to complement traditional signature scanning solutions. Heuristic analysis antivirus software is constantly being improved, ensuring that processes run more efficiently and make better use of computer resources. For organizations looking for optimum protection from known and unknown malware and viruses, heuristic antivirus analysis is definitely a worthwhile investment.

Forcepoint's approach to cybersecurity comes from decades of experience. Our solutions are designed to scale with your business and deliver the highest level of security. We would be delighted to tell you more about the benefits of heuristic antivirus analysis and how we can tailor our solutions to suit your business. Get in touch with our team today to arrange a free demo.