Anti-virus does much more than reactively detect known viruses; it proactively scans for unknown ones too. So, how do scanners really work? The aim of this paper is to reduce some of the confusion around the workings of AV technology, and to clarify what is realistic to expect from AV protection, particularly heuristic analysis.
Heuristic Analysis -
Detecting Unknown Viruses
Anti-virus does much more than
reactively detect known viruses; it
proactively scans for unknown ones too.
So, how do scanners really work?
David HarleySecurity Author and ConsultantandAndrew LeeChief Research OfficerESET LLC
www.eset.com
Heuristic Analysis(Apr2007).indd 1 9/19/07 2:31:12 PMHeuristic Analysis(Apr2007).indd 2 9/19/07 2:31:12 PMHeuristic Analysis - Detecting Unknown Viruses
1
Table of Contents Page
About the Authors 2
Introduction 3
Watching the Detectives 4 Viruses 4 Worms 5 Non-replicative Malware 5
What does Heuristic really mean? 7 Signature Scanning 8 The Opposite of Heuristics 10 Generic Anti-virus 10 I'm Absolutely Positive 12 Sensitivity and Misdiagnosis 13 Testing Issues 15
Conclusion: A Heuristic Paradox 18
References 20
Glossary 21
www.eset.com
Heuristic Analysis(Apr2007).indd 3 9/19/07 2:31:13 PM2
About the Authors
David Harley David Harley has been researching and writing about malicious software and other security issues since the end of the 1980s. From 2001 to 2006 he worked in the UK's National Health Service as a National Infrastructure Security Manager, where he specialized in the management of malicious software and all forms of email abuse, as well as running the Threat Assessment Center. Since April 2006 he has been working as an independent author and technology security consultant.
David's first major book was "Viruses Revealed" (Harley, Slade, Gattiker), Osborne's comprehensive guide to computer virus protection. He has contributed chapters and editing to many other books on security and education, as well as a multitude of articles and conference papers. His latest writing project is as technical editor and major contributor to "The AVIEN Guide to Malware Defense in the Enterprise", to be published by Syngress in 2007.
SMALL BLUE-GREEN WORLD8 Clay Hill House, Wey Hill, Haslemere, SURREY GU27 1DATelephone: +44 7813 346129http://smallblue-greenworld.co.uk
Andrew LeeAndrew Lee, CISSP, is Chief Research Officer at ESET LLC. He was a founding member of the Anti-Virus Information Exchange Network (AVIEN) and its sister group AVIEWS (AVIEN Information & Early Warning System). He is a member of AVAR (The Association of Anti-virus Asia Researchers) and a reporter for the WildList International Organization, a group that maintains a list of computer viruses which are still "in the wild." Before joining ESET, he spent his time managing malware defenses as a senior security administrator for a large government organization in the UK.
Andrew is the author of numerous articles on malware issues, and is a frequent speaker at conferences and events including AVAR, EICAR, and Virus Bulletin.
ESET, LLC610 West Ash Street, Suite 1900, San Diego, California 92101, U.S.A. Telephone: +1.619.876.5400Fax: +1.619.876.5845http://www.eset.com
1.866.343.ESET (3738)
Heuristic Analysis(Apr2007).indd 4 9/19/07 2:31:13 PMHeuristic Analysis - Detecting Unknown Viruses
3
Introduction
"It ain't what you don't know that kills you, it's what you know that just ain't so." Some of the most persistent myths in computing relate to virus and anti-virus (AV) technology. The widely-held belief that AV software can only detect specific, known viruses has been around since the early days of AV research. It wasn't altogether true then; some of the first AV programs weren't intended to detect specific viruses, but rather to detect or block virus-like behavior, or suspicious changes in files. And, it's definitely not true now. Commercial AV systems supplement signature scanning with a variety of more generic approaches, which are often grouped together under the banner of heuristic analysis. Furthermore, most modern AV products are capable of detecting a wide range of malicious software (malware is a contraction of the words "malicious" and "software"), not just viruses. These may be combined with other security technologies such as the detection of spam and phishing messages. The aim of this paper is to reduce some of the confusion around the workings of AV technology, and to clarify what is realistic to expect from AV protection, particularly heuristic analysis. The specifics of heuristic scanning are discussed in some detail. For the ... [download for more]
