What does an AV program detect? Quite a lot as it happens, including some items that aren’t technically viruses. Most of what we see referred to as viruses might be better described as malware. The irony is that many specialist detection products (e.g. for detecting spyware or Trojans) are marketed as being necessary because AV only detects viruses.
In fact, commercial AV catches a far wider range of malware than most of these specialist services. A specialist program may detect more threats within its own specialty, but this depends not only on the program’s ability to catch specific threats and threat types, but also on other factors such as:
- The program’s generic detection capabilities
- The criteria used to differentiate between malware variants
- The sample sharing mechanisms between vendors (AV vendors have particularly effective and well-established ways of doing this, compared to vendors in other areas of malware detection.)
The following sections consider three major types of malware. A complete taxonomy of all malware would be out of scope for this paper.
Viruses
It’s certainly reasonable to expect AV software to detect viruses, and it is partly because AV has been so successful at detection over the years, that its capacity for detecting other types of malware has been underestimated.
While there are many definitions of virus, a definition accepted by most malware researchers is “a computer program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself” [1, 2].
This definition covers many types of virus, including:
- Boot sector and/or partition sector infectors
- File infectors (parasitic viruses)
- Multipartite viruses
- Macro and script viruses
While some of these virus types are rarely seen today (for example boot sector and partition sector infectors), AV programs generally detect all known viruses for the platform on which they are found (and sometimes for other platforms). In general, they’re also pretty good at detecting new and unknown “true” viruses heuristically.
Worms
The AV industry has never quite reached consensus on whether worms are, as Cohen stated, a “special case of virus” [1], but whatever the case, AV software normally detects them anyway.
There are at least as many definitions of worm as there are of virus, but most AV researchers define a worm as a program that replicates non-parasitically, i.e. without attaching itself to a host file. Mass mailers could be described as a special type of worm. Most AV companies describe this type of email-borne malware as a worm, but some mailers and mass mailers have the characteristics of a “pure” virus (Melissa, for example, was actually a pure virus, a macro virus that spread like a worm, while W32/Magistr was a file infector).
Here too, vendors have a pretty good handle on the detection of new variants. New mass mailers, for example, are usually flagged by messaging security providers and systems almost as soon as they appear.
Non-replicative Malware
It follows from the above definitions that if a malicious program doesn’t replicate, it can’t be a virus or worm. But that doesn’t mean AV software can’t detect it, or that it isn’t damaging.
Keep in mind that even when vendors used to protest at the detection of non-replicative objects because they weren’t viruses, some non-replicative objects (some of them not even executable programs, let alone malicious) were still detected and flagged [3]. For example:
- Intendeds (viruses that fail to replicate) and corruptions
- Garbage files
- Virus-related but non-viral programs such as germs, droppers, and virus generators
- Legitimate test programs such as an EICAR test file [4]
Many non-replicative objects have circulated for years in poorly maintained virus collections that have been used by some reviewers to test AV software. Most vendors gave up protesting long ago and added definitions (signatures) for these objects to their databases, in the hope of avoiding being penalized for not detecting them. Unfortunately, the increasing sophistication of heuristic scanners has barely kept pace with the ability of AV testers to find new and not always appropriate ways of testing. Later in this paper we will briefly consider technically acceptable ways of testing a product’s heuristic capabilities.
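The EICAR test file above is the one object in such a collection whose nature is fully documented, so it is also the one a tester can verify mechanically. The following Python script is an added example, not part of this paper: it checks a sample against the rules EICAR publishes for the test file (the 68-byte string first, optionally followed only by whitespace, no more than 128 bytes in total), compares the bare file with its published MD5 and SHA-256 reference digests, and labels everything else in a test set as an object whose provenance still has to be established. The sample collection it runs over is constructed for illustration (whitespace-padded, truncated and text-appended variants of the EICAR string), not taken from any real virus collection.

```python
import hashlib

# The 68-byte EICAR test string, assembled from two halves at run time so
# that merely saving this source file does not itself trip a scanner.
EICAR_TEST_STRING = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)

# Published reference digests of the bare 68-byte file (no trailer).
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

# EICAR's rules: the string may be followed only by these whitespace bytes
# (space, tab, CR, LF, CTRL-Z), and the whole file may not exceed 128 bytes.
ALLOWED_TRAILER = frozenset(b" \t\r\n\x1a")
MAX_LENGTH = 128


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_eicar_test_file(data: bytes) -> bool:
    """True only if data is a valid EICAR test file under the published rules."""
    if len(data) > MAX_LENGTH or not data.startswith(EICAR_TEST_STRING):
        return False
    trailer = data[len(EICAR_TEST_STRING):]
    return all(b in ALLOWED_TRAILER for b in trailer)


def triage_collection(samples: dict) -> dict:
    """Label every object in a test collection before it is used to score a scanner.

    Returns {name: (label, sha256)} where label is 'eicar-test-file' or 'other'.
    Anything labelled 'other' needs documented provenance and a verified
    replication result before a 'missed detection' against it means anything.
    """
    result = {}
    for name, data in samples.items():
        label = "eicar-test-file" if is_eicar_test_file(data) else "other"
        result[name] = (label, sha256_hex(data))
    return result


# Constructed sample collection (not real malware): a clean EICAR file, two
# legal variants with trailing whitespace, and three objects that look like
# EICAR but are not, the kind of thing found in badly maintained test sets.
SAMPLE_COLLECTION = {
    "eicar.com": EICAR_TEST_STRING,
    "eicar_crlf.txt": EICAR_TEST_STRING + b"\r\n",
    "eicar_padded_128.txt": EICAR_TEST_STRING + b" " * 60,  # exactly 128 bytes, legal
    "eicar_padded_129.txt": EICAR_TEST_STRING + b" " * 61,  # 129 bytes, over the limit
    "eicar_truncated.com": EICAR_TEST_STRING[:60],          # damaged copy
    "eicar_plus_text.txt": EICAR_TEST_STRING + b" hello",   # non-whitespace trailer
}


if __name__ == "__main__":
    for name, (label, digest) in triage_collection(SAMPLE_COLLECTION).items():
        print(f"{name:24} {label:16} {digest}")
```

The point of the script is the negative cases: a copy with a byte lost, or one that a tester has "helpfully" padded beyond 128 bytes or annotated with text, is no longer the EICAR test file, and a scanner that declines to flag it is behaving correctly rather than missing a detection. The same discipline (known origin, known hash, known replication behaviour) is what separates a usable test set from the poorly maintained collections described above.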