When something in your vicinity happens, you know right away if it is good or right. When the traffic light on a busy road is red, you know not to cross and when it is green you can cross, but still be looking around to see if it is safe. With different instances that are close but not identical to the aforementioned event, you still will know what is right or wrong instantly as your brain will adapt to new environments and combines it with previous experiences. Basically your brains apply a logical algorithm to the event, the result combined with common sense – based on experiences – make the decision.
Where we try to mimic this on computers, we call this heuristics. The problem here is that a computer cannot adapt to slightly off predefined events, as for the computer it is rather a black and white decision: something is true or false.
We can however bring some intelligence into the equation for the computer by defining boundaries (thresholds) and define the decisions for within those different boundaries. That is where heuristic start, having the computer take pre-defined actions as if it would be a human brain doing the same.
When applied in the field of computer security, this makes it a bit more difficult. The edge between potentially malicious and not can be a thin line as it depends on the situation, or application. Any application opening all files on a system can be an indexing tool or a malware scanner. But when the application starts to write to specific files? Then the application can still be an anti-malware scanner cleaning a suspicious file but it can also be a malicious application propagating.
When you look at the code as a human, most often, it is rather clear what this application is doing and you will act upon that judgment. Still the above is just one heuristic. Nowadays malware is rather complex and obfuscated. The sequence that makes something malicious may be well hidden inside regular code and dispersed over the application running. It may depend on actions in other processes running. To detect this dynamically, you will need to combine results from different processes that each may be innocent by itself but when combined are malicious.
Creating a sequence of heuristics to detect complex malware is also known as “Advanced Heuristics” and a very powerful way of detecting new malware and threats or modified threats and variants of existing malware. As the sequence of different behaviors have to reach a threshold, a limit that has to be passed to trigger an event, by logic you can assume with a high probability that the examined object is not safe and therefore should be blocked. And where malware authors try to find new ways to take control of your system or to infect your system, the malware scanners get updated advanced heuristic rules to counter that. Over the years, with increasing experience, advanced heuristics have become a powerful and successful tool to prevent malicious actions to be exercised.
Author Righard Zwienenberg, ESET