What is a heuristic virus ?

Heuristic viruses are viruses that have not yet been recorded in the virucidal database, and there is a possibility of misjudgment. Heuristic scanning is the most effective way to detect viruses by analyzing the order in which commands appear, or combinations, to determine whether a file is infected, and each object is examined, but it is also the most likely to have false positives. Moreover, there is no record of this virus in its virus database at the time of the killing, mainly for a variant of a certain virus.

In fact, it is to compare the object file with the virus source code in the virus signature database, and when the matching rate between the two is greater than a certain value (usually this value is small, so it is easy to give false positives), the antivirus software will list it as a suspicious file for further removal. This is known as heuristic antivirus.

Heuristic antivirus.

The difference between a virus and a normal program can be reflected in many aspects, such as: usually an application in the initial instruction, is to check the command line input for parameter items, clear the screen and save the original screen display, etc., while the virus program will not do this, usually its initial instruction is to directly write disk operation, decode instructions, or search for executable programs under a certain path and other related operation instruction sequences. These significant differences can be seen at a glance by a skilled programmer in the debugging state.

Heuristic scanning technology is actually a concrete program that transplants this experience and knowledge into a virus detection software.

Heuristics refer to "the ability for self-discovery" or "the knowledge and skill to use a certain way or method to determine things." "A virus detection software that uses heuristic scanning technology is actually a dynamic allotter or decompiler implemented in a specific way, and through the decompilation of the relevant instruction sequence, the real motive is gradually understood and determined. For example, if a program starts in a sequence like this:

mov ah,5 int,13h,that is, to call the BIOS instruction function of the format disk operation, then this program is highly suspicious and worthy of alarm, especially if this instruction does not have the command line to obtain the parameter options for execution, and does not require the user to interactively input the operation instructions to continue, you can safely assume that this is a virus or malicious destruction program.

Heuristic anti-virus represents the inevitable trend of the development of anti-virus technology in the future, and anti-virus technology with certain artificial intelligence characteristics shows us the possibility of a general-purpose virus detection technology and product that does not need to be upgraded (less expensive or does not depend on upgrading). Due to the powerful advantages that many traditional technologies cannot achieve, they will be widely used and develop rapidly. The application of pure heuristic analysis technology (without any prior research and understanding of the target virus sample) has been able to achieve a virus detection rate of more than 80%, and its false positive rate is easily controlled, which is unimaginable and a qualitative leap for the virus detection software that only uses the traditional feature scanning technology based on the study of known viruses and extracts the "characteristic string".

In today's world where new viruses and variants emerge one after another, and the number of viruses continues to surge, the generation and application of this new technology are of special significance.

Kaspersky's Proactive Defense and Heuristic Antivirus are ahead of other antiviruses in terms of antivirus software.