[KB127] What are Heuristics?


In addition to comparing potential malware against known viruses, all ESET products use heuristics to detect viruses, trojans and other threats. A heuristic is a set of guidelines or rules applied to solve a problem efficiently. In an antivirus context, heuristics are a set of rules used to detect malicious program behavior without needing to uniquely identify the specific threat, as classic signature-based detection requires. The primary advantage of the heuristic-based model is its ability to detect not only variants or modified forms of existing malicious programs, but also new, previously unknown malicious programs. All ESET products use heuristics to detect both known and unknown threats and malware. Two forms of heuristics are used: passive and active.

Passive heuristics

Passive heuristics analyze a potential threat as it is scanned, tracing through the instructions in the program before passing the code to the processor for execution. Passive heuristics look for patterns, routines or program calls that indicate malicious behavior. Though an important tool, passive heuristics alone are only part of the solution, as there is no single action that a malicious program can perform that is not also allowed in a legitimate program. This is why the simultaneous use of active heuristics is important.

Active heuristics

The active heuristic technology used by ESET products creates a virtual computer within the scanning engine that allows the scanner to observe what the program might do if allowed to run on a real computer. This can reveal potentially malicious activities that other detection techniques would not identify.
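The following toy scanner illustrates both passages above: a passive scan that sums weights for API names found anywhere in a program, and an active scan that runs the same program on a tiny virtual machine and records what it actually does. It is an added example written for this article, not ESET's engine: the instruction set, the weights, the behaviour rules, the `self.exe` image name and the two sample programs are all constructed here. The point it makes is the one in the passive-heuristics section: the installer and the self-replicating sample use exactly the same API names, so static scoring alone cannot separate them, while emulation sees that the second one reads its own image and writes it into another executable.

```python
"""Toy illustration of passive (static) and active (emulated) heuristics.
Example code added to this article; not ESET's engine. Everything below
(instruction set, weights, rules, sample programs) is constructed."""

# ---- passive heuristics: static indicators ---------------------------------
# Illustrative weights. Every call listed is also used by legitimate
# software, which is why a single hit never decides on its own.
CALL_WEIGHTS = {
    "CreateFile": 1,
    "WriteFile": 1,
    "RegSetValue": 1,
    "WriteProcessMemory": 3,
    "CreateRemoteThread": 3,
}
PASSIVE_THRESHOLD = 5   # constructed cut-off for the static score


def passive_scan(program):
    """Sum the weights of API calls present anywhere in the program text."""
    score = sum(CALL_WEIGHTS.get(op[1], 0) for op in program if op[0] == "CALL")
    return score, score >= PASSIVE_THRESHOLD


# ---- active heuristics: emulate and watch behaviour -----------------------
SELF_IMAGE = "self.exe"   # assumed name of the file the program was loaded from
AUTORUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"


def emulate(program, max_steps=100):
    """Run a toy program on a virtual machine and return observed behaviours.

    Instructions are tuples: ("CALL", api, *args), ("JMP", target), ("END",).
    CreateFile(handle, path, mode); ReadFile(handle, buffer);
    WriteFile(handle, buffer); RegSetValue(key, value).
    """
    pc, steps = 0, 0
    handles = {}      # handle name -> (path, mode)
    buffers = {}      # buffer name -> path its contents were read from
    behaviours = set()
    while pc < len(program) and steps < max_steps:
        op = program[pc]
        steps += 1
        if op[0] == "END":
            break
        if op[0] == "JMP":
            pc = op[1]
            continue
        api, args = op[1], op[2:]
        if api == "CreateFile":
            handle, path, mode = args
            handles[handle] = (path, mode)
        elif api == "ReadFile":
            handle, buf = args
            buffers[buf] = handles[handle][0]       # taint buffer with its source
        elif api == "WriteFile":
            handle, buf = args
            path, _mode = handles[handle]
            if path.endswith(".exe") and buffers.get(buf) == SELF_IMAGE:
                behaviours.add("copies own image into another executable")
        elif api == "RegSetValue":
            key, _value = args
            if key == AUTORUN_KEY:
                behaviours.add("registers itself to run at startup")
        elif api in ("WriteProcessMemory", "CreateRemoteThread"):
            behaviours.add("writes code into another process")
        pc += 1
    return behaviours


def verdict(program):
    """Flag if either the static score or the observed behaviour is suspicious."""
    _score, static_flag = passive_scan(program)
    return static_flag or bool(emulate(program))


# Constructed sample 1: an installer writing a log and recording its version.
INSTALLER = [
    ("CALL", "CreateFile", "h1", "setup.log", "write"),
    ("CALL", "WriteFile", "h1", "logtext"),
    ("CALL", "RegSetValue", "Software\\ExampleApp\\Version", "1.0"),
    ("END",),
]

# Constructed sample 2: same API names, but it copies its own image over
# another executable and adds a Run key. Only the emulator can tell.
REPLICATOR = [
    ("CALL", "CreateFile", "h1", SELF_IMAGE, "read"),
    ("CALL", "ReadFile", "h1", "buf"),
    ("CALL", "CreateFile", "h2", "victim.exe", "write"),
    ("CALL", "WriteFile", "h2", "buf"),
    ("CALL", "RegSetValue", AUTORUN_KEY, "victim.exe"),
    ("END",),
]

if __name__ == "__main__":
    for name, prog in (("installer", INSTALLER), ("replicator", REPLICATOR)):
        print(name, passive_scan(prog), emulate(prog), verdict(prog))
```

Both samples score below the static threshold (3 and 4), so a passive scan alone clears both; the emulator clears the installer and reports two behaviours for the replicator. Real engines track far more state (memory, threads, network, unpacking) and weigh behaviours against each other rather than flagging on any single one, but the division of labour is the same.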