AVZ heuristics analyzer


An anti-virus application searches for viruses and malicious objects by comparing the objects being analyzed with its database of virus signatures. When detecting a match, the anti-virus can remove the virus. Notably, removal rules and techniques are normally stored in the same database.

 

This database becomes a vulnerable spot of the anti-virus program, because the anti-virus can detect only those viruses that have descriptions in the database. This problem can be partially resolved by a heuristics analyzer, a special anti-virus subsystem that attempts to detect new virus varieties that are not described in the database. Besides viruses, the AVZ heuristics analyzer tries to detect spyware, hijackers, and trojans.

 

The principle of heuristics analyzer operation is based on searching for features characteristic of viruses and spyware (program code fragments, specific registry keys, files and processes). The heuristics analyzer also attempts to assess the similarity of an object to known viruses.

 

A heuristics analyzer that analyzes the entire system, not just individual files on the disk, is the most effective when it comes to detecting spyware, rootkits, and hijackers. The analyzer examines all data in the registry, files on the disk, processes and libraries in memory, TCP and UDP ports being listened on, active services, and loaded drivers.

Heuristic analysis returns a rather high percentage of false positive results. The analyzer can report a suspicious object, but this information has to be checked by virologists. Following the check, the object may be recognized as malicious and included in the database, or a false positive is documented and the heuristics analyzer algorithms are amended accordingly.

 

Most anti-virus applications (AVZ included) let you adjust the sensitivity of the heuristics analyzer. This always involves a trade-off: while the chances of detecting an unknown malicious object increase with sensitivity, higher sensitivity also raises the probability of false positives. This means that you should look for a “golden mean”.

 

The heuristics analyzer has several sensitivity levels and two special modes:

Heuristics analyzer block mode. In this mode, the analyzer is fully disabled. In addition to heuristics analysis sensitivity adjustment, AVZ makes it possible to enable or disable heuristics analysis of the system.
Paranoid mode. In this mode, maximum sensitivity is enabled, and the slightest suspicion triggers a warning. The large number of false positives makes this mode unacceptable. However, it can be useful at times.

 

The main messages of the AVZ heuristics analyzer are as follows:

"File name >>> suspected virus_name (brief details of the object)". This message is displayed when AVZ detects an object resembling a known malicious object. The details in brackets enable the developer to locate the anti-virus database record that triggered this message.
"File name >>> PE with a nonstandard extension". This means that a program file has been detected with a nonstandard extension, other than EXE, DLL, or SYS. While this is not dangerous, many viruses hide their PE files behind PIF and COM extensions. This message is shown at any heuristic sensitivity level for PE files with PIF and COM extensions, and only at maximum heuristic sensitivity level for other files.
"File name >>> Name contains more than 5 spaces". Multiple spaces in the file name are rare. Many viruses use spaces to mask the real extension, creating files with such names as "photo.jpeg               .exe".
"File name >>> Hidden extension detected". This message is shown upon detection of more than 15 spaces in the file name.
"File name >>> File has no visible name". This message is shown for files that do not have a name (that is, their file names look like this: ".exe" or ".pif").
"Process file_name can access the network". This message is displayed for processes that use such libraries as wininet.dll, rasapi32.dll, ws2_32.dll, that is, system libraries that contain functions for accessing the network or controlling the process of dialing a number or establishing a connection. This check is performed only with the heuristics sensitivity level set to maximum. Even though the fact of an application using a network library does not make it malicious, it is still worth paying attention to unfamiliar processes in this list.
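The file-name and extension messages above can be reproduced with a few simple rules, which shows how little a heuristic of this kind actually looks at and why it produces false positives. The following is an added example written for this page, not AVZ's own code: the thresholds (more than 5 and more than 15 spaces), the EXE/DLL/SYS list, and the PIF/COM special case are taken from the text, while the use of the "MZ" header to recognize a PE file, the numeric sensitivity scale (0 disables the analyzer, 3 is maximum), and the decision to report both space-related messages when a name has more than 15 spaces are assumptions. The network-library check for processes is not covered here, since it requires inspecting loaded modules on a live system.

```python
"""File-name heuristics in the spirit of the AVZ messages (illustrative, not AVZ code)."""
import ntpath
from typing import Dict, List, Tuple

# From the text: extensions considered normal for a Windows program file.
STANDARD_PE_EXTENSIONS = {".exe", ".dll", ".sys"}
# From the text: PE files with these extensions are reported at any sensitivity level.
ALWAYS_FLAGGED_PE_EXTENSIONS = {".pif", ".com"}
# Assumption: sensitivity scale 0..3, where 0 is "block mode" and 3 is maximum.
BLOCK_MODE = 0
MAX_SENSITIVITY = 3


def is_pe_file(data: bytes) -> bool:
    """Assumption: a Windows executable starts with the DOS 'MZ' header."""
    return data[:2] == b"MZ"


def split_name(base: str) -> Tuple[str, str]:
    """Split 'stem' and 'extension' so that '.exe' has an empty stem.

    os.path.splitext treats a leading dot as part of the name (dotfile rule),
    which would hide exactly the case the 'no visible name' message is about.
    """
    dot = base.rfind(".")
    if dot == -1:
        return base, ""
    return base[:dot], base[dot:]


def analyze_file(path: str, data: bytes, sensitivity: int = 1) -> List[str]:
    """Return AVZ-style messages for one file given its path and leading bytes."""
    messages: List[str] = []
    if sensitivity <= BLOCK_MODE:          # analyzer fully disabled
        return messages

    base = ntpath.basename(path)           # handles both '\\' and '/' separators
    stem, ext = split_name(base)
    ext = ext.lower()

    # Spaces used to push the real extension out of view (from the text).
    spaces = base.count(" ")
    if spaces > 5:
        messages.append(f"{path} >>> Name contains more than 5 spaces")
    if spaces > 15:                        # assumption: reported in addition to the message above
        messages.append(f"{path} >>> Hidden extension detected")

    # Names such as '.exe' or '.pif' consist of an extension only.
    if stem == "" and ext:
        messages.append(f"{path} >>> File has no visible name")

    # Program file hiding behind a non-program extension.
    if is_pe_file(data) and ext not in STANDARD_PE_EXTENSIONS:
        if ext in ALWAYS_FLAGGED_PE_EXTENSIONS or sensitivity >= MAX_SENSITIVITY:
            messages.append(f"{path} >>> PE with a nonstandard extension")

    return messages


def scan(files: Dict[str, bytes], sensitivity: int = 1) -> Dict[str, List[str]]:
    """Run the heuristics over a mapping of path -> leading bytes; return only hits."""
    results = {}
    for path, data in files.items():
        hits = analyze_file(path, data, sensitivity)
        if hits:
            results[path] = hits
    return results


# Constructed sample inputs (not real files): path -> first bytes of the file.
SAMPLE_FILES: Dict[str, bytes] = {
    r"C:\Users\user\Documents\report.docx": b"PK\x03\x04",
    r"C:\Users\user\Downloads\photo.jpeg" + " " * 8 + ".exe": b"MZ\x90\x00",
    r"C:\Users\user\Downloads\invoice.pdf" + " " * 20 + ".exe": b"MZ\x90\x00",
    r"C:\Windows\Temp\.pif": b"MZ\x90\x00",
    r"C:\Windows\Temp\screensaver.scr": b"MZ\x90\x00",
    r"C:\Windows\System32\ntdll.dll": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for level in (1, MAX_SENSITIVITY):
        print(f"--- sensitivity {level} ---")
        for path, hits in scan(SAMPLE_FILES, level).items():
            for hit in hits:
                print(hit)
```

Running the block at sensitivity 1 reports the two spaced names and the `.pif` file; only at maximum sensitivity does `screensaver.scr` appear as well, which mirrors the text's point that raising sensitivity widens detection at the cost of more benign hits to review (a legitimate screensaver is a PE with a non-EXE extension).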

 

The message can be followed by a number representing the degree of danger in percentage points. You should pay special attention to files with a danger level of more than 30.