I recently received a few questions about heuristics and thought the answers may be of broader interest than just to the person asking.
1- What is the difference between the detection by generic signatures and passive heuristic? Aren't they the same?
2- In this thread: http://www.wilderssecurity.com/showthread.php?t=261904 I can't understand Marcos's replay: 'it's heuristic detection coupled with generic signatures that are based on the results of emulation by advanced heuristics' !!
How do generic signatures base on the results of the advanced heuristics emulation?! Aren't they two separate techniques? Could you plz simplify this point ?
The answers…
1) Generic signatures measure how similar a threat is to something we already know. Passive heuristics attempt to determine if the file will do something harmful if it is allowed to execute. If you know what a dog looks like, then you can identify an animal as a dog even if you have never seen that breed before. This is kind of how generic signatures work. Now, if there is an animal you have never, ever seen before you might try to determine if it is dangerous by looking for things like claws and sharp teeth, and the size of the animal. This is an analogy for passive heuristics. The two approaches are quite different.
2) When programs are encrypted the advanced heuristics can sometimes be used to force the program to decrypt itself, then in addition to advanced heuristic techniques, both generic signatures and passive heuristics can be used to analyze the decrypted file.
The use of one heuristic approach does not preclude the use of other heuristic approaches as well.
Randy Abrams
Director of Technical Education
