Heuristic analyzer in Kaspersky Lab products versions 7.0 and 2009
Article ID: 1762. Last modified on 2009 Jun 03 11:11.

Applies to:
  • Kaspersky Internet Security 7.0/2009
  • Kaspersky Anti-Virus 7.0/2009

A heuristic analyzer (or simply, a heuristic) is a program that analyzes the code of an object and uses indirect methods to determine whether it is malicious. Unlike the signature-based method, a heuristic can detect both known and unknown viruses (i.e., those created later than the heuristic itself).

An analyzer usually begins by scanning the code for suspicious attributes (commands) characteristic of malicious programs. This method is called static analysis. For example, many malicious programs search for executable programs, open the files found and modify them. A heuristic examines an application's code and increases its "suspiciousness counter" for that application each time it encounters a suspicious command. If the value of the counter after examining the entire code of the application exceeds a predefined threshold, the object is considered suspicious.

The advantages of this method include ease of implementation and high performance. However, the detection rate for new malicious code is low, while the false positive rate is high.
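As an added illustration (not code from the article or from Kaspersky's products), a toy static heuristic of the kind described above: suspicious commands are modelled as Win32 API call names, each rule carries a constructed weight, the article's file-infector pattern (search for executables, open what was found, modify it) earns an extra bonus, and the object is flagged once the counter reaches a threshold. The weights, threshold and sample call sequences are all made up for the example.

```python
from typing import Sequence

# Constructed rule table (illustrative weights, not Kaspersky's real rules):
# each suspicious command adds its weight to the suspiciousness counter.
COMMAND_WEIGHTS = {
    "FindFirstFile": 1,       # searching the disk for files
    "CreateFile": 1,          # opening the files that were found
    "WriteFile": 2,           # modifying them
    "VirtualProtect": 3,      # turning a data region executable
    "WriteProcessMemory": 4,  # writing into another process
    "CreateRemoteThread": 4,
}
# The file-infector pattern from the article: search for executables, open
# what was found, then write to it. Matching the whole ordered pattern adds a
# bonus on top of the per-command weights.
INFECTOR_PATTERN = ("FindFirstFile *.exe", "CreateFile", "WriteFile")
INFECTOR_BONUS = 4
THRESHOLD = 7  # counter >= THRESHOLD -> object is considered suspicious


def contains_in_order(commands: Sequence[str], pattern: Sequence[str]) -> bool:
    """True if every pattern step occurs in commands in the given order
    (not necessarily adjacent); steps are compared as 'mnemonic operand' text."""
    remaining = iter(commands)
    return all(any(cmd == step for cmd in remaining) for step in pattern)


def suspiciousness(commands: Sequence[str]) -> int:
    """Static analysis: one pass over the code, summing the weights of
    suspicious commands, plus the bonus if the infector pattern is present."""
    counter = sum(COMMAND_WEIGHTS.get(cmd.split()[0], 0) for cmd in commands)
    if contains_in_order(commands, INFECTOR_PATTERN):
        counter += INFECTOR_BONUS
    return counter


def verdict(commands: Sequence[str], threshold: int = THRESHOLD) -> str:
    return "suspicious" if suspiciousness(commands) >= threshold else "clean"


# Constructed call sequences standing in for the disassembled code of four programs.
INFECTOR = ["FindFirstFile *.exe", "CreateFile", "WriteFile", "FindNextFile"]
INJECTOR = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]
BACKUP_TOOL = ["FindFirstFile *.exe", "CreateFile", "ReadFile", "CreateFile", "WriteFile"]
EDITOR = ["CreateFile", "ReadFile", "MessageBox"]

if __name__ == "__main__":
    for name, code in [("infector", INFECTOR), ("injector", INJECTOR),
                       ("backup tool", BACKUP_TOOL), ("editor", EDITOR)]:
        print(f"{name:12s} counter={suspiciousness(code):2d} -> {verdict(code)}")
```

The constructed backup tool scores as high as the infector, because from a static view copying executables and infecting them look alike; that is the false-positive problem the paragraph above attributes to purely static analysis, and it is what the dynamic method is meant to resolve.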

Thus, in today's antivirus programs, static analysis is used in combination with dynamic analysis. The idea behind this combined approach is to emulate the execution of an application in a secure virtual environment (also called an emulation buffer or "sandbox") before it actually runs on the user's computer. In their marketing materials, vendors also use another term for this: "virtual PC emulation".

A dynamic heuristic analyzer copies part of an application's code into the emulation buffer of the antivirus program and uses special "tricks" to emulate its execution. If any suspicious actions are detected during this "quasi-execution", the object is considered malicious and its execution on the computer is blocked.

The dynamic method requires significantly more system resources than the static method, because it relies on a protected virtual environment, and the launch of an application on the computer is delayed by the time needed to complete the analysis. At the same time, the dynamic method offers much higher malware detection rates than the static method, with much lower false positive rates.

The following improvements have been added to the Heuristic analyzer in Kaspersky Lab's products version 2009:

  • the ability to create generic behavior signatures covering variants of the same malware
  • calculation of a software "danger rating" using heuristic rules
  • hardware acceleration of emulation (safe execution of code regions directly on the processor)

One of the main advantages of the Heuristic analyzer in Kaspersky Lab's products versions 7.0 and 2009 is a common heuristic engine that works both on the data produced by emulation and in the Proactive Defense module.


    Copyright © 1997 - 2009 Kaspersky Lab