
Heuristics are dead?

Some people in the security industry may be baffled by a video presented by Richard Steinnon with Amrit Williams, Martin McKeay and Mike Murray.

The discussion goes along predictably, with some good points (for example, that whitelisting isn't practical), but at the 17:45 mark the odd statement is made that heuristics and behavioral detections don't work.

This statement directly contradicts fact.

Many of the leading AV engines, in fact, rely heavily on generic detections and heuristics (Sophos, Avira and Symantec come to mind, and ESET is one of the great users of heuristics). Go ahead and grab a piece of malware, submit it to Virustotal, and see how many of the detections are names like "trojan.gen", "delphi.gen", "troj.heur.downloader" or "trojan.packed.gen". Those are generic or heuristic detections, and there are a lot of them.

As far as I’m concerned, just about the only thing an AV company can do these days is to lean heavily on heuristics or behavioral detections. When you’re processing over 30,000 pieces of malware daily, there’s not much choice.
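To make concrete what a "generic" or heuristic detection is, here is an added Python example; it is not code from Sunbelt or from any of the engines named above. It builds three constructed stand-in samples of one toy family, repacked the way the Storm worm was, and runs each through three layers: an exact SHA-256 signature, a generic signature with wildcarded immediates (a "trojan.packed.gen"-style detection), and an entropy-based heuristic. The family, the stub bytes, the detection names, the score weights and the threshold are all assumptions made up for the illustration.

```python
"""Toy illustration of three detection layers an AV engine stacks:
exact hash signatures, generic (wildcarded) byte signatures and a
feature-based heuristic. Every sample here is a constructed stand-in."""
import hashlib
import math
from typing import Optional

# --- constructed samples (assumed layout: 2-byte header, 12-byte stub, body)
HEADER = b"MZ"
STUB_LEN = 12


def packed_body(seed: int) -> bytes:
    # A permutation of 0..255 stands in for a packed/encrypted section:
    # every byte value appears once, so its Shannon entropy is exactly 8 bits.
    k = 2 * seed + 1                      # odd multiplier => bijection mod 256
    return bytes((i * k) & 0xFF for i in range(256))


def build_sample(seed: int, getpc_stub: bool = True) -> bytes:
    """Simulate one 'repack': same family, different immediates and body."""
    if getpc_stub:
        # call $+5 / pop ebx / sub ebx, imm32: the delta-offset idiom
        # packers use to locate themselves; only the immediates change.
        stub = (b"\xe8" + seed.to_bytes(4, "little")
                + b"\x5b\x81\xeb" + (seed * 0x1000).to_bytes(4, "little"))
    else:
        stub = b"\x90" * STUB_LEN          # a different packer, no GetPC stub
    return HEADER + stub + packed_body(seed)


BENIGN = HEADER + b"\x90" * STUB_LEN + b"Hello, world. " * 20  # constructed


# --- layer 1: exact signature (one hash per variant, needs a name each)
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- layer 2: generic signature (None = wildcard byte)
GENERIC_SIGS = {
    # e8 ?? ?? ?? ?? 5b 81 eb ?? ?? ?? ??   immediates vary per repack
    "trojan.packed.gen": [0xE8, None, None, None, None, 0x5B, 0x81, 0xEB,
                          None, None, None, None],
}


def match_pattern(data: bytes, pattern: list) -> bool:
    """Naive O(n*m) scan; a real engine compiles patterns into an automaton."""
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pattern)):
            return True
    return False


# --- layer 3: heuristic (weak indicators summed against a threshold)
def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    ent = 0.0
    for c in counts:
        if c:
            p = c / len(data)
            ent -= p * math.log2(p)
    return ent


HEUR_THRESHOLD = 3                        # assumed weights and threshold


def heuristic_score(data: bytes) -> int:
    score = 0
    body = data[len(HEADER) + STUB_LEN:]
    if shannon_entropy(body) >= 7.0:
        score += 3                        # packed/encrypted-looking section
    if match_pattern(data, GENERIC_SIGS["trojan.packed.gen"]):
        score += 2                        # self-locating unpacker stub
    return score


def classify(data: bytes, known_hashes: dict) -> Optional[str]:
    """Exact name first, then family-level generic, then heuristic, else clean."""
    h = sha256_hex(data)
    if h in known_hashes:
        return known_hashes[h]
    for name, pat in GENERIC_SIGS.items():
        if match_pattern(data, pat):
            return name
    if heuristic_score(data) >= HEUR_THRESHOLD:
        return "heur.packed"
    return None


def demo() -> dict:
    a = build_sample(1)                        # the one the lab saw and named
    b = build_sample(2)                        # repacked five minutes later
    c = build_sample(3, getpc_stub=False)      # repacked with another packer
    known = {sha256_hex(a): "trojan.downloader.a"}
    return {label: classify(s, known)
            for label, s in [("a", a), ("b", b), ("c", c), ("benign", BENIGN)]}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:7s} -> {verdict}")
```

Running demo() shows the layering: only the sample the lab has already seen gets its exact name, the repack with changed immediates falls through to the generic signature, the repack with a different packer (which shares no byte pattern at all) is caught only by the entropy heuristic, and the benign blob triggers nothing. That last case is the one to watch when tuning weights and thresholds, since heuristics buy coverage of unseen variants at the price of false-positive risk.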

We’re certainly pushing in that direction. As an example, some preliminary test results of our upcoming MX-V virtualization technology (which is almost purely behavioral) are showing detections of almost a quarter of our entire malware repository. That’s pretty powerful, and this is a behavioral system. There are no significant issues with false positives, either.

Similarly lambasted in the video is Host Intrusion Prevention (HIPS). Well, it’s not very relevant in a 64-bit world, but in a 32-bit world one thing HIPS can do is block an attempt by an application to write to a place in memory where it’s not supposed to (a buffer overflow). Seems like a good idea to me. The same goes for IDS, which relies on rules that are the writer’s best approximation of a means to detect a certain type of network event.

As my good friend Randy Abrams over at ESET said:

A battle for the industry is that customers want names for the things that are detected. It isn’t feasible anymore to maintain names for all of the threats. The entire industry has been forced to adopt heuristic approaches that preclude naming each threat…In many cases heuristics are being called signatures. Generic signatures are a type of heuristic and are used with reasonably good success. When the Storm worm was at its peak it was being dynamically repackaged every 5 minutes. Generic signatures were able to protect against these threats without the need for a unique signature for each variant.

I invite the curious to spend some time in an AV lab. Fair warning, however: as with legislation and sausages, you might not want to watch the process.

Alex Eckelberry

Alex is a technology CEO, with leadership, operating partner, investor, and board member roles at security firms including AutoLoop, Borland, Quarterdeck (now Symantec and Cisco WebEx), GFI/TeamViewer, Sunbelt Software (now ThreatTrack Security), BlueStripe Software, StopBadware, Knowbe4, Malwarebytes, and Runaware Holding AB. When CEO of Sunbelt he ran a security blog, and he still writes on security.