Understanding heuristic-based scanning vs. sandboxing.

Author:Cade, Curtis

Most people who work in the anti-malware industry are familiar with signature-based detection, where if a file is determined to be malicious, a signature is written so anti-malware programs are able to detect that file or component in the future. The threat landscape is challenging for signature-based detection with an ever-increasing number of threats and the shortened duration time for the effectiveness of a single signature variation.

Because of these difficulties, complements to signature-based detection, such as heuristic-based scanning, sandboxing and/or multi-scanning (scanning for threats with multiple anti-malware engines) are needed to more effectively address modern risks. In this feature, we look at the pros and cons of both heuristic-based scanning, which is used alongside signature-based detection in multi-scanning solutions to increase detection rates, and sandboxing.

Introduction to Heuristic-based Scanning

As opposed to signature-based scanning, which looks to match signatures found in files with that of a database of known malware, heuristic scanning uses rules and/or algorithms to look for commands which may indicate malicious intent. By using this method, some heuristic scanning methods are able to detect malware without needing a signature. This is why most antivirus programs use both signature and heuristic-based methods in combination, in order to catch any malware that may try to evade detection.

Benefits of Heuristic Scanning

* Heuristic scanning is usually much faster than sandboxing because it does not execute the file and then wait to record its behavior, with the exception of some emulation-based techniques.

* Vendors can change the rules in their heuristic engines with their daily update packages based on new threat vectors without the details being known to malicious actors.

* Does not give away details on how malware is flagged (unlike sandboxing), so malware authors will not be aware of what they need to change in order to evade detection.

* Heuristic scanning is able to detect malware that can evade sandbox detection through blind spots targeted by malware authors.

Limitations of Heuristic Scanning

* When scanning a sample, the information found is generally limited to the threat name.

* Because the engines are looking for specific pieces of code which indicate a malicious action, it can lead to two possible limitations:

** If the vendor has not built detection for a particular action, then the malware will...

To continue reading