The other meaning applied to the term heuristics is the one that I prefer. To understand this alternate interpretation,...
start out by thinking of normal signature-based detection, in which an antimalware tool detects a malicious program by matching a signature with the bits in the malware's file or running memory image. That's strict signature matching.
Heuristics, as I like to use the term, refers to a technology that uses "fuzzy signatures." That is, instead of matching the malware file exactly, the heuristics engine looks for piece-parts of the file that are known to be evil. Because malware authors often reuse components of previous malware specimens (reusing code is just as economical for the bad guys as it is for us), the technology has a chance of detecting those pieces. Today's heuristic detection capabilities are quite impressive, spotting malware based on small snippets of files, processes, registry key names and values, and a myriad of other items of known malware.
Now, back to your question: how can you judge heuristics, or behavior-based, antimalware functionality? One of the difficulties here is isolating strict signature-based, behavior-based and heuristics-based detection from each other. Most antivirus tools do not give users the configuration option to turn detection functions on or off, one by one. It's an all-or-nothing proposition; you've enabled the tools defenses in totality, or you have not.
It is difficult to isolate behavior-based detection so that it doesn't inadvertently interfere with signature or heuristics detection. In our own research at Intelguardians, we created a spyware-like tool called Spycar. Released publicly for free in May 2006, Spycar is entirely benign, but it mimics some spyware functions. Spycar can help get a feel for whether a given antivirus tool protects against common spyware behaviors, like the altering of Run registry keys or the changing of a host's file.
Keep in mind, though, that most antivirus vendors have since created signatures for Spycar. Because it is now snagged on a signature, it is not able to test behavior-based defenses. So, you could either write your own Spycar-like tool, or wait for Spycar 2 to be released later this year. Spycar 2 models a whole bunch of new spyware behaviors and bundles them in interesting packages. Intelguardians will release this and other new testing tools late in 2007.
If you didn't mean behavior-based defenses, but instead use the term "heuristics" like I do, meaning "fuzzy" signatures, you can use the test of time to evaluate the technology. Set up the antivirus tool and get its signatures completely up to date. Then, wait three months or so and let the bad guys innovate. After that time has passed, gather a zoo of malware, picking from the specimens that attackers have so graciously contributed to your antispam filter or finding items elsewhere (offensivecomputing.net has a bunch of specimens as well). Then see how well your tool's old signatures match up with the new set of malware. Such an experiment is a rough measure and a useful comparison method when testing the heuristic capabilities of antimalware tools. The only downside is that an effective test requires a time lag.
Related Q&A from Ed Skoudis
At Black Hat 2006, researcher Joanna Rutkowska unveiled a piece of machine-based malware called the Blue Pill. But is it a serious threat to your ...continue reading
Wi-Fi on airplanes seems like it will be unavoidable in the future, but what security risks does it pose? In this security threats expert response, ...continue reading
There are some rare forms of malware that antivirus software doesn't pick up on, but there are some good tools to remove all sorts of malware.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.