
Can an antivirus program's behavior-based functions be judged?

Most antivirus tools do not give users the configuration option to turn specific detection functions on or off, making it difficult to judge the accuracy of a program's behavior-based technology. In this expert Q&A, Ed Skoudis explains the best ways to judge performance.

How can I personally judge an antivirus program's heuristic capabilities?
The term "heuristics" gets thrown around a lot in relation to antivirus programs, and it means different things to different people. Some folks use the word to describe behavior-based detection, which involves finding malware based on what it does while it runs. I personally don't use heuristics to describe behavior-based detection because I think that term muddies the water. I like to refer to behavior-based detection by the very subtle phrase: "behavior-based detection."

The other meaning applied to the term heuristics is the one that I prefer. To understand this alternate interpretation, start out by thinking of normal signature-based detection, in which an antimalware tool detects a malicious program by matching a signature with the bits in the malware's file or running memory image. That's strict signature matching.

Heuristics, as I like to use the term, refers to a technology that uses "fuzzy signatures." That is, instead of matching the malware file exactly, the heuristics engine looks for piece-parts of the file that are known to be evil. Because malware authors often reuse components of previous malware specimens (reusing code is just as economical for the bad guys as it is for us), the technology has a chance of detecting those pieces. Today's heuristic detection capabilities are quite impressive, spotting malware based on small snippets of files, processes, registry key names and values, and a myriad of other items of known malware.

Now, back to your question: how can you judge heuristic or behavior-based antimalware functionality? One of the difficulties here is isolating strict signature-based, behavior-based and heuristics-based detection from each other. Most antivirus tools do not give users the configuration option to turn detection functions on or off, one by one. It's an all-or-nothing proposition; you've enabled the tool's defenses in totality, or you have not.

It is difficult to isolate behavior-based detection so that it doesn't inadvertently interfere with signature or heuristics detection. In our own research at Intelguardians, we created a spyware-like tool called Spycar. Released publicly for free in May 2006, Spycar is entirely benign, but it mimics some spyware functions. Spycar can help get a feel for whether a given antivirus tool protects against common spyware behaviors, like the altering of Run registry keys or the changing of the hosts file.

Keep in mind, though, that most antivirus vendors have since created signatures for Spycar. Because it is now snagged on a signature, it is not able to test behavior-based defenses. So, you could either write your own Spycar-like tool, or wait for Spycar 2 to be released later this year. Spycar 2 models a whole bunch of new spyware behaviors and bundles them in interesting packages. Intelguardians will release this and other new testing tools late in 2007.

If you didn't mean behavior-based defenses, but instead use the term "heuristics" like I do, meaning "fuzzy" signatures, you can use the test of time to evaluate the technology. Set up the antivirus tool and get its signatures completely up to date. Then, wait three months or so and let the bad guys innovate. After that time has passed, gather a zoo of malware, picking from the specimens that attackers have so graciously contributed to your antispam filter or finding items elsewhere (offensivecomputing.net has a bunch of specimens as well). Then see how well your tool's old signatures match up with the new set of malware. Such an experiment is a rough measure and a useful comparison method when testing the heuristic capabilities of antimalware tools. The only downside is that an effective test requires a time lag.
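The two ideas above, "fuzzy" signatures built from reused components and the time-lag test of an aged signature set, can be made concrete with a small simulation. The following is an added example written for this page, not code from Ed Skoudis, Intelguardians or any antivirus vendor. Every "specimen" is a constructed byte string whose ALL-CAPS tokens stand in for reusable code components; the fragment names, the `min_hits` threshold and the 90-day zoo are assumptions chosen to illustrate the argument, and the example goes slightly beyond the text by also counting false positives on a benign file that shares one component with known malware.

```python
import hashlib

# Constructed stand-ins for file contents as they existed at signature time T0.
# The ALL-CAPS tokens represent code components a malware author might reuse;
# none of this is real malware.
OLD_SPECIMENS = {
    "old_dropper":   b"MZ..." + b"PERSIST-RUNKEY|C2-BEACON-V1|PACKER-STUB-A",
    "old_keylogger": b"MZ..." + b"INPUT-HOOK-X|C2-BEACON-V1|PACKER-STUB-B",
    "old_adware":    b"MZ..." + b"HOSTS-REWRITE|AD-INJECT-1|PACKER-STUB-A",
}

# "Fuzzy" signatures: fragments pulled (by hand, here) from the old specimens.
# Assumed names; a real engine would carry many more and weight them.
FRAGMENTS = {
    b"PERSIST-RUNKEY": "run-key persistence routine",
    b"C2-BEACON-V1":   "beacon routine, version 1",
    b"INPUT-HOOK-X":   "input hook routine",
    b"HOSTS-REWRITE":  "hosts file rewriter",
    b"PACKER-STUB-A":  "packer stub A (also used by legitimate installers)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_strict_db(specimens):
    """Strict signature database: one whole-file hash per known specimen."""
    return {sha256_hex(content) for content in specimens.values()}


def strict_match(sample: bytes, strict_db) -> bool:
    """Strict matching: the file must be bit-for-bit identical to a known one."""
    return sha256_hex(sample) in strict_db


def fuzzy_match(sample: bytes, fragments, min_hits: int = 2):
    """Fuzzy matching: list the known fragments present in the sample, but only
    flag it when at least min_hits distinct fragments appear.  A single shared
    component (e.g. a packer stub) is weak evidence on its own."""
    hits = [name for frag, name in fragments.items() if frag in sample]
    return hits if len(hits) >= min_hits else []


# Zoo gathered 90 days after T0 (constructed).  The third field marks whether
# the analyst has confirmed the file as malicious.
NEW_ZOO = [
    ("old_dropper_again", OLD_SPECIMENS["old_dropper"], True),            # unchanged
    ("dropper_v2",   b"MZ..." + b"PERSIST-RUNKEY|C2-BEACON-V1|PACKER-STUB-C", True),
    ("adware_v2",    b"MZ..." + b"HOSTS-REWRITE|AD-INJECT-2|PACKER-STUB-A", True),
    ("new_family",   b"MZ..." + b"LOADER-Z|C2-BEACON-V2|PACKER-STUB-D", True),
    ("vendor_setup", b"MZ..." + b"INSTALL-WIZARD|PACKER-STUB-A", False),   # benign
]


def evaluate(zoo, strict_db, fragments, min_hits: int = 2):
    """Time-lag test: run the frozen T0 signatures over the later zoo and count
    how many confirmed-malicious files each method catches, plus how many
    benign files the fuzzy engine wrongly flags."""
    result = {"malicious": 0, "strict_detected": 0, "fuzzy_detected": 0,
              "false_positives": 0, "fuzzy_hits": {}}
    for name, data, is_malicious in zoo:
        strict = strict_match(data, strict_db)
        fuzzy = fuzzy_match(data, fragments, min_hits)
        if fuzzy:
            result["fuzzy_hits"][name] = fuzzy
        if is_malicious:
            result["malicious"] += 1
            result["strict_detected"] += int(strict)
            result["fuzzy_detected"] += int(bool(fuzzy))
        elif strict or fuzzy:
            result["false_positives"] += 1
    return result


if __name__ == "__main__":
    db = build_strict_db(OLD_SPECIMENS)
    for threshold in (2, 1):
        r = evaluate(NEW_ZOO, db, FRAGMENTS, min_hits=threshold)
        print(f"min_hits={threshold}: strict {r['strict_detected']}/{r['malicious']}, "
              f"fuzzy {r['fuzzy_detected']}/{r['malicious']}, "
              f"false positives {r['false_positives']}")
        for name, hits in r["fuzzy_hits"].items():
            print(f"  {name}: {', '.join(hits)}")
```

With the threshold at two fragments, the frozen strict signatures catch only the unchanged specimen (1 of 4), the fuzzy signatures catch the two variants that reused old components as well (3 of 4), the wholly new family escapes both, and the benign installer is left alone. Dropping the threshold to one fragment changes nothing on the malicious side but turns the shared packer stub into a false positive, which is the trade-off a real heuristics engine has to tune and the reason a zoo used for this kind of comparison should include known-good files, not just malware.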

More information:

  • Learn how heuristics can detect polymorphic viruses.
  • Find out how to achieve network security with tomorrow's antivirus tools.

This was last published in July 2007.
