Each time a new virus is discovered, anti-virus vendors release a signature update for that virus. Those signatures are basically snippets of code extracted from the actual virus and enable anti-virus scanners to detect malicious programs. If a file contains code that matches a signature, then there is a very good chance that that file contains a virus.
Simple signature-based detection is an effective and computationally efficient method to detect viruses, but it does have a couple of shortcomings. Firstly, viruses are becoming increasingly sophisticated and use polymorphism (automatic mutation) and other concealment techniques, such as encryption, to evade detection. Secondly, there is always a gap between the time that a virus is discovered and the time that the vendors release a signature – and this gap represents a window of risk during which systems remain vulnerable.
Heuristic detection is intended to overcome these shortcomings. Heuristic scanners work by detecting virus-like behaviour. Because viruses tend to perform certain actions that legitimate programs do not, they can usually be identified by those actions. For example, many viruses attempt to alter the Hosts file. This is a Windows file that maps web addresses to IP numbers and by altering it a virus can direct a person to an unexpected website (entering www.paypal.com into the address bar will result in the user being taken to www.scam.com instead). Few legitimate programs attempt to alter the Hosts file and so, if a program does perform this action, it’s a fair bet that it’s malicious.
In order to establish what actions a program will perform, most heuristic scanners use a sandboxed virtual machine. When a user attempts to start a program, it is temporarily prevented from starting while the scanner launches it inside the virtual machine. If no virus-like behaviour is observed, the program is allowed to start normally; if, however, virus-like behaviour is observed, then the user is informed and asked whether the file is to be cleaned, deleted or quarantined.
Because heuristic scanners look at behaviour, they’re able to detect new and emerging viruses for which a signature has yet to be released and are immune to the techniques that can enable viruses to evade detection by signature-based scanners. That’s the upside. The downside is that heuristics is an inexact science and so some incidents of misidentification are inevitable – not all malicious programs will be detected and sometimes a legitimate program will be incorrectly identified as malicious. Furthermore, heuristic scanning can be computationally intensive and, resultantly, slow a computer’s operations.
Despite its shortcomings, heuristic scanning is essential in order to protect against today’s rapidly evolving threats. Most anti-virus products include a heuristic scanner, but their capabilities vary enormously. To see a comparison of various products effectiveness, check out the proactive/retrospective tests performed by Anti-Malware Test Lab and AV Comparatives.