There are two broad ways an anti-malware engine can decide that a file, or a stream of traffic, is malicious:
- Signature based: the engine has been given samples (hashes or byte patterns) of code taken from known malicious software and matches objects against them
- Heuristic based: the engine has been given rules describing what malicious software typically does, and scores an object on how many of those behaviours it exhibits
Imagine a doorman at the local night club. He has been told not to let in specific people: John, Bob and Sam are troublemakers, but everyone else can get through. This is signature based matching. The problem with this method is that any new troublemaker the doorman has not been told about walks through the door without being challenged; in malware terms, a sample whose signature is not yet in the database goes undetected, and that includes trivially modified variants of known malware.
Now imagine a doorman who sizes up each client on the way in and scores them accordingly. The client may have been drinking too much, may not be dressed appropriately, or may be generally aggressive or abusive. These are all patterns of bad behaviour which a doorman can recognise and score, and he decides on the spot whether or not to let them in. This is heuristic based pattern matching as a malware detection platform performs it: no list of known faces is needed, but the scoring can also turn away a harmless client who merely looks the part.
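To make the doorman analogy concrete, here is a toy scanner that runs both approaches side by side. It is an added example, not code from the original post or from any vendor's engine: the signature database, the heuristic rules, their weights, the alert threshold and every sample byte string are constructed for illustration (none of the samples is real malware). It shows the two failure modes the analogy describes: a modified variant slipping past the signature check, and a harmless packed installer tripping the heuristic score.

```python
"""Toy signature vs heuristic malware scanner (added example, not from the post).

Signature matching compares a sample against known-bad hashes and byte patterns.
Heuristic scoring counts suspicious traits, like the doorman noticing 'drunk,
badly dressed, aggressive', and alerts when the total crosses a threshold.
All samples, rules and weights below are constructed for illustration.
"""
import hashlib
import math
import re


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# A 'known' sample the vendor has already analysed (constructed, not real).
KNOWN_SAMPLE = (b"MZ... CreateRemoteThread WriteProcessMemory VirtualAllocEx "
                b"http://evil.example/dl.exe cmd.exe /c del *.log")

# Signature database: a full-file hash plus one byte pattern lifted from the sample.
SIGNATURES = {
    "sha256": {hashlib.sha256(KNOWN_SAMPLE).hexdigest()},
    "patterns": [b"http://evil.example/dl.exe"],
}

# Heuristic rules: (trait, weight, test). Weights and threshold are assumptions.
HEURISTICS = [
    ("process injection API pair", 3,
     lambda d: b"CreateRemoteThread" in d and b"WriteProcessMemory" in d),
    ("URL pointing at an executable", 2,
     lambda d: re.search(rb"https?://[^\s]+\.(exe|dll|scr)\b", d) is not None),
    ("shell command", 2,
     lambda d: b"cmd.exe /c" in d or b"powershell -enc" in d),
    ("high entropy (packed or encrypted)", 2,
     lambda d: shannon_entropy(d) > 7.2),
]
THRESHOLD = 4


def signature_scan(data: bytes) -> bool:
    """Signature based: true only for a sample already in the database."""
    if hashlib.sha256(data).hexdigest() in SIGNATURES["sha256"]:
        return True
    return any(pattern in data for pattern in SIGNATURES["patterns"])


def heuristic_scan(data: bytes) -> tuple:
    """Heuristic based: return (score, list of traits that fired)."""
    score, hits = 0, []
    for trait, weight, test in HEURISTICS:
        if test(data):
            score += weight
            hits.append(trait)
    return score, hits


def verdict(data: bytes) -> dict:
    """Run both engines over one sample and report what each decided."""
    score, hits = heuristic_scan(data)
    return {
        "signature": signature_scan(data),
        "score": score,
        "hits": hits,
        "heuristic": score >= THRESHOLD,
    }


# Constructed test samples.
# Same behaviour as KNOWN_SAMPLE, but the download URL was changed: new hash, no pattern hit.
VARIANT = KNOWN_SAMPLE.replace(b"dl.exe", b"update.exe")
# A boring program that reads a config file and prints a report.
BENIGN = b"MZ... reads config.ini, prints a report, exits"
# A legitimate but packed installer (uniform byte distribution) that spawns cmd.exe.
PACKED_INSTALLER = bytes(range(256)) * 2 + b"cmd.exe /c"

if __name__ == "__main__":
    for name, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT),
                         ("benign", BENIGN), ("packed installer", PACKED_INSTALLER)]:
        print(f"{name:17s} {verdict(sample)}")
```

Running it shows the trade-off in one table: the signature engine catches only the exact known sample and misses the one-byte-string variant, while the heuristic engine catches both but also flags the packed installer, which is the false positive an analyst would have to tune out or triage.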
Whilst signature based malware detection has been the standard for many years, heuristics in theory can surpass it, and some argue it could replace signatures entirely. Because a heuristic engine does not need to have seen a sample before, it can halt zero day attacks (attacks the vendor is unaware of, or has not yet patched or written a signature for), which makes it a far more responsive and flexible tool for defending an endpoint. In practice the two are layered rather than swapped: signatures are cheap and precise, while heuristics catch the unknown at the cost of false positives that have to be tuned and triaged. Nor is this limited to endpoints; it now applies to network edge defence as well.
With the rise of NGFW (Next Generation Firewall) and UTM (Unified Threat Management) devices, heuristic based malware protection can be applied to traffic before it reaches the internal hosts on your network. Fortinet's FortiGate is a prime example, with the services bundled into one device. Alternatives include solutions from Check Point, Cisco and Juniper, at the expense of extra equipment, licences and, in some cases, lower throughput. One caveat applies to all of them: the device can only inspect the payload of TLS-encrypted traffic if it is configured to intercept and decrypt it, which brings its own certificate trust and privacy considerations.