So, I have a malware installer that, when scanned by Spybot as an individual file, yields some interesting results. The malware scan part indicates nothing was found, but the heuristic part reports a threat being found. Cool. To make sure the heuristic part wasn't reporting something erroneously, I renamed the executable file and performed the single-file scan again.
This time, the malware part indicated nothing was found and the heuristic part also reported nothing being found.
Clearly, in this case the name of the executable was factored in during the heuristic analysis.
My question: how does the Spybot heuristic analysis work, and why was the file name the only apparent criterion used to identify the file as being malware?
I have since sent the file in for analysis and hopefully updating of the Spybot database.
Thanks!
Peace...