
Thread: Question about Spybot's heuristic analysis

  1. #1
    Member (joined Dec 2007, 54 posts)

    Question about Spybot's heuristic analysis

    So, I have a malware installer that when scanned by Spybot as an individual file, yields some interesting results. The malware scan part indicates nothing was found but the heuristic part reports a threat being found. Cool. To make sure the heuristic part wasn't reporting something erroneously, I renamed the executable file and performed the single file scan again.

    This time, the malware part indicated nothing was found and the heuristic part also reported nothing being found.

    Clearly, in this case the name of the executable was factored in during the heuristic analysis.

    My question: how does the Spybot heuristic analysis work and why was the file name the only apparent criteria used to identify the file as being malware?

    I have since sent the file in for analysis and hopefully updating of the Spybot database.

    Thanks!

    Peace...

  2. #2
    Senior Member, Germany (joined Oct 2005, 5,263 posts)

    Hello,

    Heuristics describes methods of file detection other than the classic methods, which use attributes such as filename, file size, hashes, digital signatures and versioning information. Our heuristics go deeper into a file and try to determine its function by reading the actual file contents, or parts of it, and checking them for certain patterns.

    Best regards
    Sandra
    Team Spybot

  3. #3
    Member (joined Dec 2007, 54 posts)

    Quote Originally Posted by spybotsandra:
    Hello,

    Heuristics describes methods of file detection other than the classic methods, which use attributes such as filename, file size, hashes, digital signatures and versioning information. Our heuristics go deeper into a file and try to determine its function by reading the actual file contents, or parts of it, and checking them for certain patterns.
    Ok. Doesn't the behavior I described above contradict this? I would have expected the heuristic scan to return a "nothing found" result, like the malware scan did. If "heuristics" describes other methods of detection, different than the "classic" methods, why did changing the file name (in my case) affect the result? When I scanned the file (including the name change) with an anti-virus app, it detected the threat as expected.

    Peace...

  4. #4
    Member (joined Dec 2007, 54 posts)

    Or is the heuristic analysis function broken in Spybot 1.6.2?

    Peace...

  5. #5
    Retired (joined Oct 2005, 566 posts)

    Hello Tomdkat,
    The Spybot heuristic works like Sandra described in her post, but on some files the filename is one of the hard criteria of our detection. So maybe the other criteria found on the file are not sufficient to detect the file as "bad", and only if these criteria plus a special filename are found on the system is it enough to say that it's a dangerous file.

    We always try to find a compromise between good heuristic detection and avoiding false positives. Maybe we were too careful with that one ;-)

    I will try to look into the file you sent to us to check if we could optimize our heuristic detection.

    Best regards,
    Markus
    Team Spybot
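Markus's description above, modelled as an added example (not Spybot's code): weighted content patterns produce a score, a known filename only lowers the threshold the score must reach, and a defender-side check reports when a verdict hinges on the filename alone, which is exactly the rename behaviour the thread observed. The rule patterns, filename list, thresholds and sample byte strings are all constructed assumptions.

```python
import re

# Constructed content patterns with weights; illustrative assumptions, not Spybot's rules.
CONTENT_RULES = [
    ("autostart via Run key", re.compile(rb"CurrentVersion\\Run"), 2),
    ("downloads a payload", re.compile(rb"URLDownloadToFile"), 2),
    ("UPX-packed section", re.compile(rb"UPX[0-9]"), 1),
    ("kills a security process", re.compile(rb"(?i)taskkill.*(avp|msmpeng)"), 2),
]
# Filenames the scanner treats as a "hard" criterion (assumed example list).
SUSPICIOUS_NAMES = {"winupdate.exe", "svchost32.exe"}
CONTENT_THRESHOLD = 5            # content evidence alone must reach this score
CONTENT_WITH_NAME_THRESHOLD = 3  # lower bar when a known-bad filename is also present


def score_content(data):
    """Return (score, matched rule names) from the file contents alone."""
    hits = [name for name, pat, _ in CONTENT_RULES if pat.search(data)]
    return sum(w for name, _, w in CONTENT_RULES if name in hits), hits


def classify(filename, data):
    """Return (detected, score, hits). Mirrors the thread: weak content
    evidence only crosses the line when a special filename is also present."""
    score, hits = score_content(data)
    bar = CONTENT_WITH_NAME_THRESHOLD if filename.lower() in SUSPICIOUS_NAMES else CONTENT_THRESHOLD
    return score >= bar, score, hits


def rename_evades(filename, data):
    """Defender check: is the verdict lost as soon as the file is renamed?"""
    return classify(filename, data)[0] and not classify("renamed.bin", data)[0]


# Constructed samples: WEAK carries two indicators (score 4), STRONG all four (score 7).
WEAK = b"MZ\x90\x00" + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00" + b"URLDownloadToFileA\x00"
STRONG = b"UPX0\x00" + WEAK + b"taskkill /F /IM MsMpEng.exe\x00"

if __name__ == "__main__":
    for name, data in [("winupdate.exe", WEAK), ("installer.exe", WEAK), ("installer.exe", STRONG)]:
        print(name, classify(name, data), "rename evades:", rename_evades(name, data))
```

The first two calls reproduce the thread: the same WEAK bytes are flagged as winupdate.exe and pass once renamed, while STRONG is flagged under any name.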
