Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
Malware detection that flags unknown threats by analyzing suspicious behavior, code structure, and rules rather than known signatures.
Heuristic Detection Definition: Malware detection that flags unknown threats by analyzing suspicious behavior, code structure, and rules rather than known signatures.
Heuristic detection is a malware-detection technique that identifies previously unknown or modified threats by analyzing the behavior, structure, and characteristics of code against rules and patterns associated with malicious activity, rather than relying solely on exact signatures of known malware. This lets security tools catch new, polymorphic, and zero-day threats that signature databases have not yet cataloged.
Heuristic engines work in two main ways. Static heuristics examine a file's code, structure, and instructions for suspicious traits such as self-modifying code, packing, or API calls used to hook the system. Dynamic heuristics execute or emulate the file in a sandbox and watch its runtime behavior, flagging actions like attempting to overwrite system files, inject into other processes, disable security tools, or contact command-and-control servers. Each suspicious indicator contributes to a weighted score; if the score crosses a threshold, the sample is flagged. Many modern engines blend heuristics with machine learning and behavioral analytics.
Heuristic detection matters because attackers constantly recompile and obfuscate malware specifically to evade signature matching, so a purely signature-based defense always lags behind. Heuristics provide proactive coverage against novel variants, but the trade-off is false positives, where legitimate software exhibiting unusual behavior is wrongly flagged, so tuning sensitivity is a core operational concern.
For example, an endpoint protection product receives a never-before-seen executable. Its static analysis notices the file is packed and imports functions for keystroke logging, while sandbox emulation shows it attempting to add itself to a startup registry key and connect to an external IP. No signature exists for this sample, but the accumulated suspicious behaviors push the heuristic score past the threshold, so the product quarantines it before it can run on the user's machine.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →