Signature-based detection: Signature-based engines are extremely effective at identifying and blocking known threats. Multiple signature-based engines form an important part of a multi-layered cocktail approach to real time scanning.
However, signature-based malware detection only works for known malware; it is not useful against new threats. Additionally, to be effective, signatures must be delivered and propagated quickly, which is a time-consuming task.
Heuristics: Using a rule of thumb to detect variants of known malware is an effective tool in the fight against malware. However, if your heuristics are too aggressive, you experience false positives. Also, heuristics are designed to increase the probability of detecting something that is similar to something you have seen before, so a heuristic won’t detect completely novel malware.
Code Analysis: The behavior of the code can be determined by modeling program logic, behavioral rules, and contextual system call analysis techniques that suggest good or bad intentions.
Code reputation: Unlike URLs whose content can change, a binary can, in fact, have a reputation based on historical analysis. “Good” code can be treated differently than unknown or bad code.
URL Reputation: URL reputation is derived by examining parameters such as IP address information, country of the web server, history and age of the URL, domain registration information, network owner information, URL categorization information, and types of content present.
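To make the trade-offs described above concrete, here is an added example (not from the original post) that runs a hash signature check and a simple weighted heuristic over four constructed, harmless byte strings standing in for files: an exact known sample, a near variant, a completely novel sample, and a benign installer that shares traits with malware. The samples, rule weights and threshold are all assumptions chosen for illustration.

```python
import hashlib
import re

# Constructed stand-in "files" (plain text, not real malware) for demonstration.
KNOWN_MALWARE = b"MZ drop-payload: http://example.invalid/a.bin ; persist=run-key"
VARIANT = b"MZ drop-payload: http://example.invalid/b.bin ; persist=run-key"
NOVEL = b"MZ encrypt-docs ; ransom-note=README.txt"
BENIGN_TOOL = b"MZ installer: get http://example.invalid/setup.msi ; persist=run-key"

# Signature database: the SHA-256 of every sample analysts have already seen.
SIGNATURES = {hashlib.sha256(KNOWN_MALWARE).hexdigest()}


def signature_match(data: bytes) -> bool:
    """Known-threat check: fires only on a byte-identical sample."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES


# Heuristic rules: traits shared with previously seen families, each with a weight.
HEURISTIC_RULES = [
    (re.compile(rb"drop-payload"), 2),
    (re.compile(rb"http://"), 1),
    (re.compile(rb"persist=run-key"), 2),
]


def heuristic_score(data: bytes) -> int:
    """Sum the weights of every rule whose pattern appears in the sample."""
    return sum(weight for pattern, weight in HEURISTIC_RULES if pattern.search(data))


def classify(data: bytes, threshold: int = 4) -> str:
    """Signature first, then heuristic; a lower threshold is more aggressive."""
    if signature_match(data):
        return "known-malware"
    if heuristic_score(data) >= threshold:
        return "suspected-variant"
    return "clean"


if __name__ == "__main__":
    for name, sample in [("known", KNOWN_MALWARE), ("variant", VARIANT),
                         ("novel", NOVEL), ("benign", BENIGN_TOOL)]:
        # The benign installer becomes a false positive once the threshold drops to 3.
        print(f"{name:8} default={classify(sample):18} aggressive={classify(sample, 3)}")
```

The variant escapes the signature but is caught by the heuristic, the novel sample escapes both, and lowering the threshold flags the benign installer, which is the false-positive cost of aggressive heuristics.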