Understanding Heuristic-based Scanning vs. Sandboxing
Signature-based detection struggles with today's threat landscape: the number of threats keeps growing, and any single signature stays effective for a shorter and shorter time as malware is repacked or recompiled into new variants. Signature-based scanning compares patterns found in a file against a database of known malware. Heuristic scanning instead applies rules and/or algorithms that look for commands, code constructs or behaviours which may indicate malicious intent, so some heuristic methods can detect malware for which no signature exists yet.

Sandboxes are purpose-built analysis environments, usually virtualised (in some cases physical), in which a potentially malicious file is executed and its behaviour is recorded. The recorded behaviour is then analysed automatically, typically by a weighted scoring system inside the sandbox, and/or manually by a malware analyst. The goal of this analysis is to determine whether the file is malicious and, if it is, what exactly it does.

Both heuristic-based scanning and sandboxing have their own strengths and weaknesses, and depending on the situation one method may be more appropriate than the other. Curtis Cade takes a look.
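To make the three approaches concrete, here is a small added example (written for this page, not code from the author or from any product) that runs a toy signature check, a toy rule-based heuristic scanner and a toy sandbox-style behaviour scorer over constructed inputs. Every rule name, weight, threshold, sample script and behaviour trace is an assumption chosen for illustration; the "known bad" script and the base64 blob in it are inert strings, and the IP addresses are documentation ranges. The point it shows is that a one-byte change defeats the hash signature while the weighted heuristics still fire, and that behaviour scoring can require an API sequence (open process, write memory, create remote thread) rather than a single suspicious call.

```python
"""Toy signature scan, heuristic scan and sandbox-style behaviour scoring.
Added example for this article; all rules, weights, thresholds and samples
are constructed assumptions, not any vendor's engine."""

import hashlib
import re

# ---- 1. Signature scan: exact hash match against a "database" of known samples
KNOWN_BAD = b"powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"  # constructed
VARIANT = KNOWN_BAD.replace(b"-enc", b"-EnC")   # same behaviour, different bytes
BENIGN_SCRIPT = b"Get-ChildItem C:\\Users -Recurse | Export-Csv inventory.csv"  # constructed
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}          # constructed DB


def signature_scan(data: bytes) -> bool:
    """True only for byte-for-byte known samples."""
    return hashlib.sha256(data).hexdigest() in SIGNATURE_DB


# ---- 2. Heuristic scan: weighted content rules, no prior knowledge of the file
HEURISTIC_RULES = [  # (rule name, pattern, weight); all values are assumptions
    ("encoded_powershell", re.compile(rb"powershell\b.*-enc(odedcommand)?\b", re.I | re.S), 4),
    ("hidden_window", re.compile(rb"-w(indowstyle)?\s+hidden", re.I), 2),
    ("download_string", re.compile(rb"DownloadString|Invoke-WebRequest|IEX", re.I), 3),
    ("av_tamper", re.compile(rb"Set-MpPreference|DisableRealtimeMonitoring", re.I), 4),
    ("base64_blob", re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}"), 1),
]
HEURISTIC_THRESHOLD = 5


def heuristic_scan(data: bytes):
    """Return (score, matched rule names in rule order, verdict)."""
    hits = [(name, weight) for name, rx, weight in HEURISTIC_RULES if rx.search(data)]
    score = sum(weight for _, weight in hits)
    return score, [name for name, _ in hits], score >= HEURISTIC_THRESHOLD


# ---- 3. Sandbox-style scoring: weighted rules over a recorded API trace
BEHAVIOUR_WEIGHTS = {  # assumed weights per observed behaviour
    "run_key_persistence": 3,
    "outbound_connection": 2,
    "remote_thread_injection": 5,   # only awarded for the full API sequence
    "mass_file_rename": 4,
}
SANDBOX_THRESHOLD = 5


def score_trace(trace):
    """trace: list of (api_name, args) in call order, as a sandbox monitor would log it."""
    observed = set()
    inject_stage = {}   # pid -> 1 after OpenProcess, 2 after WriteProcessMemory
    renamed = set()
    for api, args in trace:
        if api == "RegSetValueEx" and "\\CurrentVersion\\Run" in args.get("key", ""):
            observed.add("run_key_persistence")
        elif api in ("connect", "InternetConnect"):
            observed.add("outbound_connection")
        elif api == "OpenProcess":
            inject_stage[args["pid"]] = 1
        elif api == "WriteProcessMemory" and inject_stage.get(args["pid"]) == 1:
            inject_stage[args["pid"]] = 2
        elif api == "CreateRemoteThread" and inject_stage.get(args["pid"]) == 2:
            observed.add("remote_thread_injection")
        elif api == "MoveFile" and args["dst"].endswith(".locked"):
            renamed.add(args["dst"])
    if len(renamed) >= 10:              # ransomware-like mass rename
        observed.add("mass_file_rename")
    score = sum(BEHAVIOUR_WEIGHTS[b] for b in observed)
    return score, sorted(observed), score >= SANDBOX_THRESHOLD


# Constructed traces; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
MALICIOUS_TRACE = [
    ("CreateFile", {"path": r"C:\Users\victim\AppData\Roaming\svc.exe"}),
    ("RegSetValueEx", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "svc"}),
    ("OpenProcess", {"pid": 1234}),
    ("WriteProcessMemory", {"pid": 1234, "size": 4096}),
    ("CreateRemoteThread", {"pid": 1234}),
    ("connect", {"host": "198.51.100.7", "port": 443}),
]
BENIGN_TRACE = [
    ("CreateFile", {"path": r"C:\Users\victim\Documents\report.docx"}),
    ("WriteFile", {"path": r"C:\Users\victim\Documents\report.docx", "size": 2048}),
    ("connect", {"host": "203.0.113.10", "port": 443}),   # e.g. an update check
]

if __name__ == "__main__":
    for label, sample in (("known", KNOWN_BAD), ("variant", VARIANT), ("benign", BENIGN_SCRIPT)):
        print(label, "signature:", signature_scan(sample), "heuristic:", heuristic_scan(sample))
    print("sandbox malicious:", score_trace(MALICIOUS_TRACE))
    print("sandbox benign:", score_trace(BENIGN_TRACE))
```

Two design points carry over to real engines: the heuristic verdict is a sum of independent weighted rules, so a benign script that trips one weak rule stays below the threshold, and the injection rule in the behaviour scorer keys on the sequence of calls against the same process rather than on any single API, which is exactly what a static scan cannot observe.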