>How do you build a heuristic if not with an algorithm?
I don't know what that means. Perhaps superficially there is some overlap since both run on deterministic hardware, but a heuristic is completely different from an algorithm. It's a technique that can perhaps give you an imperfect answer to the question you're asking. An algorithm describes a method, which, if followed, gives you the answer. Here is an AV heuristic that I made up just now:
-Is it encrypted? +1 point
-Does it contain self modifying/unpacking code? +1 point
-Does it call OS APIs to monitor running programs? +1 point
-Does it run at startup? +1 point
-Does it have no UI? +1 point
-Does it try to punch a hole through NAT? +1 point
-Does its process name contain random strings? +1 point
If you get > 5 points, hash the executable and send the hash/executable for analysis.
>Perhaps the entire AV model employed by Symantec is flawed.
Well, for one, the heuristic isn't the "entire AV model". But what makes you think the entire AV model is flawed? Every major OS uses parts of the AV model.
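The point-scoring heuristic in the comment above, as an added example (not the commenter's code): each check contributes one point, a sample whose score exceeds the threshold is hashed and queued for analysis, and the two constructed samples show why this is a heuristic rather than an algorithm, since a benign startup agent can collect points while a sample that trips only some checks stays under the bar. The feature names, the sample feature sets and the sample bytes are all constructed for illustration; nothing here inspects a real executable.

```python
import hashlib

# The seven checks from the comment, each worth one point (weights are an
# assumption taken from the comment, which gives every check "+1 point").
HEURISTIC_CHECKS = [
    "encrypted",
    "self_modifying_or_unpacking",
    "monitors_running_programs",
    "runs_at_startup",
    "no_ui",
    "punches_nat_hole",
    "random_process_name",
]

# The comment flags at "> 5 points", so with seven checks a sample needs
# at least six hits before it is sent off for analysis.
THRESHOLD = 5


def score(features: dict) -> int:
    """Count how many heuristic checks the (already extracted) features satisfy."""
    return sum(1 for name in HEURISTIC_CHECKS if features.get(name, False))


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the executable bytes, used as the submission identifier."""
    return hashlib.sha256(data).hexdigest()


def triage(features: dict, executable: bytes) -> dict:
    """Apply the heuristic: hash and flag only when the score exceeds THRESHOLD."""
    s = score(features)
    if s > THRESHOLD:
        return {"score": s, "flagged": True, "sha256": sha256_hex(executable)}
    return {"score": s, "flagged": False, "sha256": None}


# Constructed sample bytes; this is not a real executable image.
SAMPLE_BYTES = b"MZ-constructed-sample-not-a-real-binary"

# Constructed feature sets. A backup agent legitimately runs at startup, has
# no UI and watches other processes: three points, not flagged.
BACKUP_AGENT = {
    "runs_at_startup": True,
    "no_ui": True,
    "monitors_running_programs": True,
}

# A packed, encrypted sample with a random name that also persists and hides
# its UI: five points, which is still not "> 5", so the heuristic lets it
# through. This is the "imperfect answer" the comment describes.
PACKED_SAMPLE = {
    "encrypted": True,
    "self_modifying_or_unpacking": True,
    "random_process_name": True,
    "runs_at_startup": True,
    "no_ui": True,
}

# Every check hit: seven points, hashed and flagged for analysis.
FULL_HOUSE = {name: True for name in HEURISTIC_CHECKS}


if __name__ == "__main__":
    for label, feats in [("backup agent", BACKUP_AGENT),
                         ("packed sample", PACKED_SAMPLE),
                         ("full house", FULL_HOUSE)]:
        print(label, triage(feats, SAMPLE_BYTES))
```

Changing THRESHOLD or the per-check weights changes which of the constructed samples gets flagged without changing any of the checks themselves, which is the tuning knob a heuristic gives you and an exact algorithm does not.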