Vol. 1 · Ed. 2026
CyberGlossary
Entry № 473

Heuristic Detection

What is Heuristic Detection?

Heuristic Detection: A detection method that uses rule-of-thumb indicators (suspicious code patterns, packers, anomalous strings, and API call combinations) to flag likely-malicious files without an exact signature.


Heuristic detection complements signatures by scoring suspicious characteristics of a file or of its execution. Static heuristics inspect PE header anomalies, the presence of known packers (UPX, Themida), high entropy, code obfuscation, suspicious import combinations such as VirtualAllocEx + WriteProcessMemory + CreateRemoteThread (the classic remote-process injection triad), and risky strings; dynamic heuristics observe behaviour in an emulator or lightweight sandbox. The term was popularized in the early 1990s by tools like Frans Veldman's TbScan and Eugene Kaspersky's AVP; today it lives inside most NGAV/EDR engines as a fast pre-filter before deeper ML or cloud lookup. Heuristics catch unknown variants of known families but produce more false positives than signatures (packers and high entropy are common in legitimate installers and games), so vendors tune thresholds and combine the heuristic score with reputation, prevalence, and behavioural signals before convicting a file.

Examples

  1. An AV engine flagging a UPX-packed binary that imports networking APIs and dynamically resolves WinAPI functions.

  2. TbScan in 1993 detecting a previously unseen virus by recognising classic encryption loops and disk-write patterns.
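As an added example (not code from this page, and not any vendor's engine), the Python script below implements the static scoring described in the definition and illustrated by example 1: it checks a byte buffer for a PE header anomaly, known packer section names, high Shannon entropy, the injection API triad, dynamic API resolution, networking imports and risky command strings, adds a weight per hit, and convicts at a threshold. The weights, the threshold of 6, the indicator lists and the four constructed samples are illustrative assumptions, not real malware or real tuning values.

```python
"""Toy static heuristic scorer: weighted rule-of-thumb indicators over a byte buffer.
Weights, threshold and indicator lists are assumed values for illustration."""
import hashlib
import math

PACKER_MARKERS = {b"UPX0": "UPX", b"UPX1": "UPX", b".themida": "Themida"}
INJECTION_TRIAD = (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread")
DYNAMIC_RESOLVE = (b"LoadLibraryA", b"GetProcAddress")
NETWORK_APIS = (b"WSAStartup", b"InternetOpenA", b"URLDownloadToFileA")
RISKY_STRINGS = (b"cmd.exe /c", b"powershell -enc", b"-EncodedCommand")
HIGH_ENTROPY = 7.0          # bits per byte; compressed or encrypted data sits near 8
SUSPICIOUS_THRESHOLD = 6    # assumed: a score at or above this is flagged


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte over the whole buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_header_anomaly(data: bytes):
    """Describe the anomaly if an MZ image's e_lfanew does not reach a 'PE\\0\\0' signature."""
    if not data.startswith(b"MZ"):
        return None                       # not a PE image; nothing to check
    if len(data) < 0x40:
        return "DOS header truncated"
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "e_lfanew does not point at a PE signature"
    return None


def score_sample(data: bytes):
    """Return (score, reasons); each rule contributes its weight at most once."""
    score, reasons = 0, []

    def hit(points, why):
        nonlocal score
        score += points
        reasons.append(f"+{points} {why}")

    anomaly = pe_header_anomaly(data)
    if anomaly:
        hit(2, f"PE header anomaly: {anomaly}")
    for name in sorted({lbl for marker, lbl in PACKER_MARKERS.items() if marker in data}):
        hit(3, f"{name} packer section present")
    ent = shannon_entropy(data)
    if ent > HIGH_ENTROPY:
        hit(2, f"high entropy {ent:.2f} bits/byte")
    if all(api in data for api in INJECTION_TRIAD):
        hit(4, "process-injection API combination")
    if all(api in data for api in DYNAMIC_RESOLVE):
        hit(1, "dynamic WinAPI resolution (LoadLibraryA + GetProcAddress)")
    if any(api in data for api in NETWORK_APIS):
        hit(2, "networking API import")
    if any(s in data for s in RISKY_STRINGS):
        hit(2, "risky command-line string")
    return score, reasons


def is_suspicious(data: bytes) -> bool:
    return score_sample(data)[0] >= SUSPICIOUS_THRESHOLD


# Constructed samples: a minimal MZ/PE skeleton plus strings and filler, not real binaries.
def _pseudo_random(n: int, seed: bytes = b"filler") -> bytes:
    """Deterministic high-entropy filler from chained SHA-256 digests (stands in for packed code)."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample(section_name: bytes, body: bytes) -> bytes:
    """DOS header with e_lfanew -> 'PE\\0\\0', followed by one section name and a body."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\0\0" + section_name.ljust(8, b"\0") + body


SAMPLES = {
    # example 1 from the page: UPX section, dynamic API resolution, networking import, packed body
    "packed_downloader": build_sample(b"UPX0", b"LoadLibraryA\0GetProcAddress\0WSAStartup\0" + _pseudo_random(4096)),
    # packed but otherwise quiet: packer + entropy alone stay below the threshold
    "legit_packed_tool": build_sample(b"UPX0", _pseudo_random(4096)),
    # unpacked and low entropy, but carries the injection triad and a shell string
    "injector": build_sample(b".text", b"VirtualAllocEx\0WriteProcessMemory\0CreateRemoteThread\0cmd.exe /c whoami\0"),
    # plain program with nothing interesting
    "hello": build_sample(b".text", b"MessageBoxA\0user32.dll\0Hello, world!\0" * 20),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        score, reasons = score_sample(blob)
        verdict = "SUSPICIOUS" if score >= SUSPICIOUS_THRESHOLD else "clean"
        print(f"{name:18} score={score:2d} {verdict:10} {'; '.join(reasons)}")
```

The "legit_packed_tool" case is the false-positive problem the definition warns about: a packer section and high entropy score 5, below the assumed threshold, so on their own they do not convict; a real engine would break that tie with reputation and prevalence rather than by lowering the threshold. A production scanner would also compute entropy per section and walk the import table instead of searching raw strings, since both the packer and the import names are usually hidden until the binary is unpacked in memory, which is where the dynamic heuristics take over.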

Frequently asked questions

What is Heuristic Detection?

A detection method that uses rule-of-thumb indicators — suspicious code patterns, packers, anomalous strings, and API call combinations — to flag likely-malicious files without an exact signature. It belongs to the Defense & Operations category of cybersecurity.

How do you defend against Heuristic Detection?

Heuristic detection is itself a defensive control, not a threat to defend against. The operational concern is tuning it: because heuristics produce more false positives than signatures, vendors set score thresholds and combine the heuristic score with reputation, prevalence, and behavioural signals before convicting a file, as described in the full definition above.

What are other names for Heuristic Detection?

Common alternative names include: Heuristics, Heuristic scanning.

Related terms