Behavioral vs. Heuristic Antivirus

By Kevin Lee

While computers may seem brilliant, at their core, they are unintelligent machines that rely on instructions that humans create to make them work. Viruses are programs that cause computers to execute instructions that can harm them and your data. Software developers create behavioral and heuristic antivirus applications that use different methods to detect and eliminate viruses and other forms of malware that may infect your computer.

Virus Databases and Code Signatures

Windows Defender, a security app that comes with Windows, identifies a suspicious program by checking the program against a database that Microsoft maintains. Security programs that rely on databases for malware information check them frequently because people create new viruses continuously. Many antivirus programs identify threats by examining their "signatures." A signature is similar to a fingerprint: it represents a specific set of a file's characteristics that help others identify the file.

Behavioral Detection

A behavioral detection antivirus program works like a police officer looking for odd behavior in a suspect. If you install an antivirus app that uses behavior detection, it watches your operating system, searching for suspicious events. For instance, if the antivirus program witnesses an attempt to change or modify a file or communicate over the Web, it may take action and warn you of the threat. It may also block the threat depending on how you adjust its security settings.

Heuristic Detection

Antivirus apps that use heuristics are similar to signature-based detection programs. They seek to identify malware by examining the code in a virus program and analyzing the program's structure. A heuristic antivirus app using this detection method might run a process that simulates actually running the code it’s examining. When it does that, the antivirus app seeks to identify additional code logic that may help it determine if the suspected virus is really a threat.

Code Pattern Changes

Because antivirus programs that use behavior detection look for suspicious behavior in a potential virus, they can identify threats that some heuristic antivirus programs may miss. Assume, for example, that a heuristic database contains a code pattern that consists of A-B-B-A. If a virus's creators modify their code so that the pattern changes to A-A-B-B, a heuristic antivirus app may not detect that modified version.


A false positive occurs when an antivirus program informs you that a program is dangerous even though it is not. Malware detection using heuristic methods often increase the number of incidents of false positives. It can also take more time for heuristic antivirus programs to scan files than it does programs that use behavior detection. Many modern antivirus programs use both heuristics and behavioral methods to protect computers from malware.