Symantec Protection Engine uses the following tools to detect risks:
Symantec engineers track reported outbreaks of risks (such as viruses, Trojan horses, worms, adware, and spyware) to identify new risks. After a risk is identified, information about the risk (a signature) is stored in a definition file. This file contains information to detect and eliminate the risk. When Symantec Protection Engine scans for risks, it searches for these signatures.
Symantec Protection Engine uses Symantec Bloodhound™ heuristics technology to scan for threats for which no known definitions exist. Bloodhound heuristics technology scans for unusual behaviors (such as self-replication) to target potentially infected documents. Bloodhound technology is capable of detecting as much as 80 percent of new and unknown executable file threats. Bloodhound-Macro technology detects and repairs over 90 percent of new and unknown macro viruses. Bloodhound requires minimal overhead because it examines only the programs and documents that meet stringent prerequisites. In most cases, Bloodhound can determine in microseconds whether a file or document is likely to be infected. If it determines that a file is not likely to be infected, it moves to the next file.
Container file decomposer
Symantec Protection Engine contains a decomposer that extracts container files so that they can be scanned for risks. The decomposer continues to extract container files until it reaches the base file. Symantec Protection Engine imposes limits on file extraction. These limits protect against denial-of-service attacks that are associated with overly large files or with complex container files that take a long time to decompose. These limits also improve scanning performance.
Symantec Protection Engine scans a file and its contents until it reaches the maximum depth that you specify. Symantec Protection Engine stops scanning any file that meets the maximum file size limit or that exceeds the maximum amount of time to decompose. It then generates a log entry. Symantec Protection Engine resumes scanning any remaining files. This process continues until Symantec Protection Engine has scanned, to the maximum depth, all of the files that do not meet any of the processing limits.
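The following added example (not Symantec code) sketches how a decomposer can enforce the three limits described above on nested ZIP containers: maximum depth, maximum file size, and maximum decomposition time. The limit values, function names, log wording, and the choice to log a depth stop are assumptions made for illustration, and the sample archive is constructed in memory.

```python
import io
import time
import zipfile

# Assumed limit values for illustration; not the product's defaults.
MAX_DEPTH = 2        # container nesting levels to open
MAX_BYTES = 1024     # largest extracted member to process
MAX_SECONDS = 5.0    # time budget for one top-level file

def decompose(data, name, log, depth=0, deadline=None):
    """Return (name, bytes) base files to scan; log what a limit stopped."""
    if deadline is None:
        deadline = time.monotonic() + MAX_SECONDS
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [(name, data)]                 # base file reached
    if depth >= MAX_DEPTH:
        log.append(f"{name}: maximum depth {MAX_DEPTH} reached")
        return []
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            child = f"{name}/{info.filename}"
            if time.monotonic() > deadline:
                log.append(f"{child}: decomposition time limit exceeded")
                break
            # Bounded read: never trust the size declared in the header.
            with zf.open(info) as member:
                body = member.read(MAX_BYTES + 1)
            if len(body) > MAX_BYTES:
                log.append(f"{child}: maximum file size exceeded")
                continue                      # resume with remaining files
            found.extend(decompose(body, child, log, depth + 1, deadline))
    return found

def make_zip(members):
    """Build a constructed in-memory ZIP from {filename: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for filename, body in members.items():
            zf.writestr(filename, body)
    return buf.getvalue()

def demo():
    # Constructed sample: small file, oversized file, nested archives.
    level3 = make_zip({"deep.txt": b"too deep"})
    level2 = make_zip({"inner.txt": b"inner", "level3.zip": level3})
    top = make_zip({"a.txt": b"hello", "big.bin": b"\0" * 5000, "level2.zip": level2})
    log = []
    return decompose(top, "top.zip", log), log
```

Reading each member with a bounded `read` rather than relying on the size recorded in the archive header is what keeps a highly compressed member from exhausting memory before the size limit is checked.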
Symantec Insight™ is a file-based detection technology that classifies files as good or bad by examining properties, usage patterns, or users of a given file rather than scanning it.