I’ve read a few articles that describe the heuristic detection used by AVs as being either “weight-based” or “rule-based”. The weight-based aspect seems to make sense, but I don’t understand what “rule-based” detection is or how it works.
This article describes rule-based detection as follows:
Nearly all heuristic approaches in use nowadays implement rule-based systems. This means that the component of the heuristic engine that conducts the analysis (the analyser) extracts certain rules from a file, and these rules are compared against a set of rules for malicious code. If a rule matches, an alarm can be triggered.
I just don’t understand what a “rule” is in this context. How is it different from any other signature? If it is one of the many characteristics that may be used in weight-based detection, how is this approach significantly different from that?
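To make the two styles concrete, here is an added toy example (not from the article or any real AV engine) that runs both a weight-based scorer and a rule-based matcher over constructed feature sets; the feature names, weights, rules and threshold are all hypothetical.

```python
"""Toy contrast of weight-based vs rule-based heuristic detection (constructed example)."""

# Constructed feature vectors standing in for the characteristics a heuristic
# analyser would extract from a scanned file. Names and values are hypothetical.
SAMPLES = {
    "packed_dropper": {"high_entropy_section": True, "writable_executable_section": True,
                       "imports_virtualalloc": True, "no_version_info": True, "tiny_import_table": True},
    "crypter_stub":   {"high_entropy_section": True, "writable_executable_section": True,
                       "imports_virtualalloc": False, "no_version_info": False, "tiny_import_table": False},
    "installer":      {"high_entropy_section": True, "writable_executable_section": False,
                       "imports_virtualalloc": False, "no_version_info": True, "tiny_import_table": False},
}

# Weight-based: every characteristic contributes an independent score and the
# verdict depends only on whether the sum crosses a threshold.
WEIGHTS = {"high_entropy_section": 2, "writable_executable_section": 3, "imports_virtualalloc": 2,
           "no_version_info": 1, "tiny_import_table": 2}
THRESHOLD = 6


def weight_based(features):
    """Return (score, alert) for one feature set."""
    score = sum(w for name, w in WEIGHTS.items() if features.get(name))
    return score, score >= THRESHOLD


# Rule-based: a rule is a specific boolean combination of characteristics.
# Any single rule firing is an alert by itself, however few other
# characteristics the file shows, so the "score" of the rest is irrelevant.
RULES = {
    "packed_self_modifying": lambda f: f.get("high_entropy_section") and f.get("writable_executable_section"),
    "runtime_unpacker": lambda f: f.get("tiny_import_table") and f.get("imports_virtualalloc"),
}


def rule_based(features):
    """Return (names of rules that fired, alert) for one feature set."""
    fired = [name for name, rule in RULES.items() if rule(features)]
    return fired, bool(fired)


if __name__ == "__main__":
    for label, feats in SAMPLES.items():
        print(label, "weight:", weight_based(feats), "rules:", rule_based(feats))
```

The "crypter_stub" sample is where the two diverge: its summed weight stays under the threshold, but the rule that treats a high-entropy writable-and-executable section as a conclusive combination fires on it regardless.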