What is W32.eheur.malware14 and What Should I do if I See It?
We had a situation in the office today that prompted this tutorial. Someone downloaded a file from a legitimate website that many millions of people use every day. When the file had downloaded, the antivirus flagged up an alert that said the download contained ‘W32.eheur.malware14’ and had been placed into the virus vault. So what is W32.eheur.malware14 and what should you do about it?
Given the current hostile environment of the internet, running a computer without a fully functioning antivirus and malware scanner is just asking for trouble. However, running them is only part of the story. The other part is knowing what to do if they find something. I’ll cover that in a minute.
What is W32.eheur.malware14?
The evolution of antivirus software has been rapid, and it now keeps us safer than ever. It also identifies more threats and creates a lot less drama than it used to. Most functions are handled automatically, and as a user you actually have to do very little to manage your antivirus. Except when it flags something like this.
So what is W32.eheur.malware14?
- The W32 part is the platform affected, in this case 32-bit Windows. As 64-bit Windows also runs 32-bit code, both types of installation are potentially at risk.
- The eheur part stands for heuristics, an antivirus function that looks at the potential intent of code rather than matching a known signature.
- Malware14 is the category in which the antivirus places its findings. In this case, the malware category.
So in theory, W32.eheur.malware14 has been identified as malware using heuristic analysis. But it isn’t so cut and dried.
Heuristic analysis
Most antivirus products use two or more ways to detect viruses and malware. The two most common are signatures and heuristics. Signatures are like fingerprints that identify a particular piece of malicious code. Those updates that your antivirus downloads every day? They are the most up-to-date database of virus signatures the company has, so your antivirus can detect as many known viruses as possible.
Heuristic analysis is used to back up signature analysis. Most antivirus companies know that they don’t have signatures for all viruses, as they evolve too quickly. Heuristic analysis is a way around that. It uses a set of rules that analyze files on your computer for their potential to do harm. It reads the code in a file and assesses whether it is legitimate or whether it is hiding malicious intent. If something looks suspicious, it will flag it for further study and/or isolate the file.
Heuristic analysis is great in that it does not depend on signatures, which are a reactive defense. It also does not have to execute the file to see what happens, as sandboxing does. Instead, it analyzes the code to see what would potentially happen.
The downside to this way of working is that it is prone to false positives. Some code can be flagged as malware when in fact it isn’t. These instances are now thankfully rare, but they happen.
Is W32.eheur.malware14 malware?
It might be. It also might not be. Helpful, huh? If your antivirus flags up W32.eheur.malware14 on your computer, your best bet is to treat it as suspicious until proven otherwise.
Your antivirus should show you the file path of the threat. Start there. If it says something like C:\Windows\System32\ssText32 for example, it is likely to be a false positive. But don’t relax just yet. If the file is part of a legitimate program acquired from a legitimate source, it may be a false positive. Either way, it’s good to get a second opinion.
Even if you’re using the latest, most recommended antivirus package available, it can still get things wrong. You can perform an online scan or download a second antivirus scanner and run a full scan. If you install a second program, you will either need to uninstall it after the scan or uninstall your original scanner. Two antivirus scanners do not play well together on a single computer.
Online antivirus scans are available from Eset, Kaspersky, Trend Micro and other companies. Also try Malwarebytes malware scanner as it will often detect things antivirus doesn’t. Either run one of these or download another scanner. If you choose the latter, perform a full scan or ask the program or app to scan the folder flagged by your original scan. You can do that by right clicking the file and selecting Scan with…
If your second opinion also flags the file as potential malware, it might just be malware. If the file is a legit file, like above, perform a web search to see if there have been instances of false positives. Usually, the forum of your antivirus provider will mention them.
If you don’t see posts mentioning false positives, let the antivirus delete or lock down the file to keep you safe. It’s always better to be safe than sorry when it comes to malware!
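The steps above, decoding the detection name and then walking the triage procedure in order, as an added Python example that is not part of the original article or any antivirus vendor's tooling. It assumes detection names of the shape platform.method.category+index, that the eheur token means heuristic, and that paths under C:\Windows\System32\ are the "likely false positive" case the article describes; the sample names and paths are constructed.

```python
import re
from typing import Optional

# Detection names of the form <platform>.<method>.<category><index>,
# e.g. "W32.eheur.malware14". Assumption: other vendors' naming schemes
# are not covered by this pattern.
NAME_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+)\.(?P<method>[A-Za-z]+)\.(?P<category>[A-Za-z]+)(?P<index>\d*)$"
)
HEURISTIC_TOKENS = {"eheur"}  # token the article decodes as "heuristic"
# Paths the article treats as likely false positives (assumed prefix list).
SYSTEM_PREFIXES = ("c:\\windows\\system32\\",)


def parse_detection_name(name: str) -> dict:
    """Split a detection name into its parts; raise ValueError if it does not fit."""
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised detection name: {name!r}")
    parts = m.groupdict()
    parts["heuristic"] = parts["method"].lower() in HEURISTIC_TOKENS
    parts["index"] = int(parts["index"]) if parts["index"] else None
    return parts


def triage(name: str, file_path: str,
           second_opinion_flagged: Optional[bool] = None,
           false_positive_reported: bool = False) -> str:
    """Recommend an action by walking the article's steps in order."""
    d = parse_detection_name(name)
    if not d["heuristic"]:
        # A signature hit is a fingerprint match, not a guess: keep it quarantined.
        return "quarantine"
    if second_opinion_flagged is None:
        # A heuristic hit is suspicious until proven otherwise: always get a
        # second scanner's verdict, even for a file under System32.
        hint = ""
        if file_path.lower().startswith(SYSTEM_PREFIXES):
            hint = " (system path, possibly a false positive)"
        return "second-opinion-scan" + hint
    if second_opinion_flagged:
        # Two independent scanners agree: it might just be malware.
        return "quarantine"
    if false_positive_reported:
        # Vendor forum or web search documents this as a false positive.
        return "documented-false-positive"
    # No reports of a false positive: let the antivirus delete or lock it down.
    return "quarantine"
```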