What is a heuristic virus?

It never feels great when a virus scan uncovers malware on your device, and scary terms like “heuristic virus” don’t exactly help. The good news is that this type of infection is fairly easy to remove once it’s been detected, and we’ll provide a beginner-friendly guide to doing just that. First, though, let’s address the most obvious question: what’s the difference between a regular virus and a heuristic virus?

What exactly is a heuristic virus?

When people talk about heuristic viruses, they’re usually discussing Heur.Invader, or something similar like Win32 Heur. These viruses are classic examples of Trojan Horses – seemingly innocuous programs that actually contain nasty surprises.

Heuristic viruses are particularly dangerous because they can change your antivirus and security settings without your knowledge. An example of a heuristic virus is a program that installs a whole host of malicious scripts and prevents you from detecting any of them, or one that performs tasks that would normally require user authorization, such as disabling your firewall, removing your access to certain files, or navigating to infected web pages.

How to remove a heuristic virus

One of the things that makes deleting a heuristic virus so difficult is that there’s seemingly no way to tell which parts of your system are working as intended, and which have already been tweaked by the malware. Luckily, most major operating systems have a safe mode built in that allows us to load a stripped-back version of the OS where all settings are set to their defaults.

This is always the first step to removing a heuristic virus infection. On the plus side, once you’re in safe mode, the rest of the process is nice and simple.

Here’s how to remove a heuristic virus:

  1. Start your device in safe mode (platform-specific instructions below)
  2. Enable any heuristic scan options in your antivirus program, then run a full scan
  3. Take a look at any suspicious results and delete them. It’s important not to just delete everything without thinking, as heuristic scans can return false positives sometimes
  4. Restart your device, run another scan, and make sure the virus is really gone. If not, consult our in-depth malware removal guide for additional advice

How to boot your computer in safe mode


Windows

  1. Press the Windows key, click the power button, and hold Shift as you click Restart.
  2. On the menu that appears, select Advanced options, then Startup Settings, then Restart.
  3. Finally, choose Enable Safe Mode. It’s important not to select Safe Mode with Networking or Safe Mode with Command Prompt as these could give the virus more tools to work with.


macOS

There are actually two ways to get into Safe Mode, depending on whether your Mac has an Intel or M1 chip. To find out, open the Apple menu and select About This Mac. If there’s a Processor item on this screen, use method one below. Otherwise, use method two:

Method one: Restart your device and hold the Shift key. Log in (you may have to log in twice). Check the menu bar to verify that it says Safe Mode.

Method two: Turn off your Mac completely. Hold the power button down until the screen turns on and select a volume level once prompted. Hold down the Shift key and select Continue in Safe Mode. Your menu bar should now say Safe Mode.

Linux (Ubuntu)

This is nice and simple: just restart your computer and hold the Shift key during the boot sequence to get to the GRUB Menu. If this doesn’t work, try again but this time, instead of holding Shift, tap the Escape key repeatedly.

When you reach the menu, choose the option that ends with (recovery mode).

What is heuristic virus scanning?

Heuristic virus scanning is a more modern approach to identifying malware. In the past, antivirus programs had a big list of signatures that they knew belonged to malicious programs – if they found code with the same signature on your computer, they could tell exactly which virus it had.

The problem with this method is that it’s impossible to account for every possible new malware variant, as even a single change to the code would create an entirely new signature, allowing attackers to go undetected.

Instead, heuristic scanning looks for code that’s suspicious. For instance, if it realizes that a newly-installed program is contacting a specific IP address every minute or keeping a record of which keys you hit, it can let you know that this is out of the ordinary. Of course, this type of scanning is prone to false positives, so users have to manually check their results. After all, the examples we’ve just given are suspicious out of context, but not all that unusual if you’re using a cloud storage app or something that tests your typing skills.
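The difference between the two approaches, and the false-positive problem, can be seen in a small added example (this is not code from any real antivirus product). The rules, weights, threshold, sample files and behaviour records are all constructed assumptions for illustration.

```python
import hashlib

# Constructed stand-ins for a known-bad file and a one-byte variant of it.
KNOWN_BAD = b"constructed-sample-program v1"
VARIANT = b"constructed-sample-program v2"
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}

def signature_match(blob):
    """Signature scan: flag only files whose hash is already on the list."""
    return hashlib.sha256(blob).hexdigest() in SIGNATURES

def beacons_regularly(ev):
    """True if one remote IP is contacted at near-constant intervals."""
    for times in ev.get("connections", {}).values():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= 3 and max(gaps) - min(gaps) <= 2:
            return True
    return False

# Hypothetical rules and weights: (description, weight, predicate).
RULES = [
    ("contacts one IP on a fixed schedule", 40, beacons_regularly),
    ("records keystrokes", 40, lambda ev: ev.get("keyboard_hook", False)),
    ("disabled the firewall", 50, lambda ev: ev.get("disabled_firewall", False)),
    ("installed in the last week", 10, lambda ev: ev.get("installed_days_ago", 999) <= 7),
]
THRESHOLD = 60  # assumed cut-off; real products tune this

def heuristic_scan(ev):
    """Return (score, flagged, reasons) for one observed-behaviour record."""
    reasons = [(name, w) for name, w, pred in RULES if pred(ev)]
    score = sum(w for _, w in reasons)
    return score, score >= THRESHOLD, [name for name, _ in reasons]

# Constructed behaviour records (timestamps in seconds, documentation IPs).
SAMPLES = {
    "new unknown program": {"connections": {"203.0.113.7": [0, 60, 120, 180, 240]},
                            "keyboard_hook": True, "installed_days_ago": 1},
    "typing tutor with cloud sync": {"connections": {"198.51.100.20": [5, 65, 125, 185]},
                                     "keyboard_hook": True, "installed_days_ago": 30},
    "cloud storage app": {"connections": {"198.51.100.9": [0, 60, 121, 180]},
                          "installed_days_ago": 90},
}

if __name__ == "__main__":
    print("known file:", signature_match(KNOWN_BAD), "| variant:", signature_match(VARIANT))
    for name, ev in SAMPLES.items():
        print(name, "->", heuristic_scan(ev))
```

The one-byte variant slips past the signature list, while the heuristic rules flag both the unknown program and the harmless typing tutor, which is why flagged results need a manual check before anything is deleted.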

How to prevent heuristic virus infections

Heuristic viruses are acquired in the same way as any other, most often by downloading files from suspicious websites or running code you don’t understand.

You can protect yourself from rootkits, spyware, and heuristic viruses by following these simple rules:

  • Never open any file you receive in an unsolicited email
  • Only download applications from their official websites. Some even provide the program’s checksum so that you can verify what you’ve downloaded is actually legitimate
  • Do not click links in email messages as you’ll often find that they lead to phishing sites designed to steal your login credentials. Instead, search for the site you need manually
  • Any site that claims to offer paid services for free is lying. Avoid these like the plague
  • Never allow anyone to take remote control of your computer, even if they claim to be a government official or from the technical support department of a company you know
  • Do not open .BAT scripts, .exe files, or Microsoft Office macros if you don’t know who created them
  • Make sure your router isn’t using the default password
  • Schedule regular virus scans using a reputable antivirus program