Win32/Heri Detection

Win32/Heri is the name given by antivirus software to a heuristically-motivated detection. This means that the detection does not correspond to a specific known virus or malicious file in the software's signature database. Instead, heuristic detection relies on patterns, behaviors and markers that may be shared across malicious files.

This approach helps anti-malware software detect some threats that have not yet been documented and cataloged, intercepting them before they can do any harm, based on patterns shared with existing malware. However, this approach also produces a very significant number of what are called "false positives".

A false positive flags a legitimate file as a threat. This is also the most common outcome for detections reported as "Win32/Heri". There are very few cases where it flags a file that is really malicious, but there have been many reports of long-standing, legitimate and well-known files triggering this false detection, including applications from huge companies such as Google and Blizzard Entertainment.

Of course, if you obtained the file that triggered the detection from a suspicious source, or if the file has a suspicious name, it may genuinely be malicious. One solution is to analyze the file with several anti-malware solutions and see whether the detections agree.
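As an added example (not code from the original article), the consensus check the paragraph above recommends, in Python: separate heuristic or generic verdict names such as Win32/Heri from verdicts that name a concrete family, then flag a lone heuristic hit with no corroboration as the likely-false-positive pattern. The engine names, verdict strings and the list of heuristic name markers are constructed assumptions, not real scanner output.

```python
"""Triage a multi-engine scan result for a heuristic detection like Win32/Heri."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Name fragments that mark a heuristic/generic verdict rather than a catalogued
# family. Assumed list for illustration; extend it for the vendors you use.
HEURISTIC_MARKERS = re.compile(r"\b(heri|heur\w*|generic|suspicious|gen)\b", re.I)


@dataclass
class Triage:
    engines: int                      # engines that returned any result
    detections: int                   # engines that flagged the file
    specific: List[str] = field(default_factory=list)   # named a concrete family
    heuristic: List[str] = field(default_factory=list)  # heuristic/generic verdict
    likely_false_positive: bool = False


def is_heuristic(verdict: str) -> bool:
    """True if the verdict name looks heuristic/generic rather than family-specific."""
    return bool(HEURISTIC_MARKERS.search(verdict))


def triage(results: Dict[str, Optional[str]], min_specific: int = 2) -> Triage:
    """results maps engine name -> detection name, or None when the engine is clean."""
    specific, heuristic = [], []
    for engine, verdict in results.items():
        if not verdict:
            continue
        (heuristic if is_heuristic(verdict) else specific).append(engine)
    detections = len(specific) + len(heuristic)
    # Fewer than min_specific engines naming a family, and at most a quarter of
    # engines flagging at all, matches the false-positive pattern described above.
    likely_fp = len(specific) < min_specific and detections <= len(results) // 4
    return Triage(len(results), detections, specific, heuristic, likely_fp)


# Constructed sample: one vendor reports Win32/Heri, every other engine is clean.
SAMPLE_LONE = {"VendorA": "Win32/Heri", "VendorB": None, "VendorC": None, "VendorD": None,
               "VendorE": None, "VendorF": None, "VendorG": None, "VendorH": None}
# Constructed sample: the same heuristic hit plus three engines naming a family.
SAMPLE_CORROBORATED = {"VendorA": "Win32/Heri", "VendorB": "Trojan.Agent.XYZ",
                       "VendorC": "Win32.Agent.abc", "VendorD": None,
                       "VendorE": "Trojan:Win32/Agent", "VendorF": None,
                       "VendorG": None, "VendorH": None}

if __name__ == "__main__":
    for label, sample in (("lone heuristic", SAMPLE_LONE), ("corroborated", SAMPLE_CORROBORATED)):
        print(label, triage(sample))
```

The threshold of a quarter of engines is an assumed starting point; tune it to the number of engines in your scan and treat the result as a prompt for further analysis, not a verdict.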

June 22, 2022