How Symantec Protection Engine detects risks

Symantec Protection Engine uses the following tools to detect risks:
Definitions
Symantec engineers track reported outbreaks of risks (such as viruses, Trojan horses, worms, adware, and spyware) to identify new risks. After a risk is identified, information about the risk (a signature) is stored in a definition file. This file contains information to detect and eliminate the risk. When Symantec Protection Engine scans for risks, it searches for these signatures.
Heuristics
Symantec Protection Engine uses Symantec Bloodhound heuristics technology to scan for threats for which no known definitions exist. Bloodhound heuristics technology scans for unusual behaviors (such as self-replication) to target potentially infected documents. Bloodhound technology is capable of detecting as much as 80 percent of new and unknown executable file threats. Bloodhound-Macro technology detects over 90 percent of new and unknown macro viruses. Bloodhound requires minimal overhead because it examines only the programs and documents that meet stringent prerequisites. In most cases, Bloodhound can determine in microseconds whether a file or document is likely to be infected. If it determines that a file is not likely to be infected, it moves to the next file.
Decomposition of container files
Symantec Protection Engine extracts container files so that they can be scanned for risks. Symantec Protection Engine continues to extract container files until it reaches the base file. Symantec Protection Engine imposes limits on file extraction. These limits protect against denial-of-service attacks that rely on overly large files or on complex container files that take a long time to decompose. These limits also improve scanning performance.
Symantec Protection Engine scans a file and its contents until it reaches the maximum depth that you specify. Symantec Protection Engine stops scanning any file that meets the maximum file size limit, cumulative file size limit, or maximum file count. It then generates a log entry. Symantec Protection Engine resumes scanning any remaining files. This process continues until Symantec Protection Engine has scanned, to the maximum depth, all of the files that do not meet any of the processing limits.
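The limit-and-continue behavior described above can be sketched as follows. This is an added example, not Symantec Protection Engine code: the limit names and values, the function names, the ZIP-only handling, and treating a limit as hit when it is exceeded are all assumptions made for illustration.

```python
import io
import zipfile

# Hypothetical limit names and values for illustration; not product settings.
LIMITS = {"max_depth": 2, "max_file_size": 1000, "max_total_size": 5000, "max_files": 10}

def decompose(data, name, limits=LIMITS, depth=0, state=None):
    """Recursively open ZIP containers; return (base_files, log_entries)."""
    if state is None:
        state = {"files": 0, "bytes": 0, "scanned": [], "log": []}
    log = state["log"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        state["scanned"].append(name)        # base file: a real scanner runs here
    elif depth >= limits["max_depth"]:
        log.append((name, "max depth"))      # nested too deep: do not open it
    else:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in (i for i in zf.infolist() if not i.is_dir()):
                path = f"{name}/{info.filename}"
                state["files"] += 1
                if state["files"] > limits["max_files"]:
                    log.append((path, "max file count"))
                    continue                 # log it, then move to the next member
                # Bounded read: do not rely on the size declared in the header.
                with zf.open(info) as fh:
                    chunk = fh.read(limits["max_file_size"] + 1)
                if len(chunk) > limits["max_file_size"]:
                    log.append((path, "max file size"))
                elif state["bytes"] + len(chunk) > limits["max_total_size"]:
                    log.append((path, "cumulative file size"))
                else:
                    state["bytes"] += len(chunk)
                    decompose(chunk, path, limits, depth + 1, state)
    return state["scanned"], state["log"]

def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, payload in members.items():
            zf.writestr(member, payload)
    return buf.getvalue()

# Constructed sample: three container levels plus one oversized member.
inner = make_zip({"a.txt": b"alpha"})
mid = make_zip({"inner.zip": inner, "b.txt": b"bravo"})
SAMPLE = make_zip({"mid.zip": mid, "big.bin": b"\0" * 2000, "c.txt": b"charlie"})

if __name__ == "__main__":
    print(decompose(SAMPLE, "outer.zip"))
```

With the sample limits, the third-level container and the 2000-byte member are logged and skipped, while b.txt and c.txt are still reached.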
Symantec Insight
Symantec Insight is a file-based detection technology that classifies files as good or bad by examining properties, usage patterns, or users of a given file rather than scanning it.
Android Application (APK) Reputation
Symantec Protection Engine has introduced a new Android Application Reputation feature that you can use to classify untrusted APK files. APK Reputation uses Symantec’s mobile intelligence framework, which leverages data from sources such as Norton Community Watch, market crawling, and malware industry partners. The files receive security ratings such as low bad, high bad, neutral, medium bad, low good, medium good, and high good.
Advanced machine learning
Advanced machine learning technology detects malware based on static attributes. This technology enables Symantec Protection Engine to detect malware in the pre-execution phase, thereby stopping large classes of malware, both known and unknown. In Symantec Protection Engine, this technology works with the File Insight (Reputation) technology to provide best-in-class protection with low false positives.