Topic: What does the [Susp] tag stand for?


RejZoR
What does the [Susp] tag stand for?
« on: September 12, 2010, 12:26:15 AM »
I've seen quite a few detections with such a tag, like Win32:FNFAV-C [Susp], INF:AutoRun [Susp], JS:ScrObfs-gen [Susp], etc.

Now I do know that [Heur] stands for a heuristic detection, but what is [Susp] then? I'm guessing "suspicious", but wouldn't that fall under [Heur] as well? Just curious as usual :)
Visit my webpage Angry Sheep Blog

Gargamel360 (Guest)
Re: What does the [Susp] tag stand for?
« Reply #1 on: September 12, 2010, 12:35:23 AM »
Methinks those are behavior shield detections.

edit: http://forum.avast.com/index.php?topic=59700.0

or not.
« Last Edit: September 12, 2010, 12:40:54 AM by Gargamel360 »

RejZoR
Re: What does the [Susp] tag stand for?
« Reply #2 on: September 12, 2010, 12:47:21 AM »
I don't think they are. Those have the [Heur] tag. That's why I'm wondering. Unless they use [Heur] for behavior-analysis heuristics and [Susp] for more "traditional" heuristics used to scan autoruns, BAT files, scripts, HTML files and so on: stuff that usually doesn't run inside virtual emulators but can still be checked with heuristics.

igor (Avast team)
Re: What does the [Susp] tag stand for?
« Reply #3 on: September 12, 2010, 12:55:19 AM »
I believe they are basically equivalent - some virus analysts use [Heur] even though we originally agreed on [Susp] (or vice versa, I don't remember it myself ;)).
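For anyone triaging scan logs by hand, the practical consequence of igor's answer is that [Susp] and [Heur] should be bucketed together as heuristic hits rather than signature hits. The following is an added example, not code from the thread or from Avast: it parses detection names of the shape seen above (platform:family-variant [tag]), which is an assumption generalised from the three names RejZoR quoted, and the sample names tagged as constructed are made up for the demo.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed layout, generalised from the names quoted in this thread:
#   <platform>:<family>[-<variant>] [<tag>]
# e.g. "Win32:FNFAV-C [Susp]", "INF:AutoRun [Susp]", "JS:ScrObfs-gen [Susp]".
# The variant and the bracketed tag are both optional.
_DETECTION_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+):(?P<family>[A-Za-z0-9_]+)"
    r"(?:-(?P<variant>[A-Za-z0-9]+))?"
    r"(?:\s*\[(?P<tag>[A-Za-z]+)\])?\s*$"
)

# Per igor's reply, [Susp] and [Heur] are interchangeable in practice,
# so both are treated as the same class when triaging.
HEURISTIC_TAGS = {"susp", "heur"}


@dataclass(frozen=True)
class Detection:
    platform: str
    family: str
    variant: Optional[str]
    tag: Optional[str]

    @property
    def is_heuristic(self) -> bool:
        """True for [Susp]/[Heur]; False for plain signature hits or other tags."""
        return self.tag is not None and self.tag.lower() in HEURISTIC_TAGS


def parse_detection(name: str) -> Detection:
    """Split one detection name into its components; raise on unknown shapes."""
    m = _DETECTION_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised detection name: {name!r}")
    return Detection(m["platform"], m["family"], m["variant"], m["tag"])


def triage(names: List[str]) -> Dict[str, list]:
    """Bucket detection names into signature hits, heuristic hits and unparsed lines."""
    buckets: Dict[str, list] = {"signature": [], "heuristic": [], "unparsed": []}
    for name in names:
        try:
            det = parse_detection(name)
        except ValueError:
            buckets["unparsed"].append(name)
            continue
        buckets["heuristic" if det.is_heuristic else "signature"].append(det)
    return buckets


# Constructed sample input: the first three names are the ones quoted in the
# thread, the last two are made up to show a [Heur] hit and a plain signature hit.
SAMPLE_LOG = [
    "Win32:FNFAV-C [Susp]",
    "INF:AutoRun [Susp]",
    "JS:ScrObfs-gen [Susp]",
    "Win32:Malware-gen [Heur]",   # constructed
    "Win32:Sality",               # constructed, no tag => signature hit
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {items}")
```

Heuristic hits deserve a second look (sandbox run, hash lookup, file provenance) before they are treated with the same confidence as a signature match, which is why separating the two buckets is the first step rather than the last.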

Gargamel360 (Guest)
Re: What does the [Susp] tag stand for?
« Reply #4 on: September 12, 2010, 01:11:41 AM »
Ok, thanks for clearing that up. :)