Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: kalpik on April 27, 2005, 04:13:28 AM

Title: Heuristics
Post by: kalpik on April 27, 2005, 04:13:28 AM
Hi!

Is it true that Avast does not have any Heuristics scanning engine? If that's true, it's very alarming! Cuz Heuristics is the first defence against unknown virii! I think even AVG has Heuristics scanning (though I have personally seen that Avast is a MUCH MUCH better AV than AVG). If Avast does not have this feature, it should be the first post on the Wishlist!!

Kalpik
Title: Re: Heuristics
Post by: Staind on April 27, 2005, 04:20:43 AM
Well, it does but it doesn't. It does, I believe, have generic scanning for trojans, but in terms of a true heuristic program - no, this has been discussed on the forums. There are several pros, but also several cons, to having heuristics.
Title: Re: Heuristics
Post by: kalpik on April 27, 2005, 04:24:30 AM
Hi!

Could you please explain all the cons of having Heuristics? Your help is appreciated.

Kalpik
Title: Re: Heuristics
Post by: TAP on April 27, 2005, 04:27:59 AM
As far as I know Avast has no heuristics in its on-demand/on-access scanner, but Avast has so-called heuristics in its e-mail scanner (Internet Mail and Outlook/Exchange) to fight against fast-spreading e-mail worms (it really works in the real world and has saved me several times), but I think Avast's heuristics is not the true heuristics in the antivirus scene.

Although Avast has no true heuristics, it has other methods to fight against unknown malware, such as generic detection of trojans.

Please read this thread and you will find what you want to know.  :)

http://forum.avast.com/index.php?board=2;action=display;threadid=4979
Title: Re: Heuristics
Post by: MFB on April 27, 2005, 04:34:57 AM
True, McAfee uses these heuristic techniques as well, and Panda uses its TruPrevent technology to detect unknown viruses. I don't really mind if Avast! doesn't have heuristics as long as we get updates daily.
Title: Re: Heuristics
Post by: TAP on April 27, 2005, 04:58:18 AM
I don't really mind if Avast! doesn't have heuristics as long as we get updates daily.

Unfortunately, Avast has always been simply underrated by some people just because Avast has no so-called heuristics, it has fancy skins, it has sounds and it has the free version.
Title: Re: Heuristics
Post by: MFB on April 27, 2005, 05:08:50 AM
I love the skins (my favorite is the bionic avast ;) ) and the sound is always enjoyable to hear (yes, including the virus detected one ;D). So what if it doesn't have heuristics? People should know that it's one of the best antiviruses, that has different shields and has staff working hard to make virus signature files for updates.
Title: Re: Heuristics
Post by: RejZoR on April 27, 2005, 10:14:02 AM
Heuristics have a big potential, especially for an AV that is not so well known (so virii writers don't fool its heuristics). Just look at NOD32. I had doubts about heuristics until I tried it. Same with ArcaVir 2005. Detected a brand new worm before they had defs for it. And even if heuristics detect only a few samples it's still better than nothing.
Title: Re: Heuristics
Post by: TAP on April 27, 2005, 12:09:36 PM
And even if heuristics detect only a few samples it's still better than nothing.

I totally agree.

And even the so-called heuristics in Avast's e-mail scanner can detect potentially dangerous extensions in file attachments; I've seen this several times.

I'm just curious: if Avast doesn't implement traditional heuristics like other AVs, is there any plan to develop other proactive detection for Avast, something like advanced generic detection?  ;D ;D ;D
Title: Re: Heuristics
Post by: DavidR on April 27, 2005, 01:09:58 PM
The biggest concern of anyone introducing Heuristics is false positives and inexperienced users who will delete the file that the virus was detected in. This can have huge potential implications on the user's system.

Perhaps a means of getting round this is to have two Alarms and actions, Heuristic and Signature detected. Then to correctly identify the warning as a Heuristic detection and perhaps move it to the chest rather than allow for auto/user deletion.

This could be similar to the email heuristic warning, but that warning is very ineffective as many who post here don't realise the difference and delete emails regardless of the fact that it is pointed out it is just Suspicious and not positively identified as infected.

There have been similar requests on the forums to have a different Warning Alarm for Web Shield detection, because that says there is a virus on your computer (and it won't be if you abort the connection) and many people have spent a lot of time trying to find it on their computer.
Title: Re: Heuristics
Post by: RejZoR on April 27, 2005, 01:20:01 PM
But let's face it, Alwil will have to implement some form of heuristics sooner or later.
Signatures are OK, but these days, certainly not enough.
Title: Re: Heuristics
Post by: DavidR on April 27, 2005, 01:42:08 PM
I totally agree that it will have to happen. My reference to Signatures was merely to show the different methods of detection, known vs possible (Signature vs Heuristics).
Title: Re: Heuristics
Post by: Lisandro on April 27, 2005, 01:54:48 PM
The biggest concern of anyone introducing Heuristics is false positives and inexperienced users who will delete the file that the virus was detected in. This can have huge potential implications on the user's system.
Yeah... But, sometimes, the signatures bring false positives as much as heuristics would  :P

Heuristics have a big potential, especially for an AV that is not so well known (so virii writers don't fool its heuristics). Just look at NOD32. I had doubts about heuristics until I tried it. Same with ArcaVir 2005. Detected a brand new worm before they had defs for it. And even if heuristics detect only a few samples it's still better than nothing.
In fact. But I have some experience of it... It promises more than it can realise. Better detection goes side by side with false positives. I do believe in fast updating, and avast! can't be better at it. Well, it could be better at adding signatures which, nowadays, is not that fast anymore  :'(

Perhaps a means of getting round this is to have two Alarms and actions, Heuristic and Signature detected. Then to correctly identify the warning as a Heuristic detection and perhaps move it to the chest rather than allow for auto/user deletion.

This could be similar to the email heuristic warning, but that warning is very ineffective as many who post here don't realise the difference and delete emails regardless of the fact that it is pointed out it is just Suspicious and not positively identified as infected. There have been similar requests on the forums to have a different Warning Alarm for Web Shield detection, because that says there is a virus on your computer (and it won't be if you abort the connection) and many people have spent a lot of time trying to find it on their computer.
Good suggestions... I hope it won't be lost into the jungle of the forum threads  :-\ :'(
Title: Re: Heuristics
Post by: DavidR on April 27, 2005, 02:26:09 PM
You're putting my words into RejZoR's mouth ;D

Perhaps a means of getting round this is to have two Alarms and actions, Heuristic and Signature detected. Then to correctly identify the warning as a Heuristic detection and perhaps move it to the chest rather than allow for auto/user deletion.

This could be similar to the email heuristic warning, but that warning is very ineffective as many who post here don't realise the difference and delete emails regardless of the fact that it is pointed out it is just Suspicious and not positively identified as infected. There have been similar requests on the forums to have a different Warning Alarm for Web Shield detection, because that says there is a virus on your computer (and it won't be if you abort the connection) and many people have spent a lot of time trying to find it on their computer.
Title: Re: Heuristics
Post by: kalpik on April 27, 2005, 02:33:26 PM
Are the people at Alwil listening!!!!
Title: Re: Heuristics
Post by: RejZoR on April 27, 2005, 02:36:29 PM
Well, heuristics do produce some false positives, but look at signatures. Alwil had many problems with them and they don't even have heuristics in avast!.
And the sooner they start using heuristics, the better they'll act after some time. False positive reports will help them fine-tune heuristics so they won't cause FPs later.
Title: Re: Heuristics
Post by: TAP on April 27, 2005, 03:34:57 PM
Heuristics can be successful at some level in catching unknown malware, but they can also be a very strong marketing point to fascinate people, as NOD32 Advanced Heuristics and Norman Sandbox are.
Title: Re: Heuristics
Post by: RejZoR on April 27, 2005, 03:52:09 PM
Yeah, well they can, since AH and Sandbox are very effective. BitDefender HIVE will work the same way as Sandbox. I had doubts about it and thought it's only a marketing trick, but it's not. I had several samples that were detected only by heuristics before anyone else even made signatures.
Title: Re: Heuristics
Post by: Vlk on April 27, 2005, 08:25:03 PM
...more or less because the malware writer did a lousy job in this case.

The main problem with heuristics engines is that they are publicly available. That is, it's trivial for the virus author to fine-tune his/her masterpiece so that it slips through. It's as easy as that, and it's somehow surprising to me that the punks don't currently do it so often (at least for the relatively unknown scanners such as nod32).

Otherwise, of course I agree heuristics methods are powerful and we're definitely taking them seriously. But it's probably too technical a thing to discuss here - I somehow don't like the screams for heuristics without deep technical background... :-\


Cheers
Vlk
Title: Re: Heuristics
Post by: RejZoR on April 27, 2005, 08:34:11 PM
Yeah, that's the main reason to use heuristics now. avast! is not as well known as Symantec or McAfee, so there would be a very small chance that virii writers will fine-tune it against avast!. Maybe a more flexible Blocker could do half of this job, but in its current form it simply fails to do anything. And fine-tuning virii to avoid heuristics is a time-consuming thing. Source code for them is not available so you have to test each and every modification. And there is no 100% success rate in this.
Title: Re: Heuristics
Post by: Vlk on April 27, 2005, 08:37:07 PM
Beating any heuristics engine currently on the market is actually much easier than you might think...
Fortunately for the planet, most of today's malware writers are not very good programmers. :)
Title: Re: Heuristics
Post by: RejZoR on April 27, 2005, 08:41:48 PM
Ok,so if there won't be any heuristics,please think about this:
http://forum.avast.com/index.php?topic=13091.0
Title: Re: Heuristics
Post by: Lisandro on April 27, 2005, 10:25:02 PM
But if you can program better than the virus makers, then why don't you provide avast! with an even better shield of heuristics?
If we won't have Heuristics, the virus samples must be analysed faster to have avast! at the same level as other antivirus programs.
Well, we realise you're in the USA  ;)
Title: Re: Heuristics
Post by: Vlk on April 28, 2005, 12:04:21 AM
What I meant is that heuristics is by design weak in the sense that virus authors can freely test their code and tweak it in a way that slips through, and that such tweaking is very easy. That is, the CONTRARY of what Technical is suggesting - i.e. that building a reliable heuristics engine is easy. ;) :)
Title: Re: Heuristics
Post by: RejZoR on April 28, 2005, 09:01:12 AM
Trust me, no one will tweak virii against avast! for a few more years, so take advantage of this when you can. avast! detection rates are good, but not excellent.
Title: Re: Heuristics
Post by: o2xygen on April 28, 2005, 10:09:00 AM
We all realise that it's better to remove a virus ASAP. If you take a virus today, let's say, that avast cannot recognize, then in the two days until the virus definitions are issued, you will already be in big trouble...
Here you realise the need for heuristics... It's better to remove a potential virus and have false positives than to detect nothing.
Title: Re: Heuristics
Post by: Lisandro on April 28, 2005, 03:00:53 PM
That is, a CONTRARY of what Technical is suggesting - i.e. that building a reliable heuristics engine is easy. ;) :)
I was not suggesting this or being ironic.
I - the same as you - want avast! better and the Heuristic won't make it worse than now.
Elsewhere I suggested a beta update of the VPS (like we have into SpyBot). This way, only the beta testers will update the very new signatures, avoiding a huge number of false positives.
Like RejZoR said, avast! detection rates are good, but not excellent.  :)
Title: Re: Heuristics
Post by: RejZoR on April 30, 2005, 09:25:38 AM
I found this on Wilders...

Scan performed at: 29/04/2005 10:49:13
Scanning Log
NOD32 version 1.1083 (20050429) NT
Operating memory - probably unknown NewHeur_PE virus [7]

date: 29.4.2005 time: 10:50:07
Scanned disks, directories and files: C:
C:\pagefile.sys - error opening (file locked) [4]
C:\Documents and Settings\All Users\Application Data\mp3intrahelpsupport\bibblue.exe - probably unknown NewHeur_PE virus [7]
C:\Documents and Settings\All Users\Application Data\mp3intrahelpsupport\Glue Web.exe - probably unknown NewHeur_PE virus [7]

C:\Documents and Settings\Nicholas\Application Data\BinBatDoes\axsdoqdk.exe - probably unknown NewHeur_PE virus [7]
C:\Documents and Settings\Nicholas\Application Data\BinBatDoes\ewwnqxzy.exe - probably unknown NewHeur_PE virus [7]
C:\Documents and Settings\Nicholas\Application Data\BinBatDoes\Global Wipe Base.exe - probably unknown NewHeur_PE virus [7]
C:\Documents and Settings\Nicholas\Application Data\BinBatDoes\jcoxyzjq.exe - probably unknown NewHeur_PE virus [7]
C:\Documents and Settings\Nicholas\Application Data\BinBatDoes\qqdqjohm.exe - probably unknown NewHeur_PE virus [7]
C:\Documents and Settings\Nicholas\Application Data\BinBatDoes\saaqaawy.exe - probably unknown NewHeur_PE virus [7]

number of scanned files: 3827
number of viruses found: 103
time of completion: 10:51:34 total scanning time: 87 sec (00:01:27)

Notes:
[4] File cannot be open. It is being exclusively used by another application or operating system.
[7] File is probably infected with an unknown virus. Please send it to sample@nod32.com

Lots of heuristic detections? According to the filenames they are not false positives.
I'm talking about such situations.
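As an added example (not code from this thread, from Alwil, or from NOD32), here is a small Python triage script that acts on two points raised above: DavidR's suggestion of separate alarms and actions for signature versus heuristic detections (a heuristic hit is only moved to quarantine, never auto-deleted, so a false positive can be restored), and RejZoR's reading of the NOD32 log, where several hedged "probably unknown" hits clustering in one directory are the signal worth looking at. The sample log is an abridged copy of the one posted above plus one constructed line with a hypothetical unhedged verdict and a made-up footnote code [0]; the rule that a "probably" wording marks a heuristic verdict, and the action table, are this example's assumptions, not documented scanner behaviour.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample input: an abridged copy of the NOD32 log posted in the
# thread, plus ONE hypothetical line (placeholder.exe, code [0]) that stands in
# for an unhedged, signature-style verdict. Codes [4] and [7] are the log's own.
SAMPLE_LOG = r"""
Operating memory - probably unknown NewHeur_PE virus [7]
C:\pagefile.sys - error opening (file locked) [4]
C:\Documents and Settings\All Users\Application Data\mp3intrahelpsupport\bibblue.exe - probably unknown NewHeur_PE virus [7]
C:\Documents and Settings\All Users\Application Data\mp3intrahelpsupport\Glue Web.exe - probably unknown NewHeur_PE virus [7]
C:\Documents and Settings\Nicholas\Application Data\BinBatDoes\axsdoqdk.exe - probably unknown NewHeur_PE virus [7]
C:\Documents and Settings\Nicholas\Application Data\BinBatDoes\ewwnqxzy.exe - probably unknown NewHeur_PE virus [7]
C:\Documents and Settings\Nicholas\Application Data\BinBatDoes\Global Wipe Base.exe - probably unknown NewHeur_PE virus [7]
C:\Documents and Settings\Nicholas\Application Data\BinBatDoes\jcoxyzjq.exe - probably unknown NewHeur_PE virus [7]
C:\Temp\placeholder.exe - Example/Placeholder.A virus [0]
number of scanned files: 3827
"""

# One result line: "<path> - <verdict text> [<footnote code>]"
LINE_RE = re.compile(r"^(?P<path>.+?) - (?P<message>.+?) \[(?P<code>\d+)\]$")


@dataclass(frozen=True)
class Finding:
    path: str      # file path, or "Operating memory" for the in-memory hit
    message: str   # scanner's verbatim verdict text
    code: int      # footnote code the scanner attached ([4], [7], ...)

    @property
    def kind(self) -> str:
        """Assumed classification rule: an 'error' prefix is a scan error, a
        hedged 'probably' is a heuristic guess, anything else is a firm hit."""
        m = self.message.lower()
        if m.startswith("error"):
            return "error"
        if "probably" in m:
            return "heuristic"
        return "signature"


def parse_scan_log(text: str) -> list[Finding]:
    """Keep only lines that carry a per-file verdict; summary lines are dropped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["message"], int(m["code"])))
    return findings


# Separate action per alarm class (the policy DavidR proposes above):
# heuristic hits go to the chest only, so a false positive is recoverable.
ACTION_BY_KIND = {
    "signature": "delete or repair (positively identified)",
    "heuristic": "move to chest / quarantine only; never auto-delete",
    "error": "skip; rescan at boot or once the lock is released",
}


def recommend_action(f: Finding) -> str:
    return ACTION_BY_KIND[f.kind]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind so the two alarm classes are reported apart."""
    return dict(Counter(f.kind for f in findings))


def hot_directories(findings: list[Finding], min_hits: int = 2) -> list[tuple[str, int]]:
    """Directories with several heuristic hits, most hits first. A cluster of
    hedged verdicts in one folder is the pattern RejZoR reads as 'not false
    positives'; the in-memory hit has no directory and is left out."""
    counts = Counter(
        str(PureWindowsPath(f.path).parent)
        for f in findings
        if f.kind == "heuristic" and "\\" in f.path
    )
    return [(d, n) for d, n in counts.most_common() if n >= min_hits]


if __name__ == "__main__":
    findings = parse_scan_log(SAMPLE_LOG)
    print("findings by kind:", summarize(findings))
    for f in findings:
        print(f"[{f.kind:9}] {f.path}\n    -> {recommend_action(f)}")
    for directory, n in hot_directories(findings):
        print(f"{n} heuristic hits in {directory}")
```

Run as-is to see the per-file action list and the two clustered directories from the posted log. The point of keeping `kind` and `ACTION_BY_KIND` apart is that the scanner's confidence, not the filename, decides what the user is allowed to do automatically: a firm signature hit may be deleted, a heuristic guess only quarantined.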