Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: RejZoR on July 03, 2006, 11:32:28 PM

Title: Why aren't you using more generic signatures?
Post by: RejZoR on July 03, 2006, 11:32:28 PM
I'm noticing that avast! indeed has the capability of generic detection. And a pretty good one actually. But why don't you use it more often?
So far I've seen just a few, but would certainly like to see more of them.
Title: Re: Why aren't you using more generic signatures?
Post by: RejZoR on July 08, 2006, 11:38:02 PM
This is what I mean by generic signatures ;D

(http://img86.imageshack.us/img86/8018/generics9zg.gif)

Also loads of Ardamax files are getting nailed by avast! generic detection lately.
You could just as well "replace" heuristics to some degree with already tested and, of course, existing tech. Just use it more often plz ;D
Title: Re: Why aren't you using more generic signatures?
Post by: DavidR on July 09, 2006, 12:15:51 AM
It would also seem that the other AVs that picked this up would appear to have done so using Heuristics.
Title: Re: Why aren't you using more generic signatures?
Post by: RejZoR on July 22, 2006, 11:39:55 AM
(http://img81.imageshack.us/img81/7852/generics002pr4.png)

Another one. avast! generic engine seems to be pretty good.
Keep on adding more of generic signatures :)
Title: Re: Why aren't you using more generic signatures?
Post by: Lisandro on July 22, 2006, 01:34:40 PM
RejZoR, how do you get these samples? Just surfing dangerous? ;D
Do you have a virus collection or any virus sample supplier?
Title: Re: Why aren't you using more generic signatures?
Post by: RejZoR on July 22, 2006, 01:49:44 PM
This one is a random snapshot from Jotti. I've seen dozens of Win32:Ardamax-gen detections on it too.
Though I get most of my samples from other users, P2P and questionable websites. The other half is from Malware Research.
Title: Re: Why aren't you using more generic signatures?
Post by: RejZoR on July 24, 2006, 10:09:55 AM
Wow, Alwil guys did listen to me (or just a pure coincidence ;D).
Check out new -gen signatures :) Keep up the good work team!

EDIT:
Btw, any chance to see generics for Zlob nasties?
Title: Re: Why aren't you using more generic signatures?
Post by: gnwd on July 25, 2006, 08:14:10 AM
That's interesting...

Panda antivirus and Fortinet may be a good choice.

========================
Antivirus            Version          Update       Result
AntiVir              6.35.0.24        24.07.2006   no virus found
Authentium           4.93.8           24.07.2006   no virus found
Avast                4.7.844.0        24.07.2006   no virus found
AVG                  386              24.07.2006   no virus found
BitDefender          7.2              25.07.2006   no virus found
CAT-QuickHeal        8.00             25.07.2006   no virus found
ClamAV               devel-20060426   25.07.2006   no virus found
DrWeb                4.33             24.07.2006   no virus found
eTrust-InoculateIT   23.72.77         25.07.2006   no virus found
eTrust-Vet           12.6.2306        24.07.2006   no virus found
Ewido                4.0              24.07.2006   no virus found
Fortinet             2.77.0.0         25.07.2006   suspicious
F-Prot               3.16f            24.07.2006   no virus found
F-Prot4              4.2.1.29         24.07.2006   no virus found
Ikarus               0.2.65.0         24.07.2006   no virus found
Kaspersky            4.0.2.24         25.07.2006   Trojan-Proxy.Win32.Horst.de
McAfee               4813             24.07.2006   no virus found
Microsoft            1.1508           25.07.2006   no virus found
NOD32v2              1.1677           24.07.2006   a variant of Win32/TrojanProxy.Horst.NAI
Norman               5.90.23          24.07.2006   no virus found
Panda                9.0.0.4          24.07.2006   Suspicious file
Sophos               4.07.0           25.07.2006   no virus found
Symantec             8.0              25.07.2006   no virus found
TheHacker            5.9.8.181        25.07.2006   no virus found
UNA                  1.83             24.07.2006   no virus found
VBA32                3.11.0           25.07.2006   no virus found
VirusBuster          4.3.7:9          24.07.2006   no virus found
Title: Re: Why aren't you using more generic signatures?
Post by: RejZoR on July 25, 2006, 09:12:20 AM
They tag a bunch of stuff as Suspicious. Plus this doesn't have much in common with generic detection either...
Title: Re: Why aren't you using more generic signatures?
Post by: polonus on July 25, 2006, 09:27:49 AM
Hi RejZoR,

Just another thing, but maybe related to this issue. You know I spend an awful lot of time on viruses and worms, and see a lot of postings. Lately I see a lot of FPs in game files etc. Is the number of FPs found by avast increasing? And why? Or is it flagged without the notion of riskware, if one has downloaded it for good reasons and deliberately?

polonus
Title: Re: Why aren't you using more generic signatures?
Post by: RejZoR on July 26, 2006, 05:13:30 PM
No, I don't think so. Generic detections are usually very precise and don't make mistakes too often, since they are designed to target a very specific range of malware. Those generically added samples, however, cause problems more often (Win32:Trojan-gen). I'm not sure how they sort or analyze them, but it appears to be some sort of in-house automated system that helps analysts speed up adding samples.
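The distinction the thread keeps circling (a per-sample signature versus a generic "-gen" family signature, and why a sloppy generic one produces the false positives polonus asks about) is easy to see in code. The following is an added example written for this page, not Avast/ALWIL engine code; the three "samples" are constructed byte strings that mimic a shared decoder stub plus a variant-specific body, not real malware, and the signature syntax is the ClamAV-style hex notation (`??` for any byte, `{n-m}` for a variable gap) rather than whatever format avast! used internally.

```python
"""Toy signature engine: per-sample hash signatures vs. generic (family)
byte-pattern signatures.  Illustrative code added for this page; not any
vendor's engine.  All sample bytes below are constructed, not real malware."""
import hashlib
import re

# Constructed samples.  All three share a common x86 function prologue; the two
# "variants" also share a call followed by a marker string, with a different
# xor idiom and a different-length nop sled between them.  BENIGN shares only
# the prologue (a very common sequence in real code).
STUB = bytes.fromhex("558bec83ec10")                       # push ebp; mov ebp,esp; sub esp,0x10
VARIANT_A = STUB + b"\x31\xc0" + b"\x90" * 3 + b"\xe8\x00\x00\x00\x00" + b"KEYLOG"
VARIANT_B = STUB + b"\x33\xc0" + b"\x90" * 7 + b"\xe8\x00\x00\x00\x00" + b"KEYLOG"
BENIGN    = STUB + b"\x31\xc0" + b"\x90" * 3 + b"\xc3"

# Per-sample signature: whole-file hash.  Catches exactly the sample it was
# made from; VARIANT_B is missed even though it is the same family.
HASH_SIGS = {hashlib.md5(VARIANT_A).hexdigest(): "Win32:Example-A"}

# Generic signatures in ClamAV-style hex notation.
# "Example-gen" pins the family's shared *structure* (prologue, any xor reg,
# a variable gap, the call, the marker string) and so catches both variants.
# "Loose-gen" matches on the prologue alone and will also hit clean files;
# it stands in for the over-broad "Trojan-gen" style detection discussed above.
GENERIC_SIGS = {
    "Win32:Example-gen": "558bec83ec10 ?? c0 {1-16} e800000000 4b45594c4f47",
    "Win32:Loose-gen":   "558bec83ec10",
}

TOKEN = re.compile(r"\{(\d+)-(\d+)\}|\?\?|[0-9a-fA-F]{2}")

def compile_hex_sig(sig: str) -> re.Pattern:
    """Translate a hex signature into a compiled bytes regex."""
    body = sig.replace(" ", "")
    pos, parts = 0, []
    for m in TOKEN.finditer(body):
        if m.start() != pos:
            raise ValueError(f"bad token at offset {pos} in {sig!r}")
        if m.group(1) is not None:                          # {n-m}: variable gap
            parts.append(b".{%d,%d}" % (int(m.group(1)), int(m.group(2))))
        elif m.group(0) == "??":                            # any single byte
            parts.append(b".")
        else:                                               # literal byte
            parts.append(re.escape(bytes([int(m.group(0), 16)])))
        pos = m.end()
    if pos != len(body):
        raise ValueError(f"trailing garbage in {sig!r}")
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: compile_hex_sig(sig) for name, sig in GENERIC_SIGS.items()}

def scan(data: bytes) -> list:
    """Return the names of every signature that matches `data`."""
    hits = []
    name = HASH_SIGS.get(hashlib.md5(data).hexdigest())
    if name:
        hits.append(name)
    for name, pattern in COMPILED.items():
        if pattern.search(data):
            hits.append(name)
    return hits

if __name__ == "__main__":
    for label, sample in (("VARIANT_A", VARIANT_A), ("VARIANT_B", VARIANT_B), ("BENIGN", BENIGN)):
        print(f"{label:10s} -> {scan(sample)}")
```

Running it shows the trade-off in one screen: the hash hits only VARIANT_A, the structured generic signature hits both variants and nothing else, and the loose generic signature hits everything including the clean file. That last row is the false-positive risk of a generic signature whose anchor (a common prologue) is not specific to the family; a good "-gen" signature is built from what the family shares and benign code does not.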