Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Gohoos81 on February 10, 2010, 11:44:51 AM

Title: Avast 5 heuristic and disappearing virus definitions
Post by: Gohoos81 on February 10, 2010, 11:44:51 AM
Hi,

I've tested and scanned a good number of newer malware samples using avast! 5 free (5.0.396) and have noticed no "heuristic" detections when scanning static samples, even with heuristics set to "high" and "code emulation" option checked (PUP checked as well).  Is this feature not implemented yet or are heuristic-based detections assessed as "malware-gen" and lumped into the same "malware-gen" category as signature-based detections?

Also, I noticed that the number of definitions sometimes decreases following a VPS update.  For example, several days ago, the number of definitions was >2,286,000 and now is only >2,285,000.  I assume this is because new detections are being added at the same time that generic detections are being consolidated, so the number of unique detections stays in flux even as new files are being detected/added.

Thanks for the help!
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: yaslaw on February 10, 2010, 12:20:10 PM
I (and others as well) asked about avast heuristic detection many times before, without any answer. Maybe this time somebody from ALWIL will look at this thread.
It's a pity that ALWIL's PR is doing such a bad job - instead of promoting the new engine and its abilities, we have only laconic information about: the behavioral shield (without a single piece of info about what it does except "Monitors activity on your computer using a number of sensors (file system, registry and network based) and reports/blocks any suspicious behavior"), the same goes for heuristics, and Behavioral Honeypots (avast! sensors identify and monitor suspicious file activity on selected computers, automatically submitting files to the Virus Lab for additional analysis.) -> what does "selected computers" mean?
There is no information about changes in the rootkit module (is it still based on GMER???)... etc. etc.
Regards
yaslaw

P.S. Some pieces of information can be found on the avast blog - but still not many - and it would be good for AVAST to combine this information with the main page, simply because not many people will search through the entire blog.
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: superhacker on February 10, 2010, 01:09:36 PM
New samples are not always detected by the heuristics; maybe all your samples don't match the heuristic rules in avast's heuristics.
And the heuristics are really running; that is what the report from av-comparatives.com says.
And ALWIL and avast are not rogue antivirus, so what they say is what they do.
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: yaslaw on February 10, 2010, 01:29:54 PM
Quote
New samples are not always detected by the heuristics; maybe all your samples don't match the heuristic rules in avast's heuristics.
And the heuristics are really running; that is what the report from av-comparatives.com says.
And ALWIL and avast are not rogue antivirus, so what they say is what they do.

Sorry, no offence, but this is nonsense ;-)

regards
yaslaw
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: superhacker on February 10, 2010, 01:32:12 PM
A lot of things look like nonsense, but you can wait for the next tests and look at the reality.
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: Hermite15 on February 10, 2010, 01:34:12 PM
Quote
A lot of things look like nonsense, but you can wait for the next tests and look at the reality.

use Google translate utility, thanks  :D

...also, if samples had to match heuristics rules, why not get in touch with the hackers and ask them to provide more info about the samples, you know, to adjust heuristics  ;D
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: yaslaw on February 10, 2010, 01:39:24 PM
Quote
New samples are not always detected by the heuristics; maybe all your samples don't match the heuristic rules in avast's heuristics.
And the heuristics are really running; that is what the report from av-comparatives.com says.

Regarding the first statement: we have seen almost NO detections by heuristics (there was one report on the forum about a suspicious sys file - a warning probably from the anti-rootkit module) - it's not only me; other users also never reported any heuristic detection. I sent ALWIL about 5 new undetected samples and never saw any heuristic warning.

Second statement: as I understood it, the malware caught in these tests was caught by superb generic detection, not by heuristics (you can check the report from AV-Comparatives, e.g. about reported FPs), but maybe I'm wrong.

regards..
yaslaw
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: superhacker on February 10, 2010, 01:45:15 PM
Use a virtual machine and debuggers and hex tools and system monitors and............ to learn the rules yourself, thanks.
Maybe you should adjust your thoughts about me too.
4 yaslaw:
Maybe the files detected by the heuristic module are named under generic or any virus name.
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: yaslaw on February 10, 2010, 01:49:51 PM
Quote
4 yaslaw:
Maybe the files detected by the heuristic module are named under generic or any virus name.

Gohoos81 asked
Quote
Is this feature not implemented yet or are heuristic-based detections assessed as "malware-gen" and lumped into the same "malware-gen" category as signature-based detections?

Do you see some similarity??? That's why we are asking again and again, because we DON'T know, and we would like to hear some answers.. I guess that we expressed our questions quite clearly, and you, as a man of pure 0 and 1 logic, shouldn't have any problem understanding it ;D
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: superhacker on February 10, 2010, 01:51:29 PM
ok, vlk please answer us, plaese
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: disPlay on February 10, 2010, 02:04:38 PM
Quote
ok, vlk please answer us, plaese

Please not Plaese  ;)
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: kubecj on February 10, 2010, 02:12:52 PM
Regarding the disappearing definitions - yes, we occasionally do a cleanup. Sometimes even a huge cleanup can happen - I have one prepared for next month; it will make a big difference in the total numbers (which just proves that this number is a bit of nonsense).

Regarding heuristics: the engine is in there and is being tested. The detections for now are still done in the standard way. Code emulator works and is able to catch some modified samples.
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: yaslaw on February 10, 2010, 02:25:22 PM
Quote
Regarding heuristics: the engine is in there and is being tested. The detections for now are still done in the standard way.

Thx for the answer.. So we will wait to see when it will be done..

Regards
yaslaw
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: coolsilver on February 10, 2010, 03:27:32 PM
What do you want Vlk to answer?

I am having trouble following what the issue or misunderstanding is that needs to be addressed.

Not to mention a lot of pettiness.
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: Gohoos81 on February 11, 2010, 02:59:35 AM
Quote
Regarding heuristics: the engine is in there and is being tested. The detections for now are still done in the standard way.

Thanks for your response, kubecj.

Since it seems heuristics are not fully implemented per the statement above, when is the decided, or anticipated, launch date for fully implementing this feature? Am I correct to assume that the release of avast! 5.1 is the intended launch date of a fully operational heuristics engine?
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: RejZoR on February 11, 2010, 07:57:54 AM
@kubecj
Can we anticipate general and not family-based heuristics? I'm talking about heuristics that could catch unknown samples on its own regardless of the family of the malware. Some AVs seem to have this part pretty strong. I mean, by checking for common malware structure and behavior instead of a very specific one. I know this would increase the FP rate slightly, but detecting new junk better is imo more important.
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: kubecj on February 11, 2010, 09:36:14 AM
Nope. There is no big heuristic launch prepared. The engine is in there and will be used when needed.
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: Gohoos81 on February 11, 2010, 10:12:22 AM
Quote
Nope. There is no big heuristic launch prepared. The engine is in there and will be used when needed.

@kubecj
Hi, I may have misunderstood your last comment. Could you clarify which is correct:

1. I took "the engine is in there and is being tested" to mean "the capability is present currently, but we are still ironing out the bugs and refining it" rather than "the capability is present currently, and when heuristics are set, the engine is testing accessed files heuristically for malware characteristics".

2. I also took "detections are being done in the standard way" to mean "we are only detecting malware using signature-based detections, both specific and our well-known generic detections" rather than "when the heuristic engine detects malware heuristically, it is reported in the standard way as 'malware-gen', but this may be refined or separated from signature-based 'malware-gen' detections in the future to something like 'Heur-malware', etc."

Based on your last post, it seems you are saying that heuristics are working in the publicly available build now, and adjusting the heuristic sensitivity WILL have an impact on how likely an unknown sample is to be reported as malware; but right now, heuristic detections are reported in a manner similar to generic detections, so the casual end user would not know whether a sample was detected by heuristics or by signature-based methods based solely on the name of the detection, because heuristic detections and signature-based detections have indistinguishable detection names (e.g. a heuristic detection of a sample with no matching generic signature is reported as "malware-gen", but a detection based off a generic signature may also be reported as "malware-gen").

Thanks for your help so far.
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: RejZoR on February 11, 2010, 10:17:20 AM
So, basically heuristics engine in avast! is there just for malware that cannot be effectively detected by signature alone.
You're not planning any generic proactivity with heuristics engine. That's a bummer...
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: kubecj on February 11, 2010, 10:19:17 AM
It's a bit more complicated. But if you want to test if the heuristics are doing anything, take a binary editor and the standard EICAR file and change a few characters (you must not change the length) and then play with the heuristic level.
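kubecj's EICAR experiment from the post above, scripted as an added example (not code from the thread or from Avast): it writes the unmodified EICAR test file plus variants with one to eight substituted characters, each the same 68-byte length, so every file can be scanned in turn while the heuristic level is changed. The output file names, the range of bytes that gets altered and the substitution rule are my assumptions; the EICAR string itself is the published standard one.

```python
import os
import random
import tempfile

# Standard 68-byte EICAR test string (published by eicar.org; harmless by design).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumption: only alter the readable middle ("EICAR-...-FILE!"), leaving the
# 27-byte program header and the trailing "$H+H*" intact so variants stay plain ASCII.
MUTABLE = range(28, 63)


def mutate(sample: str, changes: int, seed: int = 0) -> str:
    """Return a copy of `sample` with exactly `changes` characters substituted.

    The length is preserved, which is the condition kubecj states; positions are
    drawn deterministically from `seed` so a run can be repeated exactly."""
    rng = random.Random(seed)
    positions = rng.sample(list(MUTABLE), changes)
    chars = list(sample)
    for pos in positions:
        # always pick a letter that differs from the original, so one edit = one change
        chars[pos] = "A" if chars[pos] != "A" else "B"
    return "".join(chars)


def hamming(a: str, b: str) -> int:
    """Number of differing positions between two equal-length strings."""
    assert len(a) == len(b)
    return sum(x != y for x, y in zip(a, b))


def write_variants(out_dir=None, max_changes: int = 8) -> dict:
    """Write eicar_0.com (unmodified) .. eicar_<max_changes>.com into out_dir.

    Returns {path: number_of_substitutions}; out_dir defaults to a fresh temp dir."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="eicar_heur_")
    os.makedirs(out_dir, exist_ok=True)
    written = {}
    for k in range(max_changes + 1):
        body = EICAR if k == 0 else mutate(EICAR, k)
        path = os.path.join(out_dir, f"eicar_{k}.com")
        with open(path, "w", newline="") as fh:  # no newline translation: keep 68 bytes
            fh.write(body)
        written[path] = k
    return written


if __name__ == "__main__":
    for path, k in write_variants().items():
        print(f"{k} substitution(s) -> {path}")
```

Scan the directory once per heuristic setting and note the highest k still flagged; the unmodified eicar_0.com should be caught by the plain signature at every setting, so any difference between settings shows up only on the altered copies.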
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: kubecj on February 11, 2010, 10:20:01 AM
Quote
So, basically heuristics engine in avast! is there just for malware that cannot be effectively detected by signature alone.
You're not planning any generic proactivity with heuristics engine. That's a bummer...

I did not say anything like that and I mean the clear opposite of what you wrote.
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: Gohoos81 on February 11, 2010, 10:34:17 AM
I have a question on clarifying heuristics (see the below).  Thanks!
Title: Re: Avast 5 heuristic and disappearing virus definitions
Post by: Gohoos81 on February 12, 2010, 01:55:05 AM
Quote
It's a bit more complicated. But if you want to test if the heuristics are doing anything, take a binary editor and the standard EICAR file and change a few characters (you must not change the length) and then play with the heuristic level.

@kubecj
It seems to me like you are saying that the heuristics are active and adjusting the sensitivity level will impact how likely it is for avast's engine to report a file as malware when that file has similar, but not identical, characteristics to a previously known malware signature/sample.

Is this correct, more or less?

**If this is more or less correct, why not change the detection name to "Heur-malware" for all "malware" samples that would NOT be detected if the sensitivity bar were set to "off"?** --> Doing this will reassure users that the product is working as intended (many of us were concerned because we had not seen a "heuristic" detection yet) and will enable better FP management, as users are more likely to report false positives on files they believe are clean when the detection is heuristic ("educated guess" in layman's terms) than when it is based on a complete signature. Better FP reporting to avast enables cleaner signatures, improves the revision process for the heuristic engine(s) by eliminating heuristic rules that generate excessive FPs, and improves the user experience as fewer FPs are generated over time due to more accurate feedback on FPs.