Author Topic: Confused about...  (Read 5592 times)

0 Members and 1 Guest are viewing this topic.

codexaenir

  • Guest
Confused about...
« on: March 01, 2003, 03:18:05 PM »
Quote
Yes and no. The avast! engine traditionally didn't use any heuristics (in the classical sense of word). However, some of the scanning methods, that could be called 'heuristics', were added to the engine couple of years ago. These are used primarily for generic malware and Trojan detection.

I'm a little confused about the heuristics engine that Avast! 4 uses(not the email one).
First of all... what is the classical sense of word in heuristics?
How does the scanning methods called "heuristics" used by Avast! differ from the classical sense.
Which is technically better?

If you could, could you explain a little more in detail?



Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Confused about...
« Reply #1 on: March 03, 2003, 11:04:18 AM »
Quote
First of all... what is the classical sense of word in heuristics?

As an introduction (pretty thorough, though), I recommend reading an excellent article written by Technodrome for Wilders Security forum: http://www.wilderssecurity.com/index.php?board=24;action=display;threadid=2892 . "Reply" #6 specifically discusses heuristics in the classical sense of word. Classical heuristics usually involves some code emulation (i.e. execution of the code that is being analysed, of course in an isolated box). It can be useful mainly for the detection of new/yet-unknown viruses. However, it is never possible to exactly identify the malware with such an approach and is also traditionally prone to false positives. avast! doesn't have any such functionality - it basically relies on its virus database. On the other hand, the way some parts of the avast virus database are constructed (the pre-processing done on our machines) could actually be called "heuristics"...

Maybe Pavel (our virus guru) could explain this in more detail...?

Quote
Which is technically better?
In my opinion, in present time heuristics is just a marginal technique whose importance rapidly decreased when most of the AV's made their databases so good that they actually contain virtually all the virus samples. And with avarage response times in the magnitude of hours rather than days/weeks, the need for generic detection without a record in the virus database went down, too...

Vlk
If at first you don't succeed, then skydiving's not for you.

Pavel Baudis

  • Guest
Re:Confused about...
« Reply #2 on: March 03, 2003, 11:20:12 AM »
Quote
Maybe Pavel (our virus guru) could explain this in more detail...?
:) avast! of course contains the code emulator - it is a must in today's antivirus technologies. It only does not try to decide if something is unknown virus based on the emulation results - there are too many "side effects" and as Vlk correctly mentioned such method can cause many false alarms. Also - with modern viruses which are quite long and are usually written in High Level Languages, the traditional heuristics can't be used. You can see its fail during many recent virus outbreaks. On the other side the generic detection which is based on similarities of virus families is very successful and is of course used by avast! in large scale.

Hope this helps

Pavel