Author Topic: Heuristics

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Heuristics
« Reply #15 on: April 27, 2005, 02:36:29 PM »
Well, heuristics do produce some false positives, but look at signatures. Alwil had many problems with them, and they don't even have heuristics in avast!.
And the sooner they start using heuristics, the better they'll act after some time. False positive reports will help them fine-tune the heuristics so they won't cause FPs later.
Visit my webpage Angry Sheep Blog

TAP

  • Guest
Re: Heuristics
« Reply #16 on: April 27, 2005, 03:34:57 PM »
Heuristics can be successful at some level at catching unknown malware, but they can also be a very strong marketing point for fascinating people, as with NOD32's advanced heuristics and Norman Sandbox.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Heuristics
« Reply #17 on: April 27, 2005, 03:52:09 PM »
Yeah, well, they can, since AH and Sandbox are very effective. BitDefender HIVE will work the same way as Sandbox. I had doubts about it and thought it's only a marketing trick, but it's not. I had several samples that were detected only by heuristics before anyone else even made signatures.
Visit my webpage Angry Sheep Blog

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Heuristics
« Reply #18 on: April 27, 2005, 08:25:03 PM »
...more or less because the malware writer did a lousy job in this case.

The main problem with heuristics engines is that they are publicly available. That is, it's trivial for the virus author to fine-tune his/her masterpiece so that it slips through. It's as easy as that, and it's somehow surprising for me that the punks don't currently do it so often (at least for the relatively unknown scanners such as nod32).

Otherwise, of course I agree heuristics methods are powerful and we're definitely taking them seriously. But it's probably too technical a thing to discuss here - I somehow don't like the screams for heuristics without deep technical background... :-\


Cheers
Vlk
If at first you don't succeed, then skydiving's not for you.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Heuristics
« Reply #19 on: April 27, 2005, 08:34:11 PM »
Yeah, that's the main reason to use heuristics now. avast! is not as well known as Symantec or McAfee, so there would be a very small chance that virii writers will fine-tune against avast!. Maybe a more flexible Blocker could do half of this job, but in its current form it simply fails to do anything. And fine-tuning virii to avoid heuristics is a time-consuming thing. Source code for them is not available, so you have to test each and every modification. And there is no 100% success rate in this.
Visit my webpage Angry Sheep Blog

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Heuristics
« Reply #20 on: April 27, 2005, 08:37:07 PM »
Beating any heuristics engine currently on the market is actually much easier than you might think...
Fortunately for the planet, most of today's malware writers are not very good programmers. :)
If at first you don't succeed, then skydiving's not for you.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Heuristics
« Reply #21 on: April 27, 2005, 08:41:48 PM »
Ok, so if there won't be any heuristics, please think about this:
http://forum.avast.com/index.php?topic=13091.0
Visit my webpage Angry Sheep Blog

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Heuristics
« Reply #22 on: April 27, 2005, 10:25:02 PM »
But if you can program better than the virus makers, then why don't you provide avast! with an even better shield of heuristics?
If we won't have heuristics, the virus samples must be analysed faster to keep avast! at the same level as other antivirus programs.
Well, we realise you're in the USA  ;)
The best things in life are free.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Heuristics
« Reply #23 on: April 28, 2005, 12:04:21 AM »
What I meant is that heuristics is by design weak in the sense that virus authors can freely test their code and tweak it in a way that slips through, and that such tweaking is very easy. That is, the CONTRARY of what Technical is suggesting - i.e. that building a reliable heuristics engine is easy. ;) :)
If at first you don't succeed, then skydiving's not for you.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Heuristics
« Reply #24 on: April 28, 2005, 09:01:12 AM »
Trust me, no one will tweak virii against avast! for a few more years, so take advantage of this while you can. avast! detection rates are good, but not excellent.
Visit my webpage Angry Sheep Blog

o2xygen

  • Guest
Re: Heuristics
« Reply #25 on: April 28, 2005, 10:09:00 AM »
We all realise that it's better to remove a virus ASAP. If you take a virus today, let's say, that avast cannot recognize, then in the two days until the virus definitions are issued, you will already be in big trouble...
Here you realise the need for heuristics... It's better to remove a potential virus and have false positives instead of detecting nothing.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Heuristics
« Reply #26 on: April 28, 2005, 03:00:53 PM »
That is, a CONTRARY of what Technical is suggesting - i.e. that building a reliable heuristics engine is easy. ;) :)
I was not suggesting this or being ironic.
I - the same as you - want avast! better and the Heuristic won't make it worse than now.
Elsewhere I suggested a beta update of the VPS (like we have in SpyBot). This way, only the beta testers will update to the very new signatures, avoiding a huge number of false positives.
Like RejZoR said, avast! detection rates are good, but not excellent.  :)
The best things in life are free.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Heuristics
« Reply #27 on: April 30, 2005, 09:25:38 AM »
I found this on Wilders...

Scan performed at: 29/04/2005 10:49:13
Scanning Log
NOD32 version 1.1083 (20050429) NT
Operating memory - probably unknown NewHeur_PE virus [7]

date: 29.4.2005 time: 10:50:07
Scanned disks, directories and files: C:
C:\pagefile.sys - error opening (file locked) [4]
C:\Documents and Settings\All Users\Application Data\mp3intrahelpsupport\bibblue.exe - probably unknown NewHeur_PE virus [7]
C:\Documents and Settings\All Users\Application Data\mp3intrahelpsupport\Glue Web.exe - probably unknown NewHeur_PE virus [7]

C:\Documents and Settings\Nicholas\Application Data\BinBatDoes\axsdoqdk.exe - probably unknown NewHeur_PE virus [7]
C:\Documents and Settings\Nicholas\Application Data\BinBatDoes\ewwnqxzy.exe - probably unknown NewHeur_PE virus [7]
C:\Documents and Settings\Nicholas\Application Data\BinBatDoes\Global Wipe Base.exe - probably unknown NewHeur_PE virus [7]
C:\Documents and Settings\Nicholas\Application Data\BinBatDoes\jcoxyzjq.exe - probably unknown NewHeur_PE virus [7]
C:\Documents and Settings\Nicholas\Application Data\BinBatDoes\qqdqjohm.exe - probably unknown NewHeur_PE virus [7]
C:\Documents and Settings\Nicholas\Application Data\BinBatDoes\saaqaawy.exe - probably unknown NewHeur_PE virus [7]

number of scanned files: 3827
number of viruses found: 103
time of completion: 10:51:34 total scanning time: 87 sec (00:01:27)

Notes:
[4] File cannot be open. It is being exclusively used by another application or operating system.
[7] File is probably infected with an unknown virus. Please send it to sample@nod32.com

Lots of heuristic detections? According to the file names they are not false positives.
I'm talking about such situations.
Visit my webpage Angry Sheep Blog
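A small triage helper for scan logs in the shape RejZoR quoted above, added here as an example (not code from the thread, from avast! or from any scanner vendor); the sample log lines, the paths and the scoring rule are constructed assumptions. It parses the "path - verdict [code]" lines and ranks the heuristic hits, using the two signals the post relies on: random-looking executable names and several hits in one directory.

```python
import re
from collections import Counter

# Constructed sample in the same "path - verdict [code]" shape as the NOD32 log
# quoted in the thread (paths and names here are made up, not the poster's).
SAMPLE_LOG = """\
C:\\pagefile.sys - error opening (file locked) [4]
C:\\Documents and Settings\\All Users\\Application Data\\helper\\Glue Web.exe - probably unknown NewHeur_PE virus [7]
C:\\Documents and Settings\\User\\Application Data\\Dropper\\axsdoqdk.exe - probably unknown NewHeur_PE virus [7]
C:\\Documents and Settings\\User\\Application Data\\Dropper\\qqdqjohm.exe - probably unknown NewHeur_PE virus [7]
C:\\Program Files\\Editor\\editor.exe - probably unknown NewHeur_PE virus [7]
"""

# One log entry: everything before the last " - " is the path, then the verdict,
# then the note code in square brackets (7 = heuristic hit, 4 = file locked).
LINE_RE = re.compile(r"^(?P<path>.+?) - (?P<verdict>.+?) \[(?P<code>\d+)\]$")
# Eight random lowercase letters plus .exe, like axsdoqdk.exe in the quoted log
# (an assumed rule for this example, not a scanner's own criterion).
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.exe$")


def parse_log(text):
    """Return (path, verdict, code) tuples; lines not in the log shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["path"], m["verdict"], int(m["code"])))
    return entries


def triage(entries):
    """Rank code-7 (heuristic) hits: a random-looking name scores 2, sharing a
    directory with other heuristic hits scores 1. Higher means less likely FP."""
    heur = [e for e in entries if e[2] == 7]
    per_dir = Counter(path.rsplit("\\", 1)[0] for path, _, _ in heur)
    report = []
    for path, _verdict, _code in heur:
        folder, name = path.rsplit("\\", 1)
        score = 0
        if RANDOM_NAME_RE.match(name):
            score += 2
        if per_dir[folder] > 1:
            score += 1
        report.append((path, score))
    # Stable sort keeps log order among equal scores.
    return sorted(report, key=lambda item: -item[1])


if __name__ == "__main__":
    for path, score in triage(parse_log(SAMPLE_LOG)):
        print(score, path)
```

Entries with a score of 0 (a lone hit on a normally named file) are the ones worth sending in as possible false positives first.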