Author Topic: Standard Shield and Heuristic detection

Offline RejZoR

Standard Shield and Heuristic detection
« on: March 12, 2004, 03:03:25 PM »
I was just wondering how it is with this in avast!. I saw such options in NOD32, McAfee and Norton, but there is none for avast!.
Is heuristic scanning enabled by default with a default sensitivity? I don't see any sliders or anything for this.
Otherwise I don't have any complaints about the avast! detection rate :D

Thx
Visit my webpage Angry Sheep Blog

Offline Lisandro

  • Avast team
Re:Standard Shield and Heuristic detection
« Reply #1 on: March 12, 2004, 03:31:56 PM »
I was just wondering how it is with this in avast!. I saw such options in NOD32, McAfee and Norton, but there is none for avast!.
Is heuristic scanning enabled by default with a default sensitivity? I don't see any sliders or anything for this.
Otherwise I don't have any complaints about the avast! detection rate :D

Thx

If you mean the Standard Shield, no, there is no heuristic module for on-access scanning of files.
If you mean in e-mail processing, I can see the slider:
The best things in life are free.

Offline RejZoR

Re:Standard Shield and Heuristic detection
« Reply #2 on: March 12, 2004, 03:43:28 PM »
Do you think the Alwil team will implement it for the on-access scanner too in the near future? I think this would push the detection rate even further.
Visit my webpage Angry Sheep Blog

Offline Lisandro

  • Avast team
Re:Standard Shield and Heuristic detection
« Reply #3 on: March 12, 2004, 03:58:38 PM »
This was discussed a lot in the past...
Some think that this will be the future of detection: generic detection of viruses.
Some are afraid of false positives, and of the silly fact that virus makers will find a way to get past generic detection...
You can search the forums for this theme... ;)
The best things in life are free.

Offline RejZoR

Re:Standard Shield and Heuristic detection
« Reply #4 on: March 12, 2004, 04:07:38 PM »
Ok, thanks, I will. I'm currently working on some research (for myself) about heuristic detection methods, so I have many questions...

Here's another question, hehe...
Would it be possible for avast! to detect the mailing mechanism in mass-mailing worms, so it could detect them even if the worm is not in the VPS list? And then only check other factors for the EXE, like size, which usually never exceeds 200KB for such worms, so FPs would be very low.

Ok, now I need to read some more (hundred ;) ) PDFs about this on Google, hehe, and search this forum...
Visit my webpage Angry Sheep Blog

Offline RejZoR

Re:Standard Shield and Heuristic detection
« Reply #5 on: March 12, 2004, 07:45:52 PM »
What about virus targeting and a scan-by-extension/content option for the Standard Shield (SS)? Is this enabled by default for SS, or could this be a new feature for faster scanning, especially virus targeting (by extension is probably already implemented, because you can set which extensions to scan...)?
Visit my webpage Angry Sheep Blog

Offline igor

  • Avast team
Re:Standard Shield and Heuristic detection
« Reply #6 on: March 13, 2004, 01:28:53 AM »
Would it be possible for avast! to detect the mailing mechanism in mass-mailing worms, so it could detect them even if the worm is not in the VPS list?

In that case, MS Outlook would also be detected as a virus (I know, it may be correct, actually ;D). How do you distinguish "legal" mailing code from malicious? Besides, the mailing code may be encrypted or packed by an obscure packer...

And then only check other factors for the EXE, like size, which usually never exceeds 200KB for such worms, so FPs would be very low.

The problem is that "never" is never 100% correct here. First, even if 200kB may be rare today, it won't be in the near future; second, even today there are worms that e.g. append some files/data after their main file, so they can be rather long.
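The string-plus-size heuristic proposed above, and the three objections raised against it (a legitimate mail client carries the same strings, a packer hides them, appended data pushes the size over the limit), can be run against constructed data. This is an added example, not avast! code and not from any poster in the thread; the SMTP marker strings, the XOR "packer" stand-in and the byte samples are all assumptions made up here.

```python
# Added example (not avast! code): a toy "mass-mailer" heuristic of the kind
# proposed in the thread, run against constructed samples to show where it
# gives a false positive and where it misses. All marker strings, sizes and
# samples are assumptions made up for this illustration.
SMTP_MARKERS = [b"HELO ", b"MAIL FROM:", b"RCPT TO:", b"DATA\r\n"]
SIZE_LIMIT = 200 * 1024  # the "never exceeds 200KB" rule from the thread


def smtp_heuristic(data: bytes, size_limit: int = SIZE_LIMIT) -> dict:
    """Flag a file if it carries at least two raw SMTP command strings
    and is no larger than size_limit bytes."""
    hits = [m.decode() for m in SMTP_MARKERS if m in data]
    return {
        "size": len(data),
        "hits": hits,
        "flagged": len(hits) >= 2 and len(data) <= size_limit,
    }


def xor_pack(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for an 'obscure packer': same program, different bytes on
    disk, so plain string matching no longer sees the markers."""
    return bytes(b ^ key for b in data)


def build_samples() -> dict:
    """Constructed stand-ins for the four cases discussed in the thread."""
    mailer_code = b"HELO x\r\nMAIL FROM:<a@b>\r\nRCPT TO:<c@d>\r\nDATA\r\n"
    worm_like = b"MZ" + mailer_code + b"\0" * 40_000      # small worm
    mail_client = b"MZ" + mailer_code + b"\0" * 150_000   # legitimate client
    return {
        "worm_like": worm_like,
        "mail_client": mail_client,                       # same strings as the worm
        "worm_packed": xor_pack(worm_like),               # markers hidden by packing
        "worm_padded": worm_like + b"\0" * 250_000,       # data appended after the file
    }


def evaluate() -> dict:
    """Run the heuristic over every sample and return name -> flagged."""
    return {name: smtp_heuristic(blob)["flagged"]
            for name, blob in build_samples().items()}


if __name__ == "__main__":
    for name, flagged in evaluate().items():
        print(f"{name:12s} flagged={flagged}")
```

Only the small unpacked worm is caught; the mail client is a false positive, the packed copy shows no markers at all, and the padded copy still contains every marker but fails the size rule.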