Author Topic: Generic detection Vs Heuristics?  (Read 5304 times)


Offline Tonanet

  • Sr. Member
  • ****
  • Posts: 353
  • I'm a llama!
Generic detection Vs Heuristics?
« on: April 29, 2006, 06:56:54 PM »
Hello guys!

I am not sure about one thing...

I know that Avast doesn't have any heuristics in scanning (only in email), but I have seen a lot of detections with the "-gen" suffix, which makes me believe that it is a generic detection for a specific virus family... Is that right?

But aren't generic detection and heuristics more or less the same thing? They are both proactive, right?

May I assume that Avast has generic detection and has a level of proactive detection?

Thanks for your time,

Elminster

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1791
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: Generic detection Vs Heuristics?
« Reply #1 on: April 29, 2006, 07:31:54 PM »
I'll try to keep it simple:

Generic detection usually catches the same family or similar subfamilies of the same virus ...

So-called heuristics go beyond that and are capable of detecting even unknown threats by looking for possibly dangerous code ...

But there is heated discussion on who is using what type of heuristics, plus sometimes it can be really prone to causing tons of false alarms (some AVs offer multiple levels of heuristic analysis, which multiply scan times and false positives).
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Generic detection Vs Heuristics?
« Reply #2 on: April 29, 2006, 07:35:26 PM »
Yes, that is correct. What the industry calls "heuristics" is usually code emulation + evaluation of what the program is doing (e.g. if it's infecting other executable files).

Generic detection uses a slightly different approach - it uses the fact that whole classes of malware (e.g. *bots) have certain standard structure, and can be identified this way. Avast is actively using this technology.

And, yes, both approaches are pro-active.
If at first you don't succeed, then skydiving's not for you.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9385
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Generic detection Vs Heuristics?
« Reply #3 on: April 29, 2006, 07:41:05 PM »
Generic detection relies on similarities between malware samples, while heuristics prefer to do good/bad thresholding and determine whether a file is bad or good.

So heuristics may detect malware from scratch, while for generics you first have to know specific similarities. Not always, but this applies most of the time.

avast! didn't rely on either too much before, but in the last few months there were larger numbers of generic signatures added to the database. I just hope the Alwil guys will extend this even further, because the technology is there, available to use, while heuristics aren't available yet. So far they seem to do a good job :)
Visit my webpage Angry Sheep Blog
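To make the distinction drawn in the two replies above concrete, here is an added toy example (written for this thread, not avast!'s or Alwil's code): a "generic" signature that matches the shared structure of a constructed bot family, beside a heuristic that scores observed actions against a threshold. All byte strings, action traces and weights are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Generic detection: one signature describes the structure a whole family
# shares; the wildcards (.{2}, [a-z.]+, [A-Z]{3,8}) absorb what varies
# between variants, so a new member of the family matches without an update.
BOT_FAMILY_GEN = re.compile(
    rb"BOTCFG\x00.{2}\x00IRC:[a-z.]+\x00CMD:[A-Z]{3,8}\x00", re.DOTALL)

def generic_scan(data: bytes) -> Optional[str]:
    """Return the family label when the family's structure is present."""
    return "Win32:Bot-gen" if BOT_FAMILY_GEN.search(data) else None

# Heuristics: emulate/observe what the program does and weigh the actions;
# the verdict is a threshold on the total, not a match on bytes.
SUSPICIOUS_WEIGHTS = {          # constructed weights
    "writes_other_exe": 4,      # modifying other executables (infection)
    "irc_connect": 3,           # bot-style command channel
    "adds_autorun": 2,          # persistence
    "self_delete": 2,           # dropper hiding itself
    "creates_file": 1,          # common in benign installers too
    "registry_write": 1,        # likewise
}

def heuristic_score(actions: List[str]) -> int:
    return sum(SUSPICIOUS_WEIGHTS.get(a, 0) for a in actions)

def heuristic_scan(actions: List[str], threshold: int) -> Optional[str]:
    """Lower threshold = more sensitive, but also more false alarms."""
    return "Suspicious" if heuristic_score(actions) >= threshold else None

# Constructed samples: (file bytes, actions seen during emulation)
SAMPLES: Dict[str, Tuple[bytes, List[str]]] = {
    "bot_variant_a": (b"MZ\x90\x00BOTCFG\x00\x01\x02\x00IRC:irc.example.net\x00CMD:JOIN\x00",
                      ["irc_connect", "adds_autorun", "self_delete"]),
    "bot_variant_b": (b"MZ\x90\x00BOTCFG\x00\xff\x7f\x00IRC:cc.example.org\x00CMD:FLOOD\x00",
                      ["irc_connect", "adds_autorun"]),
    "unknown_infector": (b"MZ\x90\x00PAYLOAD\x00\xde\xad",
                         ["writes_other_exe", "adds_autorun", "creates_file"]),
    "benign_installer": (b"MZ\x90\x00SETUP\x00v1.2",
                         ["creates_file", "registry_write", "adds_autorun"]),
}

def compare(threshold: int = 6) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Per sample: (generic verdict, heuristic verdict) at the given level."""
    return {name: (generic_scan(data), heuristic_scan(acts, threshold))
            for name, (data, acts) in SAMPLES.items()}

if __name__ == "__main__":
    for level in (6, 4):  # normal vs. aggressive heuristic level
        print(f"threshold={level}:", compare(level))
```

At the normal level, variant B is caught only by the family signature and the unknown infector only by the heuristic; dropping the threshold to 4 also catches variant B heuristically but flags the benign installer, which is the false-positive trade-off Dwarden describes.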

Offline Tonanet

  • Sr. Member
  • ****
  • Posts: 353
  • I'm a llama!
Re: Generic detection Vs Heuristics?
« Reply #4 on: April 29, 2006, 08:18:23 PM »
Thanks all for the answers! :)

I was asking because I see that avast is detecting a lot of spybot variants with the gen detection... I believe it's doing very good work in this area...
I confess that I am surprised by the return that these generic detections are giving to avast's detection rate.

It is still not the top, but I believe it has increased a lot.

I hope to see more things like that in the future, for other families... After so many complaints about the detection rate, this is one of the paths that leads to better detection.

Thanks all for your time,

Elminster