Topic: Avast 5 heuristic and disappearing virus definitions (Read 7288 times)


RejZoR
Re: Avast 5 heuristic and disappearing virus definitions
« Reply #15 on: February 11, 2010, 07:57:54 AM »
@kubecj
Can we anticipate general and not family-based heuristics? I'm talking about heuristics that could catch unknown samples on their own regardless of the family of the malware. Some AVs seem to have this part pretty strong. I mean, by checking for common malware structure and behavior instead of a very specific one. I know this would increase the FP rate slightly, but detecting new junk better is imo more important.

kubecj
Re: Avast 5 heuristic and disappearing virus definitions
« Reply #16 on: February 11, 2010, 09:36:14 AM »
Nope. There is no big heuristic launch prepared. The engine is in there and will be used when needed.

Gohoos81
Re: Avast 5 heuristic and disappearing virus definitions
« Reply #17 on: February 11, 2010, 10:12:22 AM »
> Nope. There is no big heuristic launch prepared. The engine is in there and will be used when needed.

@kubecj
Hi, I may have misunderstood your last comment. Could you clarify which is correct:

1. I took the "engine is in there and is being tested" to mean "The capability is present currently, but we are still ironing out the bugs and refining it" rather than "the capability is present currently and when heuristics are set, the engine is testing files accessed heuristically for malware characteristics". 

2. I also took "detections are being done in the standard way" to mean "we are only detecting malware using signature-based detections, both specific and our well-known generic detections" rather than "when the heuristic engine detects malware heuristically, it is reported in the standard way as 'malware-gen', but this may be refined or separated from signature-based 'malware-gen' detections in the future to something like 'Heur-malware', etc."

Based on your last post, it seems you are saying that heuristics are working in the publicly available build now, and adjusting the heuristic sensitivity WILL have an impact on how likely an unknown sample is to be reported as malware, but right now heuristic detections are reported in a manner similar to generic detections, so the casual end-user would not know whether a sample is detected by heuristics or signature-based methods based solely on the name of the detection, because both heuristic detections and signature-based detections have indistinguishable detection names (e.g. heuristic detection of a sample with no matching generic signatures is reported as "malware-gen", but a detection based on a generic signature may also be reported as "malware-gen").

Thanks for your help so far.

RejZoR
Re: Avast 5 heuristic and disappearing virus definitions
« Reply #18 on: February 11, 2010, 10:17:20 AM »
So, basically the heuristics engine in avast! is there just for malware that cannot be effectively detected by signature alone.
You're not planning any generic proactivity with the heuristics engine. That's a bummer...

kubecj
Re: Avast 5 heuristic and disappearing virus definitions
« Reply #19 on: February 11, 2010, 10:19:17 AM »
It's a bit more complicated. But if you want to test if the heuristics are doing anything, take a binary editor and the standard EICAR file and change a few characters (you must not change the length) and then play with the heuristic level.
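
As an added illustration of the test kubecj describes (not code from this thread or from avast), the toy model below contrasts an exact-hash "signature" with a similarity-based "heuristic" whose threshold rises and falls with a sensitivity level, and shows why a length-preserving change of a few bytes defeats the former but not the latter. The sample bytes, the level-to-threshold mapping and the verdict names are constructed placeholders; the real EICAR string is deliberately not embedded.

```python
import hashlib
from difflib import SequenceMatcher

# Constructed stand-in for the known test file. The real EICAR string is
# deliberately NOT embedded here; this placeholder body only has to be stable.
KNOWN_SAMPLE = b"PLACEHOLDER-TEST-FILE-BODY-NOT-THE-REAL-EICAR-STRING-0123456789"

# A plain "signature": the exact hash of the known sample. Any byte change defeats it.
SIGNATURE = hashlib.sha256(KNOWN_SAMPLE).hexdigest()

# Assumed mapping of heuristic sensitivity level -> minimum similarity ratio
# (constructed values; "off" disables the heuristic entirely, as in the thread).
SENSITIVITY = {"off": None, "low": 0.98, "normal": 0.90, "high": 0.75}


def mutate_keep_length(data: bytes, offsets, replacement: int = 0x78) -> bytes:
    """Overwrite one byte at each offset ("change a few characters") without
    touching the length, which is the constraint kubecj's test imposes."""
    buf = bytearray(data)
    for off in offsets:
        if not 0 <= off < len(buf):
            raise IndexError(f"offset {off} is outside a {len(buf)}-byte sample")
        buf[off] = replacement
    out = bytes(buf)
    assert len(out) == len(data), "length must be preserved"
    return out


def signature_detects(data: bytes) -> bool:
    """Exact-match detection: true only for the unmodified sample."""
    return hashlib.sha256(data).hexdigest() == SIGNATURE


def heuristic_detects(data: bytes, level: str) -> bool:
    """Fuzzy detection: fires when the file is similar enough to the known
    sample, where 'enough' is decided by the sensitivity level."""
    threshold = SENSITIVITY[level]
    if threshold is None:
        return False
    ratio = SequenceMatcher(None, KNOWN_SAMPLE, data).ratio()  # 2*matches/total
    return ratio >= threshold


def classify(data: bytes, level: str) -> str:
    """Return a verdict whose name tells the two methods apart (Gohoos81's request)."""
    if signature_detects(data):
        return "malware-gen"
    if heuristic_detects(data, level):
        return "Heur-malware"
    return "clean"


if __name__ == "__main__":
    variant = mutate_keep_length(KNOWN_SAMPLE, [0, 20, 40])  # three bytes changed
    for level in SENSITIVITY:
        print(level, classify(variant, level))
```

With three bytes changed the variant is about 95% similar, so it is missed at "off" and "low" but reported at "normal" and "high"; ten changed bytes drop it to about 84%, where only "high" still fires.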

kubecj
Re: Avast 5 heuristic and disappearing virus definitions
« Reply #20 on: February 11, 2010, 10:20:01 AM »
> So, basically the heuristics engine in avast! is there just for malware that cannot be effectively detected by signature alone.
> You're not planning any generic proactivity with the heuristics engine. That's a bummer...

I did not say anything like that and I mean the clear opposite of what you wrote.

Gohoos81
Re: Avast 5 heuristic and disappearing virus definitions
« Reply #21 on: February 11, 2010, 10:34:17 AM »
I have a question on clarifying heuristics (see below). Thanks!
« Last Edit: February 12, 2010, 01:56:08 AM by Gohoos81 »

Gohoos81
Re: Avast 5 heuristic and disappearing virus definitions
« Reply #22 on: February 12, 2010, 01:55:05 AM »
> It's a bit more complicated. But if you want to test if the heuristics are doing anything, take a binary editor and the standard EICAR file and change a few characters (you must not change the length) and then play with the heuristic level.

@kubecj
It seems to me like you are saying that the heuristics are active and adjusting the sensitivity level will impact how likely it is for avast's engine to report a file as malware when that file has similar, but not identical, characteristics to a previously known malware signature/sample.

Is this correct, more or less?

**If this is more or less correct, why not change the detection name to "Heur-malware" for all "malware" samples that would NOT be detected if the sensitivity bar were set to "off"?** --> Doing this will reassure users that the product is working as intended (many of us were concerned because we had not seen a "heuristic" detection yet) and will enable better FP management, as users are more likely to report false positives they believe are clean files when the detection is heuristic ("educated guess" in layman's terms) than one based on a complete signature. Better FP reporting to avast enables cleaner signatures, improves the revision process for the heuristic engine(s) by eliminating heuristic rules that generate excessive FPs, and improves the user experience as fewer FPs are generated over time due to more accurate feedback on FPs.