Avast 5 heuristics and disappearing virus definitions

Hi,

I’ve tested and scanned a good number of newer malware samples using avast! 5 free (5.0.396) and have noticed no “heuristic” detections when scanning static samples, even with heuristics set to “high” and “code emulation” option checked (PUP checked as well). Is this feature not implemented yet or are heuristic-based detections assessed as “malware-gen” and lumped into the same “malware-gen” category as signature-based detections?

Also, I noticed that the number of definitions sometimes decreases following a VPS update. For example, several days ago, the number of definitions was >2,286,000 and now is only >2,285,000. I assume this is because new detections are being added at the same time that generic detections are being consolidated, so the number of unique detections stays in flux even as new files are being detected/added.

Thanks for the help!

I (and others as well) asked about avast heuristic detection many times before, without any answer. Maybe this time somebody from ALWIL will look at this thread.
It’s a pity that ALWIL’s PR people are doing such a bad job - instead of promoting the new engine and its abilities, we have only laconic information about: the behavioral shield (without a single piece of information about what it has been doing, except “Monitors activity on your computer using a number of sensors (file system, registry and network based) and reports/blocks any suspicious behavior”), the same about heuristics, Behavioral Honeypots (“avast! sensors identify and monitor suspicious file activity on selected computers, automatically submitting files to the Virus Lab for additional analysis.”) - what does “selected computers” mean?
There is no information about changes in the rootkit module (is it still based on GMER???)… etc. etc.
Regards
yaslaw

P.S. Some information can be found on the avast blog - but still not much - and it would be good for avast to combine this information with the main page, simply because not many people will search through the entire blog.

New samples are not always detected by the heuristics; maybe none of your samples match the rules in avast’s heuristics.
And the heuristics really are running, and that is what the report from av-comparatives.com says.
And ALWIL and avast are not rogue antivirus, so what they say is what they do.

sorry no offence but this is nonsense :wink:

regards
yaslaw

A lot of things look like nonsense, but you can wait for the next tests and look at the reality.

use Google translate utility, thanks :smiley:

…also, if samples had to match heuristics rules, why not get in touch with the hackers and ask them to provide more info about the samples, you know, to adjust heuristics ;D

Regarding the first statement: we have seen almost NO detection by heuristics (there was one report on the forum about a suspicious sys file - a warning probably from the anti-rootkit module) - it’s not only me; other users also never reported any heuristic detection. I sent ALWIL about 5 new undetected samples and never saw any heuristic warning.

Second statement: as I understood it, the malware caught in these tests was caught by superb generic detection, not by heuristics (you can check the AV-Comparatives report, e.g. about reported FPs), but maybe I’m wrong.

regards…
yaslaw

Use a virtual machine and debuggers and hex tools and system monitors and… to learn the rules yourself, thanks.
Maybe you should adjust your thoughts about me too.
4 yaslaw:
Maybe the files detected by the heuristic module are named under a generic or any virus name.

4 yaslaw: Maybe the files detected by the heuristic module are named under a generic or any virus name.

Gohoos81 asked

Is this feature not implemented yet or are heuristic-based detections assessed as "malware-gen" and lumped into the same "malware-gen" category as signature-based detections?

Do you see some similarity??? That’s why we are asking again and again, because we DON’T know, and we would like to hear some answers… I guess we expressed our questions quite clearly, and you, as a man of pure 0 and 1 logic, shouldn’t have any problem understanding them ;D

ok, vlk please answer us, plaese

Please not Plaese :wink:

Regarding the disappearing definitions - yes, we occasionally do a cleanup. Sometimes even a huge cleanup can happen - I have one prepared for next month; it will make a big difference in the total numbers (which just proves that this number is a bit of nonsense).

Regarding heuristics: the engine is in there and is being tested. The detections for now are still done in the standard way. Code emulator works and is able to catch some modified samples.

Regarding heuristics: the engine is in there and is being tested. The detections for now are still done in the standard way

Thx for the answer… So we will wait to see when it will be done…

Regards
yaslaw

What do you want Vlk to answer?

I am having trouble following what the issue or misunderstanding is that needs to be addressed.

Not to mention a lot of pettiness.

Thanks for your response kubecj,

Since it seems heuristics are not fully implemented per the statement above, when is the decided, or anticipated launch date for fully implementing this feature? Am I correct to assume that the release of avast! 5.1 is the intended launch date of a fully-operational heuristics engine?

@kubecj
Can we anticipate general and not family-based heuristics? I’m talking about heuristics that could catch unknown samples on their own regardless of the family of the malware. Some AVs seem to have this part pretty strong. I mean, by checking for common malware structure and behavior instead of very specific ones. I know this would increase the FP rate slightly, but detecting new junk better is imo more important.

Nope. There is no big heuristic launch prepared. The engine is in there and will be used when needed.

@kubecj
Hi, I may have misunderstood your last comment. Could you clarify which is correct:

1. I took the “engine is in there and is being tested” to mean “The capability is present currently, but we are still ironing out the bugs and refining it” rather than “the capability is present currently and when heuristics are set, the engine is testing files accessed heuristically for malware characteristics”.

2. I also took “detections are being done in the standard way” to mean “we are only detecting malware using signature-based detections, both specific and our well-known generic detections” rather than “When the heuristic engine detects malware heuristically, it is reported in the standard way as ‘malware-gen’, but this may be refined or separated from signature-based ‘malware-gen’ detections in the future to something like ‘Heur-malware’, etc.”

Based on your last post, it seems you are saying that heuristics are working in the publicly available build now, and adjusting the heuristic sensitivity WILL have an impact on how likely an unknown sample is to be reported as malware, but right now heuristic detections are reported in a manner similar to generic detections, so the casual end-user would not know whether a sample is detected by heuristics or signature-based methods based solely on the name of the detection, because both heuristic detections and signature-based detections have indistinguishable detection names (e.g. heuristic detection of a sample with no matching generic signatures is reported as “malware-gen”, but also a detection based off a generic signature may be reported as “malware-gen”).

Thanks for your help so far.

So, basically heuristics engine in avast! is there just for malware that cannot be effectively detected by signature alone.
You’re not planning any generic proactivity with heuristics engine. That’s a bummer…

It’s a bit more complicated. But if you want to test whether the heuristics are doing anything, take a binary editor and the standard EICAR file, change a few characters (you must not change the length), and then play with the heuristic level.
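The test kubecj describes, as an added example that is not part of the thread and not avast’s own tooling: a small Python script that writes the unmodified EICAR test file next to a few variants in which only a handful of bytes are changed and the 68-byte length is preserved, so anything that still flags a variant cannot be an exact match on the string. The variant names and the mutation offsets are arbitrary choices made for this example; the 68-byte string and the rule that it must be the first bytes of a file no longer than 128 bytes are from the EICAR standard. The script does not predict what any scanner will do with the variants; that is what scanning them at each heuristic level is for.

```python
"""Same-length mutations of the EICAR test file, for probing an AV's heuristic level.

Added example (not from the forum thread). Writes the unmodified EICAR file plus a
few variants in which a handful of bytes are changed while the length stays 68,
so a scanner that still flags a variant is not matching the exact string.
Variant names and mutation offsets are arbitrary choices for this example.
"""
import os
from typing import Dict, List

# Standard EICAR test string, 68 bytes. Per the EICAR spec the string must be the
# first 68 bytes of the file; only whitespace may follow, up to 128 bytes total.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def mutate_same_length(data: bytes, edits: Dict[int, int]) -> bytes:
    """Return a copy of `data` with the byte at each given offset replaced.

    The length never changes (the constraint kubecj mentions). Every offset must
    lie inside the buffer and every replacement value must be a single byte.
    """
    buf = bytearray(data)
    for offset, value in edits.items():
        if not 0 <= offset < len(buf):
            raise IndexError(f"offset {offset} is outside the {len(buf)}-byte buffer")
        if not 0 <= value <= 0xFF:
            raise ValueError(f"{value!r} is not a byte value")
        buf[offset] = value
    return bytes(buf)


def diff_offsets(a: bytes, b: bytes) -> List[int]:
    """Offsets at which two equal-length buffers differ (sanity check for a variant)."""
    if len(a) != len(b):
        raise ValueError("buffers differ in length; that would be a different test")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def build_variants() -> Dict[str, bytes]:
    """Unmodified EICAR plus three same-length variants touching different regions."""
    variants = {
        "eicar_original.com": EICAR,
        # Change the readable name in the middle: "EICAR" -> "EICAX" (offset 32 is the R).
        "eicar_mut_name.com": mutate_same_length(EICAR, {32: ord("X")}),
        # Change two characters in the opcode-looking prefix at the start of the file.
        "eicar_mut_prefix.com": mutate_same_length(EICAR, {1: ord("6"), 2: ord("Q")}),
        # Change both H's in the trailing "$H+H*" terminator.
        "eicar_mut_tail.com": mutate_same_length(EICAR, {64: ord("G"), 66: ord("G")}),
    }
    for name, blob in variants.items():
        assert len(blob) == len(EICAR), f"{name} changed length"
    return variants


def write_variants(outdir: str) -> List[str]:
    """Write the variants into `outdir` and return their paths, ready for scanning."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for name, blob in build_variants().items():
        path = os.path.join(outdir, name)
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths


if __name__ == "__main__":
    # Hypothetical output directory name; point the scanner at it afterwards.
    for p in write_variants("eicar_variants"):
        print(p)
```

Run the script, then scan the output directory once per heuristic setting (low, normal, high, with and without code emulation) and note which files are flagged at each level. The unmodified file is an exact-string match and should be flagged regardless of the heuristic setting, so it only confirms the scanner is working; the variants are the informative part. Keep the files at 68 bytes: appending anything other than whitespace, or going past 128 bytes, takes the file outside the EICAR specification and a miss then tells you nothing.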