Heuristics can improve malware detection ???

As new malware is constantly rising, some antivirus vendors such as BitDefender have developed heuristic detections, which greatly improved their detection rates. Do you think that Avast should develop heuristics as well in order to increase its detection rate??

Share your thoughts :wink:

Al968

As good as heuristic detection might be, it also greatly increases the number of false positives. :frowning:

Hi al968,

I agree with bob3160 here. Heuristics are something for a HIPS program or an intrusion detection program. HIPS can be very annoying. FPs can be a real pain in the proverbial behind, because if they are for data that are essential for the functioning of your operating system, you have a problem.
If you want to check on something that runs in the background, use KLDetector ( http://dewasoft.com/privacy/kldetector.htm ) to find keyloggers or other trojaned processes that may be running in the background.
Inside the browser you can use the DrWeb anti-virus link checker.
If you insist on a heuristic non-resident AV solution, take F-Prot for DOS aboard; it even comes with an automatic updater now. That is the best heuristic scanner I know of, better than the ones that incorporated it at some time (DrWeb CureIt).

Staying malware free is the wish of,

polonus

Not necessarily. Let's say you have a detection of a program that mass-mails itself to every contact in the address book; is there any legitimate reason to do that?

Also, heuristics don't have to come with false positives; look at BitDefender :wink:

Thanks

Al968

I have the on-demand module of Command AV (based on the F-Prot engine) and I use it as a backup scanner, and I can say heuristics DO cause false positives; perhaps BitDefender has just been lucky so far.

How about Norton with BloodHound ???

Al968

Sorry, but to me Norton is for the dogs; maybe that's why they call it "BloodHound" ;D

Yes, I don't like Norton either, but you have to admit that now this BloodHound technology may improve their detection :frowning: and, like BitDefender, it has few if any false positives.

Al968

I think proactive detections (e.g. heuristics, generic detections, behavior blocking, policy-based methods, etc.) are very important for today's antivirus solutions: they can increase the protection level, make users safer, and give the vendors more time to add other malware signatures or do other important things. Also, proactive detections can be a very good marketing tool. ;D

I think false positives can be greatly reduced by the skill/knowledge/resources of the vendors; some vendors may put more skill/effort into heuristics than others. It doesn't mean that introducing every type of proactive detection would produce unacceptable false positives in every antivirus software; it depends on their skill/knowledge/resources/philosophy/needs. Even signatures can produce false positives.

AVG has heuristic detection too, but it does not do better than Avast! in most of the recognized malware tests.

;D

I think AVG's heuristics are nothing but a marketing tool. IMHO ;D

I have always been amazed by AVG's heuristics: as far as I've seen, AVG's heuristics are not better than avast! (which doesn't have heuristics), even though AVG seems to have all the needed state-of-the-art heuristic technology, at least on its product details page.

http://www.grisoft.com/doc/39/lng/us/tpl/tpl01

I hope the new AVG 7.5's heuristics will bring some improvements.

To quote Vlk

http://forum.avast.com/index.php?topic=21098.0

To prevent speculations, let me just say that enhanced proactive detection (I intentionally don't use the word "heuristics" here, as it usually has a more specific meaning) is something we're definitely looking at, and moving forward, plan to spend considerable time on.

It just needs some time (as other things): currently, I somehow prefer to give up bringing big new features in interim builds (currently released approx. bi-monthly) and favor the “accumulate all big new features for the next major release” model…

Yes, I’m talking about avast 5.

I apologize if this post sounds cryptic.

I don't know if this is still on the table or not, but I think if anyone can get it right, Alwil can (or at least, if it isn't right, it won't be released).

In another thread on the subject Dwarden mentions that some AVs allow multiple levels of heuristic detection. If avast! does incorporate some form of heuristics, I would love to see this option, including an option to turn heuristics completely off if desired.

I somehow prefer to give up bringing big new features in interim builds (currently released approx. bi-monthly) and favor the "accumulate all big new features for the next major release" model...
Alwil, and Vlk, definitely changed their minds. Now we're waiting for a new, big, major release and not avast 4.8 and 4.9.

This was discussed a lot in the past: generic detection is being improved, not "heuristics" as posted in the poll.

Vlk has also posted in the past about how easily a good malware writer can defeat heuristics, but this part about "enhanced proactive detection" still intrigues me:

let me just say that enhanced proactive detection (I intentionally don't use the word "heuristics" here, as it usually has a more specific meaning) is something we're definitely looking at
Dynamic heuristic analysis - code emulation: this means the file is started inside the protected environment of a virtual computer inside AVG Anti-Virus. The file is analyzed for actions typical of viruses, an example being an application which, when run, looks for other executable files in order to modify them.
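The mass-mailer question earlier in the thread, the request for several sensitivity levels plus an "off" switch, and the code-emulation description quoted above all describe the same mechanism: run the sample in a sandbox, record what it does, and score the recorded actions against rules for "actions typical of viruses". The following is an added example, written for this page and not code from AVG, avast!, or any other vendor mentioned here. The action traces, rule names, weights and thresholds are all constructed assumptions chosen to make the trade-off visible: a file infector and a mass mailer score above the threshold, while a legitimate software updater that overwrites its own executables trips the "modifies other executables" rule and becomes a false positive only at the "high" level.

```python
"""Toy behavior-based heuristic scanner over constructed sandbox traces.

A trace is the list of (verb, target) actions a sandbox or emulator would log
while running a sample. Every trace below is hand-written for this example;
no real program was traced. Rule weights and level thresholds are likewise
assumptions, not any vendor's settings.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

Action = Tuple[str, str]
Trace = List[Action]

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")


def modifies_other_executables(trace: Trace) -> bool:
    """Writes into executables it did not create during this run (file-infector pattern)."""
    created = {t for v, t in trace if v == "create_file"}
    touched = {t for v, t in trace
               if v == "write_file" and t.lower().endswith(EXECUTABLE_SUFFIXES)
               and t not in created}
    return len(touched) >= 2


def searches_for_executables(trace: Trace) -> bool:
    """Enumerates the file system looking for *.exe / *.dll targets."""
    return any(v == "find_files" and t.lower().endswith(EXECUTABLE_SUFFIXES)
               for v, t in trace)


def mass_mails(trace: Trace) -> bool:
    """Reads an address book and then sends mail to many distinct recipients."""
    read_book = any(v == "read_file" and "addressbook" in t.lower() for v, t in trace)
    recipients = {t for v, t in trace if v == "send_mail"}
    return read_book and len(recipients) >= 10


def installs_autorun(trace: Trace) -> bool:
    """Adds itself to a Run key so it survives a reboot."""
    return any(v == "reg_write" and "currentversion\\run" in t.lower() for v, t in trace)


@dataclass(frozen=True)
class Rule:
    name: str
    weight: int          # assumed weight; a vendor would tune these against corpora
    matches: Callable[[Trace], bool]


RULES = [
    Rule("modifies_other_executables", 4, modifies_other_executables),
    Rule("searches_for_executables", 2, searches_for_executables),
    Rule("mass_mails", 6, mass_mails),
    Rule("installs_autorun", 2, installs_autorun),
]

# Sensitivity levels (assumed): the score a sample must reach to be reported.
# None means heuristics are switched off entirely.
LEVELS = {"off": None, "low": 8, "normal": 5, "high": 3}


def score(trace: Trace) -> Tuple[int, List[str]]:
    """Return (total weight, names of rules that fired) for one trace."""
    fired = [r.name for r in RULES if r.matches(trace)]
    total = sum(r.weight for r in RULES if r.name in fired)
    return total, fired


def verdict(trace: Trace, level: str = "normal") -> str:
    threshold = LEVELS[level]
    if threshold is None:
        return "clean"
    total, _ = score(trace)
    return "suspicious" if total >= threshold else "clean"


# Constructed traces. FILE_INFECTOR mirrors the quoted AVG example: it hunts
# for executables and writes into ones it did not create.
FILE_INFECTOR: Trace = [
    ("find_files", r"C:\Windows\*.exe"),
    ("write_file", r"C:\Windows\notepad.exe"),
    ("write_file", r"C:\Windows\calc.exe"),
    ("write_file", r"C:\Windows\System32\mspaint.exe"),
    ("reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
]

MASS_MAILER: Trace = [("read_file", r"C:\Users\al\AddressBook.wab")] + [
    ("send_mail", f"contact{i}@example.com") for i in range(12)
]

# A benign updater also overwrites existing executables, just its own ones.
UPDATER: Trace = [
    ("read_file", r"C:\Program Files\Foo\version.txt"),
    ("write_file", r"C:\Program Files\Foo\foo.exe"),
    ("write_file", r"C:\Program Files\Foo\foo.dll"),
]

TEXT_EDITOR: Trace = [
    ("read_file", r"C:\Users\al\notes.txt"),
    ("write_file", r"C:\Users\al\notes.txt"),
]

if __name__ == "__main__":
    samples = {"file_infector": FILE_INFECTOR, "mass_mailer": MASS_MAILER,
               "updater": UPDATER, "text_editor": TEXT_EDITOR}
    for name, trace in samples.items():
        total, fired = score(trace)
        levels = ", ".join(f"{lvl}={verdict(trace, lvl)}" for lvl in LEVELS)
        print(f"{name:14} score={total:2} fired={fired} -> {levels}")
```

Running it shows why the thread cannot agree: the updater is "clean" at "normal" and "suspicious" at "high", so whether heuristics "cause false positives" depends entirely on where the vendor sets the threshold and how the rule weights were tuned, which is the skill/resources point made above. A writer who knows the rules can also stay under any fixed threshold, for instance by infecting only one file per run, which is the evasion weakness the thread attributes to Vlk.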

That sounds like the Norman SandBox

Norman is known for its FPs, isn’t it?

Where can I get this, Mac?

keith... this could be it, or maybe not ??? ???

http://www.f-prot.com/products/

http://www.commandondemand.com/
this one takes a while to load :slight_smile:

You can get the Command AV app at http://www.authentium.com or use the Command on Demand link drhayden posted.

Thank you both.

Well, I believe we would include even a bigger feature if it's easily implementable - but features like heuristics require significant changes throughout the [existing code of the] whole program, so it might be better to rewrite some parts than to change them piece by piece and introduce strange bugs that way.