trend micro heuristic?


AMRX
March 31st, 2007, 05:26 AM
Pattern Version: 4.381.00
Release Type: New Malware Threat
Notes: WORM_WOMBLE.AB

March 30, 2007, 13:03:07 (GMT - 08:00)

---------------------
New Virus Detected:
---------------------
There are [426] new virus detected by the pattern file.
All detailed virus names please refer to the list below.

BKDR_AGENT.LQX
BKDR_AGENT.LZL
BKDR_AGENT.MBP
BKDR_AGENT.MID
BKDR_BIFROSE.VR
BKDR_BIFROSE.VU
BKDR_BIFROSE.WE
BKDR_DELF.EHF
BKDR_GRAYBIRD.RS
BKDR_HEURISTI.AL
BKDR_HEURISTI.AM
BKDR_HUPIGON.CWH
BKDR_HUPIGON.CXP

This is a part from the page (http://www.trendmicro.com/ftp/products/pattern/whatsnew.txt) which gets updated with every virus pattern file update. Now the virus information page says nothing much about this bug. So is it their new heuristics, or just some fancy bug named heuristik and its variants? If it's heuristics, then why don't they bother letting the users know about the feature?

Yeah yeah, I know about the av-comparatives result, but it's a simple question, so product bashers stay out.
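The excerpt quoted above follows a fixed layout (header fields, a declared count in square brackets, then one TYPE_FAMILY.VARIANT name per line). As an added example, not code from the thread or from Trend Micro, here is a small parser for that layout that pulls out the header, checks the declared count against the names actually present, groups names by type and family, and lists the entries whose "family" field is the generic HEURISTI marker. The sample text is the post's own excerpt, embedded inline; the field names and the HEURISTI marker are taken from it, and everything else (function names, the assumption that the list format is stable) is mine.

```python
# Added example (not from the forum thread or from Trend Micro): parse a
# whatsnew.txt-style pattern release note and group its detection names.
import re
from collections import defaultdict

# Constructed sample: the excerpt quoted in the post above (the name list
# there is truncated, so it carries fewer than the 426 declared entries).
SAMPLE_NOTE = """Pattern Version: 4.381.00
Release Type: New Malware Threat
Notes: WORM_WOMBLE.AB

March 30, 2007, 13:03:07 (GMT - 08:00)

---------------------
New Virus Detected:
---------------------
There are [426] new virus detected by the pattern file.
All detailed virus names please refer to the list below.

BKDR_AGENT.LQX
BKDR_AGENT.LZL
BKDR_AGENT.MBP
BKDR_AGENT.MID
BKDR_BIFROSE.VR
BKDR_BIFROSE.VU
BKDR_BIFROSE.WE
BKDR_DELF.EHF
BKDR_GRAYBIRD.RS
BKDR_HEURISTI.AL
BKDR_HEURISTI.AM
BKDR_HUPIGON.CWH
BKDR_HUPIGON.CXP
"""

# A detection name is TYPE_FAMILY.VARIANT, e.g. BKDR_HEURISTI.AL (assumed
# from the excerpt; other pattern files may use further name shapes).
NAME_RE = re.compile(r"^([A-Z0-9]+)_([A-Z0-9]+)\.([A-Z0-9]+)$")
HEADER_RE = re.compile(r"^(Pattern Version|Release Type|Notes):\s*(.+)$")
COUNT_RE = re.compile(r"There are \[(\d+)\] new virus")


def parse_whatsnew(text):
    """Return (headers, declared_count, [(type, family, variant), ...])."""
    headers, declared, names = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:  # header fields come first and never look like names
            headers[m.group(1)] = m.group(2)
            continue
        m = COUNT_RE.search(line)
        if m:
            declared = int(m.group(1))
            continue
        m = NAME_RE.match(line)
        if m:
            names.append(m.groups())
    return headers, declared, names


def families_by_type(names):
    """Group variants as {type: {family: [variants]}}."""
    out = defaultdict(lambda: defaultdict(list))
    for typ, fam, var in names:
        out[typ][fam].append(var)
    return {t: dict(f) for t, f in out.items()}


def heuristic_entries(names, marker="HEURISTI"):
    """Names whose family field is the generic marker instead of a named family."""
    return [f"{t}_{f}.{v}" for t, f, v in names if f == marker]


def list_is_complete(declared, names):
    """True when the note carries every entry its header declares."""
    return declared is not None and declared == len(names)


if __name__ == "__main__":
    hdr, declared, names = parse_whatsnew(SAMPLE_NOTE)
    print(hdr["Pattern Version"], "declares", declared, "names; excerpt has", len(names))
    print("complete list:", list_is_complete(declared, names))
    print("heuristic entries:", heuristic_entries(names))
    for typ, fams in families_by_type(names).items():
        print(typ, {f: len(v) for f, v in fams.items()})
```

Running it on the excerpt reports 13 names against 426 declared (so the copy is incomplete), and lists BKDR_HEURISTI.AL and .AM as the only entries whose family is the generic marker rather than a named backdoor family, which is the distinction the post is asking about.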

Sjoeii
March 31st, 2007, 07:04 AM
The new heuristic engine is being tested as we speak. It is being tested by a few named testers all over the world. I have to say it works great.

Sputnik
March 31st, 2007, 07:45 AM
> The new heuristic engine is being tested as we speak. It is being tested by a few named testers all over the world. I have to say it works great.
Agreed here, also I'm one of the testers. Especially the false positives rate is very low, and I see more and more heuristic detections.

AMRX
March 31st, 2007, 09:06 AM
That's excellent news! Well, now I remember IBK saying this a long time ago about Trend Micro's heuristics-based detection. I simply forgot it. Now I looked carefully and found some heuristic detection for trojans, dialers, packed malware and password-protected malware. So it's in the current engine version 8.320.1004. What is the version you guys are testing? What's new in that?

Sputnik
March 31st, 2007, 12:16 PM
We (currently) use the same engine, though we use custom signatures.

mrhero
March 31st, 2007, 12:34 PM
Hi Sputnik, on my system the new heuristics flag packed crack files as malware. But I know they aren't malware, only keygens, cracks, etc. This type of behavior is like Sophos, Quickheal and Fortinet, and not good behavior IMO.

Sputnik
March 31st, 2007, 02:22 PM
@mrhero
True, on some more "exotic" packers it will cause false positives. Please note that most of these packers are used on cracks, keygens, hacktools and stuff like that. So it shouldn't be any problem for most Trend Micro users.

Though I've been in touch with the beta team regarding exe-packers for some months now, and they are working on it.