
about viruses variants' naming


stimulator32
January 10th, 2010, 01:12 PM
Hello,

can I rely on the ThreatSense naming of viruses that are detected by heuristics?

I am very concerned with virus names, but I have recently found that sometimes there is an essential difference between their names depending on whether they are detected by signatures or by heuristics!

This means there is a possibility that the names of viruses that are detected by heuristics (passive heuristic, active heuristic, generic signatures) are wrong and not accurate! And every time I see "a variant of", "probably" or "Gen." I should bear in mind that there is a big chance that the detection name is wrong!

Here are some examples of viruses that have different names according to the detection method (signature or heuristic):

-C:\Users\stimulator32\Desktop\555\Net-Worm.Win32.Mytob.ay.zip » ZIP » Net-Worm.Win32.Mytob.ay - Win32/Mytob.GT worm
When I disable the detection by signatures:
-C:\Users\stimulator32\Desktop\555\Net-Worm.Win32.Mytob.ay.zip » ZIP » Net-Worm.Win32.Mytob.ay - probably a variant of Win32/Mydoom.CP worm

-C:\Users\stimulator32\Desktop\555\Trojan-Banker.Win32.Banker.aajq.zip » ZIP » Trojan-Banker.Win32.Banker.aajq - Win32/TrojanProxy.Small.NBG trojan
When I disable the detection by signatures:
-C:\Users\stimulator32\Desktop\555\Trojan-Banker.Win32.Banker.aajq.zip » ZIP » Trojan-Banker.Win32.Banker.aajq - a variant of Win32/Injector.FP trojan

-C:\Users\stimulator32\Desktop\555\Trojan-Banker.Win32.Banker.aarp.zip » ZIP » Trojan-Banker.Win32.Banker.aarp - Win32/Spy.Delf.NNB trojan
When I disable the detection by signatures:
-C:\Users\stimulator32\Desktop\555\Trojan-Banker.Win32.Banker.aarp.zip » ZIP » Trojan-Banker.Win32.Banker.aarp - a variant of Win32/Spy.Banker.AEMZ trojan

-C:\Users\stimulator32\Desktop\555\Virus.Win32.Sality.o.zip » ZIP » Virus.Win32.Sality.o - Win32/Sality.O virus
When I disable the detection by signatures:
-C:\Users\stimulator32\Desktop\555\Virus.Win32.Sality.o.zip » ZIP » Virus.Win32.Sality.o - a variant of Win32/Kryptik.DF trojan


(The viruses can be sent only to moderators for ascertainment).

I suppose that when the detection of a virus by heuristics is "a variant of Conficker worm" or "PE NewHeur virus" and, after being added to the signature database, it becomes "Win32/Conficker AA worm", that is an acceptable and normal issue ..

But when the issue was like my examples above, is it acceptable?

Many thanks in advance ..

Marcos
January 10th, 2010, 01:18 PM
The point is to detect malicious files regardless of how they are named. With the current number of threats counting in dozens of millions it's impossible to create a separate signature for every single threat. No AV company is doing that and never will, otherwise they couldn't use heuristics and 99,99% would be undetected.

stimulator32
January 10th, 2010, 01:27 PM
-{ Quote: "The point is to detect malicious files regardless of how they are named. With the current number of threats counting in dozens of millions it's impossible to create a separate signature for every single threat. No AV company is doing that and never will, otherwise they couldn't use heuristics and 99,99% would be undetected." }-

Hello Marcos,

Kaspersky company gives a specific signature for every single threat ..

Avira does that too ..

stimulator32
January 10th, 2010, 01:41 PM
Look at Kaspersky's signatures:

[attachment 214753]

and Avira:

[attachment 214754]

Every threat has a signature!!

Marcos
January 10th, 2010, 01:57 PM
This is absolutely not true. I've checked a bunch of today's samples, more than 6000 were detected by Antivir as generic (according to their names, but that doesn't mean signatures without "gen" are necessarily not generic). Just to name some of them:

TR/Crypt.ASPM.Gen
TR/Crypt.CFI.Gen
TR/Crypt.EPACK.Gen2
TR/Crypt.FKM.Gen
TR/Crypt.FSPM.Gen
TR/Crypt.Morphine.Gen
TR/Crypt.MWPM.Gen
TR/Crypt.NSAnti.Gen
TR/VB.Downloader.Gen
TR/Vundo.Gen
BDS/Hupigon.Gen
DR/Delphi.Gen

Similar situation with Kaspersky as well as any other AVs:
Backdoor.Win32.IRCBot.gen
Backdoor.Win32.Rbot.gen
Backdoor.Win32.VB.gen
Email-Worm.Win32.generic
Heur.Backdoor.Generic
Heur.Trojan.Generic
Heur.Worm.Generic
Trojan-Spy.Win32.Zbot.gen
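The practical problem raised in both posts is telling, from a scan log alone, which detection names are family-level or heuristic labels and which are specific signature hits, and spotting cases like the opening post's where the two detection modes give different families. The following script is an added example written for this thread, not code from ESET, Avira or Kaspersky: it parses log lines in the format quoted above (path » ZIP » inner object - detection name), classifies each name using the markers the posters mention ("a variant of" and "probably" for ESET heuristics; ".Gen", ".gen", "Heur." and "Generic" in the Avira and Kaspersky names), and pairs the signature-on and signature-off runs to report where the family differs. The log lines embedded in it are the four pairs from the opening post; the family normalisation rule (drop the last dotted component as the variant suffix) is an assumption made for this example, not a vendor convention.

```python
import re
from dataclasses import dataclass

# Prefixes ESET prepends to heuristic / generic-signature detections
# (the "a variant of" and "probably" forms quoted in the thread).
HEURISTIC_PREFIXES = ("probably a variant of ", "a variant of ", "probably ")

# Family-level ("generic") markers seen in the Avira and Kaspersky names
# listed in the thread: ".Gen", ".Gen2", ".gen", "Heur." and "Generic".
GENERIC_RE = re.compile(r"(\.gen\d*$|^heur\.|generic)", re.IGNORECASE)


@dataclass(frozen=True)
class Detection:
    scanned_object: str  # object chain as logged: archive » ZIP » inner file
    name: str            # detection string exactly as logged
    family: str          # name with any heuristic prefix removed
    kind: str            # "heuristic", "generic" or "specific"


def classify_name(name: str) -> tuple:
    """Return (family, kind) for one detection name."""
    stripped = name.strip()
    lowered = stripped.lower()
    for prefix in HEURISTIC_PREFIXES:
        if lowered.startswith(prefix):
            return stripped[len(prefix):], "heuristic"
    # Only the first token is the name proper; ESET appends a category
    # word ("worm", "trojan", "virus") after a space.
    token = stripped.split()[0] if stripped else ""
    if GENERIC_RE.search(token):
        return stripped, "generic"
    return stripped, "specific"


def family_key(family: str) -> str:
    """Normalise 'Win32/Spy.Banker.AEMZ trojan' to 'win32/spy.banker'.
    Assumption for this example: the last dotted component is the variant
    suffix, and the trailing category word is dropped, so two names are
    compared at family level only."""
    token = family.split()[0]
    parts = token.split(".")
    if len(parts) > 1:
        parts = parts[:-1]
    return ".".join(parts).lower()


def parse_log_line(line: str) -> Detection:
    """Parse '-<path> » ZIP » <inner> - <detection name>' (thread format).
    The last ' - ' separates the object chain from the detection name."""
    text = line.strip().lstrip("-").strip()
    objects, sep, name = text.rpartition(" - ")
    if not sep:
        raise ValueError(f"no ' - ' separator in log line: {line!r}")
    family, kind = classify_name(name)
    return Detection(objects.strip(), name.strip(), family, kind)


def compare_runs(signature_lines, heuristic_lines):
    """Pair the two scan runs by scanned object and report, per object,
    (inner file, signature-run family, heuristic-run family, same family?)."""
    by_object = {d.scanned_object: d for d in map(parse_log_line, signature_lines)}
    report = []
    for line in heuristic_lines:
        heur = parse_log_line(line)
        sig = by_object.get(heur.scanned_object)
        if sig is None:
            continue  # object not present in the signature run
        inner = heur.scanned_object.rsplit(" » ", 1)[-1]
        agree = family_key(sig.family) == family_key(heur.family)
        report.append((inner, sig.family, heur.family, agree))
    return report


# The four pairs of log lines quoted in the opening post: signatures on, then off.
SIGNATURE_RUN = [
    r"-C:\Users\stimulator32\Desktop\555\Net-Worm.Win32.Mytob.ay.zip » ZIP » Net-Worm.Win32.Mytob.ay - Win32/Mytob.GT worm",
    r"-C:\Users\stimulator32\Desktop\555\Trojan-Banker.Win32.Banker.aajq.zip » ZIP » Trojan-Banker.Win32.Banker.aajq - Win32/TrojanProxy.Small.NBG trojan",
    r"-C:\Users\stimulator32\Desktop\555\Trojan-Banker.Win32.Banker.aarp.zip » ZIP » Trojan-Banker.Win32.Banker.aarp - Win32/Spy.Delf.NNB trojan",
    r"-C:\Users\stimulator32\Desktop\555\Virus.Win32.Sality.o.zip » ZIP » Virus.Win32.Sality.o - Win32/Sality.O virus",
]
HEURISTIC_RUN = [
    r"-C:\Users\stimulator32\Desktop\555\Net-Worm.Win32.Mytob.ay.zip » ZIP » Net-Worm.Win32.Mytob.ay - probably a variant of Win32/Mydoom.CP worm",
    r"-C:\Users\stimulator32\Desktop\555\Trojan-Banker.Win32.Banker.aajq.zip » ZIP » Trojan-Banker.Win32.Banker.aajq - a variant of Win32/Injector.FP trojan",
    r"-C:\Users\stimulator32\Desktop\555\Trojan-Banker.Win32.Banker.aarp.zip » ZIP » Trojan-Banker.Win32.Banker.aarp - a variant of Win32/Spy.Banker.AEMZ trojan",
    r"-C:\Users\stimulator32\Desktop\555\Virus.Win32.Sality.o.zip » ZIP » Virus.Win32.Sality.o - a variant of Win32/Kryptik.DF trojan",
]

if __name__ == "__main__":
    for inner, sig, heur, agree in compare_runs(SIGNATURE_RUN, HEURISTIC_RUN):
        flag = "same family" if agree else "DIFFERENT family"
        print(f"{inner}: {sig!r} vs {heur!r} -> {flag}")
```

Run on the thread's lines, all four pairs are reported as different families, which is the situation the opening post describes. The design point for triage is that `kind` is what the name reliably tells you: a "heuristic" or "generic" label means the engine matched a pattern, not that it identified the family, so any workflow keyed on family names should treat those labels as lower-confidence and rely on the verdict (malicious or not) rather than the name.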