Wilders Security Forums  

#1
August 23rd, 2007, 03:43 PM
bellgamin (Very Frequent Poster; Join Date: Aug 2002; Location: Hawaii; Posts: 5,202)
Antivirus heuristics VS behavior blocker?

In a separate thread I asked whether or not Avast has heuristics. Rejzor's answer to that question was as follows...

Quote:
Heuristics in the right meaning of the word, no. But they do have and use quite some generic detection techniques which can partially be classified as heuristics. You can check AV-Comparatives Proactive test to see how well it fared... Behavior detection may come in avast! 5.x

I found it interesting that Rejzor used the term "behavior detection" in reference to the heuristics of an antivirus program.

Accordingly, I have three questions...

Q1- What is different between what an AV program's heuristics does COMPARED WITH what a behavior blocker does?

Q2- What sort of threat might be detected by strong heuristics (such as those of NOD32 or Avira) that would NOT cause a notification to be issued by a behavior blocker program (such as System Safety Monitor, ProSecurity, or Threatfire)?

Q3- If someone is INTELLIGENTLY using a good behavior blocker, as an added layer to an antivirus program, is it true (or false) that antivirus heuristics are NOT all that important?
#2
August 23rd, 2007, 04:58 PM
solcroft (Very Frequent Poster; Join Date: Jun 2006; Posts: 1,639)
Re: Antivirus heuristics VS behavior blocker?

Quote:
Originally Posted by bellgamin
Q1- What is different between what an AV program's heuristics does COMPARED WITH what a behavior blocker does?
In vastly simplified terms, heuristics inspects the CODE of a file and tries to guess what that code does, and/or checks it for similarities with already known malware to detect new variants. A behavior blocker monitors the ACTIONS performed by a program in real-time like a HIPS does, and steps in when it detects potentially malicious behavior. There is a grey area between the two, as some AVs' heuristics are somewhat behavior-blocker-like (using emulation).

Quote:
Originally Posted by bellgamin
Q2- What sort of threat might be detected by strong heuristics (such as those of NOD32 or Avira) that would NOT cause a notification to be issued by a behavior blocker program (such as System Safety Monitor, ProSecurity, or Threatfire)?
Generally speaking, heuristics are vulnerable to code obfuscation (strong packers, random code sequences etc) while behavior blockers fail against non-standard behavior. For instance, instead of mass-deleting files at once, a trojan could slowly delete .doc files one at a time over a certain period. Again this is very general.

Quote:
Originally Posted by bellgamin
Q3- If someone is INTELLIGENTLY using a good behavior blocker, as an added layer to an antivirus program, is it true (or false) that antivirus heuristics are NOT all that important?
Given the current trend of malware, this is currently true. Most malware focus on tricking antivirus scanners nowadays, while behavior blockers are largely ignored.
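To make solcroft's slow-deletion point concrete, here is an added example (not code from the post or from any product) run over a constructed event stream: a short-window rate rule of the kind a behavior blocker applies flags only the fast deleter, while a long-horizon per-process count also catches the one that spreads its deletes out.

```python
from collections import defaultdict
from typing import List, Set, Tuple

# Constructed event stream: (timestamp_seconds, process, action, path). Made up for this
# example. Two synthetic programs delete the same number of .doc files: one in a burst,
# the other one file every ten minutes; a third does a single, ordinary delete.
EVENTS: List[Tuple[float, str, str, str]] = (
    [(1.0 + i * 0.01, "burst.exe", "delete", f"C:\\docs\\report{i}.doc") for i in range(25)]
    + [(60.0 + i * 600.0, "slow.exe", "delete", f"C:\\docs\\memo{i}.doc") for i in range(25)]
    + [(5.0, "word.exe", "delete", "C:\\docs\\~$tmp.doc")]
)

BURST_WINDOW_S = 10.0  # rate rule: flag BURST_THRESHOLD deletes inside this sliding window
BURST_THRESHOLD = 10
TOTAL_THRESHOLD = 20   # long-horizon rule: total document deletes per process, at any rate


def is_doc_delete(action: str, path: str) -> bool:
    return action == "delete" and path.lower().endswith(".doc")


def flag_by_burst(events) -> Set[str]:
    """Typical behaviour-blocker rule: many document deletes within a short window."""
    flagged: Set[str] = set()
    recent = defaultdict(list)  # per-process timestamps still inside the window
    for ts, proc, action, path in sorted(events):
        if not is_doc_delete(action, path):
            continue
        window = recent[proc]
        window.append(ts)
        while window and ts - window[0] > BURST_WINDOW_S:  # expire old timestamps
            window.pop(0)
        if len(window) >= BURST_THRESHOLD:
            flagged.add(proc)
    return flagged


def flag_by_total(events) -> Set[str]:
    """Long-horizon rule: count document deletes per process over the whole session."""
    counts = defaultdict(int)
    for _, proc, action, path in events:
        if is_doc_delete(action, path):
            counts[proc] += 1
    return {proc for proc, n in counts.items() if n >= TOTAL_THRESHOLD}
```

The second rule is what a blocker needs to keep alongside the first; the cost is that it can only alert after the damage has accumulated, which is the trade-off behind the "non-standard behavior" gap.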
#3
August 23rd, 2007, 06:29 PM
Tweakie (Regular Poster; Join Date: Feb 2004; Location: E.U.; Posts: 90)
Re: Antivirus heuristics VS behavior blocker?

Quote:
Originally Posted by bellgamin
Q1- What is different between what an AV program's heuristics does COMPARED WITH what a behavior blocker does?

Plenty of differences:
- There are heuristics that will not try to directly analyze the behavior of the malware in detail. This is static analysis: it can take into account information about the functions imported by the program, the fact that the file is compressed or crypted, etc.
- "Behavioral" heuristic analysis may present some similarities with behavior blockers: the executable is emulated, calls to functions that could be suspect (operations with files, processes, registry keys, etc.) are recorded, and a weight- or rule-based system is used to decide whether the file should be classified as malware. However, the "behavioral analysis" could also work as an integrity checker (this is the "sandbox" concept): compare the final system state with the initial state after the analyzed executable has performed its actions.

The fundamental difference is: with heuristics, the code does not run on the real operating system.

There are drawbacks: emulation is much slower than execution, and it is almost impossible to create an emulated virtual machine that mimics perfectly the real operating system (see http://pferrie.tripod.com/papers/attacks2.pdf ). But there are also advantages: when emulating the code, you could decide to explore both branches of a conditional expression, you could have several CPU registers or file attributes that the emulated executable will never be able to see. You can control and observe everything from inside the VM.

The other fundamental difference is: the behaviour blocker does not rely on the skills of the user.

Quote:
Q2- What sort of threat might be detected by strong heuristics (such as those of NOD32 or Avira) that would NOT cause a notification to be issued by a behavior blocker program (such as System Safety Monitor, ProSecurity, or Threatfire)?

Typically programs that try to fool the user (and the operating system) by letting him think that this is a trusted application (e.g. explorer.exe) that is performing an action. The most common example concerns trojan horses that try to bypass a personal firewall. From a technical point of view, my favourite trick is this one: http://www.matousec.com/info/advisor...walls-HIPS.php
(I wrote a small PoC using that principle, with no API calls, back in 2004).

Quote:
Q3- If someone is INTELLIGENTLY using a good behavior blocker, as an added layer to an antivirus program, is it true (or false) that antivirus heuristics are NOT all that important?

Provided both your conditions are fulfilled (Intelligent/skilled user + good/reliable software), I think this is mostly true.
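As an added illustration of the static, weight/rule-based heuristics solcroft and Tweakie describe (example code written for this thread, not any scanner's own logic), the scorer below reads only facts available without running the file: imported functions, per-section entropy, and which section holds the entry point. The constructed "packed" sample shows the obfuscation weakness from both posts: the static rules see nothing but generic packer indicators, so the verdict has to be handed to emulation. Names, weights and thresholds are assumptions.

```python
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed or encrypted data, much lower for plain code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

@dataclass
class StaticFeatures:  # what a scanner can read without running the file (constructed, not a PE parser)
    imports: List[str]
    sections: Dict[str, bytes]
    entry_section: str

def looks_packed(f: StaticFeatures) -> bool:
    # entry point outside the normal code section, or a near-random section, hints at a packer/cryptor
    return f.entry_section != ".text" or any(shannon_entropy(b) > 7.2 for b in f.sections.values())

# (description, weight, predicate): weights and threshold are illustrative, not any vendor's values
RULES = [
    ("very few imports, typical of packed or crypted binaries", 2, lambda f: len(f.imports) <= 3),
    ("high-entropy section or entry point outside .text", 2, looks_packed),
    ("process-injection imports", 3, lambda f: {"WriteProcessMemory", "CreateRemoteThread"} <= set(f.imports)),
    ("run-key persistence together with network access", 2, lambda f: {"RegSetValueExA", "InternetOpenA"} <= set(f.imports)),
]
THRESHOLD = 5

def score(f: StaticFeatures) -> Tuple[int, List[str]]:
    hits = [(desc, w) for desc, w, pred in RULES if pred(f)]
    return sum(w for _, w in hits), [desc for desc, _ in hits]

def classify(f: StaticFeatures) -> str:
    total, _ = score(f)
    if total >= THRESHOLD:
        return "suspicious"
    # packer indicators alone are weak evidence (many legitimate programs are packed) and the real
    # imports stay hidden until runtime: this is where emulation-based heuristics have to take over
    return "inconclusive-packed" if looks_packed(f) else "clean"

LOW = b"MZ" + b"\x00" * 64 + b"push ebp; mov ebp, esp; " * 8  # constructed low-entropy code-like bytes
HIGH = bytes(range(256)) * 4                                   # every byte value equally often: 8.0 bits
SAMPLES = {  # constructed feature sets for three imaginary files
    "plain_trojan": StaticFeatures(["WriteProcessMemory", "CreateRemoteThread", "RegSetValueExA", "InternetOpenA", "CreateFileA"], {".text": LOW}, ".text"),
    "packed_trojan": StaticFeatures(["LoadLibraryA", "GetProcAddress"], {"UPX0": HIGH, "UPX1": LOW}, "UPX1"),
    "notepad_like": StaticFeatures(["CreateFileA", "ReadFile", "WriteFile", "MessageBoxA"], {".text": LOW}, ".text"),
}
```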
#4
August 23rd, 2007, 07:12 PM
LUSHER (Frequent Poster; Join Date: Feb 2007; Posts: 440)
Re: Antivirus heuristics VS behavior blocker?

Good answer as usual Tweakie. And more importantly the answers concur with my meager understanding of the issues.

Now my turn. In the thread about AVAST!, I seem to get a sense that there are actually two different types of heuristics, one which is "generic" which is pretty much a wild guess at detecting totally new malware (packed with x and code function that does X) and another more reliable type of 'normal' heuristic designed for detecting similar strains of the same family of malware.

Is such a distinction meaningful? Or have I been misled?

Assuming such a distinction to be meaningful, when one says NOD32 has good heuristics we are normally referring to heuristics of the 2nd kind?
#5
August 23rd, 2007, 07:38 PM
RejZoR (Polymorphic Sheep; Join Date: May 2004; Location: Europe/Slovenia/Ljubljana; Posts: 5,367)
Re: Antivirus heuristics VS behavior blocker?

Actually generic signatures are more for modified versions of existing stuff, while heuristics have the same rules plus they have a far greater chance of detecting completely new stuff that includes just parts of existing malware.
#6
August 24th, 2007, 03:12 AM
Kees1958 (Massive Poster; Join Date: Jul 2006; Posts: 5,857)
Re: Antivirus heuristics VS behavior blocker?

Very well answered Solcroft, Tweakie.

I think passive heuristics (checking known sequences of code or "snippets") and behavior blocking go well alongside. Also AVs which have strong packed file inspection (e.g. the free Antivir) also tend to be stronger on heuristics. Stronger paid AVs also have the active heuristics (simulation of code as explained by Tweakie).

I used the terms passive and active because the marketing messages of the stronger AVs use them, although it is a trivial difference.

Regards Kees
