Wilders Security Forums  

  #126  
Old March 17th, 2010, 11:15 AM
smage smage is offline
Frequent Poster
 
Join Date: Sep 2008
Posts: 350
Default Re: Heuristics in action

Quote:
Originally Posted by Matthijs5nl
Category A: ESET and Kaspersky (yes, these two are the only two worth paying for in my opinion)
=)

No AV is worth paying for when you have these for free and you are skilled enough to use them.
-http://www.youtube.com/user/languy99#p/u/1/nPWLlF_bIC8-

Last edited by smage : March 17th, 2010 at 11:21 AM.
  #127  
Old March 17th, 2010, 11:32 AM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,930
Thumbs up Re: Heuristics in action

Avira has been great for me, as I love its excellent heuristics, which is why I started this thread. They have every reason to be very proud of what they've achieved with its heuristics over the last few years, as proven in ALL the tests I've seen anyway. Nothing wrong with saying this, and hoping others appreciate its achievements. The same goes for any other product that deserves praise, by me or anybody else.

Only been slightly infected once, and that was years ago before I used Avira. With Avira's great heuristics, and setting the AV to prompt me for action, I don't have any worries about visiting infected sites, just for the fun of it.

Even though Avira is constantly tops for detection in tests, and remember that's ONLY with default settings, NOT max heuristics etc, I do agree with several members who have accurately stated that Avira "can" sometimes be somewhat lacking in clean up. Not sure why this should be, but I feel sure they will only improve; why wouldn't they want to?

You can call me a fanboy if you like, I don't mind, got every reason to be, but I acknowledge both sides of the discussion.
  #128  
Old March 17th, 2010, 11:39 AM
Matthijs5nl
 
Posts: n/a
Default Re: Heuristics in action

Quote:
Originally Posted by smage
No AV is worth paying for when you have these for free and you are skilled enough to use them.
-http://www.youtube.com/user/languy99#p/u/1/nPWLlF_bIC8-
Like I said, you can also use some kind of HIPS and sandboxing, which creates a totally different situation. And makes everything I said in the post redundant.
  #129  
Old March 17th, 2010, 11:53 AM
whitedragon551 whitedragon551 is offline
Very Frequent Poster
 
Join Date: Sep 2008
Location: USA
Posts: 2,761
Default Re: Heuristics in action

Quote:
Originally Posted by smage
But a new version of Avira will soon be out. With its new proactive module combined with its good heuristics perhaps it will perform better in dynamic tests this time.

AV-C should really publish the number of clean files it uses to test for false positives, otherwise it will not be possible to draw meaningful conclusions from its tests.

Future versions are irrelevant to the discussion at hand on current products. They could get better, but they could also get worse. Let's not jump to conclusions.
__________________
|Kaspersky Anti-Virus 2013|Private Firewall|HitmanPro|MBAM|Keriver Image|WinPatrol Plus|

Looking for volunteer authors to write articles, reviews, and How-Tos. If you think you have what it takes, contact me.
|http://pc-babble.com/|
  #130  
Old March 17th, 2010, 01:54 PM
PC__Gamer PC__Gamer is offline
Frequent Poster
 
Join Date: Dec 2009
Posts: 526
Default Re: Heuristics in action

Quote:
Originally Posted by trjam
Ah, now true colors and motive are shown. Stefan, don't waste good air even responding to this crap.
I'm sorry mr daily opinion, but you're skating around the message you replied to,

Avira scored around 87% in the biggest dynamic test available from the biggest of testers with the most experience and money, match this with Avira's completely useless removal and you have a poor product!

I don't know how you or any of the fanboys can argue against that, maybe you don't trust the test Marx has done?
__________________
Webroot SecureAnywhere Complete
  #131  
Old March 17th, 2010, 01:59 PM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,930
Lightbulb Re: Heuristics in action

@PC__Gamer

If they don't get downloaded, they can't infect. MAX settings and they won't, in my daily experience anyway.
  #132  
Old March 17th, 2010, 02:11 PM
dw426 dw426 is offline
Massive Poster
 
Join Date: Jan 2007
Posts: 5,543
Default Re: Heuristics in action

Quote:
Originally Posted by PC__Gamer
I'm sorry mr daily opinion, but you're skating around the message you replied to,

Avira scored around 87% in the biggest dynamic test available from the biggest of testers with the most experience and money, match this with Avira's completely useless removal and you have a poor product!

I don't know how you or any of the fanboys can argue against that, maybe you don't trust the test Marx has done?

Will you get off of it? You hate Avira, you've made it crystal clear. I personally don't think 87% is too bad at all, but I'm not going to post that thought multiple times in the same thread. And really, where do you get "most experience and money" from? Have you been at any of these companies? Do you do their accounting? No? Then it's useless for you to bring it up. Seriously, give it up PC, we know your stance, you've left no room for doubt.

It's a bit amusing, if the subject at Wilders is either Avira or Opera, the thread is going to go to hell by the second page.
  #133  
Old March 17th, 2010, 03:30 PM
PC__Gamer PC__Gamer is offline
Frequent Poster
 
Join Date: Dec 2009
Posts: 526
Default Re: Heuristics in action

You're completely right, I've made my point very clear

If people didn't have such an affection with their antivirus, these threads wouldn't have such hostility in, people need to relax a little (you'll go grey before your time)
__________________
Webroot SecureAnywhere Complete

Last edited by PC__Gamer : March 17th, 2010 at 03:41 PM.
  #134  
Old March 17th, 2010, 03:40 PM
bellgamin bellgamin is offline
Very Frequent Poster
 
Join Date: Aug 2002
Location: Hawaii
Posts: 5,202
Default Re: Heuristics in action

Quote:
Originally Posted by PC__Gamer
You're completely right, I've made my point very clear
Your point being: "I argue for the sake of argument." Right?
__________________
Primo freebeez: TinyWatcher POP Peeper Kalender
  #135  
Old March 17th, 2010, 06:34 PM
trjam trjam is offline
Incredibly Massive Poster
 
Join Date: Aug 2006
Location: North Carolina
Posts: 8,637
Default Re: Heuristics in action

PC, first you are a good member here with some solid thoughts. Sometimes it is fun to bust your chops to get you going. No one can dispute Avira's ability. It was the one that got me here. I predicted this would be a down year for them in December and I stick to that. By down I don't mean crappy but more of a learning one that will only make them better. But yes, I love Prevx and Avira but in the past they have been the FP Kings. Things change.

So please don't take this the wrong way because we all come here and agree one day, and disagree the next. But trust me when I say personally, I learn quite a bit from your postings. And I can jab at Avira because Stefan is a dear friend I have never met. Avira is one of the best at maximizing the most from limited resources. Eset is learning that too.

And I do trust Marx, but I trust IBK more.

Last edited by trjam : March 17th, 2010 at 06:40 PM.
  #136  
Old March 17th, 2010, 10:42 PM
zcv zcv is offline
Frequent Poster
 
Join Date: Dec 2002
Posts: 355
Default Re: Heuristics in action

Quote:
Originally Posted by Matthijs5nl
1. there are a lot of good antivirus programs (no perfect one of course) and you can't say one is better than another one. You can only place programs in categories based on the test results (there are like 3 reliable tests) of like the last 5 years.
Actually Av-comparatives does this, a good thing.

2. people only trust tests which prove they made the right choice buying a certain program. Something called Cognitive Dissonance.

3. next to that the people here should realise they are not very likely to get infected, since they know the dangers of viruses, and what are the ways you get infected.
I mean: no one here will click on a link stating they are the 100th visitor and win money.
So many here (including me) are malware-free because of using their brains and not using a certain program.

I also think that some people are using way too many security programs, like running 3 in realtime and using all available on-demand scanners. (What is your security setup topic). In my eyes a total misunderstanding of "layered setup"
In my eyes a layered setup means:
- using an operating system and in the OS included security options (and keeping the OS updated)
- using reliable software and keeping it updated
- using ONE firewall (Windows firewall is a great option )
- using ONE realtime program
- using max TWO on-demand programs.

Or you can of course use a setup with sandbox/Host-based Intrusion Prevention System. People using these kinds of programs will never get infected because they know what viruses are, no matter what software they use, like I said under point 3.

So what I would like to say: don't feel personally attacked if people say something bad about your antivirus, use your brains and keep it simple =)
Hello Matthijs5nl,

I'm with you on this.

In all my time here, I've never participated in one of these "what's the best" threads - usually pointless and likely as not to degenerate into name calling. I do monitor them if I'm interested in a particular piece of software for info on updating frequency, support, ease of use, and the like.

To the people I advise on security, I make the points you did - the most important being making use of what's between the ears.
  #137  
Old March 18th, 2010, 12:22 AM
pasha101 pasha101 is offline
Infrequent Poster
 
Join Date: Nov 2009
Posts: 34
Default Re: Heuristics in action

Quote:
Originally Posted by CloneRanger
Avira has been great for me, as I love its excellent heuristics, which is why I started this thread.

CloneRanger, I have been an Avira customer for years and generally like the product. Here is an article on Avira heuristics which I think explains some of the false positives. It would appear that malware authors may be able to use this information to circumvent detection in certain cases: http://grack.com/blog/2010/03/17/the...us-heuristics/

I thought the article was interesting and thought you may like to read it if you hadn't had a chance.
  #138  
Old March 18th, 2010, 03:42 AM
Stefan Kurtzhals Stefan Kurtzhals is offline
AV Expert
 
Join Date: Sep 2003
Posts: 625
Default Re: Heuristics in action

pasha101, don't confuse the Avira script heuristics with the binary malware heuristics/generic detections.

BTW, in those dynamic tests, products with behaviour blocker/HIPS (and some with reputation based detection) were compared against products without those features. Of course the prevention level is lower without those features, what do you expect? I think, for not having a HIPS/behaviour blocker and not having reputation based detection, Avira did well in those tests.

So, slap ThreatFire and Sandboxie on top of Avira and you are better protected again as with those other products AND still paid nothing.
__________________
Chuck Norris does not use any antivirus software. He knows the hashes of all clean software on earth. Even those that are not compiled yet. It is not known if he got that list from dividing by zero or counting to infinity.
  #139  
Old March 18th, 2010, 05:04 AM
bellgamin bellgamin is offline
Very Frequent Poster
 
Join Date: Aug 2002
Location: Hawaii
Posts: 5,202
Default Re: Heuristics in action

Quote:
Originally Posted by Stefan Kurtzhals
I think, for not having a HIPS/behaviour blocker and not having reputation based detection, Avira did well in those tests.
With soon-coming version 10, Avira's paid versions WILL have a behavior blocker, right?
__________________
Primo freebeez: TinyWatcher POP Peeper Kalender
  #140  
Old March 18th, 2010, 05:08 AM
johnyjohn johnyjohn is offline
Regular Poster
 
Join Date: Jan 2010
Posts: 114
Default Re: Heuristics in action

Hi,

Yes, AntiVir ProActiv will be available in paid versions soon. ;-)

Quote:
AntiVir ProActiv

AntiVir ProActiv sets up tiny sensors on your PC to continuously monitor the system. Any unusual activity triggers an alarm, meaning that attacks and harmful content can be detected and prevented even when the actual code is so new that it has not yet been identified. This means detection of and protection against tomorrow's security threats, even if they're mutated versions that have never before been seen in the wild.

Avira ProActiv community: Working together to tackle cybercrime with Version 10

Do you know the secret of our success? The answer is: you, our user. As an Avira user, you are part of a community of more than 100 million people worldwide. Whether at home or in the office, and whether you use the Personal, Premium or Professional version, every virus you intercept and every attack you fend off helps bring more security to the web.

For us, the absolute highlight in working together to tackle cybercrime is the Avira AntiVir ProActiv Community which is included in our Premium and Professional editions. If Avira security software detects an anomalous file, the new ProActiv function stops this immediately, even if the detection pattern is not yet included in the virus definition file. The suspect file is automatically sent to our virus labs for analysis, and when new threats are found, virus definitions are immediately updated and sent out to more than 100 million Avira users.

This new functionality means that everyone can play their part in making the web more secure for all. To enable this function, use expert mode during configuration, activate AntiVir ProActiv under "ProActiv" and click the "Take part in Avira ProActiv Community" checkbox.

Version 10 also marks the further expansion of the Avira virus-fighting community by enabling you to provide direct feedback, for example to request specific functions in your Avira product.

Source : http://lists.avira.com/archive/details.php?id=3988
  #141  
Old March 18th, 2010, 08:42 AM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,930
Default Re: Heuristics in action

AntiVir ProActiv sounds very interesting, and with cloud based interactivity.

>

@pasha101

Good to know you like it, generally. I hadn't seen that article before, so thanks for sharing.

Don't pretend to understand the code eval.txt

[Attached image: eval.gif]

but i copied/pasted it into notepad and attempted to open it. Avira jumped right in

[Attached image: avev.gif]

Obviously it's perfectly safe to do this, as it's just a js test, of which there are many.

Avira isn't the only one to detect it

AntiVir 8.2.1.194 2010.03.17 HTML/Crypted.Gen

McAfee-GW-Edition 6.8.5 2010.03.18 Heuristic.Script.Crypted

As long as people understand that Heuristics is a clever way of recognising potential malware, and realise that sometimes FP will naturally occur. One vendor's Heuristics isn't the same as another's, some will be more keen which can lead to detects that look like malware due to the code. Better safe than sorry though, I think.

I've sent the eval.txt to Avira as a FP with the link, but due to the above scan and Stefan Kurtzhals' input in here, they should already be aware of it. Having said that, he didn't seem too concerned when he posted about it.
  #142  
Old March 18th, 2010, 08:49 AM
Pleonasm Pleonasm is offline
Very Frequent Poster
 
Join Date: Apr 2007
Posts: 1,201
Default Re: Heuristics in action

Quote:
Originally Posted by Stefan Kurtzhals
BTW, in those dynamic tests, products with behaviour blocker/HIPS (and some with reputation based detection) were compared against products without those features. Of course the prevention level is lower without those features, what do you expect? I think, for not having a HIPS/behaviour blocker and not having reputation based detection, Avira did well in those tests.
Stefan, your post seems to suggest that a whole-product dynamic test isn’t “fair” because different products have different anti-malware capabilities. However, that’s the point!

The question to be answered is not “Which product has the best detection capability?” but rather “Which product provides the best protection?”. Obviously, the objective of an anti-malware application is to protect against malware -- thus, why should a user care which piece of a product’s functionality (e.g., reputation-based analysis or signature-based detection) is delivering that protection at any one moment in time? It’s the whole product that matters -- and, as a consequence, it is only whole-product testing done in simulated real-world scenarios that allows a meaningful comparison of the differences in the quality of products’ performance, in my opinion.
__________________
ple • o • nasm n. “The use of more words than are required to express an idea”
  #143  
Old March 18th, 2010, 09:03 AM
johnyjohn johnyjohn is offline
Regular Poster
 
Join Date: Jan 2010
Posts: 114
Default Re: Heuristics in action

Quote:
Originally Posted by CloneRanger
AntiVir ProActiv sounds very interesting, and with cloud based interactivity.
Moreover, with the acquisition of CleanPort, Cloud technology will be more present in the future.

Quote:
“By establishing Avira Managed Security Services, we open up an extended range of services based on tried-and-tested technology to our over 100 million users worldwide. This will allow a multi-layered defense offering of Avira security products in our customers' IT environments; locally installed solutions and online managed security services. In addition, we are confident that our acquisition of CleanPort will put us in a good position to penetrate new markets,” said Tjark Auerbach, founder and CEO of Avira GmbH.

Source : http://www.avira.com/en/company_news...the_cloud.html

Quote:
Originally Posted by CloneRanger
Avira isn't the only one to detect it

AntiVir 8.2.1.194 2010.03.17 HTML/Crypted.Gen

McAfee-GW-Edition 6.8.5 2010.03.18 Heuristic.Script.Crypted
Please note that McAfee-GW-Edition (previously Secure Computing SecureWeb, acquired by McAfee) uses the Avira engine. ;-)
  #144  
Old March 18th, 2010, 09:02 PM
bellgamin bellgamin is offline
Very Frequent Poster
 
Join Date: Aug 2002
Location: Hawaii
Posts: 5,202
Default Re: Heuristics in action

Quote:
Originally Posted by Pleonasm
Stefan, your post seems to suggest that a whole-product dynamic test isn’t “fair” because different products have different anti-malware capabilities. However, that’s the point!

1- Hmmm. Does anyone think that we should test (a) FW (firewalls) & (b) AV (antivirus apps) & (c) SB (sandboxes) & (d) HIPS-classic & (e) HIPS-BB (behavior blockers) & (f) suites of security apps -- all together in one amorphous group? I wonder.

BUT SERIOUSLY...

2- The trend nowadays seems to be in the direction of "security suites" having multiple components. Examples include but are not limited to A-squared, OA, KIS, & CIS, each of which includes two or more of the following components: AV + HIPS(classic or BB) + Firewall + Sandbox.

3- But some folks (me included) prefer to assemble their own set/layers of security apps instead of having some suite do it for them.

3a- One reason: taken INDIVIDUALLY, not every component within a given suite will necessarily be "best-in-class". For example, the AV in the CIS suite is a useful one, but some folks would say that it is, by no means, "best-in-its-class".

3b- Thus, it is possible to assemble a set of stand-alone security apps that are (individually & collectively) equal to or better than any security suite I am aware of.

4- When I am considering various AVs (e.g.) for a do-it-myself suite of cobbled-together stand-alone security apps, I want to see comparative tests of AVs with similar components. In other words, oranges compared to other oranges; NOT oranges compared to fruit salads.

5a- Consider (for example) a test which includes: (1) standalone AV apps <compared to> (2) AV+BB apps <compared to> (3) AV+HIPS apps.

5a- What can be learned from such a test? Basically, all we will *learn* is that (other factors being equal) an augmented AV will out-perform a stand-alone AV. Big deal! That no-brainer "lesson" can pretty much be stated a priori BEFORE conducting any appropriate test.

5b- In other words, mish-mash testing is pretty much useless, and can be very misleading.

6- Perhaps that is the point that Stefan was trying to make. If so, it is a good point IMO...

6a- Namely: test like against like -- oranges against oranges, not against fruit salads!

6b- To wit: Test suites versus suites. Test AV+BB versus AV+BB. Test full-scope suites versus full-scope suites. Test specialized (single function) security apps versus apps with similar specialized (single function) capabilities.
__________________
Primo freebeez: TinyWatcher POP Peeper Kalender
  #145  
Old March 18th, 2010, 09:25 PM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,930
Thumbs up Re: Heuristics in action

@johnyjohn

Quote:
Please note that McAfee-GW-Edition (previously Secure Computing SecureWeb, acquired by McAfee) uses the Avira engine. ;-)

Wasn't aware of that, but I am now, thanks

@bellgamin

Quote:
not every component within a given suite will necessarily be "best-in-class"
.

Quote:
single function) security apps

I'm with you on this
  #146  
Old March 18th, 2010, 09:41 PM
pasha101 pasha101 is offline
Infrequent Poster
 
Join Date: Nov 2009
Posts: 34
Default Re: Heuristics in action

Quote:
Originally Posted by CloneRanger
I've sent the eval.txt to Avira as a FP with the link, but due to the above scan and Stefan Kurtzhals' input in here, they should already be aware of it. Having said that, he didn't seem too concerned when he posted about it.

The biggest issue from the originally linked article, is that there is some malware that uses the term eval in some form of malicious script. One way that the eval file in your previous post can stop triggering Avira is to insert the term google to the file. You can test that easily enough. The eval file you had posted was detected by Avira as you stated. I then added the term google to the last line of the file, no more detection. While the file you have is a harmless file that is reported as a false positive, I gather that there may be malicious scripts that may be able to get through Avira's heuristics by adding the term google to them. Of course I am only basing this off of the article which is fairly critical of Avira's heuristics.
  #147  
Old March 18th, 2010, 10:36 PM
Saraceno Saraceno is offline
Very Frequent Poster
 
Join Date: Mar 2008
Posts: 2,398
Default Re: Heuristics in action

Quote:
Originally Posted by Stefan Kurtzhals

So, slap ThreatFire and Sandboxie on top of Avira and you are better protected again as with those other products AND still paid nothing.

Stefan, just a thought for you. I know most products are developed in-house, but if ThreatFire currently doesn't have a paid edition and are looking at receiving additional income for their product, you might look into a partnership with ThreatFire in the future.

No way?! Serious, it's one of the strongest behaviour blockers available, and works well with Avira. We here like layers, but average users prefer one single program they recognize providing prompts/alerts. Could be something to consider in the future (considering PC Tools AV isn't so strong, Spyware Doctor has the 'spyware' name and to most users, is not an anti-virus and doesn't have the reputation as one).
__________________
Fine Art Landscape Photography
  #148  
Old March 18th, 2010, 10:50 PM
funkydude funkydude is offline
Incredibly Massive Poster
 
Join Date: Apr 2004
Posts: 6,019
Default Re: Heuristics in action

Quote:
Originally Posted by Saraceno
No way?! Serious

Unfortunately it's the boss you have to convince, not the developer.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
  #149  
Old March 19th, 2010, 12:07 AM
Saraceno Saraceno is offline
Very Frequent Poster
 
Join Date: Mar 2008
Posts: 2,398
Default Re: Heuristics in action

Very true.

I haven't used the premium edition, I'm just basing my comments off the free edition, and that instead of spending many hours developing something (behaviour blocker) you could utilize another program that could 'possibly' be available.
__________________
Fine Art Landscape Photography
  #150  
Old March 19th, 2010, 09:48 AM
Pleonasm Pleonasm is offline
Very Frequent Poster
 
Join Date: Apr 2007
Posts: 1,201
Default Re: Heuristics in action

Quote:
Originally Posted by bellgamin
To wit: Test suites versus suites.
Are you aware that the whole-product dynamic tests conducted by AV-Comparatives and by AV-Test (both in December, 2009) actually did “test suites versus suites”? Within the set of security suites tested, capabilities differ. And, it is completely appropriate that the test results reflect those differences in capabilities, because a real-world user would experience differences in malware protection when using one suite versus another. For example, if Kaspersky Internet Security 2010 has capabilities that AVIRA Premium Security Suite 9.0 lacks, then so be it -- each is assessed in the same way in these dynamic tests.

Quote:
Originally Posted by bellgamin
it is possible to assemble a set of stand-alone security apps that are (individually & collectively) equal to or better than any security suite
Theoretically, nearly anything is possible. Unfortunately, there is no independent and rigorous comparison of a “build-your-own” security suite to those of the major vendors, and so it is not known which is actually the better approach. Logically, however, a security suite has a key advantage: the integration benefit. Components of a suite work together and complement one another, which is not possible when using a collection of isolated and non-integrated pieces.

Maybe some testing organization at some time in the future will explore this issue, but it would be a massive effort due to the combinatorial complexity of mixing and matching the "build-your-own" components.
__________________
ple • o • nasm n. “The use of more words than are required to express an idea”
 


All times are GMT -4. The time now is 06:00 AM.

