Wilders Security Forums  

#1
December 11th, 2005, 08:03 AM
muf (Frequent Poster; Join Date: Dec 2003; Location: Manchester, England; Posts: 921)
AV's - Heuristics vs Signatures

Firstly, I own licences for both NOD32 and KAV. Over the last two years I have used both as my resident AV (not at the same time). I use NOD32 resident with KAV on-demand, or KAV resident with NOD32 on-demand. So my questions are obviously based on using these two AVs as the guide to my questions. But other AVs out there have similarities, so this comparison can apply to other AVs as well.

What made you choose the AV you use, and what is the most important aspect of your AV of choice? Basically, which of these do you believe is better?
1. Heuristics that can catch a decent amount of new malware, thus not relying on having a signature in its database. This still leaves you vulnerable to what it can't detect heuristically. Using NOD32 as an example, you will catch approximately 6 in 10, but fail 4 in 10.
2. Ultra-fast addition of new malware into its database. This ensures detection but leaves you vulnerable in the period before the malware is added to the database.

Looking at question 1 first: the problem here is that even the best heuristics in an AV (currently NOD32) only catch 60% of new, unknown malware. Whereas in question 2, if the AV adds the malware to its database every hour or two, then you will only have a small time period where you are vulnerable.

Weighing question 1 against question 2: heuristics have the advantage that they may save you where new malware attempts to infect you. But the downside is that there is still a 4 in 10 chance of infection (based on using NOD32). In favour of fast updating is that you have the latest detections within an hour or two (the likes of KAV and DrWeb usually add a signature within two hours).

My own choice would be fast update, only because that 4 in 10 chance is just too much to rely on a heuristic detection. Take for example my last detection on 8th December 2005, only three days ago. KAV 5 intercepted two infection attempts: Trojan-Downloader.Win32.Zlob.cg and Exploit.JS.CVE-2005-1790.b. These were added to KAV's database on 8th December 2005. Yep, the same day I nearly got them. Now I don't know if NOD32 would have detected these heuristically, or if these were in its database. But it brought home one major point: if they weren't in its database and it couldn't detect them heuristically, then I would have had a problem. So this made me realise that currently getting the signature in the database is more important than relying on heuristics. This is only because heuristics are not good enough yet. If they could detect 90% then I would go with that. But 60% at best (remember that other AVs are far less) is not high enough IMHO.

muf
#2
December 11th, 2005, 09:15 AM
Sputnik (Very Frequent Poster; Join Date: Feb 2005; Location: Москва; Posts: 1,198)
Re: AV's - Heuristics vs Signatures

It's (like always) just personal preference. I prefer signature detection over heuristic detection. Others may think very differently about that.

In my opinion the advantages of signature detection are:
1) You can directly see which malware was found (name and, most of the time, also a link to the website of the AV vendor with extra information).
2) Signatures can offer cleaning methods, while heuristics cannot.
3) Signatures have less chance of false positives (except generic signatures, of course).

The optimal scanner has both strong signatures and strong heuristics. But strong heuristics can't replace fast updating of the signature database.
Currently I use Kaspersky, and Kaspersky is very strong in signature detection and in adding new signatures (updates). However, their heuristic capabilities are not top-notch according to the last AV-Comparatives test. Of course they're not bad, but they lag behind NOD32 and BitDefender.

If I had to suggest an AV right now, I think BitDefender would be the choice, since they have strong signature detection (and fast updates) and strong heuristics. I think HIVE really has a future, since it showed itself very capable in real-life detection. Another advantage of BitDefender is its price.

NOD32 is a nice product. But for some reason it never stole my heart. That's why I never bought it, and only used the trial a couple of times. Their heuristics are definitely the strongest around, but caused me many false positives. Also their signature addition is slower than BitDefender's. But at the end of the day NOD32 will protect you just fine, I'm sure of that.

And now we're back where I started: it's all personal preference.
__________________
"Proud openSUSE user."
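The trade-offs listed in the two posts above (signatures give a name and a cleaning method but miss anything not yet in the database; heuristics catch unknown variants but raise false positives) can be made concrete with a toy scanner. The following is an added illustration, not code from this thread or from any of the products discussed. The "files" are constructed byte strings, the signature database is a hash lookup plus one generic substring signature, and the heuristic is a simple indicator count; all names and samples are made up for the example.

```python
"""Toy model of signature vs. heuristic detection (constructed example)."""
import hashlib
import math
from collections import Counter
from typing import Optional

# Constructed samples, not real malware: a "known" file, a one-byte repack of it,
# a rewritten variant, a benign debugger helper that imports the same APIs,
# and a plain document.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"URLDownloadToFile;WriteProcessMemory;" + bytes(range(200))
REPACKED_SAMPLE = KNOWN_SAMPLE.replace(b"\x05", b"\x15")  # single byte changed: new hash
REWRITTEN_VARIANT = b"MZ\x90\x00" + b"WriteProcessMemory;" + bytes(range(200)) + b"URLDownloadToFile;"
BENIGN_TOOL = b"MZ\x90\x00" + b"WriteProcessMemory;CreateRemoteThread;debugger helper" + b"A" * 200
PLAIN_DOC = b"Meeting notes for Monday: bring the printouts."

# Exact-hash signature database: gives a detection name and a cleaning hint,
# which is exactly what a heuristic verdict cannot provide.
SIGNATURES = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): {
        "name": "Trojan-Downloader.Toy.a",  # constructed name
        "cleanup": "delete file; remove the Run-key entry it creates",
    },
}

# Generic (substring) signature: broader coverage than a hash, but no cleanup
# recipe and a higher false-positive risk, as the post above notes.
GENERIC_SIGNATURES = {b"URLDownloadToFile;WriteProcessMemory;": "Trojan-Downloader.Toy.gen"}

# Heuristic indicators: suspicious API strings plus high entropy in an MZ file.
SUSPICIOUS_STRINGS = [b"URLDownloadToFile", b"WriteProcessMemory", b"CreateRemoteThread"]
HEURISTIC_THRESHOLD = 2.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads push this toward 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def signature_scan(data: bytes) -> Optional[dict]:
    """Exact hash first (name + cleanup), then generic substring signatures."""
    hit = SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if hit:
        return {"method": "signature", **hit}
    for pattern, name in GENERIC_SIGNATURES.items():
        if pattern in data:
            return {"method": "generic-signature", "name": name, "cleanup": None}
    return None


def heuristic_score(data: bytes) -> float:
    """One point per suspicious API string, one more for a high-entropy MZ file."""
    score = sum(1.0 for s in SUSPICIOUS_STRINGS if s in data)
    if data.startswith(b"MZ") and shannon_entropy(data) > 7.0:
        score += 1.0
    return score


def scan(data: bytes) -> dict:
    """A signature verdict wins (it carries a name and cleanup); heuristics fill the gap."""
    sig = signature_scan(data)
    if sig:
        return sig
    score = heuristic_score(data)
    if score >= HEURISTIC_THRESHOLD:
        return {"method": "heuristic", "name": "Suspicious.Toy", "cleanup": None, "score": score}
    return {"method": "none", "name": None, "cleanup": None, "score": score}


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("repacked", REPACKED_SAMPLE),
                          ("rewritten", REWRITTEN_VARIANT), ("benign tool", BENIGN_TOOL),
                          ("plain doc", PLAIN_DOC)]:
        print(f"{label:12s} -> {scan(sample)}")
```

Running it shows the four outcomes the thread argues about: the known file gets a name and a cleanup recipe from the exact signature; the repacked copy misses the hash but is still caught by the generic signature; the rewritten variant escapes both signatures and is only flagged by the heuristic, with no name and no cleanup; and the benign debugger helper is a heuristic false positive because it legitimately uses the same two APIs.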
#3
December 11th, 2005, 09:18 AM
ronjor (Global Moderator; Join Date: Jul 2003; Location: Texas; Posts: 46,356)
Re: AV's - Heuristics vs Signatures

Excellent posts.
#4
December 11th, 2005, 10:12 AM
tiagozt (Frequent Poster; Join Date: Feb 2004; Posts: 331)
Re: AV's - Heuristics vs Signatures

I agree!
__________________
Using:
F-Secure BETA Tester, Opera, Mozilla Thunderbird, FoxIT Reader (The best PDF Reader), GMAIL, utorrent, AIMP

I usually test a lot of AV software and my TOP 3 are Avira, F-Secure and Kaspersky (not necessarily in that order).

"Everything you say can and WILL BE used against you."
#5
December 11th, 2005, 01:17 PM
MON (Posts: n/a)
Re: AV's - Heuristics vs Signatures

See AV-comparatives:

"Please do not pay too much attention to the percentages, as little differences in the percentages do not say much. It is better you rely on the levels (advanced+, advanced, standard) reached in this test."

In the last on-demand test, KAV and NOD32 won Advanced+. So, they have the same level of detection using signatures. KAV updates more, but NOD32 has the same level of detection rate.

Now see the last proactive test. NOD32 - Advanced+, KAV - Advanced.

On-demand:

NOD32: Advanced+
KAV: Advanced+

Proactive:

NOD32: Advanced+
KAV: Advanced
#6
December 11th, 2005, 01:25 PM
Sputnik (Very Frequent Poster; Join Date: Feb 2005; Location: Москва; Posts: 1,198)
Re: AV's - Heuristics vs Signatures

Quote:
Originally Posted by MON
KAV updates more, but NOD32 has the same level of detection rate.
Nonsense. NOD32 may have the same level of detection in a virus archive, but that doesn't say anything about the response time. For example, when a new worm comes out, BitDefender and Kaspersky bring out updates within 2/4 hours of when it started to spread.
With NOD32 (if the heuristics don't catch it, but that's the case with all three of them) you have to wait maybe 6 hours or longer. All those hours are extra time in which you can get infected. So your statement is wrong in this context.
__________________
"Proud openSUSE user."
#7
December 11th, 2005, 01:45 PM
ellison64 (Very Frequent Poster; Join Date: Oct 2003; Posts: 2,168)
Re: AV's - Heuristics vs Signatures

How do heuristics fare against adware/spyware, or don't they? I'm a registered user of NOD and quite a few others, and personally, while NOD might perform well on the professional tests, it hasn't performed much to my liking regarding the detection of ad/spyware, which to me is just as valid as virus detection, as it can cause as many problems. Yet again NOD has missed malware, and personally I feel a little bit disappointed.
ellison
Attached Images
 
#8
December 11th, 2005, 01:51 PM
Firefighter (Very Frequent Poster; Join Date: Oct 2002; Location: Finland; Posts: 1,641)
Re: AV's - Heuristics vs Signatures

Quote:
Originally Posted by MON
See AV-comparatives:

In the last on-demand test, KAV and NOD32 won Advanced+. So, they have the same level of detection using signatures. KAV updates more, but NOD32 has the same level of detection rate.
NOD's delay in adding signatures is far below acceptable. Why? Let's start from the + and - of NOD.

Plus:

- Absolutely first-class ProActive methods.

- Advanced+ in the AV-Comparatives av-test 08-2005 in total detection rate.

Minus:

- The delay in adding signatures is far below acceptable.

- A sample submitted to DrWeb took less than 90 min before it was in their database. The same sample submitted to ESET took about 13 DAYS before it was in their database and NOD was capable of detecting that nasty.

- In Jotti's snapshots, where we mostly meet new nasties that people have had problems with, NOD detected 38% of its OWN detections by signature.

In contrast, among the TOP 7 in Jotti's, Fortinet detected 98% of its OWN detections by signature, Kaspersky detected 97% of its OWN detections by signature, Vba32 detected 91% of its OWN detections by signature, AntiVir detected 87% of its OWN detections by signature, DrWeb detected 78% of its OWN detections by signature, BitDefender detected 76% of its OWN detections by signature, etc.

- Just before the AV-Comparatives av-test 08-2005, NOD added about 2 months' worth of their defs [NOD32 - v.1.1185 (20050801)] to their own database to patch their own signature database.

Because we don't know the actual database of NOD, we can take a correlation from DrWeb's recent 2 months of updates. The latest 2 months of updates now make up over 8% of DrWeb 4.33's database out of their OWN total defs. How good would DrWeb be in that test after doing that kind of face-lift? Or, more precisely, how good was NOD in detection rates a week BEFORE that AV-Comparatives 08-2005 test, which would show NOD's real detection rate on any given day more accurately?

I'm not against NOD because of its excellent ProActive methods; I'm just wishing for about the same update delays that DrWeb has. After that NOD will be the best combo of ProActive methods and signature detection ever made!

Best regards,
Firefighter!
__________________
Some Savonian answer to the southern man:
Q. Well, have any viruses been seen?
A. Well, of course. Just now one went by, but I didn't have time to see it. It went lumbering from behind the sauna straight into the lake, braids flapping!
#9
December 11th, 2005, 01:51 PM
tazdevl (Frequent Poster; Join Date: May 2004; Location: AZ, USA; Posts: 837)
Re: AV's - Heuristics vs Signatures

Quote:
Originally Posted by ellison64
How do heuristics fare against adware/spyware, or don't they? I'm a registered user of NOD and quite a few others, and personally, while NOD might perform well on the professional tests, it hasn't performed much to my liking regarding the detection of ad/spyware, which to me is just as valid as virus detection, as it can cause as many problems. Yet again NOD has missed malware, and personally I feel a little bit disappointed.
ellison

That doesn't make much sense. Every antivirus product misses baddies.

I think the thing to remember is that NOD32 has been doing a pretty decent job with signatures of late, also it might not be nailing something because it's in an archive. Perhaps a big part of the perceived "delay" with their adding of signatures is that in many cases they only add signatures that pose a threat. Doesn't make much sense to add a signature for something that in reality can't damage your system.

I chose something that provides good detection, doesn't drag my system to a crawl, doesn't take hours to scan and offers good, responsive support. I could care less if it uses heuristics, signatures or widgets. That being said, I have licenses to 10 AVs and have tested many more in the last year or so.
#10
December 11th, 2005, 01:57 PM
RejZoR (Polymorphic Sheep; Join Date: May 2004; Location: Europe/Slovenia/Ljubljana; Posts: 5,380)
Re: AV's - Heuristics vs Signatures

As mentioned in some ESET interview...
Today you need both signatures and heuristics, optionally with heuristics relying on signatures for variant-based detection. And I can confirm that this is true.
Also, this way you increase variant detection chances with every sample added to the signatures.
__________________
RejZoR's Little Secrets
#11
December 11th, 2005, 02:06 PM
ellison64 (Very Frequent Poster; Join Date: Oct 2003; Posts: 2,168)
Re: AV's - Heuristics vs Signatures

Quote:
Originally Posted by tazdevl
That doesn't make much sense. Every antivirus product misses baddies.

I think the thing to remember is that NOD32 has been doing a pretty decent job with signatures of late, also it might not be nailing something because it's in an archive.

I chose something that provides good detection, doesn't drag my system to a crawl, doesn't take hours to scan and offers good, responsive support. I could care less if it uses heuristics, signatures or widgets. That being said, I have licenses to 10 AVs and have tested many more in the last year or so.

It's true every AV misses baddies. However, not every AV uses its adware/spyware detection as a bonus selling point. But the point of my post is that NOD's advanced heuristics seem pretty useless against that sort of malware, and its signature base obviously hasn't detected that file, which isn't in an archive but is a .exe file. I've found this to be the case quite often with NOD. That file isn't uncommon either, but is on a known "adware" site that is blocked by AGNIS and many other ad-blocking sig lists.
ellison
#12
December 11th, 2005, 02:18 PM
POS (Posts: n/a)
Re: AV's - Heuristics vs Signatures

Quote:
Originally Posted by ellison64
It's true every AV misses baddies. However, not every AV uses its adware/spyware detection as a bonus selling point. But the point of my post is that NOD's advanced heuristics seem pretty useless against that sort of malware, and its signature base obviously hasn't detected that file, which isn't in an archive but is a .exe file. I've found this to be the case quite often with NOD. That file isn't uncommon either, but is on a known "adware" site that is blocked by AGNIS and many other ad-blocking sig lists.
ellison

Bonus selling point? NOD32 has a WestCoast Labs Checkmark on Spyware detection.
#13
December 11th, 2005, 02:21 PM
RejZoR (Polymorphic Sheep; Join Date: May 2004; Location: Europe/Slovenia/Ljubljana; Posts: 5,380)
Re: AV's - Heuristics vs Signatures

But honestly, that doesn't mean anything. Some companies simply can't afford that certificate and they don't have it, although they provide the same level of adware/spyware protection...
__________________
RejZoR's Little Secrets
#14
December 11th, 2005, 02:22 PM
Indeed (Posts: n/a)
Re: AV's - Heuristics vs Signatures

All you guys are talking like this: "and what if the heuristics don't catch it?"

But what if the virus is spreading fast and there is no time for an update? A lot of computers are infected before the update! Example: Zotob infected CNN, the New York Times, ABC... NOD32's heuristics caught the Zotob virus.
#15
December 11th, 2005, 02:23 PM
ellison64 (Very Frequent Poster; Join Date: Oct 2003; Posts: 2,168)
Re: AV's - Heuristics vs Signatures

Well, that doesn't mean much in this case, does it?
ellison
#16
December 11th, 2005, 02:24 PM
RejZoR (Polymorphic Sheep; Join Date: May 2004; Location: Europe/Slovenia/Ljubljana; Posts: 5,380)
Re: AV's - Heuristics vs Signatures

Well, it does actually. Sobers, Mytobs, Beagles etc. are getting nailed by NOD32 almost each and every time. I don't really know any specific sample of the mentioned ones that got past NOD32 lately without getting nailed by AH...
__________________
RejZoR's Little Secrets
#17
December 11th, 2005, 02:32 PM
ellison64 (Very Frequent Poster; Join Date: Oct 2003; Posts: 2,168)
Re: AV's - Heuristics vs Signatures

Sorry RejZoR, my post was directed at POS's post, but you guys are too quick for me on the post button. It's just annoying for me when it doesn't detect common adware/spyware files, either by design... or choice. A few AVs seem to be far superior in that avenue.
ellison
#18
December 11th, 2005, 02:56 PM
tuatara (Frequent Poster; Join Date: Apr 2004; Posts: 758)
Re: AV's - Heuristics vs Signatures

First, I am a licensed NOD32 and Kaspersky user.

To be honest, I don't think it is fair to compare both products, because they are completely different. It is just like asking which car is best, "Ferrari or Rolls Royce".

Let's assume that there were only two virus scanners:
1) Heuristics-only
2) Signatures-only

1) Will be faster in scanning and uses fewer system resources, up to 40 times on a full scan. And the chance of being infected is less than with signatures.
2) Signatures-only can give you more details on the malware they find, fewer FPs, etc.

But this doesn't say anything regarding the quality of the implementations.

Now regarding Kaspersky and NOD32.

I use both of them on a daily basis, and test a lot of software with them.

1) Kaspersky can find more malware, especially non-virus malware.
2) NOD32 finds about the same amount of viruses but is incomparably faster. A full system scan of 800 gigabytes of data can't be done with Kaspersky within the time period I have for that.
3) The performance impact of Kaspersky is heavy; try to scan the C: disk of your system if this is your only disk! It slows down your system.

So the negative things:
1) NOD32 finds less non-virus malware compared with Kaspersky.
2) Kaspersky takes a very long time to scan your system.

Then regarding the heuristics again:
1) Kaspersky has faster updates on sigs, but heavily depends on those!
2) NOD32 is slower in updating their sigs, but doesn't depend on those in that way.

And regarding new malware, in most cases Kaspersky users ARE infected by new malware when NOD32 can detect it without having to change anything. So NOD32 users have less chance of being the first to be infected with new malware.

If you look at the speed at which new malware is coming out (one of the reasons DiamondCS stopped with TDS3), it is a good thing to have better heuristics.

Certainly if you assume that the top 3 scanners can find about 85 percent of In the Wild malware.

So if you have performance problems, or don't want to slow down your system, and want less chance of being the first to be infected by NEW malware: choose NOD32.

If you want better detection of other (non-virus) malware than NOD32, and want fast sig updates: choose Kaspersky.

Personally I think they are by far the best two AVs out there.
__________________
The old creature tuatara lived here, hundreds of years
before those malware creators arrived on the Internet


#19
December 11th, 2005, 03:07 PM
tazdevl (Frequent Poster; Join Date: May 2004; Location: AZ, USA; Posts: 837)
Re: AV's - Heuristics vs Signatures

Quote:
Originally Posted by ellison64
Sorry RejZoR, my post was directed at POS's post, but you guys are too quick for me on the post button. It's just annoying for me when it doesn't detect common adware/spyware files, either by design... or choice. A few AVs seem to be far superior in that avenue.
ellison

I think the issue is that you're expecting that from an AV. Yes, they are moving towards detection of most forms of malware, and some are further along than others... but I do think you have to keep expectations reasonable. Bottom line: if you want excellent spyware protection, get a decent AS product.
#20
December 11th, 2005, 03:29 PM
ellison64 (Very Frequent Poster; Join Date: Oct 2003; Posts: 2,168)
Re: AV's - Heuristics vs Signatures

Quote:
Originally Posted by tazdevl
I think the issue is that you're expecting that from an AV. Yes, they are moving towards detection of most forms of malware, and some are further along than others... but I do think you have to keep expectations reasonable. Bottom line: if you want excellent spyware protection, get a decent AS product.
Well, that's a point. However, why run 2 programs when KAV and many other AVs have excellent spyware/adware detection? The more I test, the more I'm coming to the conclusion that it's pretty pointless using a multitude of programs (or plugins) to do (though many can't) the same thing that my AV can do. I guess when it comes to adware and spyware, advanced heuristics lose out to sig updates?
ellison
#21
December 11th, 2005, 04:05 PM
tazdevl (Frequent Poster; Join Date: May 2004; Location: AZ, USA; Posts: 837)
Re: AV's - Heuristics vs Signatures

Quote:
Originally Posted by ellison64
I guess when it comes to adware and spyware, advanced heuristics lose out to sig updates?
ellison

Yup... at this point at least... the other thing to remember is that there's identifying the spyware... and REMOVING it. In my experience, KAV does ID more spyware/malware than other AVs... but it doesn't necessarily do a good job removing it.

SpySweeper is by far the best that I've found when it comes to removing rather tenacious forms of malware. Most AS products also offer a greater degree of protection when it comes to keeping the baddies off your system as well.

The other benefit of running an additional program or two is that if one program has some form of deficiency ... as long as it doesn't add complexity from an end user perspective or significantly impact stability and performance, probably worth it in the end given how quickly new threats seem to be popping up.

Anyway I digress... back on topic... good post tu, glad someone verbalized something I couldn't put to words.

Last edited by tazdevl : December 11th, 2005 at 04:20 PM.
#22
December 11th, 2005, 04:20 PM
ellison64 (Very Frequent Poster; Join Date: Oct 2003; Posts: 2,168)
Re: AV's - Heuristics vs Signatures

Yeah, I agree about the removal, and AVs not currently being as good as dedicated AS, and if infection does occur then it's probably wiser to use one of the more reputable AS scanners. However, it shouldn't get installed in the first place if it's detected. The Outpost spyware plugin doesn't detect that file either. It's a shame there isn't a Jotti's or VirusTotal for all the ad/spyware programs out there.
ellison
#23
December 11th, 2005, 04:26 PM
muf (Frequent Poster; Join Date: Dec 2003; Location: Manchester, England; Posts: 921)
Re: AV's - Heuristics vs Signatures

Nice post, tuatara. One thing I've seen mentioned, though, that has me baffled: NOD is faster at scanning than KAV. Well, I use KAV 5, and yesterday I scanned my whole system; it took 28 mins for 230,000 files. I then scanned with NOD32 and it took 52 minutes. My system is nothing special. I have both AVs set to scan max with all files, archives, e-mail etc. So for me KAV is much quicker.

I like both AVs very much and it was a difficult call on which I preferred. But NOD32 simply takes too long to add signatures. KAV is so quick. Advanced Heuristics are really useful, but I'm not happy about pinning my hopes on the AH of NOD32 catching something. It's a bit like playing Russian roulette. Empty chamber, fine. Occupied chamber and it's goodnight Vienna.

If only NOD32 updated as fast and often as KAV. Now there's a perfect combination...

muf
#24
December 11th, 2005, 05:05 PM
tuatara (Frequent Poster; Join Date: Apr 2004; Posts: 758)
Re: AV's - Heuristics vs Signatures

I agree, AS like Spybot S&D, Ad-Aware, Spy Sweeper, CounterSpy (all in random order) always find more than any AV. It would be nice if you could have one (1) anti-malware product that could PREVENT or REMOVE all malware, but that sadly isn't available yet.
__________________
The old creature tuatara lived here, hundreds of years
before those malware creators arrived on the Internet


#25
December 11th, 2005, 05:07 PM
tazdevl (Frequent Poster; Join Date: May 2004; Location: AZ, USA; Posts: 837)
Re: AV's - Heuristics vs Signatures

Quote:
Originally Posted by muf
Nice post, tuatara. One thing I've seen mentioned, though, that has me baffled: NOD is faster at scanning than KAV. Well, I use KAV 5, and yesterday I scanned my whole system; it took 28 mins for 230,000 files. I then scanned with NOD32 and it took 52 minutes.
muf

Definitely agree that NOD32 scans have gotten longer... 42 mins versus 22 mins back in the day, i.e. before 2.5.

If I had to guess... I'd say that NOD32 (2.xx) isn't as efficient when it comes to unpacking as KAV (and KAV obviously supports a ton more unpackers than NOD32). People complained that NOD32 didn't unpack (it nailed the baddies when they were unpacked), so they added the functionality, which caused scans to take longer. I think the whole EICAR test was another reason. Tough to market an AV when it doesn't catch a test file like EICAR on download when every other AV on the market did.

KAV initial scans take forever due to iChecker, or whatever it's called, scanning all the files. Once that gets populated, scans speed up appreciably. Although it also depends what level you have KAV set at.

It would be nice if NOD32 added in something similar.

Another nice thing, and a criterion I use, is multitasking... I can use my comp when NOD32 scans; that doesn't work too well with KAV (a 2.0 GHz Pentium M, 1 GB RAM, 5400 RPM Momentus HD doesn't work too well when it comes to multitasking).

So in a long, multi-post kind of way, what I'm getting at is that folks evaluate on a fair bit more than signatures vs heuristics.

Last edited by tazdevl : December 11th, 2005 at 08:50 PM.
All times are GMT -4.