Among the famous AVs, which is the best in heuristic detection?

Discussion in 'other anti-virus software' started by quding, Oct 20, 2006.

Thread Status:
Not open for further replies.
  1. quding

    quding Registered Member

    Joined:
    Oct 20, 2006
    Posts:
    42
    Location:
    China
    the more mathematical foundations of heuristics?
    Do you mean the algorithm of heuristic?
     
  2. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Does anyone know if Dr Web's free Cureit provides the same heuristic detection as the main scanner?

    Regards
     
  3. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    I'm gonna scare everyone here and recommend the Panda TruPrevent software for heuristics. I find it works well, but Panda's overall 'here is what you get for your money' is just not good enough for me.

    No point mentioning NOD as we know about their heuristics; BitDefender's HIVE is good too, but does create a few FPs in my opinion.

    I'm more curious about AVG's now, as they clearly now state a big improvement in heuristic detection and something to do with NTFS data streams too. ;)
     
  4. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    If there is an option for heuristic analysis in CureIT, then it is the same detection as the paid version of Dr.Web.

    The Dr.Web 4.x engine does not offer much flexibility in heuristics - either it is enabled or disabled (except for generic signatures, which always remain enabled).
     
  5. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Thx Firecat

    Londonbeat
     
  6. quding

    quding Registered Member

    Joined:
    Oct 20, 2006
    Posts:
    42
    Location:
    China
    To talk about the characteristics of all the AVs, you should give us the technical details, not only one-sided introductions like advertisements.
     
  7. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Eh? ... What in the world are you talking about?

    This is a heuristics thread, on which I gave my opinion and comments. I don't understand this reply of yours; maybe a faulty keyboard? :D
     
  8. quding

    quding Registered Member

    Joined:
    Oct 20, 2006
    Posts:
    42
    Location:
    China
    Oh, what I said is that I want to acquire some programming details of heuristics, not only conclusions about them: A is stronger than B, B is 200% of C.
     
  9. quding

    quding Registered Member

    Joined:
    Oct 20, 2006
    Posts:
    42
    Location:
    China
    In other words, I'm about to try to code a programme based on heuristic technology; are there any references?
     
  10. marcromero

    marcromero Guest

    Dr.Web Antivirus and Nod32 have the better heuristics in my opinion.
     
  11. quding

    quding Registered Member

    Joined:
    Oct 20, 2006
    Posts:
    42
    Location:
    China
    So they are.

    But do you have any evidence in the form of technical details?
     
  12. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
  13. marcromero

    marcromero Guest

    I have no technology details, sorry. My opinion is based solely on my own experiences with these two programs as compared to others I have used. Like Technodrome suggested, you might inquire with the various av vendors concerning their heuristics technology and application.
     
    Last edited by a moderator: Oct 21, 2006
  14. quding

    quding Registered Member

    Joined:
    Oct 20, 2006
    Posts:
    42
    Location:
    China
  15. quding

    quding Registered Member

    Joined:
    Oct 20, 2006
    Posts:
    42
    Location:
    China
    Yes, of course.
    Thank you all the same.
     
  16. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    You need to focus mainly on the principal things first, and then you can go more deeply.

    What you should really understand is that the heuristic technique is only a way to catch new malware before its own signature is released (I mean a specific signature for a specific malware). Then you can use any way you want, even asking the malware in a chat whether it's malware. Normally, we can mainly recognize two ways to act (they aren't exclusive; obviously they can be used together too): the static heuristic way and the dynamic heuristic way (I know, this isn't a fully correct way to define all heuristic techniques, but to explain the concept it can be enough).

    Static heuristic way: in this field you can find, for example, generic signatures (a really easy example could be a signature with wild bytes) merged with geometric scanning (studying the PE structure of a bunch of malware coming from one malware family, looking for common characteristics). So, for example, if you know that Trojan.EraserHW.A, Trojan.EraserHW.B, Trojan.EraserHW.C and Trojan.EraserHW.D have some common bytes and almost the same PE structure - it can be the size of some section, or the number of sections combined with the same exe packer, or some strange EP that points to the last section - you can write a generic signature, because with high probability Trojan.EraserHW.E would have the same characteristics.

    Dynamic heuristic way: in this field you can find emulation of files. The static way could be useful if we already have some samples of a specific malware, but what if the malware is unknown? We can emulate the malware in a sandbox and look at what it does to the system. To do this you have to understand how to run an executable file in a sandbox and, mainly, how to develop a sandbox. The first thing you have to understand is that you have to give the executable everything it needs to run and execute. So, basically, emulate a PC. How deeply you emulate the file is your choice. For example, the Norman sandbox fully emulates a complete virtual OS; some other heuristic scan engines developed by other companies emulate the file only up to xxx lines of code and can understand whether the file could be malware.
    What do you have to study? How to emulate an OS, so you can study BOCHS, which is a free open source emulator.
    Another interesting way is using Dynamic Code Translation; you can read a document HERE.
    Another way is implementing a HIPS concept, and so hooking some Windows APIs and analyzing what a file is doing, blocking it if it uses a combination of APIs that could add up to possible malware.

    What I've written here is only a LITTLE part of what the heuristic world is; it's incomplete, but it should give you a clearer idea of what it is.

    Good luck :)

    Best Regards,

    Marco
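As an added example that is not part of Marco's post or of any vendor's engine, here are the two static pieces he describes combined in Python: a generic signature with wild bytes, and a geometric check on the PE header (section count, entry point inside the last section). The stub pattern, the section layouts, the scoring weights and the PE-shaped test blobs are all constructed for illustration, not taken from a real detection.

```python
import struct
from typing import Dict, List, Optional

def parse_signature(text: str) -> List[Optional[int]]:
    """'60 E8 ?? ?? 5D' -> [0x60, 0xE8, None, None, 0x5D]; '??' is a wild byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def find_signature(data: bytes, sig: List[Optional[int]]) -> int:
    """Offset of the first match (wild bytes match anything), or -1 if absent."""
    for i in range(len(data) - len(sig) + 1):
        if all(b is None or data[i + k] == b for k, b in enumerate(sig)):
            return i
    return -1

def pe_geometry(data: bytes) -> Dict[str, object]:
    """Walk the PE headers: section count and whether the entry point sits in the last section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    ep = struct.unpack_from("<I", data, e_lfanew + 40)[0]         # AddressOfEntryPoint (RVA)
    table = e_lfanew + 24 + opt_size                              # first IMAGE_SECTION_HEADER
    sections = [struct.unpack_from("<8sII", data, table + 40 * i) for i in range(nsec)]
    _, last_size, last_va = sections[-1]                          # Name, VirtualSize, VirtualAddress
    return {"sections": nsec, "entry_point": ep, "ep_in_last_section": last_va <= ep < last_va + last_size}

# Constructed wild-byte pattern (pushad / call $+5 / pop ebp / sub ebp, imm32): the shape of an unpacking stub.
STUB_SIG = parse_signature("60 E8 ?? ?? ?? ?? 5D 81 ED")

def heuristic_verdict(data: bytes) -> Dict[str, object]:
    """Combine the wild-byte signature with PE geometry into a score (weights are constructed)."""
    geo = pe_geometry(data)
    hit = find_signature(data, STUB_SIG)
    # 3 sections stands in for "the section layout seen across the family" in the post.
    score = (2 if hit >= 0 else 0) + int(geo["ep_in_last_section"]) + int(geo["sections"] == 3)
    return {**geo, "signature_offset": hit, "score": score, "suspicious": score >= 3}

def build_sample(sections, ep: int, body: bytes) -> bytes:
    """Constructed PE-shaped test blob (headers plus a raw body); it is not runnable and not real malware."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    opt = struct.pack("<HBBIIIII", 0x10B, 9, 0, 0, 0, 0, ep, 0x1000)        # PE32 header, EP at +16
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, va, sz, 0, 0, 0, 0, 0, 0x60000020)
                     for n, va, sz in sections)
    return dos + b"PE\0\0" + coff + opt + table + body

PACKED = build_sample([(b".text", 0x1000, 0x2000), (b".rdata", 0x3000, 0x1000), (b"UPX1", 0x4000, 0x3000)],
                      0x4010, b"\x90" * 8 + bytes.fromhex("60e8123400005d81ed") + b"\xcc" * 4)
CLEAN = build_sample([(b".text", 0x1000, 0x2000), (b".data", 0x3000, 0x1000)], 0x1100, b"\x55\x8b\xec\x90" * 4)
```

`heuristic_verdict(PACKED)` scores 4 (signature hit, entry point in the last section, three sections) while `heuristic_verdict(CLEAN)` scores 0; a real engine would tune the weights against a corpus to keep the FP rate down.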
     
  17. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    TruPrevent is closer to being a behavioral blocker than the file heuristics used by other AVs.
     
  18. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    ;)

    Marco
     
  19. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    quoted before you changed your post :D
     
  20. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    and i just saw your post explaining the various forms of heuristics :D
     
  21. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    Not only that. I sent you a somewhat detailed PM regarding heuristics.

    Dave
    The guy who got Dana Scott and Robin Gandy to join the short-lived Balkan Logical Society, a society in which forcing semantics reigned supreme!
     
  22. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    I would definitely agree with that statement. And if you look at the May 2006 retrospective test from AV-Comparatives (see here) you would get further confirmation that VBA32 does indeed have great heuristics. It achieved 56% heuristic detection, which was second only to NOD32's 58%. Keep an eye on this one and keep your fingers crossed that they can get their act together.
     
  23. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Check out Mike's (aka Inspector Clouseau) future books on the subject when they are published. Should contain plenty of useful information on the subject ;)
     
  24. quding

    quding Registered Member

    Joined:
    Oct 20, 2006
    Posts:
    42
    Location:
    China
    How can I get the book, please?
     
  25. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    It's not out yet!
     