Antivirus heuristics VS behavior blocker?

Discussion in 'other anti-virus software' started by bellgamin, Aug 23, 2007.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    In a separate thread I asked whether or not Avast has heuristics. Rejzor's answer to that question was as follows...

    I found it interesting that Rejzor used the term "behavior detection" in reference to the heuristics of an antivirus program.

    Accordingly, I have three questions...

    Q1- What is different between what an AV program's heuristics does COMPARED WITH what a behavior blocker does?

    Q2- What sort of threat might be detected by strong heuristics (such as those of NOD32 or Avira) that would NOT cause a notification to be issued by a behavior blocker program (such as System Safety Monitor, ProSecurity, or Threatfire)?

    Q3- If someone is INTELLIGENTLY using a good behavior blocker, as an added layer to an antivirus program, is it true (or false) that antivirus heuristics are NOT all that important?
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    In vastly simplified terms, heuristics inspect the CODE of a file and try to guess what that code does, and/or check it for similarities with already known malware to detect new variants. A behavior blocker monitors the ACTIONS performed by a program in real-time like a HIPS does, and steps in when it detects potentially malicious behavior. There is a grey area between the two, as some AVs' heuristics are somewhat behavior-blocker-like (using emulation).

    Generally speaking, heuristics are vulnerable to code obfuscation (strong packers, random code sequences etc.) while behavior blockers fail against non-standard behavior. For instance, instead of mass-deleting files at once, a trojan could slowly delete .doc files one at a time over a certain period. Again this is very general.

    Given the current trend of malware, this is currently true. Most malware focus on tricking antivirus scanners nowadays, while behavior blockers are largely ignored.
     
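The "slow delete" evasion solcroft describes, as an added Python illustration (not code from this thread or from any of the products named): a sliding-window behavior rule over a constructed event stream catches a burst of .doc deletions but not one deletion per hour, while a windowless per-process counter catches the trickle at the cost of more false positives. The event format and process names are constructed for the example.

```python
from collections import deque

# Constructed sample events (not a real log): (timestamp in seconds, process, action, path).
BURST = [(t, "dropper.exe", "delete", "C:\\docs\\report%d.doc" % t) for t in range(10)]
TRICKLE = [(t * 3600, "dropper.exe", "delete", "C:\\docs\\report%d.doc" % t) for t in range(10)]
BENIGN = [(t, "winword.exe", "delete", "C:\\docs\\~$report%d.tmp" % t) for t in range(10)]

def is_user_doc_delete(event):
    _, _, action, path = event
    return action == "delete" and path.lower().endswith(".doc")

def rate_rule(events, threshold=5, window=60):
    """Burst rule: alert when one process deletes `threshold` or more .doc files
    inside a sliding window of `window` seconds. Returns (timestamp, process) alerts."""
    alerts, recent = [], {}
    for event in events:
        if not is_user_doc_delete(event):
            continue
        ts, proc = event[0], event[1]
        q = recent.setdefault(proc, deque())
        q.append(ts)
        while ts - q[0] > window:        # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, proc))
    return alerts

def cumulative_rule(events, limit=8):
    """Lifetime rule: count .doc deletions per process with no time window, so the
    slow trickle is caught too; the price is more false positives (a legitimate
    cleanup tool looks the same), so such an alert deserves a lower confidence."""
    alerts, totals = [], {}
    for event in events:
        if not is_user_doc_delete(event):
            continue
        proc = event[1]
        totals[proc] = totals.get(proc, 0) + 1
        if totals[proc] == limit:
            alerts.append((event[0], proc))
    return alerts
```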
  3. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    Plenty of differences:
    - There are heuristics that will not try to directly analyze the behavior of the malware in detail. This is static analysis: it can take into account information about the functions imported by the program, the fact that the file is compressed or encrypted, etc.
    - "Behavioral" heuristic analysis may present some similarities with behavior blockers: the executable is emulated, calls to functions that could be suspect (operations with files, processes, registry keys, etc.) are recorded, and a weight- or rule-based system is used to decide whether the file should be classified as malware. However, the "behavioral analysis" could also work as an integrity checker (this is the "sandbox" concept): compare the final system state with the initial state after the analyzed executable has performed its actions.

    The fundamental difference is: with heuristics, the code does not run on the real operating system.

    There are drawbacks: emulation is much slower than execution, and it is almost impossible to create an emulated virtual machine that mimics the real operating system perfectly (see http://pferrie.tripod.com/papers/attacks2.pdf ). But there are also advantages: when emulating the code, you could decide to explore both branches of a conditional expression, you could have several CPU registers or file attributes that the emulated executable will never be able to see. You can control and observe everything from inside the VM.

    The other fundamental difference is: the behaviour blocker does not rely on the skills of the user.

    Typically, programs that try to fool the user (and the operating system) by letting him think that it is a trusted application (e.g. explorer.exe) that is performing an action. The most common example concerns trojan horses that try to bypass a personal firewall. From a technical point of view, my favourite trick is this one: http://www.matousec.com/info/adviso...fication-serveral-personal-firewalls-HIPS.php
    (I wrote a small PoC using that principle, with no API calls, back in 2004).

    Provided both your conditions are fulfilled (Intelligent/skilled user + good/reliable software), I think this is mostly true.
     
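The static, weight-based heuristics Tweakie describes (imported functions, a compressed or encrypted file, a rule-based verdict), with the "known code snippet" check Kees mentions later, as an added Python illustration that is not code from this thread or from any product. The weights, the byte pattern standing in for a known snippet, and the sample buffers and import sets are all constructed for the example.

```python
import math
import random

# Illustrative weights and a constructed byte pattern; not any vendor's real rule set or signature.
SUSPICIOUS_IMPORTS = {"WriteProcessMemory": 3, "CreateRemoteThread": 3,
                      "URLDownloadToFileA": 2, "RegSetValueExA": 1}
KNOWN_SNIPPETS = {b"\x90\x90\xeb\xfe": "demo-family-A"}

def entropy(data):
    """Shannon entropy in bits per byte: close to 8.0 for compressed or encrypted
    data, typically well below 7 for ordinary machine code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def static_score(imports, code_section):
    """Weighted static heuristics over import names and the raw bytes of the
    code section, without running anything. Returns (score, reasons)."""
    score, reasons = 0, []
    for name, weight in SUSPICIOUS_IMPORTS.items():
        if name in imports:
            score += weight
            reasons.append("suspicious import " + name)
    if entropy(code_section) > 7.0:
        score += 2
        reasons.append("packed or encrypted code section")
    for pattern, family in KNOWN_SNIPPETS.items():
        if pattern in code_section:          # passive heuristic: known code snippet
            score += 5
            reasons.append("known snippet from " + family)
    return score, reasons

def is_suspicious(imports, code_section, threshold=5):
    return static_score(imports, code_section)[0] >= threshold

# Constructed samples: a high-entropy buffer stands in for a packed section.
rng = random.Random(7)
PACKED = bytes(rng.getrandbits(8) for _ in range(4096))
PLAIN = bytes(range(64)) * 64
INJECTOR = {"WriteProcessMemory", "CreateRemoteThread", "CreateFileA"}
INSTALLER = {"CreateFileA", "RegSetValueExA"}
```

A packer that also hides the import table leaves only the entropy score, which stays below the threshold here; that is the obfuscation weakness solcroft points out above, and the reason a packed benign installer and a packed dropper can look alike to static rules.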
  4. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Good answer as usual Tweakie. And more importantly the answers concur with my meager understanding of the issues. :D

    Now my turn. In the thread about AVAST!, I seem to get a sense that there are actually two different types of heuristics, one which is "generic" which is pretty much a wild guess at detecting totally new malware (packed with X and code function that does X) and another more reliable type of 'normal' heuristic designed for detecting similar strains of the same family of malware.

    Is such a distinction meaningful? Or have I been misled?

    Assuming such a distinction to be meaningful, when one says NOD32 has good heuristics we are normally referring to heuristics of the 2nd kind?
     
  5. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Actually generic signatures are more for modified versions of existing stuff, while heuristics have the same rules plus they have a far greater chance of detecting completely new stuff that includes just parts of existing malware.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Very well answered, Solcroft, Tweakie. :thumb:

    I think passive heuristics (checking known sequences of code or "snippets") and behavior blocking go well alongside. Also AVs which have strong packed file inspection (e.g. the free Antivir) also tend to be stronger on heuristics. Stronger paid AVs also have the active heuristics (simulation of code as explained by Tweakie).

    I used the terms passive and active because the marketing messages of the stronger AVs use them, although it is a trivial difference.

    Regards Kees
     
    Last edited: Aug 24, 2007