avg heuristics

Hi,how good are they now.Was they improved with 7.5,and if so how do they compare,
Thanks

 

Honestly , they are poor . They have never been good . Even the latest AV-Comparatives.org test proves that

 

As far as I know, the latest av-comparatives test, didnt test the 7.5 version, wich are way better than the 7.1 last tested.

 

If they've never been tested, then how do you know they are 'way better'?

 

We won't know until next years AV Comparitives, but I am personally hoping Grisoft is right about it.

 

Waiting for the next AV-Comparatives

 

I can't say its "way better", but indeed it is better. It probably won't be anywhere near NOD32 at the AV-comparatives proactive test though. AVG's heuristics is based on a Sandbox, and though some detections appear as heuristics, it seems they are not because Grisoft doesn't always add signatures for such detections. Based on the treatment of files detected by heuristics by Grisoft, and by personal experience (as well as some small snippets from support), I made the below conclusion. You will find 3 types of heuristic detections from AVG:

1) "Could be infected..." detections: These are a kind of variant detection ability. Not sure if it can be counted as heuristic, but they serve as detecting new strains/modifications of an existing malware.

2) "Suspicion: <Malware Type>" detections: These are heuristic detections in the normal sense, detected by the suspicious behaviour of files not linked particularly to any other malware. This is the kind of detection which should be sent for further analysis to Grisoft.

3) "May be infected by unknown virus ...." detections: These are a kind of generic detections which base their detection on the behaviour of the malware which pertains to specific malware category (HackTool.XXXX, Riskware.XXXX, Exploit.XXXX, Worm.XXXX, Virus.X etc.)

4) Also there is Ewido's heuristics engine, but rarely have I seen this in action. How effective this is I do not know.

I could be wrong in the above theory, but from what I've seen while sending such files to Grisoft, only the "suspicion:" detections seem to require analysis (and signatures are added only for these "suspicion" detections). AVG's heuristics is still not all that clear to me though, but with time I hope to find out more.

 

avg has always had poor heuristics. The Ewido engine may strengthen the heuristics in AVG AM but i am not that sure. I wouldn't count on AVG pro or free having very good heuristics.

 

But I think the improvements in AVG 7.5 are at least enough to make AVG pass the retrospective tests this time.

I do not expect the heuristics engine to be very good, mainly because Grisoft has been focusing on other things such as Anti-Rootkit technology and polymorphic detection (Almost every recent program update for AVG has had "Improved polymorphic virus detection" in its changelog).