Heuristics in action

No AV is worth paying for when you have these for free and you are skilled enough to use them.
http://www.youtube.com/user/languy99#p/u/1/nPWLlF_bIC8

 

Avira has been great for me, as i love it's excellent heuristics, which is why i started this thread. They have every reason to be very proud of what the've achieved with its heuristics over the last few years, as proven in ALL the tests i've seen anyway. Nothing wrong with saying this, and hoping others appreciate it's achievements. The same goes for any other product that deserves praise, by me or anybody else.

Only been slightly infected once, and that was years ago before i used Avira. With Avira's great heurisitcs, and setting the AV to prompt me for action, i don't have any worries about visiting infected sites, just for the fun of it.

Even though Avira is constantly tops for detection in tests, and remember that's ONLY with default settings, NOT max heurisitcs etc, i do agree with several members who have accurately stated that, Avira "can" sometimes be somewhat lacking in clean up. Not sure why this should be but i feel sure they will only improve, why wouldn't they want to.

You can call me a fanboy if you like, i don't mind got every reason to be but i acknowledge both sides of the discussion.

 

Like I said, you can also use some kind of HIPS and sandboxing, which creates a totally different situation. And makes everything i said in the post redundant.

 

Future versions are irrelevant to the discussion at hand on current products. They could get better, but they could also get worse. Lets not jump to conclusions.

 

I'm sorry mr daily opinion, but your skating around the message you replied to,

Avira scored around 87% in the biggest dynamic test available from the biggest of testers with the most experience and money, match this with aviras completely useless removal and you have a poor product!

I don't know how you or any of the fanboys can argue against that, maybe you don't trust the test marx has done?

 

@PC__Gamer

If they don't get downloaded, they Can't infect. MAX settings and they won't, in my daily experience anyway

 

Will you get off of it? You hate Avira, you've made it crystal clear. I personally don't think 87% is too bad at all, but I'm not going to post that thought multiple times in the same thread. And really, where do you get "most experience and money" from? Have you been at any of these companies? Do you do their accounting? No? Then it's useless for you to bring it up. Seriously, give it up PC, we know your stance, you've left no room for doubt.

It's a bit amusing, if the subject at Wilders is either Avira or Opera, the thread is going to go to hell by the second page.

 

Your completely right, I've made my point very clear

If people didn't have such an affection with their antivirus, these theads wouldn't have such hostility in, people need to relax a little (you'll go grey before your time)

 

Your point being: "I argue for the sake of argument." Right?

 

PC, first you a good member here with some solid thoughts. Sometimes it is fun to bust your chops to get you going. No one can dispute Aviras ability. It was the one that got me here. I predicted this would be a down year for them in December and I stick to that. By down I dont mean crappy but more of a learning one that will only make them better. But yes, I love Prevx and Avira but in the past they have been the FP Kings. Things change.

So please dont take this the wrong way because we all come here and agree one day, and disagree the next. But trust me when I say personally, I learn quite a bit from your postings. And I can jab at Avira because Stefan is a dear friend I have never met. Avira is one of the best at maximizing the most from limited resources. Eset is learning that to.

And I do trust Marx, but I trust IBK more.

 

Hello Matthijs5nl,

I'm with you on this.

In all my time here, I've never participated in one of these "what's the best" threads - usually pointless and likely as not to degenerate into name calling. I do monitor them if I'm interested in a particular piece of software for info on updating frequency, support, ease of use, and the like.

To the people I advise on security, I make the points you did - the most important being making use of what's between the ears.

 

CloneRanger I have been an Avira customer for years and generally like the product. Here is an article on Avira heuristics which I think explains some of the false positives. It would appear that malware authors may be able to use this information to circumvent detection in certain cases: http://grack.com/blog/2010/03/17/the-sorry-state-of-avira-anti-virus-heuristics/

I thought the article was interesting and thought you may like to read it if you hadn't had a chance.

 

pasha101, don't confuse the Avira script heuristics with the binary malware heuristics/generic detections.

BTW, in those dynamic tests, products with behaviour blocker/HIPS (and some with reputation based detection) were compared against products without those features. Of course the prevention level is lower without those features, what you expect? I think, for not having a HIPS/behaviour blocker and not having reputation based detection, Avira did well in those tests.

So, slap ThreatFire and Sandboxie on top of Avira and you are better protected again as with those other products AND still paid nothing.

 

With soon-coming version 10, Avira's paid versions WILL have a behavior blocker, right?

 

Hi,

Yes, AntiVir ProActiv will be available in paid versions soon. ;-)

Source : http://lists.avira.com/archive/details.php?id=3988

 

AntiVir ProActiv sounds very interesting, and with cloud based interactivity.

>

@pasha101

Good to know you like it, generally I hadn't seen that article before, so thanks for sharing

Don't pretend to understand the code View attachment eval.txt



but i copied/pasted it into notepad and attempted to open it. Avira jumped right in



Obviously it's perfectly safe to do this, as it's just a js test, of which there are many.

Avira isn't the only one to detect it

AntiVir 8.2.1.194 2010.03.17 HTML/Crypted.Gen

McAfee-GW-Edition 6.8.5 2010.03.18 Heuristic.Script.Crypted

As long as people understand that Heuristics is a clever way of recognising potential malware, and realise that sometimes FP will naturally occur. One vendors Heuristics isn't the same as anothers, some will be more keen which can lead to detects that look like malware due to the code. Better safe than sorry though i think.

I've sent the eval.txt to Avira as a FP with the link, but due to the above scan and Stefan Kurtzhals input in here, they should already be aware of it. Having said that, he didn't seem too concerned when he posted about it

 

Stefan, your post seems to suggest that a whole-product dynamic test isn’t “fair” because different products have different anti-malware capabilities. However, that’s the point!

The question to be answered is not “Which product has the best detection capability?” but rather “Which product provides the best protection?”. Obviously, the objective of an anti-malware application is to protect against malware -- thus, why should a user care which piece of a product’s functionality (e.g., reputation-based analysis or signature-based detection) is delivering that protection at any one moment in time? It’s the whole product that matters -- and, as a consequence, it is only whole-product testing done in simulated real-world scenarios that allows a meaningful comparison of the differences in the quality of products’ performance, in my opinion.

 

Moreover, with the acquisition of CleanPort, Cloud technology will be more present in the future.

Source : http://www.avira.com/en/company_news/avira_extends_security_in_the_cloud.html

Please note that McAfee-GW-Edition (previously Secure Computing SecureWeb, acquired by McAfee) uses Avira engine. ;-)

 

1- Hmmm. Does anyone think that we should test (a) FW (firewalls) & (b) AV (antivirus apps) & (c) SB (sandboxes) & (d) HIPS-classic & (e) HIPS-BB (behavior blockers) & (f) suites of security apps -- all together in one amorphous group? I wonder.

BUT SERIOUSLY...

2- The trend nowadays seems to be in the direction of "security suites" having multiple components. Examples include but are not limited to A-squared, OA, KIS, & CIS, each of which includes two or more of the following components: AV + HIPS(classic or BB) + Firewall + Sandbox.

3- But some folks (me included) prefer to assemble their own set/layers of security apps instead of having some suite do it for them.

3a- One reason: taken INDIVIDUALLY, not every component within a given suite will necessarily be "best-in-class". For example, the AV in the CIS suite is a useful one, but some folks would say that it is, by no means, "best-in-its-class".

3b- Thus, it is possible to assemble a set of stand-alone security apps that are (individually & collectively) equal to or better than any security suite I am aware of.

4- When I am considering various AVs (e.g.) for a do-it-myself suite of cobbled-together stand-alone security apps, I want to see comparative tests of AVs with similar components. In other words, oranges compared to other oranges; NOT oranges compared to fruit salads.

5a- Consider (for example) a test which includes: (1) standalone AV apps <compared to> (2) AV+BB apps <compared to> (3) AV+HIPS apps.

5a- What can be learned from such a test? Basically, all we will *learn* is that (other factors being equal) an augmented AV will out-perform a stand-alone AV. Big deal! That no-brainer "lesson" can pretty much be stated a priori BEFORE conducting any appropriate test.

5b- In other words, mish-mash testing is pretty much useless, and can be very misleading.

6- Perhaps that is the point that Stefan was trying to make. If so, it is a good point IMO...

6a- Namely: test like against like -- oranges against oranges, not against fruit salads!

6b To wit: Test suites versus suites. Test AV+BB versus AV+BB. Test full-scope suites versus full-scope suites. Test specialized (single function) security apps versus apps with similar specialized (single function) capabilities.

 

@johnyjohn

Wasn't aware of that, but i am now, thanks

@bellgamin

.

I'm with you on this

 

The biggest issue from the originally linked article, is that there is some malware that uses the term eval in some form of malicious script. One way that the eval file in your previous post can stop triggering Avira is to insert the term google to the file. You can test that easily enough. The eval file you had posted was detected by Avira as you stated. I then added the term google to the last line of the file, no more detection. While the file you have is a harmless file that is reported as a false positive, I gather that there may be malicious scripts that may be able to get through Avira's heuristics by adding the term google to them. Of course I am only basing this off of the article which is fairly critical of Avira's heuristics.

 

Stefan, just a thought for you. I know most products are developed in-house, but if ThreatFire currently doesn't have a paid edition and are looking at receiving additional income for their product, you might look into a partnership with ThreatFire in the future.

No way?! Serious, it's one of the strongest behaviour blockers available, and works well with Avira. Us here like layers, but average users prefer one single program they recognize providing prompts/alerts. Could be something to consider in the future (considering pctools AV isn't so strong, spyware doctor has the 'spyware' name and to most users, is not an anti-virus and doesn't have the reputation as one).

 

Unfortunately it's the boss you have to convince not the developer

 

Very true.

I haven't used the premium edition, I'm just basing my comments off the free edition, and that instead of spending many hours developing something (behaviour blocker) you could utilize another program that could 'possibly' be available.

 

Are you aware that the whole-product dynamic tests conducted by AV-Comparatives and by AV-Test (both in December, 2009) actually did “test suites versus suites”? Within the set of security suites tested, capabilities differ. And, it is completely appropriate that the test results reflect those differences in capabilities, because a real-world user would experience differences in malware protection when using one suite versus another. For example, if Kaspersky Internet Security 2010 has capabilities that AVIRA Premium Security Suite 9.0 lacks, then so be it -- each is assessed in the same way in these dynamic tests.

Theoretically, nearly anything is possible. Unfortunately, there is no independent and rigorous comparison of a “build-your-own” security suite to those of the major vendors, and so it is not known which is actually the better approach. Logically, however, a security suite has a key advantage: the integration benefit. Components of a suite work together and complement one another, which is not possible when using a collection of isolated and non-integrated pieces.

Maybe some testing organization at some time in the future will explore this issue, but it would be a massive effort due to the combinatorial complexity of mixing and matching the "build-your-own" components.