Heuristics in ESS... false sense of security!?

Eset Smart Security's heuristics analysis is giving us false sense of security when it comes to detecting new and unknown viruses.

Compared to other AV's heuristics analysis technique, ESET is much inferior (though Advanced Heuristics is capable of detecting the same virus). Given a new and unknown virus, heuristics analysis alone of ESET cannot detect it. Pls see my comparison:

Sample: a virus that duplicates using filename similar to that of a folder name where it (virus) resides

Modes are: No Heuristics; Heuristics; Advanced Heuristics

1. ESET Smart Security - no detection; no detection; probably unknown NewHeur_PE virus
2. Dr. Web CureIt - no detection; probably WIN.SCRIPT.VIRUS; N/A

Both AVs have the same date of definition files (September 17, 2007), outdated

Guys! If ESS Advanced Heuristics == other AV's Heuristics, then what's the use of ESS's inferior heuristics?

This is just my obeservation. And I believe using Heuristics Analysis alone (not Advanced Heuristics) will give us a false sense of security, especially for a new and unknown viruses. And hey! dont forget that the default setting of 'Real-time file system protection' is set to Heuristics analysis only.

Note: Im using CureIt only as a "First Aid Kit"

 

I absolutely don't see any sense of what you've been trying to say The heuristics never catches 100% of all threats. Needless to say that the heuristic and signature based detections are complementary and together they give a high probability of detecting new malware. By the way, I don't understand why you differenciate between the heuristics and advanced heuristics.

 

Because advanced heuristics isn't turned on by default in the resident module?

While we're at it, judging by how heavily Eset relies on its advanced heuristics to catch variants, leaving it off by default could be a mistake. Personally I hope this gets fixed in the ESS final release.

 

AH is enabled by default for newly created/modified files

In ESS/EAV you can enable it even on access.

 

Okay, sweet.

 

that's good news - it's something we mentioned as a possible improvement ages ago!

 

It isn't actually as good idea as it might appear at the first sight.

 

do you mean in a corporate environment Marcos?

I did suggest two downloads - one maxxed out in settings and protections, and one dumbed down for corporate deployment... but I doubt it went any further than the staff I mentioned it to...

 

In my version 3.0.414.0 Advanced Heuristics is turned on by default.

 

It would be best if only AH is used by ESET. For me, if there is AH there will be no more need for Heuristics alone. In fact the Heusristics used by ESET is inferior compared to other Heuristics used by other AV. No question about the AH!

AH will do the job. Anyway, if ESS is configured properly, it will give an excellent result.

 

Because heuristics alone cant detect the virus sample I used, while other AV's heuristics can! AH does.

 

But it doesn't matter what module,component,part of the product detected the threat . This is one system and all modules work as one , as a team to reach the best possible effect .

 

Heuristcs can detect stuff that AH cannot and vice-versa, so they are COMPLEMENTAL and do not do the same things.

 

Nicely said Marcos...

 

But youre not totally safe there Marcos! The name (Advanced Heuristics) speaks for itself. If you say complemental, then why leave an option? Why is it also the AH is unmarked by default? Why is it not created as one? Surely the level of AH is much higher compared to its basic heuristics. Or maybe the heuristic is somewhat weak

 

Heuristics and advanced heuristics are two different things. "Normal" heuristics does static analysis of code looking for specific code patterns. It's very fast, but it's bypassed by code obfuscation.
Advanced heuristics does dynamic analysis, looking for malware behaviour. It creates a virtual machine and emulates the code inside it. This is slow, but it's more resistant against code obfuscation.
This paper (PDF) by Symantec does a fine job at explaining heuristics.