Heuristics

Discussion in 'other anti-virus software' started by ajcstr, Jul 12, 2007.

Thread Status:
Not open for further replies.
  1. ajcstr

    ajcstr Registered Member

    Joined:
    Oct 28, 2004
    Posts:
    183
    Is it generally a bad idea to set heuristics to low on an AV to reduce the possibility false positives (the default setting is medium)? My thinking is the signature files should catch the known stuff.
     
  2. ASpace

    ASpace Guest

    It depends on the product - some are known to produce more FP alarms than others .


    Yeah , the signature file should detect known threats but cathing unknown malicious code is one of the most important things nowadays . All threats can be unknown and none can be known (hope you understand) . Humans beings can see tons of new threats everyday and the better the heuristics , the better the protection
     
  3. ajcstr

    ajcstr Registered Member

    Joined:
    Oct 28, 2004
    Posts:
    183

    Ok, the product is AntiVir - BUT PLEASE, NO COMPARISONS TO OTHER PRODUCTS.

    I am installing the classic version on a friend's pc and if they like it I would tell them to get the premium version to include the spyware. But I don't want to risk them deleting something they need because they thought it was a virus but I don't want to open the flood gates either.

    Asked another way, would I in effect cripple the product by lowering the sensitivity level?
     
  4. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    I wouldn't have thought so, I think Antivir's heuristic is still powerful on the medium setting, FWIW I've used it on two setups with heuristics on High and have only had one FP a few months ago (which was fixed when I emailed Avira). Antivir does not give you the option to delete heuristic detections, you have to ignore or quarantine them, so you can always restore something from quarantine later, if it was an FP.

    Londonbeat
     
  5. Thug21

    Thug21 Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    141
    Location:
    Illinois
    I have used Antivir on 2 pc's for several months now. At first, I had some (about 6) FP's with the scanner set on "high." Only one would have happened with the "medium" setting, however. All FP's were fixed asap when I submitted them.


    The good news is that I haven't seen more than 1 FP in the last few months. :)

    Perhaps just tell your parents to always quarantine instead of deleting. As posted, which regards to HEUR detections, a delete isn't even possible - just in case it's a false detection.

    I think the best combination might be to leave the guard on a higher level and the scanner on a lower one. In my experience, all FP's were produced by the scanner since it goes through many, many files. Medium and Medium should be fine, though.
     
  6. ajcstr

    ajcstr Registered Member

    Joined:
    Oct 28, 2004
    Posts:
    183
    Did not know that - just learning the product and I appreciate the help !
     
  7. ASpace

    ASpace Guest

    Did I say something ?

    Leave it the default Medium
     
  8. ajcstr

    ajcstr Registered Member

    Joined:
    Oct 28, 2004
    Posts:
    183
    Not at all, but I got accused of spamming last time I posted asking for opinions and I know the forum frowns on "which is better" type posts
     
  9. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    Please forgive my post but I need to use other products as a reference because I know little about Avira. I use VBA32, and they have it possible to configure it to where any threat can be moved to quarantine. If that is possible with Avira then I see no problem with setting heiristics on high and then sending them everything in your quarantine. False positives will then be corrected, if need be, and then they can be restored. As was said earlier, it is important to catch the mosr malware you can. I think another important questiion, that you did not ask, is: how much emphasis does Avira place on heuristics versus signatures? That I do not know.
     
  10. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    From AVPE's help...
    Note that "Interactive" is the default setting, & that's where I leave it set. Therefore, AVPE always asks me what to do before taking any action after detecting possible malware.

    Good indicators of answers to those questions can be had at AV-Comparatives.

    For 2007 thus far...
    In Feb's on-demand tests, AVPE scored very high based on sigs.

    In May's Retrospective/ProActive tests, AVPE scored highest on detection, but with high FPs, & with Heuristics on "High".

    IMO those results indicate a good combo of (1) rapidly updated, broad-scope sigs & (2) strong heuristics that need to be tempered with judgment.
     
    Last edited: Jul 12, 2007
  11. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    That is a good point. That's where I leave my settings too. However, for someone that might not be as knowledgeable that might not be a good idea. Take for instance my mother, she starts ranting and raving at me from the first sign of trouble or anything out of the ordinary. So, in that case, having an AV be as quiet as possible is best.
     
  12. ajcstr

    ajcstr Registered Member

    Joined:
    Oct 28, 2004
    Posts:
    183
    BINGO - my goal exactly
     
  13. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    The guard in the Classic version is only interactive
     
  14. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    I had Avira's heuristics set at Medium usually.
     
  15. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    i always think, highest settings!!!

    if it produces false alarms, i can judge myself if they are or not, but id rather it have a greater detection of new threats.
     
  16. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    That all depends on the user.
    False Positives wouldn't bother me personally.I have no problem with investigating them.
    With a less experienced user I wouldn't advise it.
     
  17. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    basically, if you are worried about false alarms.

    get norton 2007, its light, friendly gui for beginners, default settings are max security, 99% or near enough detection rate, and ZERO false alarms for most users.
     
  18. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    does the high setting (guard and scanner) impact system speed? Or, doesn't matter what setting you use?

    Ian
     
  19. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    The high heuristics setting has NO discernible impact on system speed on my computer. She zooms right along as usual.

    The main impact on speed doesn't depend on the heuristics setting. Instead, the greatest impact on system speed results from the setting for the Guard's scan mode. The Guard's scan mode has 3 optional settings: (1) Scan when reading, (2) Scan when writing, (3) Scan when reading & writing.

    Option #3 is the default. It is the most secure setting, & is also the slowest.

    I use Option #1 (scan when reading), which is significantly faster.

    However, Option #1 has a drawback. Namely, the Guard (Real Time Monitor) only scans files at the moment when they are read or executed by the application or the operating system. This works fine until you miss a virus definitions database update, or turn the Guard off for some time. In such situations, your system MIGHT get infected.

    Therefore, if you use Option #1, you should be sure to do immediate scans of all downloads, as well as frequent full scans. In my case, the extra speed is worth it because I get that speed gain while I am actually using the computer, and the full scans are done while I'm in bed sleeping.
     
  20. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    bellagim,

    Thanks for the informed reply.

    Ian
     
  21. ajcstr

    ajcstr Registered Member

    Joined:
    Oct 28, 2004
    Posts:
    183
    I went with low heuristics on the realtime scanner and medium on the on-demand scanner.

    Thanks for all the suggestions !
     
  22. ajcstr

    ajcstr Registered Member

    Joined:
    Oct 28, 2004
    Posts:
    183
    I have heard that Norton 360 is a total rewrite and is very light and quiet. This is true for NIS 2007 also? I thought NIS was still "Norton as usual"
     
  23. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Apparently it's true for NIS 2007 also.
     
  24. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    yep its true.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.