Heuristics

Discussion in 'other anti-virus software' started by msingle, Jan 25, 2003.

Thread Status:
Not open for further replies.
  1. msingle

    msingle Registered Member

    Joined:
    Jan 25, 2003
    Posts:
    82
    This question is about whether heuristics really work. According to last summer's PC Magazine (yeah, yeah I know - please no flames) none of the AV tools tested picked up on new viruses after not being updated for a month and off the web (except for McAfee and NAV and they already had sigs on the new viruses somehow).

    The article basically said that it's nice to talk about but it doesn't actually work.

    I was reading at SANS.org the other day and they were saying how heuristics were basically the cause of a lot of false positives.

    Any thoughts?
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    Hi msingle,

    There is an excellent overview regarding the history and development of Anti-Virus products, posted by Technodrome; it is called the "History of Virii vs AntiVirus War!". See it here:

    http://www.wilderssecurity.com/showthread.php?t=2892;start=6

    It's very detailed, but reply #6 (a little more than half way down) specifically discusses Heuristics. You should take a look at that, at least, as a start towards answering your question.

    Hope that helps,
    LowWaterMark
     
  3. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Rodzilla just said something the other day about NOD32 picking up several viruses, before they had the signature files.
    I have DrWeb and they seem very proud of their Heuristics. I doubt they would say much about it if it didn't work at all.
    Haven't had a chance to prove one way or another though.
     
  4. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    > Rodzilla just said something the other day about NOD32 picking up several viruses, before they had the signature files.

    Yep ... there's a l-o-n-g list. :)

    You may have noticed that sometimes several days elapse between NOD32 updates ... this is because viruses which are detected heuristically generally don't rate an immediate update ... but sometimes we release two or three updates within a few hours of each other, for new viruses which are not detected heuristically.

    > I have DrWeb and they seem very proud of their Heuristics. I doubt they would say much about it if it didn't work at all.

    DrWeb would also have a long "before they were written" hitlist ... its heuristics are also very powerful. There's no question that it's right up near the top in virus detection ... but I would have to seriously weigh its detection rate against its false positive rate if I was in the market for an antivirus program and I wasn't in the AV industry.
     
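The trade-off rodzilla describes above (a heuristic catches samples that have no signature yet, but can also flag clean files) is easy to see in a toy scanner. This is an added example, not code from the thread or from any of the products mentioned; the signature, the heuristic rules, the threshold and every sample file are constructed for the illustration.

```python
"""Toy signature scanner versus toy scoring heuristic (constructed example).

Shows the two behaviours discussed in the thread:
  * a signature scanner misses a sample for which no signature exists yet;
  * a scoring heuristic flags that sample anyway, but the same rules can also
    fire on a clean file (a false positive).
"""
import math
from collections import Counter

# Constructed signature database: exact byte patterns for *known* samples only.
SIGNATURES = {
    "Constructed.Worm.A": b"WORM-A-MARKER",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; packed or encrypted data tends toward 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed heuristic rules: (name, weight, predicate over the file bytes).
# Weights are arbitrary for the illustration; a real engine tunes them against
# large clean and malicious corpora precisely to keep the false-positive rate down.
HEURISTIC_RULES = [
    ("high_entropy_body", 2, lambda d: shannon_entropy(d) > 7.0),
    ("self_replication_strings", 3,
     lambda d: b"copy self" in d.lower() or b"mass mail" in d.lower()),
    ("autostart_reference", 1, lambda d: b"autorun" in d.lower()),
]
THRESHOLD = 3  # constructed: total weight at which a file is flagged


def signature_scan(data: bytes) -> list:
    """Return the names of every signature whose pattern occurs in the data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def heuristic_scan(data: bytes) -> tuple:
    """Return (score, names of rules that fired, flagged?)."""
    fired = [(name, weight) for name, weight, pred in HEURISTIC_RULES if pred(data)]
    score = sum(weight for _, weight in fired)
    return score, [name for name, _ in fired], score >= THRESHOLD


# Constructed sample files. None of these is real malware; they are byte strings
# built so that each exercises one case from the discussion.
SAMPLES = {
    # Known sample: the signature database already has a pattern for it.
    "known_worm": b"WORM-A-MARKER payload: copy self to every share, mass mail contacts",
    # New variant: same behaviour strings, but the marker changed, so no signature.
    "unknown_variant": b"This build will copy self to every share and mass mail the address book",
    # Clean installer: compressed (high-entropy) data plus an autorun reference.
    "clean_installer": bytes(range(256)) * 4 + b" installer writes autorun.inf for the CD ",
    # Ordinary document: nothing suspicious at all.
    "plain_text": b"Quarterly report: revenue up 4 percent, costs flat.",
}


def scan_all() -> dict:
    """Run both scanners over every sample; returns {name: (sig_hits, flagged)}."""
    results = {}
    for name, data in SAMPLES.items():
        sig_hits = signature_scan(data)
        _, _, flagged = heuristic_scan(data)
        results[name] = (sig_hits, flagged)
    return results


if __name__ == "__main__":
    for name, (sig_hits, flagged) in scan_all().items():
        score, rules, _ = heuristic_scan(SAMPLES[name])
        print(f"{name:16s} signature={sig_hits or 'none':<24} "
              f"heuristic={'FLAG' if flagged else 'ok'} (score {score}: {rules})")
```

Running it shows the unknown variant missed by the signature scanner but caught by the heuristic, while the clean installer is also flagged because high entropy plus an autorun reference happens to reach the threshold; that false positive is exactly the cost rodzilla weighs against detection rate.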
  5. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    I think DrWeb is more suited to an experienced user who can analyse these false positives and act upon them without panic; I believe that's the way it's reviewed here at Wilders also. No doubting though that it's a fine AV. :)
     