NOD32 and how heuristics work

I thought signatures don't make any difference in what the heuristics will detect. If you read this post by tazdevl, it seems like it might matter after all?

To explain it better; how can the number of "probably unknown NewHeur_PE virus" reports increase from 2 to 4 with just a signature change? Wouldn't the advanced heuristics module have to be "improved" too?

 

Heuristics can work together with signatures to detect modified malware based on existing malware that is already known. This is basically a generic detection.

 

RejZoR, are you own3d?
Your post is correct

 

Hehe,i was writting from school PC. I was too lazy to log in

 

It seems that there are at least two kinds of heuristics. The first seems to be some sort of emulation a la sandboxing or similar technique. That is, runninng an emulation of the file in a safe environment and seeing if it does something malware like. The other is what was just referred to as generic signatures, seeing if the code in a file bears a similarity to other known malware. I believe that NOD32's heuristics utilize both methods. Am I correct in these suppostions?

 

Thanks for the reply and reference to the Extreme Tech article. So, does NOD32 use both static and dynamic heuristics?

 

It appears so. If you disable signatures and try with several malware types,there is a great chance that you'll encounter "Probably modified malware_name (probable variant)".
Probably variant is added if the heurstics decide that there is a very very high chance that the file is really malware. Otherwise you get name without (probable variant).
There is also a difference between Probably new heur_PE detection and Probably modified Lowzones trojan.
First one detects a completely new malware (or based on know parts of file via heuristics and/or emulation),while second one detects a modification of Lowzones trojan (in this example) or other malware containing parts of Lowzones trojan.

 

Thanks for the replies. I understand it a bit better now

 

If signatures can work together with heuristics to make better results, then will the signatures also help to perform a somewhat limited disinfection of the malware modification that was found?

Just curious