Research: 80% of Carberp infected computers had antivirus software installed

Discussion in 'other anti-virus software' started by King Grub, Jul 28, 2012.

Thread Status:
Not open for further replies.
  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    There is a paradox in this statement.

    First, heuristics use algorithms to determine behavior. If the AV hasn't been updated, neither have the heuristic algorithms. So in this situation, you're as vulnerable to new threats as you are with using outdated signatures.

    Then there is the issue of heuristic analysis overall. Scans are being performed for a predetermined period of time. The shorter the scan, the less likely the malware will be discovered, but the lesser the impact on system performance. The "low", "medium", and "high" settings for heuristic scanning used by AVs equate to the amount of time the object in question is being scanned.

    -Edit- Think of the duck analogy; if it looks, smells, and walks like a duck, it has to be a duck. If it looks like a duck, probability that it isn't malware is low. If it looks and smells like a duck, probability it isn't malware is 50/50 i.e. medium. If it looks, smells, and walks like a duck, probability is high that it isn't malware. Is it a duck? Could be a small goose o_O

    Behavior analysis, i.e. a host intrusion prevention system (HIPS), is much more effective in detecting new malware because it is watching access to protected areas in your system. If an unknown process is accessing protected system and user areas in your system, there is a high likelihood that the process is malware.

    Sandboxing is a form of HIPS in that the unknown process is isolated and its privileges reduced so that it cannot access critical areas. Edit - sandboxing is not foolproof. Malware has in the past "jumped" sandboxes and infected systems.
     
    Last edited: Aug 1, 2012
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi:

    No such thing as a DA question, only DA answers:

    1) WSA? Don't know; ask the WSA vendor if it would have "held".
    2) EMET (latest version of course!) might very well have blocked Carberp "IF" it attempted to use one of the baddies EMET blocks.

    EMET 3.0 has blocked a "bad" unsigned Outlook component for me once.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I see no paradox.
     
  4. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,629
    Are you sure about that? I have not done any recent reading on the subject, so things may well have changed. However, going back a number of years, the heuristic scan remained the same no matter what level of heuristics you chose. There would be a number of factors which could indicate that a file was suspicious. In order to reduce false positives, there had to be several suspicious factors found before a file was flagged as being a potential threat by the antivirus. The number of suspicious factors found before alerting the user would be decreased with a high heuristic setting (greater chance of finding suspicious files - but more false positives), and increased with a low setting.
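The threshold mechanism roger_m describes, as an added toy illustration that is not from the thread or from any real AV product: the factor names, the per-level thresholds and the sample files are all constructed, and the point is only that the checks stay fixed while the level moves the cut-off, trading missed detections for false positives.

```python
from dataclasses import dataclass

# Constructed set of "suspicious factors" a static heuristic scan might check for.
SUSPICIOUS_FACTORS = {
    "packed_sections",         # high-entropy sections typical of a runtime packer
    "no_version_info",         # no VERSIONINFO resource
    "imports_process_inject",  # imports that allow writing into other processes
    "writes_run_key",          # persists via an autorun registry key
    "unsigned",                # no Authenticode signature
    "hides_window",            # starts with its window hidden
}
# The level only changes how many factors must coincide; the checks are identical.
LEVEL_THRESHOLDS = {"low": 5, "medium": 3, "high": 2}

@dataclass(frozen=True)
class Sample:
    name: str
    factors: frozenset
    is_malware: bool  # ground truth, known only because this dataset is constructed

def score(sample: Sample) -> int:
    """Count how many of the known suspicious factors this sample exhibits."""
    return len(sample.factors & SUSPICIOUS_FACTORS)

def flagged(sample: Sample, level: str) -> bool:
    """True when the sample reaches the threshold for the chosen heuristic level."""
    return score(sample) >= LEVEL_THRESHOLDS[level]

def evaluate(samples, level: str) -> dict:
    """Return detected / missed / false_positive counts for one heuristic level."""
    result = {"detected": 0, "missed": 0, "false_positives": 0}
    for s in samples:
        hit = flagged(s, level)
        if s.is_malware:
            result["detected" if hit else "missed"] += 1
        elif hit:
            result["false_positives"] += 1
    return result

# Constructed samples; the benign game trainer shares injection traits with a dropper.
SAMPLES = [
    Sample("dropper.exe", frozenset(SUSPICIOUS_FACTORS), True),
    Sample("stealth.exe", frozenset({"imports_process_inject", "writes_run_key"}), True),
    Sample("installer.exe", frozenset({"unsigned", "packed_sections"}), False),
    Sample("trainer.exe", frozenset({"imports_process_inject", "hides_window", "unsigned"}), False),
    Sample("editor.exe", frozenset({"unsigned"}), False),
]

if __name__ == "__main__":
    for level in LEVEL_THRESHOLDS:
        print(level, evaluate(SAMPLES, level))
```

Raising the level from low to high catches the two-factor sample that low and medium miss, but at the cost of flagging the unsigned packed installer and the trainer as well.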
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Depending on the security app used, the process will be isolated and its behavior observed. High heuristics will cause more tests to be performed, hence the longer scan times and the higher likelihood of a false positive, i.e. that process is safe but is flagged as malware. False positives are caused by faulty scanning algorithms, hence the heavy penalty assessed by the AV test labs. Note however that the likelihood that high heuristics will find malware is also highest.

    In my opinion heuristics are a classic example of "what is the greatest evil."
     