4 Detection Methods of Antivirus used Today. An Explanation?

Discussion in 'other anti-virus software' started by ultragunnerdcl, Nov 20, 2007.

Thread Status:
Not open for further replies.
  1. ultragunnerdcl

    ultragunnerdcl Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Location:
    Philippines
    Can anyone pls explain, give pros & cons, comparisons & which is the best detection methods between the ff.? preferably in layman terms...

    1)Signature based Detection
    2)Heuretic based Detection
    3)Suspicious file based Detection
    4)Packer/Cryptor based Detection
    :rolleyes:
     
  2. Xenophobe

    Xenophobe Registered Member

    Joined:
    May 26, 2007
    Posts:
    174
    Suspicious and Heuristic are the same thing, aren't they? Also, I would say packer detection falls under the signature based detection.
     
  3. Don johnson

    Don johnson Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    77
    ;) ;) ;) Suspicious doesn't mean the heuristic detection,may be packer detection.
     
  4. ultragunnerdcl

    ultragunnerdcl Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Location:
    Philippines
    I think all 4 are distinct from one another.They are totally different. A Computer virus expert or a computer virulogist pls for explanationo_O?
     
  5. Xenophobe

    Xenophobe Registered Member

    Joined:
    May 26, 2007
    Posts:
    174
    Packer detection depends on signatures to detect them; Unless they use a generic packer detector.
     
  6. ultragunnerdcl

    ultragunnerdcl Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Location:
    Philippines
    Actually according to virusinfo. They are totally different.

    a) signature detection (detecting already known malware by the signature method)

    b) heuristic detection (detecting yet unknown malware by the method of emulation / code analysis / etc. Examples: "Heur.Trojan.Generic"; "a variant of: XXXXX")

    c) detection of suspicious file (detecting yet unknown malware by the method of informing the user about suspicious characteristics of a sample under analysis. Examples: "Suspicious file"; "VIPRE: Suspicious")

    d) detection of suspicious cryptor / packer (detecting yet unknown malware by the method of informing the user about the unknown / rare / suspicious packer / cryptor or about the fact of multiple packing / crypting. Example: "HEUR/Crypted").

    Still need a layman explanation of suspicious packer/cryptor detection & detection of suspicious file. Direct comparision between the two & are they better than signature based detection & heureticso_O?
     
  7. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    The point is, the tester is unable to distinguish between the detection methods. Even when an antivirus program reports an "exact" detection with a family name and variant letter, it might be a "packer" based detection.
    The detection of Storm/Zhelatin/Peed/Tibs is an example for this.
    To judge the detection method by the name the antivirus product is reporting is outright naive, if you ask me.

    There is no difference between "suspicious" and "heuristic". The tester introduced "suspicious" for detections where he couldn't derive from the name if the detection is code analysing based or packer detection based.

    In the end, does the user really care about the detection method? As long as (s)he is protected from malware and the antivirus program produces no/very little false positives everything is fine.
     
  8. Don johnson

    Don johnson Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    77
    :rolleyes: :rolleyes: :rolleyes: Well,I think the user care about the fp.Packer detection will cause many fps,now the people have can't understand if it is real malware.Don't say normal software can't use packers.Because of packer detection,not malware detection,so has very poor cleaning ability.
     
  9. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Well, didn't Andreas said that most false positives in his new retroactive tests are signature false positives? If you do a total paranoid packer detection, of course you will have many FP. But you can balance that.

    The detection method has nothing to do with the cleaning ability. Also I think, the best "cleaning" is to not let the malware install in the first place.
    What's worse? A few false positives, mostly on cracks and keygens, which the support can handle - or an undetected and then active malware like Vundo which even experts have a very hard time to cleanup? Plus the stolen personal data (logins, accounts, credit card numbers etc.). No antivirus program can "clean" stolen personal data...
     
  10. Don johnson

    Don johnson Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    77
    I think IBK should add more fp samples from users/business.When you have infected with fujacks/viking,you have many important files/documents,but your AV can't clean,only delete,it will be a serious thing to business.To user,they can re-install their OS.
     
  11. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Actually, our corporate customers mostly have no interest in cleaning at all. They do have backups, just wipe out the hdd and restore it.

    Cleaning malware is often not complete and not reliable. Why putting resources into that?
     
  12. tsilo

    tsilo Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    376
    But where is generic detection? :cautious:
     
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Not good Stefan, most home users dont have that ability or knowledge.o_O :thumbd:
     
  14. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    971
    Location:
    Paris
    You could also have a trojan that either lay dormant or wasn't noticed for a while and is also on the backup.
     
  15. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    A number of file infectors are bugged samples that corrupt infected files. What about this? :)

    You could try for example with Virut. Even if it's a relative simple file infector and it's not as complex as other file infectors, system could become unstable.

    Indeed, cleaning routines are not easy to develop and they must handle with tons of different kind of infections of the same virus and, often, same infected files are simply unrecoverable and corrupted.

    We can write removal routines, yes, but it's not as trivial as everyone could think and files could be already corrupted because of virus code bugs.

    When a file infector hits, that's not always our fault that system can't be recovered, often is virus writer's fault :)
     
  16. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    I'll try to reply as simple as I can :)

    If almost all anti-malware softwares make use of all of those listed above techniques, then it would mean that every single one is needed to the other ones :) Mix of these methods is what we can actually offer as the best detection way to intercept malware :)
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    The problem I have is not from the consumer side but from the corporate customers side. If a vendors malware expert proclaims we are going to provide you with total detection, but just in case the malware detected causes a problem, just wipe the HD clean and all with it, well, it just doesnt sit well with me as a consumer. Not that others dont, but stating it in a consumers forum really says alot about your product.
     
  18. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    have you fallen out with avira again jeff? :rolleyes:

    lol :)
     
  19. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Now, I'm not Stefan's lawyer of course (he doesn't need it :D ) but I think he would say that yes, cleaning routines are developed, but when a file infector hits then it's really difficult to guarantee total recover of files due to different causes, most of which are not vendor's fault. Best way would always be to have backup copies of important files and documents. :)
     
  20. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    It may be, but most average consumers trust in the product they buy, and most have never even heard of a feature called "System Restore"

    yeah chris. I am tired of the "canned answer". I feel for Eset and also think they given a little time, are going to get this right. I still would wager they rank high at reputable sites, so version 3 is working fine for me.
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Failing to repair infected files due to corruption and not even bothering to try are two very things, I think.

    This is just pure speculation, but there's another reason why Avira doesn't handle cleaning, I think. When all you do is detect packers, I'd say it becomes somewhat of a dilemma to incorporate a cleaning routine, be it for removal of malware code from host files, or restoration of modified reg entries and/or system settings.
     
  22. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Don't missunderstand me - I did not say we don't care about cleaning. I had a meeting yesterday and we talked several hours about how to improve our cleaning ability. And you can expect that the Avira cleaning ability will improve!

    My point is, the users believe that you can 100% clean a system and then just forget about the infection. This might be true for a simple trojan downloader, that just creates a run reg key, so you wipe that and the file and you are fine. But what about the passwort stealer trojan, that just send your XP serial, your Ebay account and your credit card number to some server in China or Russia? Will deleting the malware file fix the problem of stolen private data? The users simply ignore the implication of the infection!

    As for cleaning viruses (file infectors). They are very often buggy and damage the infected files in a way that they don't run at all or cannot be restored 100%. That means, the "repaired" program is not 100% identical to the original file. Well, you can be lucky that a 99% cleaned program still *seem* to work as you are used, but it could possibly crash later at any point!

    You have to keep in mind that malware writing is a commercial business now! The latest breed of malware is constantly being improved in terms of avoiding detection and making removal as difficult as possible - if not impossible.

    BTW, packer based detection is no problem for cleaning, if you do the proper approach.
     
  23. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    This is a very interesting remark. Could you possibly comment more? :)
     
  24. Xenophobe

    Xenophobe Registered Member

    Joined:
    May 26, 2007
    Posts:
    174
    I suppose it's because unpacking (most) packers is relatively easy.
     
  25. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Well, maybe you don't need to unpack the malware to clean it from the system, depending your approach of cleaning.
     
Loading...
Thread Status:
Not open for further replies.