4 Detection Methods of Antivirus used Today. An Explanation?

Can anyone pls explain, give pros & cons, comparisons & which is the best detection methods between the ff.? preferably in layman terms...

1)Signature based Detection
2)Heuretic based Detection
3)Suspicious file based Detection
4)Packer/Cryptor based Detection

 

Suspicious and Heuristic are the same thing, aren't they? Also, I would say packer detection falls under the signature based detection.

 

Suspicious doesn't mean the heuristic detection,may be packer detection.

 

I think all 4 are distinct from one another.They are totally different. A Computer virus expert or a computer virulogist pls for explanation?

 

Packer detection depends on signatures to detect them; Unless they use a generic packer detector.

 

Actually according to virusinfo. They are totally different.

a) signature detection (detecting already known malware by the signature method)

b) heuristic detection (detecting yet unknown malware by the method of emulation / code analysis / etc. Examples: "Heur.Trojan.Generic"; "a variant of: XXXXX")

c) detection of suspicious file (detecting yet unknown malware by the method of informing the user about suspicious characteristics of a sample under analysis. Examples: "Suspicious file"; "VIPRE: Suspicious")

d) detection of suspicious cryptor / packer (detecting yet unknown malware by the method of informing the user about the unknown / rare / suspicious packer / cryptor or about the fact of multiple packing / crypting. Example: "HEUR/Crypted").

Still need a layman explanation of suspicious packer/cryptor detection & detection of suspicious file. Direct comparision between the two & are they better than signature based detection & heuretics?

 

The point is, the tester is unable to distinguish between the detection methods. Even when an antivirus program reports an "exact" detection with a family name and variant letter, it might be a "packer" based detection.
The detection of Storm/Zhelatin/Peed/Tibs is an example for this.
To judge the detection method by the name the antivirus product is reporting is outright naive, if you ask me.

There is no difference between "suspicious" and "heuristic". The tester introduced "suspicious" for detections where he couldn't derive from the name if the detection is code analysing based or packer detection based.

In the end, does the user really care about the detection method? As long as (s)he is protected from malware and the antivirus program produces no/very little false positives everything is fine.

 

Well,I think the user care about the fp.Packer detection will cause many fps,now the people have can't understand if it is real malware.Don't say normal software can't use packers.Because of packer detection,not malware detection,so has very poor cleaning ability.

 

Well, didn't Andreas said that most false positives in his new retroactive tests are signature false positives? If you do a total paranoid packer detection, of course you will have many FP. But you can balance that.

The detection method has nothing to do with the cleaning ability. Also I think, the best "cleaning" is to not let the malware install in the first place.
What's worse? A few false positives, mostly on cracks and keygens, which the support can handle - or an undetected and then active malware like Vundo which even experts have a very hard time to cleanup? Plus the stolen personal data (logins, accounts, credit card numbers etc.). No antivirus program can "clean" stolen personal data...

 

I think IBK should add more fp samples from users/business.When you have infected with fujacks/viking,you have many important files/documents,but your AV can't clean,only delete,it will be a serious thing to business.To user,they can re-install their OS.

 

Actually, our corporate customers mostly have no interest in cleaning at all. They do have backups, just wipe out the hdd and restore it.

Cleaning malware is often not complete and not reliable. Why putting resources into that?

 

But where is generic detection?

 

Not good Stefan, most home users dont have that ability or knowledge.

 

You could also have a trojan that either lay dormant or wasn't noticed for a while and is also on the backup.

 

A number of file infectors are bugged samples that corrupt infected files. What about this?

You could try for example with Virut. Even if it's a relative simple file infector and it's not as complex as other file infectors, system could become unstable.

Indeed, cleaning routines are not easy to develop and they must handle with tons of different kind of infections of the same virus and, often, same infected files are simply unrecoverable and corrupted.

We can write removal routines, yes, but it's not as trivial as everyone could think and files could be already corrupted because of virus code bugs.

When a file infector hits, that's not always our fault that system can't be recovered, often is virus writer's fault

 

I'll try to reply as simple as I can

If almost all anti-malware softwares make use of all of those listed above techniques, then it would mean that every single one is needed to the other ones Mix of these methods is what we can actually offer as the best detection way to intercept malware

 

The problem I have is not from the consumer side but from the corporate customers side. If a vendors malware expert proclaims we are going to provide you with total detection, but just in case the malware detected causes a problem, just wipe the HD clean and all with it, well, it just doesnt sit well with me as a consumer. Not that others dont, but stating it in a consumers forum really says alot about your product.

 

have you fallen out with avira again jeff?

lol

 

Now, I'm not Stefan's lawyer of course (he doesn't need it ) but I think he would say that yes, cleaning routines are developed, but when a file infector hits then it's really difficult to guarantee total recover of files due to different causes, most of which are not vendor's fault. Best way would always be to have backup copies of important files and documents.

 

It may be, but most average consumers trust in the product they buy, and most have never even heard of a feature called "System Restore"

yeah chris. I am tired of the "canned answer". I feel for Eset and also think they given a little time, are going to get this right. I still would wager they rank high at reputable sites, so version 3 is working fine for me.

 

Failing to repair infected files due to corruption and not even bothering to try are two very things, I think.

This is just pure speculation, but there's another reason why Avira doesn't handle cleaning, I think. When all you do is detect packers, I'd say it becomes somewhat of a dilemma to incorporate a cleaning routine, be it for removal of malware code from host files, or restoration of modified reg entries and/or system settings.

 

Don't missunderstand me - I did not say we don't care about cleaning. I had a meeting yesterday and we talked several hours about how to improve our cleaning ability. And you can expect that the Avira cleaning ability will improve!

My point is, the users believe that you can 100% clean a system and then just forget about the infection. This might be true for a simple trojan downloader, that just creates a run reg key, so you wipe that and the file and you are fine. But what about the passwort stealer trojan, that just send your XP serial, your Ebay account and your credit card number to some server in China or Russia? Will deleting the malware file fix the problem of stolen private data? The users simply ignore the implication of the infection!

As for cleaning viruses (file infectors). They are very often buggy and damage the infected files in a way that they don't run at all or cannot be restored 100%. That means, the "repaired" program is not 100% identical to the original file. Well, you can be lucky that a 99% cleaned program still *seem* to work as you are used, but it could possibly crash later at any point!

You have to keep in mind that malware writing is a commercial business now! The latest breed of malware is constantly being improved in terms of avoiding detection and making removal as difficult as possible - if not impossible.

BTW, packer based detection is no problem for cleaning, if you do the proper approach.

 

This is a very interesting remark. Could you possibly comment more?

 

I suppose it's because unpacking (most) packers is relatively easy.

 

Well, maybe you don't need to unpack the malware to clean it from the system, depending your approach of cleaning.