about F-PORT heuristics

Discussion in 'other anti-virus software' started by yanzilme, Apr 5, 2008.

Thread Status:
Not open for further replies.
  1. yanzilme

    yanzilme Registered Member

    Joined:
    Mar 28, 2007
    Posts:
    13
    hi

    Can anyone clarify the heuristics capabilities of F-PORT?
    What technology does it use? (gen? emu?)
     
  2. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Search engine is your friend :)
     
  3. yanzilme

    yanzilme Registered Member

    Joined:
    Mar 28, 2007
    Posts:
    13
    Thank you for you

    But in this discussion, I don't see anything about emulator/heuristics with F-PORT.
     
    Last edited: Apr 5, 2008
  4. JimGoo

    JimGoo Guest

    Try a Google or a Yahoo search on . . .

    F-Prot heuristics

    Be inventive and let us know what you find.

    Regards,
    jim
     
  5. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    I don't even understand the question lol
     
  6. yanzilme

    yanzilme Registered Member

    Joined:
    Mar 28, 2007
    Posts:
    13
    I want to know whether F-PORT has a simulator engine like NOD32 does.
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Seriously, what does it matter?

    All I know is that F-PROT's heuristics don't produce that infuriating 100% CPU lock when scanning heavily packed/obfuscated files. That, and they seem quite effective against some polymorphic packed variants like Swizzor, while NOD32 fails against every sample I've run across.

    Maybe F-PROT has an emulator, maybe not. It doesn't matter. Just take a look at Avira's emulator and see what it's good for, for instance.
     
  8. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    That's why I haven't replied then :D
     
  9. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Fridrik did the static (non-polymorphic) DLLs with Eldorado Generic and I wrote the Swizzor Maximus detection for the polymorphic droppers. Together they score quite well on all kinds of variants, and they are lightning fast.

    All heuristics (and of course normal signature scanning) use emulation for unpacking purposes, besides other information gathering.
     
  10. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The thing about NOD32's heuristics is their varying effectiveness against different strains. They can have flawless heuristic detections for almost every single variant in a family, and almost completely miss in another. And of course, there's the ever-present 100% CPU lock problem which has gone unfixed for ages. F-PROT has a steadier performance in this regard, I suppose - not that I've experimented extensively with it.

    A representative on Avira's forum mentioned once that their emulator isn't used for unpacking. And as far as their heuristics go, I think it's safe to say that emulator technology is almost, if not entirely, uninvolved, since what they seem to do is include packed variants in their sig database due to poor unpacking ability, detection for custom hand-modified packers, and static analysis.

    Maybe Stefan can comment on this.
     