Advanced Heuristics

Discussion in 'NOD32 version 2 Forum' started by Shelb, Feb 10, 2004.

Thread Status:
Not open for further replies.
  1. Shelb

    Shelb Registered Member

    Joined:
    Dec 3, 2003
    Posts:
    76
    Hi,
    I have a couple of questions. If these have been covered before, please accept my apologies in advance :D I tried a quick search, but could not find my answer.

    -First, what is the difference between deep heuristics and advanced heuristics? I noticed that deep heuristics may be enabled in IMON, AMON and the NOD32 scanner. Advanced heuristics only shows up in IMON.

    -Also curious why advanced heuristics is only in IMON?

    -I have noticed in the registry that there are switches to use advanced heuristics in AMON, NOD32, and NMS. First, what is NMS?

    -If I were to enable these switches... are there any advantages to enabling advanced heuristics in AMON, NOD32, and NMS? Any disadvantages? I assume more disadvantages than advantages, or else it would be included as a GUI option. Just want to best educate myself as to what the most effective setup might be for my uses :D

    -Which of these switches, if any, does the shell extension (offered in a previous post) alter?

    Thanks,
    Shelb
     
  2. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Advanced Heuristics reportedly is better, more powerful than the other traditional heuristics provided by the AMON/NOD scanners' GUIs. Perhaps someone else can provide you with a more informative answer but that's the general impression of AH. ;)

    Paolo's shell extension allows you to right click and scan an individual file using advanced heuristics from the explorer context menu.

    As you noted, AH is enabled by default in IMON so it can scan email and reportedly it has been able to catch some new email worms before specific signature definition updates for the worms were available and/or downloaded by the user. The newer version of IMON also has some newer functionality but I'm a bit fuzzy on that at the moment.

    One can also scan using NOD's on demand scanner from the command line using AH (the last I looked this was an undocumented feature) but it isn't built into the GUI. Why isn't it? I've asked and didn't get a response from anyone associated with ESET.

    ESET has said that it didn't make AH available in AMON the resident real time monitor because it would impact PC performance. People have requested that it be included as an option in AMON GUI so users could decide for themselves whether they wanted to use it or not. I think I recall ESET has said it has no plans to do so.

    NMS? Not sure what that refers to and wouldn't want to hazard a guess. Perhaps someone else can respond more fully to your excellent questions.
     
  3. swoop

    swoop Registered Member

    Joined:
    Feb 5, 2004
    Posts:
    44
    Location:
    The Netherlands
    NMS = NOD Mail Scanner
    It is the former name of EMON... As the NOD v2 beta was evolving, the name NMS was changed to EMON... (I suppose)
     
  4. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I do wish they'd include an option to enable AH for AMON. Two reasons I'm guessing they don't are (1) CPU overhead, and (2) false positives. Since I already have two FPs whenever I use AH, I'm not in any real hurry to have AH work through AMON. But I like to have the option. It can't possibly make NOD32 demand more CPU than KAV!

    I've often wondered if there was any point to using the standard heuristics along with AH (for example, using the command line "/ah /heur+ /heurdeep").
     
  5. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Hello!

    Could you please tell me how can I enable AH in AMON.

    izi
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    http://www.wilderssecurity.com/showthread.php?t=9776

    Download and install the shell extension from the link in the first post of that thread.
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Using advanced heuristics by default in email is OK because emails generally are small in size and will be scanned quickly.

    Using it for a full system scan slows down tremendously and uses a lot more overhead.

    If you have a very powerful processor you might get away with it, but for normal use it's a no-no.

    One of NOD's selling points is its speed; using a normal deep heuristics scan of my computer with about 10 gig of files takes about 20 minutes or so, and I can still do other things with it at the same time if I want to.

    Using advanced heuristics takes forever. I gave up after 3 hours. I only use it for single files or single folders, and it takes 100% of CPU power.
     
  8. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    The shell extension is not the same thing as AMON. I believe the original reference was for this registry key and value:

    HKEY_LOCAL_MACHINE\SOFTWARE\Eset\Nod\CurrentVersion\Modules\AMON\Settings\Config000\Scanner

    "adv_heur_enable" (REG_DWORD)


    By default, this value is set to 0 (zero). There is no way to change it via the NOD32 interface. I haven't played with that registry setting, and I won't.
     
  9. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    This is for the NOD32 scanner, not for AMON!!!
    I think that I found the answer:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Eset\NOD\CurrentVersion\Modules\AMON\Settings\Config000\Scanner]

    "adv_heur_enable"=dword:00000000 (disable AMON) default settings
    "adv_heur_enable"=dword:00000001 (enable AMON)

    izi
     
  10. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Paolo's shell extension doesn't enable AH in AMON. As I noted above, it adds an entry into the explorer context menu so when you right click on a file you can scan the file with AH. This uses a functionality of NOD's on demand scanner. It doesn't add AH to AMON the real time monitor.

    Somewhere (I don't recall which thread specifically) I did see a reg "hack" that purports to add AH functionality to AMON. I don't know about that. But the shell extension itself doesn't do it.

    edited: I see other posters beat me to it. I'd just advise caution for people not familiar with reg editing before considering trying such things. Certainly at least make a good backup of the registry prior to changing things. (And always good to make sure there's a general backup of the system or a good restore point before getting too creative. ;) )
     
  11. Shelb

    Shelb Registered Member

    Joined:
    Dec 3, 2003
    Posts:
    76
    The same keys exist for IMON, NOD32, and NMS as mentioned previously.

    I have been predisposed since my original post so I haven't got to test their effects on PC performance yet. However, I gave a quick run in AMON with advanced heuristics last night, but really need to put it through the motions before I can make any conclusions. I mainly wanted to gather some more information first. The question I am most interested in learning is the technical differences in the algorithms for deep and advanced heuristics. Not the grueling specifics, but things like: Should they be run concurrently, or is this redundant? These answers coupled with their overall effect on my PC's performance will determine if I enable AH for on demand or resident scanning. Initially, it seems sufficient to run AH in IMON followed by a periodic manual scan utilizing AH. Seems as though it may take some playing around with the settings for me to better understand what's going on.
     
  12. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    Could you let us know, when you know more

    Ruben
     
  13. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    All modules use the same registry template, therefore an entry reading advanced heuristics appears in all modules. Since not all the modules support it, this setting is ignored in the case of AMON and EMON.
     
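The registry switch discussed in posts 8, 9 and 13, as an added example that is not part of the thread and not ESET's code: a PowerShell snippet that lists the `adv_heur_enable` value under every module's Scanner key, exports the whole Eset branch with reg.exe before touching anything (the backup sig recommends), and then sets one module's value and reads it back. The key path is the one quoted above; that every module has a Scanner key carrying this value is taken from Shelb's and izi's posts and is an assumption here, as is the module list. The thread itself reports that AMON and EMON ignore the value, so flipping it there is expected to change nothing.

```powershell
# Added example, not from the thread or from ESET. Inspect, back up and set the
# per-module adv_heur_enable REG_DWORD discussed in the thread.
# Assumption: every module under ...\Modules has a Settings\Config000\Scanner key
# (the thread says so for AMON, IMON, NOD32 and NMS). Run from an elevated prompt.

$base = 'HKLM:\SOFTWARE\Eset\Nod\CurrentVersion\Modules'

function Get-NodAdvHeur {
    # One object per module: its Scanner key's adv_heur_enable value,
    # or $null when the key or the value is missing.
    Get-ChildItem -Path $base -ErrorAction Stop | ForEach-Object {
        $scanner = "$base\$($_.PSChildName)\Settings\Config000\Scanner"
        $value = $null
        if (Test-Path $scanner) {
            $value = (Get-ItemProperty -Path $scanner -Name 'adv_heur_enable' `
                        -ErrorAction SilentlyContinue).adv_heur_enable
        }
        [pscustomobject]@{ Module = $_.PSChildName; AdvHeurEnable = $value }
    }
}

function Backup-NodRegistry {
    param([string]$Path = "$env:TEMP\Eset-Nod-$(Get-Date -Format yyyyMMdd-HHmmss).reg")
    # reg.exe wants the native HKLM\ form, not the PSDrive HKLM:\ form.
    $native = $base -replace '^HKLM:\\', 'HKLM\'
    & reg.exe export $native $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    return $Path
}

function Set-NodAdvHeur {
    param(
        [Parameter(Mandatory)][string]$Module,
        [Parameter(Mandatory)][ValidateRange(0, 1)][int]$Enable
    )
    # Export the branch first so the change can be undone by importing the .reg file.
    $backup = Backup-NodRegistry
    Write-Host "Registry branch exported to $backup"
    $scanner = "$base\$Module\Settings\Config000\Scanner"
    if (-not (Test-Path $scanner)) { throw "No Scanner key for module '$Module'" }
    Set-ItemProperty -Path $scanner -Name 'adv_heur_enable' -Value $Enable -Type DWord
    # Read back so the caller sees what is actually stored.
    (Get-ItemProperty -Path $scanner -Name 'adv_heur_enable').adv_heur_enable
}

# Current state. The thread reports 0 everywhere except IMON on a default install;
# verify rather than assume.
Get-NodAdvHeur | Format-Table -AutoSize

# Example write, commented out so the script is read-only by default:
# Set-NodAdvHeur -Module AMON -Enable 1
# Per the thread, AMON ignores this value, so expect the write to succeed and
# the resident monitor's behaviour to stay the same.
```

To undo a change, double-click the exported .reg file or run `reg.exe import` on it. The PSDrive path `HKLM:` only resolves in an elevated session that can read the Eset branch; a non-elevated run will simply report the values and fail on the write.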
  14. Shelb

    Shelb Registered Member

    Joined:
    Dec 3, 2003
    Posts:
    76
    I played around a bit last night scanning several directories on my PC manually with and without AH. At least on my home computer, there was a noticeable slowdown of up to 20% of scan completion time. Keep in mind this was a very unscientific test with many unspoken-for variables. This may also change depending on what you are scanning. I should also like to experiment some more while monitoring the CPU's resources.

    As stated by others here, AH seems to affect PC performance. I certainly understand why NOD developers include it in IMON, but not AMON, as speed and resource usage are a very nice bonus to its protection. IMON is more of the first line of defense against any malware entering the computer. I do not necessarily see a lot of benefit in enabling AH in AMON, so long as I have the ability to manually scan anything I am suspicious of with AH, before I run it. No need for AH to watch over trusted executions.

    It is very nice to be able to use AH via Paolo's shell extension, so long as you are willing to accept the longer scan times. Whether these sacrifices are worthwhile depends upon AH's effectiveness over that of deep heuristics. That is what I would have hoped to have quantified in some form or fashion through this forum, if someone from Eset is willing to chime in. Particularly to answer whether there are any advantages in running deep heuristics alongside AH.


    *Another quick note: I noticed while scanning directories last night, that NOD32 seems to have a feature that reduces scan time the second time it scans a directory. For example, the first time I scan C:\Windows might take somewhere around ~175 seconds. On subsequent scans, the time is reduced to ~35 seconds. I have to completely restart NOD's shell and kernel for the longer time to reappear. I haven't checked the logs in detail, but I am curious as to why this occurs? Just thought I'd mention it in case someone tries to test the on demand scanner comparatively with the shell extension.
     
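The kind of timing comparison Shelb describes in post 14, together with the deep-plus-AH question nameless raised in post 4, as an added example (not from the thread and not an ESET tool): a PowerShell script that runs the on-demand scanner over one directory under three switch sets and reports the minimum and median wall-clock time per set. Its assumptions, none of which the thread confirms, are that the scanner lives at C:\Program Files\Eset\nod32.exe, that it accepts the switches nameless quoted (/ah, /heur+, /heurdeep) followed by a target path, and that the NOD32 kernel runs as a Windows service whose name you supply. Shelb found that a second scan of the same directory ran roughly five times faster until the kernel was restarted, so the script can restart that service before every run; without that, the order of the runs decides the result rather than the heuristics.

```powershell
# Added example, not from the thread or from ESET. Compare on-demand scan times
# with deep heuristics, with AH, and with both, over one directory.
# Assumptions: scanner path and switch syntax below; the kernel runs as a
# service whose name is passed in -KernelService. Run elevated if you restart it.

param(
    [string]$Scanner       = 'C:\Program Files\Eset\nod32.exe',  # assumed location
    [string]$Target        = $env:SystemRoot,                      # C:\Windows, as in the thread
    [int]   $Repetitions   = 3,
    [string]$KernelService = ''   # kernel service name; blank means no restart between runs
)

if (-not (Test-Path $Scanner)) { throw "Scanner not found at $Scanner" }

# Switch sets quoted in the thread: nameless's "/ah /heur+ /heurdeep" and its two halves.
$configs = [ordered]@{
    'deep'    = @('/heur+', '/heurdeep')
    'ah'      = @('/ah')
    'deep+ah' = @('/ah', '/heur+', '/heurdeep')
}

function Invoke-TimedScan {
    param([string]$Name, [string[]]$Switches)
    if ($KernelService) {
        # Shelb: repeat scans of the same directory finish far faster until the
        # kernel is restarted, so clear that state before each measurement.
        Restart-Service -Name $KernelService -Force -ErrorAction Stop
        Start-Sleep -Seconds 5
    }
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    & $Scanner @Switches $Target | Out-Null
    $sw.Stop()
    [pscustomobject]@{
        Config   = $Name
        Switches = ($Switches -join ' ')
        Seconds  = [math]::Round($sw.Elapsed.TotalSeconds, 1)
        ExitCode = $LASTEXITCODE   # recorded only; the thread does not document the codes
    }
}

# Interleave the configurations within each repetition so that no set is always
# the one that runs "second" and profits from whatever the kernel caches.
$results = foreach ($i in 1..$Repetitions) {
    foreach ($name in $configs.Keys) {
        Invoke-TimedScan -Name $name -Switches $configs[$name]
    }
}

$results | Group-Object Config | ForEach-Object {
    $s = @($_.Group.Seconds | Sort-Object)
    [pscustomobject]@{
        Config    = $_.Name
        Runs      = $_.Count
        MinSec    = $s[0]
        MedianSec = $s[[int][math]::Floor(($s.Count - 1) / 2)]
        ExitCodes = ($_.Group.ExitCode | Sort-Object -Unique) -join ','
    }
} | Format-Table -AutoSize
```

Save it as a .ps1 and run it as, for instance, `.\Compare-NodAhTiming.ps1 -Target 'C:\Windows' -Repetitions 3 -KernelService <service name>`. If the 'deep+ah' median is no slower than 'ah' alone, the extra deep pass costs little; whether it detects anything AH misses is a separate question that timing cannot answer.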
  15. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Using AH with the shell extension is not a complete solution. Consider the scenario in which you install software from a compressed executable setup file. You can't possibly scan the contents of the setup file prior to installing the software. You might be able to scan with AH manually afterward, but is that always feasible? I don't think so. The software may have put files under the Windows directory, under "Program Files", under "Documents and Settings", on alternate partitions, you name it.

    What are you going to do--scan the entire system with AH every time you install software? That's not very convenient, and definitely prone to error (such as if you scan only "Program Files", not realizing that executable code under the Windows directory was also added).

    What if the setup routine automatically launches the new software, without warning, when it completes? (This is a capability that setup packages can have.) Manual scanning just went out the window.

    Besides that, there are some systems--particularly servers--that don't need ultimate performance. They need ultimate protection. I truly fail to see how an option to enable AH in AMON would be such a terrible thing.
     
  16. Shelb

    Shelb Registered Member

    Joined:
    Dec 3, 2003
    Posts:
    76
    Hopefully, that's where the layered defense kicks in! All good points, though. I agree, it should be up to the end user to decide. It wouldn't be the worst thing to sacrifice some speed, I merely stated that I respect Eset's motives for not including it. I think the AV industry is a volatile place where they are always facing scrutiny for performance. A good thing in one respect, bad when you lose the right to configure your system fully.

    When you look at it relatively, it would still be way faster than KAV!

    I wish I had a sample that I knew deep heuristics would miss, and AH would catch. That way I could test the registry entry to see if it will really enable AH in AMON. Even a false alarm sample would suffice :)
     
  17. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I've got a sample of a new one that deep misses, but AH finds.

    PM me with your email address and I will send it to you.

    It's a new version of winpup from http://forums.techguy.org/t201771/s.html

    Be quick though, because it's been sent to NOD and will possibly be in the next update due soon.

    I found your email address in your profile and sent you a copy. It's a zip called OUHIDM.zip.

    Let us know whether the experiment works.
     
  18. Shelb

    Shelb Registered Member

    Joined:
    Dec 3, 2003
    Posts:
    76
    dvk01,
    Thanks for the sample.
    Pretty cool to see AH catch this one while the deep heuristics scan right over it!

    Unfortunately, I am afraid the registry key is simply ignored by AMON. After changing the registry entry discussed earlier, AMON still scans right over it :(

    I am at school, so I had to install and test with the trial version of NOD32 on my workstation here, but I will try again with the registered version at home this evening.
     
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    AH can pop up with a great many false positives from what I have read in previous posts; this is why it is not added into NOD itself, and remains as an add-on through this forum.

    Cheers :D
     
  20. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I agree that is a possibility with AH, but I can guarantee that the file I sent him isn't a false positive.
     
  21. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Yes, AH certainly is prone to FPs. I have two of them now, which I just sent to Eset and have had confirmed as FPs. I despise FPs!
     
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    LOL, better safe than sorry though :)

    Cheers :D
     