AntiVir Heuristics on the right track!

Discussion in 'other anti-virus software' started by RejZoR, Feb 8, 2005.

Thread Status:
Not open for further replies.
  1. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    http://img216.exs.cx/img216/2889/antivirheuristics2no.png

    Check NOD32 and Norman. And this isn't the first case. AntiVir appears to have similar heuristics to NOD32 because I have seen many such scenarios where AntiVir, NOD32 and Norman have all detected the same sample with heuristics.
    So the conclusion is that the H+BEDV guys did a good job but they still need to support some more packers and move some more resources and staff into heuristics development (also don't forget about the incremental auto-updater ;) ).
    What do you think?
     
  2. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
  3. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    Hi RejZoR. I use AntiVir as one of my on-demand scanners, along with BitDefender Free and AVG Free. I have AntiVir's heuristics set to "medium". It picked up a false positive in my Trend Micro installer, lol. That same installer has been scanned by a lot of different antivirus products. None showed it to be infected. I scanned a few days later with AntiVir, and it didn't pick up anything. The Trend Micro installer was still there.

    I like AntiVir as an on-demand scanner, but I would never trust it to be resident. I just don't like false positives, even though there will always be some now and then. Just my opinion.
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Every antivirus can produce false positives, even without heuristics. It's impossible to remove all possibilities when there are millions of terabytes of data out there. I always set heuristics in all antiviruses to the highest possible and I never had any problems. It's better to block one good program from time to time than not to block bad ones... Alwil and H+BEDV teams were always very fast on false positives, so they were usually fixed the same day or even within a few hours. I just wanted to point out that there is potential in AntiVir's heuristics.
     
  5. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    If you run across a false positive with AntiVir's heuristic, please send the file to heuristik@antivir.de so the heuristic can be fixed.

    AntiVir's current heuristic is quite old and not very defined; a new version is in development with much better detection, but it's still a while until release.
    Also note that AntiVir's regular detection got a boost recently. :D
     
  6. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Are you from the H+BEDV team? Sounds like that :D I'm looking forward to testing the new AntiVir heuristics :)
     
  7. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    One thing that has always held me back from AntiVir is the lack of email scanning.
     
  8. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    I agree that every antivirus can produce false positives. I do like AntiVir. It's super fast in scanning, even faster than AVG, and I've never had any trouble updating it as some people have. The updates are big, but that is a non-issue, as I'm on high-speed cable.

    When I think of false positives, the first thing that comes to my mind is Panda Titanium 2004. I downloaded it last year. It started scanning my computer, and cleaned and deleted some files that were necessary for my operating system. When I rebooted, I got the blue screen of death :mad: The only thing that saved me from a format was WinRescue. I managed to boot into safe mode and delete Panda. And restore the registry :D

    I'm getting off topic here. I do like AntiVir, and I think it has great potential. :D
     
  9. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    Hi Stefan. If I get any more false positives with AntiVir, I will send the file to the email you have listed :D
     
  10. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Hi,

    AntiVir is growing in detection rate and this is very good for an AV :)

    It's nice to see that they are developing a new heuristic version and the much-wanted incremental updates :D

    It seems that only the Pro version has a quarantine. It would be great if the free version also had it, to later send the false positive through AntiVir...

    I like AntiVir a lot :D

    Regards
     
  11. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    How good is Norman's Sandbox? Does it detect all major viruses with Sandbox?
     
  12. TAP

    TAP Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    344
    Also don't forget some false positives that may occur through heuristics too. :D
     
  13. quexx88

    quexx88 Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    235
    Location:
    Radnor, Pennsylvania
    Unfortunately, judging by what I've seen from Jotti's, Norman is next to useless. It routinely misses what nearly all the other AVs are able to catch, including AVG, avast! and AntiVir.
     
  14. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    I find Dr. Web and Antivir are very effective at catching viruses/trojans. ;)
     
  15. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Well, I heard it can be done and because of this thread I'm doing it. It's amazing that I can run NOD32 and Avast as resident together without any conflict. (Just can't run IMON - I guess because WebShield is running.)
     
  16. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    I find Norman's Sandbox quite impressive, but it is too slow. VB stopped scanning with Norman in one of their tests because Norman took too long (over 3 days ;-) ). Detection doesn't look that bad:

    http://sandbox.norman.no/live_2.html

    Of course, it always depends on what kind of malware you are scanning.

    Currently, AntiVir's heuristic is no match at all against either NOD32 or Norman, but I am quite satisfied with the current internal tests of AntiVir's Heur 2.0.

    If you are going after freeware, use Bitdefender (free edition has no guard but excellent detection) + AntiVir or BD+Avast. Avast has nice protection modules which AntiVir Personal Edition is missing, but Avast's detection is not so good.
     
  17. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, I have access to Jotti statistics and I can say Norman has the biggest signature-to-heuristic ratio. This means that the difference between signature and heuristic detections is the biggest among all AVs. Norman and NOD32 are switching places, but the main problem is that Norman lacks signatures...
     
    Last edited: Feb 9, 2005
  18. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    RejZoR, are those statistics available to the public?

    Both VirusTotal and Jotti could publish very interesting statistics.
     
  19. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    As I can see you are an AntiVir developer, so that should be no problem. Just contact Jordi and he will enable the statistics for you. Just tell him that you work for H+BEDV (AntiVir).
     
  20. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Hello guys!!

    I've been following this thread for some time now... Well, it seems AntiVir is fast becoming a very good antivirus scanner; if there were an email scan with incremental updates, then I might even consider the paid version (Vexira I think) in the future. AntiVir's detection is also increasing rapidly. Keep up the good work, H+BEDV!!

    I see that the free version currently lacks a quarantine. Does this mean that free versions delete suspicious files? If so, I feel suspicious files must be renamed, NOT deleted (or no action should be taken).

    And yes, the heuristics have amazing potential!

    All of you, have a good day, don't get too serious and have some fun too!

    Regards,
    Firecat
     
  21. Unity

    Unity Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    112
    Location:
    Toulouse ~ France
    There are actually 2 paid versions of AntiVir if I'm not mistaken.

    One is AntiVir Professional and the other one is Avira (www.avira.com ).

    Vexira is not using the AntiVir engine anymore, I think.

    I do believe that the paid versions have an e-mail scanner.

    The only thing that I miss with the AntiVir free edition is the lack of knowledge of what has been updated in each program version or in each virus DB update.
     
  22. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Well, I made a mistake...Thanks for that Unity!! But I'll wait for my eScan and McAfee to expire first...
     
  23. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I agree, quarantine is a must-have, especially if the product supports heuristic detection. Just moving the file to some folder and attaching a .vir extension to it isn't enough, because if you use On-Access set to check all files you'll fall into an infinite loop of detections (not good).
     
  24. AntiVir Guard and BitDefender scheduled scan, that's exactly what I do. I agree it's quite a good freebie combination.
     
  25. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    I agree, but so is email scanning, which this product (free at least) lacks. I use safe surfing habits, so the only way anything virus-wise tries to sneak into my system is through email.
     