Avira new heuristics

Discussion in 'other anti-virus software' started by MalwareDie, Jan 12, 2007.

Thread Status:
Not open for further replies.
  1. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    I heard from a post from stefan that there wil be new heuristics coming. I hope Avira keeps up the good work and the new heuristics not only improve detection but also reduces the amonut of Fp's produced
     
    Last edited: Jan 13, 2007
  2. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    New heuristic rules will always cause new false positives to some amount, you cannot avoid that. Of course we perform lots of tests in order to avoid false positives before the new version gets released.
    The release on 12th of december also made heuristic level 2 default for new installations, we got a bunch of false positives from that aswell that I am still working on.
     
  3. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    This is one of the drawbacks to heuristics. There will always some level of FPs, some more than others. In some ways, keeping up with and tweaking them is akin to standard signature updates.
     
  4. webster

    webster Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    285
    Location:
    Denmark
    I can live with a few false positives, as long as the heuristics catches real malware.

    Aviras heuristics is the best ATM IMHO, and now it`s getting better. Keep up the good work Stefan :thumb:
     
  5. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Cant argue that point. Good work Stephan.
     
  6. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    I Agree. Its got fantastic Heuristics and I know when I have sent somthing in which is detected by Heuristics to the Heuristic e mail submission address you normally get a reply from Stefan himself!

    I have been so impressed I have ditched Antivir PE and upgraded to Antivir Personal premium today and love it. The only problem I had with PE was somtimes difficult to update but premium edition logs on and updates from server really quickly.

    Superb product and I think the Heuristics are now as good as Bitdefender, Nod32, Dr Web and F-prot.

    Cheers

    Jlo
     
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Actually better.:rolleyes:
     
  8. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,736
    Location:
    New York City
    What test(s) are you using to support this claim?
     
  9. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Paternity? Ahh, I dont know. Heck, I use Kav anyway, in reality.:rolleyes:
     
  10. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    Is there any evidence that the lack of an http scanner causes any real danger? This is the one weakness I can see in what is otherwise an excellent product.
     
  11. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    trjam judged the last av-comparative retrospective test
     
  12. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,736
    Location:
    New York City
    BitDefender and NOD32 scored the same as Avira in the November 2006 Retrospective Test and were superior in the May 2006 Retrospective Test.
     
  13. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    Avira scored 53% in the last one and caught a few more samples then even NOD32. i think that is why trjam said avira's are "actually better."
     
  14. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well AV-Comparatives test is not the only one showing that. I've scanned quiet few samples that are very new (i mean really very new) and it detected nearly all of them as HEUR/Crypted. It's really remarkable how such "low tech" heuristics can detect so much stuff. I mean "low tech" because there is no advanced tech like sandbox and advanced emulations involved.
     
  15. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    BTW, some of the latest malware development includes effective anti-sandboxing / emulation code. They obviously noticed how easy the engines of NOD32, BD, F-PROT6 (and all the others doing behaviour analysing using emulation) can penetrate the old anti-detection measures.
     
  16. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Does this mean that from now on it is not longer effective to have a sandbox?
     
  17. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Only very few malware strains use this, the vast majority of malware is "vulnerable" to these detection methods. So at the moment sandboxing/emulation is still very efficient.
     
  18. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Yeah at least until all the SDK's are spread among kiddies...
     
  19. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    A few days ago I was joking with a co-worker if there is a Antivirus-Research forum/group. :rolleyes:

    I bet there is one. :eek: :mad:
     
  20. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Hehe :D Though we can be well sure there is one...
     
  21. doctor IT

    doctor IT Registered Member

    Joined:
    Mar 4, 2006
    Posts:
    30
    I encountered a lot of FPs alarms especially for Nero 7 and one for Skype.exe and also for ole16.dll. It reports that these files contain a signature of W32/Saburex and for <<ole16.dll>>:W32/Saburex.A.DLL
     
  22. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    i wonder about the lack of http scanner being a issue as well.
    lodore
     
  23. doctor IT

    doctor IT Registered Member

    Joined:
    Mar 4, 2006
    Posts:
    30
    My mistake...I really was infected with this virus. Sorry :)
     
  24. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    nero and skype are clean,

    maybe the dll was a dodgy though.
     
  25. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    doctor, was that virus signature reported on Skype and Nero or heuristic detections? (HEUR/)
     
Loading...
Thread Status:
Not open for further replies.