Best Heuristics: NOD32 2.5 vs Bitdefender 9

Discussion in 'other anti-virus software' started by Copper, Aug 26, 2005.

Thread Status:
Not open for further replies.
  1. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Firefighter, it seems Panda only detected some left-over registry keys.
    So no worries. ;-)

    In my experience with lots of collections and new malware scanned, NOD32 has the better heuristics over Bitdefender. Bitdefender is lacking more rules for better heuristics; they can emulate pretty well, so they actually could achieve the same detection rate as NOD32's heuristics.
     
  2. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    HiVE is not fully implemented yet, so they still have time and space for improvements. I just wonder how HiVE compares to Norman Sandbox...
     
  3. jg88swe

    jg88swe Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    181
    Best Heuristics: NOD32 2.5 vs Bitdefender 9?
    Well, my opinion is NOD32 is still the best when it comes to heuristics. Bitdefender 9 is good, but not as good as NOD32.

    My opinion is that Sandbox isn't that good anymore, so it will probably beat it like NOD32 does ;)
     
  4. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Is there any test other than that one for Zotob variants that tests HiVE?
    I'd like to know how effective it really is and so on...
     
  5. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    @Firefighter: As Mr. Kurtzhals said, Panda only deleted some leftover registry entries (Panda is good at these things). :)

    @RejZoR: Time will tell, but I still think NOD32 is better than BD in terms of heuristics.
     
  6. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, as far as I know these virtual environments can only run Win32-like executables. HTML files, BAT files and VBS (I'm not 100% sure about these).
    At least Norman Sandbox rejected many such files as they can't be run in Sandbox. On the other hand, NOD32 heuristics work differently and they can inspect any file with all heuristics strength.
     
  7. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    There are 4 factors that will influence the performance of this kind of heuristics/generic detection:

    - The quality of the emulator itself (floating point, MMX instructions and more, structured exceptions handling, weird PE file structures, ...)
    - The quality of the virtual environment (emulation of the Windows API)
    - The quality of the rules that have been defined for recognizing the behaviour of malware (e.g. it is not easy to find a rule that will detect keyloggers and that will not produce any false positive)
    - The quality of the link between emulation and signature scanning.

    I think Norman Sandbox emulation of the malware and environment are very good. It probably lacks some behavioral rules for detecting some types of malware, but its main weakness is that there is no link between sandbox emulation and signature scanning.

    In Bitdefender, this coupling between emulator and signature scanning is visible through the flags "Dropped :" and "GenPack :" for example. I think that NOD32 (detections of "a variant of...") has implemented something similar. And I hope that they will finally implement it inside Norman.
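
The coupling between emulator and signature scanning that post 7 describes, sketched as an added example (not part of the thread and not any vendor's code): a toy unpacking stub is emulated, then the resulting memory and the buffer handed to an emulated file-write call are re-scanned with the same signatures. The instruction set, sample, signature name and the meaning given here to the "GenPack:" and "Dropped:" prefixes are assumptions made for the illustration.

```python
# Added illustration: toy emulator coupled to a signature scanner.
# Instruction set, sample and signature are all constructed for this example.
SIGNATURES = {"Toy.Marker.A": b"CONSTRUCTED-TEST-MARKER"}

def scan(buf):
    """Plain signature scan: names of all signatures found in buf."""
    return sorted(name for name, pat in SIGNATURES.items() if pat in buf)

def emulate(program, memory, max_steps=10_000):
    """Run the toy stub; return (final memory, buffers passed to the fake file write)."""
    mem, reg, dropped, pc, steps = bytearray(memory), {}, [], 0, 0
    while pc < len(program) and steps < max_steps:  # step cap: a stub may loop forever
        op, *a = program[pc]
        pc += 1
        steps += 1
        if op == "mov":
            reg[a[0]] = a[1]
        elif op == "load":
            reg[a[0]] = mem[reg[a[1]]]
        elif op == "xor":
            reg[a[0]] ^= a[1]
        elif op == "store":
            mem[reg[a[0]]] = reg[a[1]]
        elif op == "inc":
            reg[a[0]] += 1
        elif op == "jlt" and reg[a[0]] < a[1]:  # jump to a[2] while register < limit
            pc = a[2]
        elif op == "writefile":  # emulated API call: record what would be dropped
            dropped.append(bytes(mem[a[0]:a[0] + a[1]]))
    return bytes(mem), dropped

def scan_with_emulation(program, memory):
    """Static hits first, then re-scan what emulation produced, with coupling flags."""
    hits = scan(memory)
    mem, dropped = emulate(program, memory)
    hits += ["GenPack:" + n for n in scan(mem) if n not in hits]
    for buf in dropped:
        hits += ["Dropped:" + n for n in scan(buf)]
    return hits

KEY = 0x5A
PLAIN = b"..CONSTRUCTED-TEST-MARKER.."          # constructed, harmless payload
PACKED = bytes(b ^ KEY for b in PLAIN)          # what is on disk: XOR-"packed"
STUB = [("mov", "i", 0),                        # decoder loop over the packed bytes
        ("load", "b", "i"), ("xor", "b", KEY), ("store", "i", "b"),
        ("inc", "i"), ("jlt", "i", len(PACKED), 1),
        ("writefile", 0, len(PACKED))]
```

A scanner that emulates but never feeds the result back to its signatures would stop at the empty static result for `PACKED`.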
     