Heuristics in action

Discussion in 'other anti-virus software' started by CloneRanger, Mar 11, 2010.

Thread Status:
Not open for further replies.
  1. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    With all the programs with heuristics in action, I'd like to know how many we can use at once?
     
  2. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I played BF2, BC2, MW1 & 2. Avira never detected any FP there for me. It's very odd indeed. Perhaps there's a difference between Steam-bought games and others.
     
  3. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    Possibly. I hate Steam with a passion, so all my games are retail, either bought new on eBay or in local stores.
     
  4. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    I've never seen an attempt by Avira to delete Windows files.

    And even if Windows files would show up as false positives, they wouldn't necessarily be deleted. I run the Avira suite in interactive mode, so I just get a prompt when it detects anything, false positive or not.

    Safer than AVs that automatically delete/clean detections.

    Of course, Avira is not for everyone.
     
  5. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    BTW, it is technically impossible that Avira has a false positive and kills an active original Windows OS file. This method for avoiding false positives on OS files is used by several other AV products as well.

    Cracks and keygens so often really contain malware these days, I regularly farm them in order to pick up the latest malware! The ratio of really infected cracks & keygens is very high, and I noticed they switched over from trojanizing the keygen/patcher to trojanizing the installer of the program itself. So sandboxing the crack/keygen won't protect you anymore.

    With the next engine update, Avira will report pirated licenses of a known protector, like many other AVs do (KAV, NOD). It will be interesting to see how many users will complain that we suddenly detect their "legal" software. But the detection ratio on real malware clearly justifies this detection method.

    I made several detections, each of them catching more than 100.000 malware samples but having like 10-20 false positives 2-3 months after release of the detection. I think that ratio is acceptable; protection of the customer from malware comes first! Especially when those false positives are usually cracks, keygens, strangely patched/packed software or very exotic programs that are 8+ years old.
     
  6. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    Can you please explain this a bit more.... Here I guess you wanna say that keygens and patches are much more infected than in earlier days, or you are trying to say that the software packages which come with keygens and patches are infected...

    What I have heard or learned is that nowadays keygens and patches are VM aware and sandbox aware, so they don't do any malicious activities while running on VMware machines or a sandbox environment. So how are they going to affect any machine while running in these environments? Even I have analyzed many keygens on CIMA and Sunbelt Sandbox Analyzer but found many of them non-malicious. Maybe I was wrong or maybe I am right somewhere, but it will be highly appreciated if you could please explain a bit more....:)
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Could you explain a bit more? So if a person has a pirated license of another security software on his/her computer, Avira will detect it and then do what: report it silently to Avira, give a warning to the user that it is pirated, or just detect it as malware? Also there are not many people with other security software alongside their main AV on their computers, so I don't think it will have a big effect, or does it also detect licenses from other sorts of software instead of only protection software?
     
  8. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    I guess they will inform users that they are running pirated software... and all. But still it's a big question how they will detect pirated serials that are generated from keygens.... how are they going to detect its serial?
     
  9. Patrician

    Patrician Registered Member

    Joined:
    Jun 3, 2005
    Posts:
    132
    That's a very strange viewpoint.
     
  10. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    Most keygens aren't viruses. They get flagged as false positives because of the way they are packed. A true AV such as KAV will almost always flag a keygen as a virus if it truly is a virus.
     
  11. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    That's what I am trying to say... But as per Stefan it's vice versa..
     
  12. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Bringing keygens into this discussion isn't valid at all. I was referring to the AVC FPs, which are all valid and legal files.
     
  13. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    No, a few people did when they started throwing accusations out the window. Here are a few that brought it up in the last 2 pages: icr, shadek, Stefan Kurtzhals.

    Sad thing is none of it has any basis or even truth, and it's totally off topic. Thank them, Elapsed.
     
  14. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    You're the one sitting around playing cracked games. :cool: Don't throw rocks when you're inside a green house. :shifty:
     
  15. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    It's glass house, not green house. And reading > you.
     
    Last edited: Mar 15, 2010
  16. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    The detection will be like Black.A of Kaspersky, like every other malware detection. The goal is *not* to detect pirated software; we don't care about that. On the other hand, if we have false positives on pirated software, it has a very low priority for us to fix as well.

    It depends on the source of the cracks/keygens how high the trojan ratio is. From some sources, it became almost impossible to get non-trojanized programs. In the past, cracks and keygens were reported because they were packed. That is no longer really a big problem. BTW, how do you know that the cracked software is really clean? Only because every scanner reports so? You are aware that the malware writers test around until they manage to bypass all current detection before they seed the trojans/trojanized programs?
    Besides exploits (browser, JavaScript, Flash, PDF), I would say trojans in cracks/keygens are one of the major infection vectors these days.
     
  17. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    This isn't about keygens, cracks, etc. It's about Avira's heuristics and its insane detection of false positives. Sure, malware writers use those to spread the infections because they are so prominent, but that's irrelevant to this thread.
     
  18. marcuskng

    marcuskng AV Expert

    Joined:
    Feb 19, 2010
    Posts:
    74
    Stefan's scenario is different from what you think.

    Imagine:

    100.000 malware files and 5 'clean' files are packed using the same commercial packer/protector, with the same stolen/cracked license (the runtime packer).

    What would you do?

    IMHO: blacklisting the whole license is valid. It immediately offers detection for 100.000 malware files. The 'cost' may be "FP"s on files that infringe the copyright of the protector vendor. Personally, I can live with that.

    Your opinions?
     
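An added illustration, not code from Avira, marcuskng or anyone else in this thread, of the two mechanisms discussed above: Stefan's point in post 5 that a detection cannot act on an active original Windows OS file, modelled here as a hash allowlist consulted before any signature is applied, and marcuskng's scenario of blacklisting one packer license stamp that 100.000 malware files and 5 clean files share. The packer, its license stamp, the file names and every sample are constructed for the example, and the counts are scaled down to 100 malware and 5 clean files; the scoring shows what such a detection catches, what it costs, and why the allowlist keeps the OS file out of the tally.

```python
"""Constructed example: blacklisting a packer license stamp, with an OS-file
allowlist checked first. Not Avira's engine or anyone's real signature."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical license stamp a made-up runtime packer writes into every file it
# protects. In the scenario, one cracked license was used both for a malware
# corpus and for a handful of clean programs (constructed value).
STOLEN_LICENSE_STAMP = b"PKR-LIC:0000-DEMO-CRACKED"


@dataclass
class Sample:
    name: str
    data: bytes
    is_malicious: bool  # ground truth, known only to us for scoring


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Bytes of the pretend OS file; its hash goes on the allowlist below.
PRETEND_OS_FILE = STOLEN_LICENSE_STAMP + b"pretend OS file"
OS_ALLOWLIST: Set[str] = {sha256(PRETEND_OS_FILE)}


def build_samples(n_malware: int = 100, n_clean_packed: int = 5) -> List[Sample]:
    """Constructed corpus: many malware files and a few clean tools carry the
    same stamp; a pretend OS file also carries it (the case the allowlist must
    protect); and one ordinary clean program carries no stamp at all."""
    samples: List[Sample] = []
    for i in range(n_malware):
        body = STOLEN_LICENSE_STAMP + b"\x90" * 16 + i.to_bytes(2, "big")
        samples.append(Sample(f"mal{i}.exe", body, True))
    for i in range(n_clean_packed):
        body = STOLEN_LICENSE_STAMP + b"clean program " + i.to_bytes(1, "big")
        samples.append(Sample(f"tool{i}.exe", body, False))
    samples.append(Sample("pretend-os-file.dll", PRETEND_OS_FILE, False))
    samples.append(Sample("plain-clean.exe", b"MZ unpacked clean program", False))
    return samples


def verdict(sample: Sample, stamp: bytes, allowlist: Set[str]) -> str:
    """Allowlist wins over every signature: a known-good hash is never acted
    on, no matter what the file contains. Then the license stamp is matched."""
    if sha256(sample.data) in allowlist:
        return "allowlisted"
    if stamp in sample.data:
        return "detected"
    return "clean"


def score(samples: List[Sample], stamp: bytes, allowlist: Set[str]) -> Dict[str, int]:
    """Tally what the stamp blacklist buys (true positives) and costs (false
    positives), plus how many files the allowlist shielded."""
    counts = {"true_positives": 0, "false_positives": 0, "missed": 0, "allowlisted": 0}
    for s in samples:
        v = verdict(s, stamp, allowlist)
        if v == "allowlisted":
            counts["allowlisted"] += 1
        elif v == "detected":
            counts["true_positives" if s.is_malicious else "false_positives"] += 1
        elif s.is_malicious:
            counts["missed"] += 1
    return counts


def precision(counts: Dict[str, int]) -> float:
    """Share of detections that were actually malware."""
    hits = counts["true_positives"] + counts["false_positives"]
    return counts["true_positives"] / hits if hits else 0.0


if __name__ == "__main__":
    corpus = build_samples()
    with_allowlist = score(corpus, STOLEN_LICENSE_STAMP, OS_ALLOWLIST)
    without_allowlist = score(corpus, STOLEN_LICENSE_STAMP, set())
    print("with OS allowlist:   ", with_allowlist, f"precision={precision(with_allowlist):.3f}")
    print("without OS allowlist:", without_allowlist, f"precision={precision(without_allowlist):.3f}")
```

Run as is, the stamp blacklist catches every constructed malware file at the price of the five clean packed tools, and the allowlist keeps the pretend OS file out of that cost; drop the allowlist and the same signature would count the OS file as a sixth false positive, which is the failure Stefan says the OS-file protection rules out.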
  19. marcuskng

    marcuskng AV Expert

    Joined:
    Feb 19, 2010
    Posts:
    74
    It's not our job to prevent copyright infringement. Our job is to prevent people from getting infected. However, pampering infringers and wasting our research time on removing detection on illegal software isn't really a top priority for us either, especially if it does come at the cost of user security.

    I'm pretty darn sure at least 90% of AV researchers are with me on that.
     
  20. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    So you're saying, if a user gets infected by a crack/keygen, then it's the user's fault, and not the responsibility of the anti-virus that is supposed to be protecting them?

    I understand, users who use such things have a risk of getting a virus or some spyware to boot, but to label these as you have, i find just plain wrong.

    Most people know by now, this is how many people end up getting infected.

    Vendors have a responsibility to have good detection for these, even if they don't like the idea of it.

    ... that is, if they really do care about protecting its customers.
     
  21. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    Exactly my thoughts. If a crack, keygen, patch, etc. has a virus in it and the software isn't made to detect it, then who is to say a website can't have the same infection, and because the vendor failed to detect it, anyone using that specific product that goes to that given site can get infected, not just people who use pirated software patching methods.

    Marcus Matten that would be protecting users from getting infected like you said you do, but yet you refuse to. What company do you work for?
     
  22. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    I thought by reading the above comments, Marcus was striving for a stronger product with better detection rates.

    I thought what was inferred was that they would prefer a security product to raise the alarm on a handful of clean files that are packed with the same packer used for malicious files, rather than spending research time analysing a handful of clean files to satisfy those who may have a clean keygen, a clean but possibly cracked program, or relatively unknown/not-so-popular software (you can always exclude these files from scanning by the way)? It doesn't need hours of research time 'white listing' these files most users wouldn't ever come across, at the sacrifice of white listing files that closely relate to possible malware.

    Everyone is bringing up some valid points. elapsed is mentioning legitimate software being detected as malware, while others mention some games.

    Me personally, I would prefer 'over-active' detection and have many more malicious files detected, rather than software that is 'safe' on all games etc, but significantly behind in detection rates.
     
  23. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Then would you please send me those insane amounts of false positives on legal, valid applications to heuristik2@avira.com? As the maker of that "insane amount of false positives" I really would like to fix them.
    Of course you know better what kind of false positives the Avira heuristics have than the author of this heuristics, right? :rolleyes:

    No, of course Avira detects this normally. I said we don't give much focus on fixing false positives on not-malicious cracks/keygens. Why should we waste support time for not-so-legal software?
     
  24. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Actually, if you see the complete AV-Comparatives report, you will find that Avira had about the same number of FPs as 4 other products and about 40% more than the median or the geometric mean. Most likely it would be reported as having an average number of FPs if AV-Comparatives didn't switch directly from "few FPs" to "many FPs".
     
  25. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Keep in mind that AV-C is scanning 20 000+ viruses. It's logical false positives would arise. 21 false positives from that many viruses, that's nothing - to me anyway.

    I assume even if a user had 20 000+ viruses on their machine, they wouldn't worry that Avira detected 17 000+ viruses, and gave them 21 false positives. Actually, I don't think the user would complain at all or say it was a massive amount of false positives given the amount of viruses detected. ;)

    A regular user scanning a system of 100 000 files, would most likely see zero false positives, but anything found would most likely be malware.

    Us here downloading all sorts of programs, games, utilities, from softpedia, download.com, others, yeah we'll see a few FPs from time to time.
     