Heuristics in action

Discussion in 'other anti-virus software' started by CloneRanger, Mar 11, 2010.

Thread Status:
Not open for further replies.
  1. smage

    smage Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    378
    No AV is worth paying for when you have these for free and you are skilled enough to use them.
    http://www.youtube.com/user/languy99#p/u/1/nPWLlF_bIC8
     
    Last edited: Mar 17, 2010
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    Avira has been great for me, as i love its excellent heuristics, which is why i started this thread. They have every reason to be very proud of what they've achieved with its heuristics over the last few years, as proven in ALL the tests i've seen anyway. Nothing wrong with saying this, and hoping others appreciate its achievements. The same goes for any other product that deserves praise, by me or anybody else.

    Only been slightly infected once, and that was years ago before i used Avira. With Avira's great heuristics, and setting the AV to prompt me for action, i don't have any worries about visiting infected sites, just for the fun of it.

    Even though Avira is constantly tops for detection in tests, and remember that's ONLY with default settings, NOT max heuristics etc, i do agree with several members who have accurately stated that, Avira "can" sometimes be somewhat lacking in clean up. Not sure why this should be :( but i feel sure they will only improve, why wouldn't they want to.

    You can call me a fanboy if you like, i don't mind got every reason to be :p but i acknowledge both sides of the discussion.
     
  3. Matthijs5nl

    Matthijs5nl Guest

    Like I said, you can also use some kind of HIPS and sandboxing, which creates a totally different situation. And makes everything i said in the post redundant.
     
  4. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    Future versions are irrelevant to the discussion at hand on current products. They could get better, but they could also get worse. Let's not jump to conclusions.
     
  5. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    I'm sorry mr daily opinion, but you're skating around the message you replied to,

    Avira scored around 87% in the biggest dynamic test available from the biggest of testers with the most experience and money, match this with Avira's completely useless removal and you have a poor product!

    I don't know how you or any of the fanboys can argue against that, maybe you don't trust the test marx has done?
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @PC__Gamer

    If they don't get downloaded, they Can't infect. MAX settings and they won't, in my daily experience anyway :D
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Will you get off of it? You hate Avira, you've made it crystal clear. I personally don't think 87% is too bad at all, but I'm not going to post that thought multiple times in the same thread. And really, where do you get "most experience and money" from? Have you been at any of these companies? Do you do their accounting? No? Then it's useless for you to bring it up. Seriously, give it up PC, we know your stance, you've left no room for doubt.

    It's a bit amusing, if the subject at Wilders is either Avira or Opera, the thread is going to go to hell by the second page.
     
  8. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    You're completely right, I've made my point very clear :)

    If people didn't have such an affection with their antivirus, these threads wouldn't have such hostility in, people need to relax a little (you'll go grey before your time)
     
    Last edited: Mar 17, 2010
  9. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,352
    Location:
    Hawaii
    Your point being: "I argue for the sake of argument." Right? ;)
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    PC, first you are a good member here with some solid thoughts. Sometimes it is fun to bust your chops to get you going. No one can dispute Avira's ability. It was the one that got me here. I predicted this would be a down year for them in December and I stick to that. By down I don't mean crappy but more of a learning one that will only make them better. But yes, I love Prevx and Avira but in the past they have been the FP Kings. Things change.

    So please don't take this the wrong way because we all come here and agree one day, and disagree the next. But trust me when I say personally, I learn quite a bit from your postings. And I can jab at Avira because Stefan is a dear friend I have never met. Avira is one of the best at maximizing the most from limited resources. Eset is learning that too. ;)

    And I do trust Marx, but I trust IBK more.;)
     
    Last edited: Mar 17, 2010
  11. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    Hello Matthijs5nl,

    I'm with you on this.

    In all my time here, I've never participated in one of these "what's the best" threads - usually pointless and likely as not to degenerate into name calling. I do monitor them if I'm interested in a particular piece of software for info on updating frequency, support, ease of use, and the like.

    To the people I advise on security, I make the points you did - the most important being making use of what's between the ears.
     
  12. pasha101

    pasha101 Registered Member

    Joined:
    Nov 28, 2009
    Posts:
    34
    CloneRanger I have been an Avira customer for years and generally like the product. Here is an article on Avira heuristics which I think explains some of the false positives. It would appear that malware authors may be able to use this information to circumvent detection in certain cases: http://grack.com/blog/2010/03/17/the-sorry-state-of-avira-anti-virus-heuristics/

    I thought the article was interesting and thought you may like to read it if you hadn't had a chance.
     
  13. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    pasha101, don't confuse the Avira script heuristics with the binary malware heuristics/generic detections.

    BTW, in those dynamic tests, products with behaviour blocker/HIPS (and some with reputation based detection) were compared against products without those features. Of course the prevention level is lower without those features, what do you expect? I think, for not having a HIPS/behaviour blocker and not having reputation based detection, Avira did well in those tests.

    So, slap ThreatFire and Sandboxie on top of Avira and you are better protected again as with those other products AND still paid nothing.
     
  14. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,352
    Location:
    Hawaii
    With soon-coming version 10, Avira's paid versions WILL have a behavior blocker, right?
     
  15. johnyjohn

    johnyjohn Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    126
    Hi,

    Yes, AntiVir ProActiv will be available in paid versions soon. ;-)

    Source : http://lists.avira.com/archive/details.php?id=3988
     
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    AntiVir ProActiv sounds very interesting, and with cloud based interactivity.

    @pasha101

    Good to know you like it, generally :D I hadn't seen that article before, so thanks for sharing

    Don't pretend to understand the code (attachment: eval.txt; screenshot: eval.gif), but i copied/pasted it into notepad and attempted to open it. Avira jumped right in (screenshot: avev.gif).

    Obviously it's perfectly safe to do this, as it's just a js test, of which there are many.

    Avira isn't the only one to detect it

    AntiVir 8.2.1.194 2010.03.17 HTML/Crypted.Gen

    McAfee-GW-Edition 6.8.5 2010.03.18 Heuristic.Script.Crypted

    As long as people understand that Heuristics is a clever way of recognising potential malware, and realise that sometimes FP will naturally occur. One vendor's Heuristics isn't the same as another's, some will be more keen which can lead to detects that look like malware due to the code. Better safe than sorry though i think.

    I've sent the eval.txt to Avira as a FP with the link, but due to the above scan and Stefan Kurtzhals input in here, they should already be aware of it. Having said that, he didn't seem too concerned when he posted about it :D
     
  17. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Stefan, your post seems to suggest that a whole-product dynamic test isn’t “fair” because different products have different anti-malware capabilities. However, that’s the point!

    The question to be answered is not “Which product has the best detection capability?” but rather “Which product provides the best protection?”. Obviously, the objective of an anti-malware application is to protect against malware -- thus, why should a user care which piece of a product’s functionality (e.g., reputation-based analysis or signature-based detection) is delivering that protection at any one moment in time? It’s the whole product that matters -- and, as a consequence, it is only whole-product testing done in simulated real-world scenarios that allows a meaningful comparison of the differences in the quality of products’ performance, in my opinion.
     
  18. johnyjohn

    johnyjohn Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    126
    Moreover, with the acquisition of CleanPort, Cloud technology will be more present in the future.

    Source : http://www.avira.com/en/company_news/avira_extends_security_in_the_cloud.html

    Please note that McAfee-GW-Edition (previously Secure Computing SecureWeb, acquired by McAfee) uses Avira engine. ;-)
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,352
    Location:
    Hawaii
    1- Hmmm. Does anyone think that we should test (a) FW (firewalls) & (b) AV (antivirus apps) & (c) SB (sandboxes) & (d) HIPS-classic & (e) HIPS-BB (behavior blockers) & (f) suites of security apps -- all together in one amorphous group? I wonder.

    BUT SERIOUSLY...

    2- The trend nowadays seems to be in the direction of "security suites" having multiple components. Examples include but are not limited to A-squared, OA, KIS, & CIS, each of which includes two or more of the following components: AV + HIPS(classic or BB) + Firewall + Sandbox.

    3- But some folks (me included) prefer to assemble their own set/layers of security apps instead of having some suite do it for them.

    3a- One reason: taken INDIVIDUALLY, not every component within a given suite will necessarily be "best-in-class". For example, the AV in the CIS suite is a useful one, but some folks would say that it is, by no means, "best-in-its-class".

    3b- Thus, it is possible to assemble a set of stand-alone security apps that are (individually & collectively) equal to or better than any security suite I am aware of.

    4- When I am considering various AVs (e.g.) for a do-it-myself suite of cobbled-together stand-alone security apps, I want to see comparative tests of AVs with similar components. In other words, oranges compared to other oranges; NOT oranges compared to fruit salads.

    5a- Consider (for example) a test which includes: (1) standalone AV apps <compared to> (2) AV+BB apps <compared to> (3) AV+HIPS apps.

    5a- What can be learned from such a test? Basically, all we will *learn* is that (other factors being equal) an augmented AV will out-perform a stand-alone AV. Big deal! That no-brainer "lesson" can pretty much be stated a priori BEFORE conducting any appropriate test.

    5b- In other words, mish-mash testing is pretty much useless, and can be very misleading.

    6- Perhaps that is the point that Stefan was trying to make. If so, it is a good point IMO...

    6a- Namely: test like against like -- oranges against oranges, not against fruit salads!

    6b- To wit: Test suites versus suites. Test AV+BB versus AV+BB. Test full-scope suites versus full-scope suites. Test specialized (single function) security apps versus apps with similar specialized (single function) capabilities.
     
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @johnyjohn

    Wasn't aware of that, but i am now, thanks :D

    @bellgamin

    I'm with you on this :thumb:
     
  21. pasha101

    pasha101 Registered Member

    Joined:
    Nov 28, 2009
    Posts:
    34
    The biggest issue from the originally linked article, is that there is some malware that uses the term eval in some form of malicious script. One way that the eval file in your previous post can stop triggering Avira is to insert the term google to the file. You can test that easily enough. The eval file you had posted was detected by Avira as you stated. I then added the term google to the last line of the file, no more detection. While the file you have is a harmless file that is reported as a false positive, I gather that there may be malicious scripts that may be able to get through Avira's heuristics by adding the term google to them. Of course I am only basing this off of the article which is fairly critical of Avira's heuristics.
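
Added example, not part of the original post and not Avira's or any vendor's code: a constructed toy script heuristic showing why suppressing an alert on a "trusted" keyword found anywhere in a file produces the behaviour described above, next to a suppression keyed to the exact hash of a vetted file. The rule weights, the threshold, the keyword list and the sample script are all assumptions made for illustration.

```python
import hashlib
import re

# Constructed toy rules for illustration; not Avira's or any vendor's logic.
SIGNALS = [
    (re.compile(r"\beval\s*\("), 3),
    (re.compile(r"\bunescape\s*\("), 2),
    (re.compile(r"String\.fromCharCode"), 2),
]
THRESHOLD = 4
TRUSTED_KEYWORDS = ("google",)  # hypothetical substring allowlist


def score(script: str) -> int:
    """Sum the weights of every obfuscation signal present in the script."""
    return sum(weight for pattern, weight in SIGNALS if pattern.search(script))


def weak_verdict(script: str) -> str:
    """Suppress the alert whenever a trusted keyword appears anywhere."""
    if any(word in script.lower() for word in TRUSTED_KEYWORDS):
        return "clean"
    return "suspicious" if score(script) >= THRESHOLD else "clean"


def strict_verdict(script: str, vetted_hashes: set) -> str:
    """Suppress only for byte-exact files an analyst has already vetted."""
    digest = hashlib.sha256(script.encode("utf-8")).hexdigest()
    if digest in vetted_hashes:
        return "clean"
    return "suspicious" if score(script) >= THRESHOLD else "clean"


# Constructed harmless sample: the encoded string decodes to "1+1".
SAMPLE = 'eval(unescape("%31%2b%31"));\n'
TAGGED = SAMPLE + "// google\n"
VETTED = {hashlib.sha256(SAMPLE.encode("utf-8")).hexdigest()}

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE), ("tagged", TAGGED)):
        print(name, score(text), weak_verdict(text), strict_verdict(text, VETTED))
```

The hash-keyed suppression clears the reported false positive without clearing any modified copy of it, which is the property a keyword allowlist lacks.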
     
  22. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Stefan, just a thought for you. I know most products are developed in-house, but if ThreatFire currently doesn't have a paid edition and are looking at receiving additional income for their product, you might look into a partnership with ThreatFire in the future.

    No way?! Serious, it's one of the strongest behaviour blockers available, and works well with Avira. Us here like layers, but average users prefer one single program they recognize providing prompts/alerts. Could be something to consider in the future (considering pctools AV isn't so strong, spyware doctor has the 'spyware' name and to most users, is not an anti-virus and doesn't have the reputation as one).
     
  23. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Unfortunately it's the boss you have to convince not the developer :p
     
  24. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Very true. :)

    I haven't used the premium edition, I'm just basing my comments off the free edition, and that instead of spending many hours developing something (behaviour blocker) you could utilize another program that could 'possibly' be available.
     
  25. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Are you aware that the whole-product dynamic tests conducted by AV-Comparatives and by AV-Test (both in December, 2009) actually did “test suites versus suites”? Within the set of security suites tested, capabilities differ. And, it is completely appropriate that the test results reflect those differences in capabilities, because a real-world user would experience differences in malware protection when using one suite versus another. For example, if Kaspersky Internet Security 2010 has capabilities that AVIRA Premium Security Suite 9.0 lacks, then so be it -- each is assessed in the same way in these dynamic tests.

    Theoretically, nearly anything is possible. Unfortunately, there is no independent and rigorous comparison of a “build-your-own” security suite to those of the major vendors, and so it is not known which is actually the better approach. Logically, however, a security suite has a key advantage: the integration benefit. Components of a suite work together and complement one another, which is not possible when using a collection of isolated and non-integrated pieces.

    Maybe some testing organization at some time in the future will explore this issue, but it would be a massive effort due to the combinatorial complexity of mixing and matching the "build-your-own" components.
     