Heuristics in ESS... false sense of security!?

Discussion in 'ESET Smart Security v3 Beta Forum' started by mecute, Oct 20, 2007.

Thread Status:
Not open for further replies.
  1. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    Eset Smart Security's heuristics analysis is giving us a false sense of security when it comes to detecting new and unknown viruses.

    Compared to other AV's heuristics analysis technique, ESET is much inferior (though Advanced Heuristics is capable of detecting the same virus). Given a new and unknown virus, heuristics analysis alone of ESET cannot detect it. Please see my comparison:

    Sample: a virus that duplicates using filename similar to that of a folder name where it (virus) resides

    Modes are: No Heuristics; Heuristics; Advanced Heuristics

    1. ESET Smart Security - no detection; no detection; probably unknown NewHeur_PE virus
    2. Dr. Web CureIt - no detection; probably WIN.SCRIPT.VIRUS; N/A

    Both AVs have the same date of definition files (September 17, 2007), outdated :D

    Guys! If ESS Advanced Heuristics == other AV's Heuristics, then what's the use of ESS's inferior heuristics?

    This is just my observation. And I believe using Heuristics Analysis alone (not Advanced Heuristics) will give us a false sense of security, especially for new and unknown viruses. And hey! Don't forget that the default setting of 'Real-time file system protection' is set to Heuristics analysis only.

    Note: I'm using CureIt only as a "First Aid Kit"
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I absolutely don't see any sense in what you've been trying to say :) Heuristics never catch 100% of all threats. Needless to say, heuristic and signature-based detections are complementary and together they give a high probability of detecting new malware. By the way, I don't understand why you differentiate between the heuristics and advanced heuristics.
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Because advanced heuristics isn't turned on by default in the resident module?

    While we're at it, judging by how heavily Eset relies on its advanced heuristics to catch variants, leaving it off by default could be a mistake. Personally I hope this gets fixed in the ESS final release.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    AH is enabled by default for newly created/modified files :D

    In ESS/EAV you can enable it even on access.
     
  5. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Okay, sweet.
     
  6. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada

    that's good news - it's something we mentioned as a possible improvement ages ago!
     
  7. ASpace

    ASpace Guest

    :D :D :D
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It isn't actually as good an idea as it might appear at first sight.
     
  9. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada

    do you mean in a corporate environment Marcos?

    I did suggest two downloads - one maxed out in settings and protections, and one dumbed down for corporate deployment... but I doubt it went any further than the staff I mentioned it to...
     
  10. rwt325

    rwt325 Registered Member

    Joined:
    Jul 28, 2005
    Posts:
    101
    Location:
    Strasburg VA
    In my version 3.0.414.0 Advanced Heuristics is turned on by default.
     
  11. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    It would be best if only AH is used by ESET. For me, if there is AH there will be no more need for Heuristics alone. In fact the Heuristics used by ESET is inferior compared to other Heuristics used by other AV. No question about the AH!

    AH will do the job. Anyway, if ESS is configured properly, it will give an excellent result. :thumb:
     
  12. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    Because heuristics alone can't detect the virus sample I used, while other AV's heuristics can! AH does.
     
    Last edited: Oct 21, 2007
  13. ASpace

    ASpace Guest

    But it doesn't matter what module, component, or part of the product detected the threat. This is one system and all modules work as one, as a team, to reach the best possible effect.
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Heuristics can detect stuff that AH cannot and vice-versa, so they are COMPLEMENTAL and do not do the same things.
     
  15. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    Nicely said Marcos...
     
  16. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    But you're not totally safe there Marcos! The name (Advanced Heuristics) speaks for itself. If you say complemental, then why leave an option? Why is it also that AH is unmarked by default? Why is it not created as one? Surely the level of AH is much higher compared to its basic heuristics. Or maybe the heuristic is somewhat weak o_O
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Heuristics and advanced heuristics are two different things. "Normal" heuristics does static analysis of code looking for specific code patterns. It's very fast, but it's bypassed by code obfuscation.
    Advanced heuristics does dynamic analysis, looking for malware behaviour. It creates a virtual machine and emulates the code inside it. This is slow, but it's more resistant against code obfuscation.
    This paper (PDF) by Symantec does a fine job at explaining heuristics.
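As an added illustration of the distinction lucas1985 draws (this is not code from the thread or from ESET): a toy static pattern scanner beside a toy emulator that runs a constructed decoder stub and then scans the memory it produced. The bytecode, its opcodes and the "MARKER" pattern are all constructed for this example; the step cap shows why emulation has to be bounded and is therefore slower.

```python
# Toy illustration of static vs. dynamic (emulation-based) heuristics. Constructed example;
# the bytecode format, opcodes and the suspicious pattern are invented for this demo.

# Constructed "suspicious" byte pattern the toy scanner looks for.
SUSPICIOUS_PATTERNS = [b"MARKER"]

# Toy bytecode: a one-byte opcode followed by fixed-size operands.
OP_XOR = 0x01   # XOR addr(1) len(1) key(1): decode a memory range in place
OP_HALT = 0xFF  # stop execution

def static_scan(image: bytes) -> list:
    """Static heuristics: look for patterns literally present in the image as stored."""
    return [p for p in SUSPICIOUS_PATTERNS if p in image]

def emulate(image: bytes, max_steps: int = 1000) -> bytes:
    """Dynamic heuristics: run the toy bytecode on a private copy of memory.
    The step cap bounds the cost, which is why emulation is slower than a static scan."""
    mem = bytearray(image)
    pc = 0
    for _ in range(max_steps):
        op = mem[pc]
        if op == OP_HALT:
            break
        if op == OP_XOR:
            addr, length, key = mem[pc + 1], mem[pc + 2], mem[pc + 3]
            for i in range(addr, addr + length):
                mem[i] ^= key
            pc += 4
        else:
            raise ValueError(f"unknown opcode {op:#x} at offset {pc}")
    return bytes(mem)

def dynamic_scan(image: bytes) -> list:
    """Emulate first, then apply the same patterns to the memory the code produced."""
    return static_scan(emulate(image))

def build_sample(key: int = 0x5A) -> bytes:
    """Constructed sample: a 5-byte decoder stub followed by the XOR-encoded marker.
    The marker is never stored in clear, so the static scan finds nothing;
    the emulator executes the stub, decodes it, and the dynamic scan finds it."""
    marker = b"MARKER"
    stub = bytes([OP_XOR, 5, len(marker), key, OP_HALT])  # marker lives at offset 5
    return stub + bytes(b ^ key for b in marker)

if __name__ == "__main__":
    sample = build_sample()
    print("static :", static_scan(sample))    # []
    print("dynamic:", dynamic_scan(sample))   # [b'MARKER']
```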
     