Heuristics

This question is about whether heuristics really work. According to last summer's PC Magazine (yeah, yeah I know - please no flames) none of the AV tools tested picked up on new viruses after not being updated for a month and off the web (except for McAfee and NAV and they already had sigs on the new viruses somehow).

The article basically said that it's nice to talk about but it doesn't actually work.

I was reading at SANS.org the other day and they were saying how heuristics were basically the cause of a lot of false positives.

Any thoughts?

 

Rodzilla just said something the other day about NOD32 picking up several viruses, before they had the signature files.
I have DrWeb and they seem very proud of their Heuristics. I doubt they would say much about it if it didn't work at all.
Haven't had a chance to prove one way or another though.

 

> Rodzilla just said something the other day about NOD32 picking up several viruses, before they had the signature files.

Yep ... there's a l-o-n-g list.

You may have noticed that sometimes several days elapse between NOD32 updates ... this is because viruses which are detected heuristically generally don't rate an immediate update ... but sometimes we release two or three updates within a few hours of each other, for new viruses which are not detected heuristically.

> I have DrWeb and they seem very proud of their Heuristics. I doubt they would say much about it if it didn't work at all.

DrWeb would also have a long "before they were written" hitlist ... its heuristics are also very powerful. There's no question that it's right up near the top in virus detection ... but I would have to seriously weigh its detection rate against its false positive rate if I was in the market for an antivirus program and I wasn't in the AV industry.

 

I think DrWeb is more suited to an experienced user who analyse these false positives and act upon them without panic, I believe thats the way its reviewed also here at Wilders. No doubting though that its a fine av.