NOD32 and how heuristics work

Discussion in 'NOD32 version 2 Forum' started by kjempen, May 12, 2005.

Thread Status:
Not open for further replies.
  1. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    I thought signatures don't make any difference in what the heuristics will detect. If you read this post by tazdevl, it seems like it might matter after all?

    To explain it better; how can the number of "probably unknown NewHeur_PE virus" reports increase from 2 to 4 with just a signature change? Wouldn't the advanced heuristics module have to be "improved" too?
     
  2. Heuristics can work together with signatures to detect modified malware based on existing malware that is already known. This is basically a generic detection.
     
  3. Happy Bytes

    Happy Bytes Guest

    RejZoR, are you own3d? :eek: :D
    Your post is correct ;)
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Hehe, I was writing from a school PC. I was too lazy to log in :)
     
  5. profhsg

    profhsg Registered Member

    Joined:
    May 18, 2004
    Posts:
    145
    It seems that there are at least two kinds of heuristics. The first seems to be some sort of emulation a la sandboxing or a similar technique. That is, running an emulation of the file in a safe environment and seeing if it does something malware-like. The other is what was just referred to as generic signatures: seeing if the code in a file bears a similarity to other known malware. I believe that NOD32's heuristics utilize both methods. Am I correct in these suppositions?
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
  7. profhsg

    profhsg Registered Member

    Joined:
    May 18, 2004
    Posts:
    145
    Thanks for the reply and reference to the Extreme Tech article. So, does NOD32 use both static and dynamic heuristics?
     
  8. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    It appears so. If you disable signatures and try with several malware types, there is a great chance that you'll encounter "Probably modified malware_name (probable variant)".
    "(probable variant)" is added if the heuristics decide that there is a very, very high chance that the file is really malware. Otherwise you get the name without "(probable variant)".
    There is also a difference between a "Probably new heur_PE" detection and "Probably modified Lowzones trojan".
    The first one detects completely new malware (or based on known parts of the file via heuristics and/or emulation), while the second one detects a modification of the Lowzones trojan (in this example) or other malware containing parts of the Lowzones trojan.
     
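    The "generic detection" mechanism that posts 2, 5 and 8 describe, and kjempen's original puzzle (how a signature-only update can raise the number of "probably modified" hits without touching the heuristics code), can be shown with a small model. The following is an added example written for this thread, not NOD32's engine or ESET code: it keeps a database of byte fragments per known family (the fragment sets, family names and thresholds are all constructed and hypothetical), and reports a full name on a complete match, "probably modified X (probable variant)" when most fragments match, and "probably modified X" when only some do. Because the verdict depends on the fragment database, shipping a new signature set changes what the same heuristic logic flags.

```python
"""Toy generic-signature scanner modelling the thread's explanation.

A file is compared against byte fragments taken from known malware families.
The classification logic never changes; only the fragment database does, which
is why a signature-only update can change the number of "probably modified"
detections. Everything below (families, fragments, thresholds, samples) is
constructed for illustration and is not real NOD32 data.
"""

# Hypothetical fragment database, "signature version 1".
SIGNATURES_V1 = {
    "Lowzones trojan": [
        b"\x55\x8b\xec\x83\xec\x20",        # constructed code-fragment stand-in
        b"CreateRemoteThread",
        b"WriteProcessMemory",
        b"\xe8\x00\x00\x00\x00\x5d\x81\xed",  # constructed call/pop delta stub
    ],
}

# "Signature version 2": same engine, one more family added by the update.
SIGNATURES_V2 = dict(SIGNATURES_V1)
SIGNATURES_V2["Dropper.X"] = [
    b"URLDownloadToFileA",
    b"ShellExecuteA",
    b"\x68\x00\x20\x00\x00",  # constructed push-immediate fragment
    b"\\Run\\",
]

# Thresholds are assumptions chosen for the model, not vendor values.
VARIANT_THRESHOLD = 0.75    # ">= this share of fragments" -> "(probable variant)"
MODIFIED_THRESHOLD = 0.50   # ">= this share" -> "probably modified", no suffix


def fragment_hits(data: bytes, fragments: list) -> list:
    """Return the fragments of one family that occur anywhere in the file."""
    return [f for f in fragments if f in data]


def classify(data: bytes, signatures: dict) -> str:
    """Pick the family whose fragments best cover the file and name it.

    A full match behaves like a classic signature hit; partial matches are
    the generic/heuristic detections discussed in the thread.
    """
    best_name, best_ratio = None, 0.0
    for name, fragments in signatures.items():
        ratio = len(fragment_hits(data, fragments)) / len(fragments)
        if ratio > best_ratio:
            best_name, best_ratio = name, ratio
    if best_name is None:
        return "clean"
    if best_ratio >= 1.0:
        return best_name
    if best_ratio >= VARIANT_THRESHOLD:
        return f"probably modified {best_name} (probable variant)"
    if best_ratio >= MODIFIED_THRESHOLD:
        return f"probably modified {best_name}"
    return "clean"   # a lone common API string is not enough to flag a file


def scan(samples: dict, signatures: dict) -> dict:
    """Classify every sample; returns {filename: verdict}."""
    return {name: classify(data, signatures) for name, data in samples.items()}


def count_heuristic_detections(verdicts: dict) -> int:
    """Number of files reported via the generic 'probably ...' path."""
    return sum(1 for v in verdicts.values() if v.startswith("probably"))


# Constructed sample "files" (filler bytes plus chosen fragments).
FILLER = b"\x90" * 16
SAMPLES = {
    "exact.exe":     FILLER + b"".join(SIGNATURES_V1["Lowzones trojan"]) + FILLER,
    "variant.exe":   FILLER + b"\x55\x8b\xec\x83\xec\x20" + FILLER
                     + b"CreateRemoteThread" + FILLER + b"WriteProcessMemory",
    "loose.exe":     FILLER + b"CreateRemoteThread" + FILLER + b"WriteProcessMemory",
    "other.exe":     FILLER + b"CreateRemoteThread" + FILLER + b"URLDownloadToFileA"
                     + b"ShellExecuteA" + FILLER + b"\x68\x00\x20\x00\x00",
    "unrelated.exe": FILLER + b"Hello, world" + FILLER,
}

if __name__ == "__main__":
    for version, db in (("signatures v1", SIGNATURES_V1), ("signatures v2", SIGNATURES_V2)):
        verdicts = scan(SAMPLES, db)
        print(f"== {version}: {count_heuristic_detections(verdicts)} generic detections")
        for filename, verdict in verdicts.items():
            print(f"  {filename:14s} -> {verdict}")
```

With the v1 database the scan reports two generic detections (variant.exe and loose.exe) and other.exe is clean, because a single "CreateRemoteThread" string is below the threshold. Installing the v2 database, which only adds fragments for a second family, makes other.exe a "probably modified Dropper.X (probable variant)" hit and the count rises to three, without any change to the classification code. This is the effect kjempen observed: the heuristic output moved because its inputs, the signatures, did.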
  9. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Thanks for the replies. I understand it a bit better now :)
     
  10. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    If signatures can work together with heuristics to make better results, then will the signatures also help to perform a somewhat limited disinfection of the malware modification that was found?

    Just curious :)
     