NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying malware

Discussion in 'other anti-virus software' started by solcroft, Mar 27, 2007.

Thread Status:
Not open for further replies.
  1. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying malware

    1. Regarding a variant of
    There's nothing wrong with naming something "a variant of". It all boils down to how the original sample was distributed. If it was UPX packed and it gets repacked, for example by ASPACK, then it's indeed a variant. The reason is that the file looks completely different from a binary point of view, even if it performs exactly the same actions. So there's nothing wrong with calling repacked versions "a variant of".

    2. Packer Detections
    There are 3 types of packers: Whitelist Packers, Greylist Packers and Blacklist Packers.

    Whitelist Packers are mainly used by non-malicious applications. (However, that doesn't mean that malware isn't using them.) Example: UPX

    Greylist Packers are packers which are not really common for "industrial use"; they are mostly used for cracks and maybe "strange" freeware/shareware and malware. Example: Exeprotector

    Blacklist Packers are packers which are mainly used only for malware. Of course you can pack a clean program with a blacklisted packer, but you shouldn't be surprised if a lot of antivirus apps flag it. Example: Several patched Morphine versions, NSANTI combinations and so on.

    Flagging white-listed packers is ridiculous, even if you only report it as suspicious. A whitelisted packer should never ever be flagged, regardless of the heuristic level.

    Flagging greylisted packers is very risky and leads to a lot of false positives.

    Flagging blacklisted packers is basically "ok"; however, it's always better to take some other heuristic flags into the conclusion before flagging such files.

    2.1 Combinations of Runtime Packers

    Similar to point 2 there are so called blacklisted combinations of runtime packers. UPX + Yoda for example.
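The three packer tiers and the "blacklisted combination" rule described in the post above, worked through as an added example. This is my own illustration, not code from the thread or from any of the products discussed: it parses a PE section table, identifies packer families from section names, collects independent heuristic flags (section entropy, writable+executable sections) and only lets the packer tier raise a verdict where the tier or the combination warrants it. Only UPX (white), Exeprotector (grey) and UPX+Yoda (blacklisted combination) come from the post; the placement of Yoda alone in the greylist, the "DemoBlack" stand-in for a blacklisted packer, the section-name markers other than UPX0/UPX1, and all thresholds are assumptions chosen for the demo, not any vendor's signatures.

```python
"""Packer-aware triage of a PE section table (added example, not from the thread)."""
import math
import struct
from collections import Counter

# Tiers from the post: UPX white, Exeprotector grey, UPX+Yoda a blacklisted
# combination. Yoda alone as grey and "DemoBlack" as a stand-in are assumptions.
TIER = {"UPX": "white", "Exeprotector": "grey", "Yoda": "grey", "DemoBlack": "black"}
BLACKLISTED_COMBOS = [frozenset({"UPX", "Yoda"})]

# Section-name markers -> packer family. UPX0/UPX1 are UPX's well-known
# section names; the remaining markers are constructed placeholders.
SECTION_MARKERS = {
    b"UPX0": "UPX", b"UPX1": "UPX",
    b".yP": "Yoda",               # assumption
    b".exeprot": "Exeprotector",  # constructed placeholder
    b".demoblk": "DemoBlack",     # constructed placeholder
}

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumption


def parse_sections(data):
    """Return [(name, raw_bytes, characteristics)] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                   # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, data[raw_ptr:raw_ptr + raw_size], chars))
    return sections


def entropy(blob):
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def triage(data):
    """Combine packer identification with independent heuristic flags."""
    sections = parse_sections(data)
    packers = {SECTION_MARKERS[n] for n, _, _ in sections if n in SECTION_MARKERS}
    flags = []
    for name, raw, chars in sections:
        label = name.decode("ascii", errors="replace")
        if entropy(raw) > ENTROPY_THRESHOLD:
            flags.append(f"high-entropy section {label}")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            flags.append(f"writable+executable section {label}")
    tiers = {TIER.get(p, "grey") for p in packers}             # unknown packer -> grey
    if any(combo <= packers for combo in BLACKLISTED_COMBOS):
        verdict = "suspicious"                                 # blacklisted combination
    elif "black" in tiers:
        verdict = "suspicious" if flags else "needs-review"    # prefer corroboration
    elif "grey" in tiers:
        verdict = "suspicious" if len(flags) >= 2 else "clean" # assumption: two flags
    else:
        verdict = "clean"   # whitelisted or unpacked: never flag on the packer alone
    return {"packers": sorted(packers), "flags": flags, "verdict": verdict}


def build_pe(sections):
    """Build a minimal PE image from [(name, raw, chars)] (constructed test data)."""
    pe_off = 0x40
    raw_ptr = pe_off + 24 + 40 * len(sections)                 # SizeOfOptionalHeader = 0
    table, blobs = b"", b""
    for name, raw, chars in sections:
        table += name.ljust(8, b"\0")
        table += struct.pack("<IIII", len(raw), 0x1000, len(raw), raw_ptr)
        table += struct.pack("<IIHHI", 0, 0, 0, 0, chars)
        blobs += raw
        raw_ptr += len(raw)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    return dos + b"PE\0\0" + coff + table + blobs


WX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
HIGH = bytes((i * 7919 + 13) % 256 for i in range(4096))      # constructed, 8.0 bits/byte
LOW = b"\x90" * 4096                                            # constructed, 0 bits/byte

SAMPLES = {  # constructed section layouts, one per decision branch
    "unpacked": [(b".text", LOW, IMAGE_SCN_MEM_EXECUTE), (b".data", LOW, IMAGE_SCN_MEM_WRITE)],
    "upx_only": [(b"UPX0", b"", WX), (b"UPX1", HIGH, WX)],
    "upx_plus_yoda": [(b"UPX0", b"", WX), (b"UPX1", HIGH, WX), (b".yP", HIGH, WX)],
    "grey_one_flag": [(b".exeprot", HIGH, IMAGE_SCN_MEM_EXECUTE)],
    "black_no_flags": [(b".demoblk", LOW, IMAGE_SCN_MEM_EXECUTE)],
    "black_with_flags": [(b".demoblk", HIGH, WX)],
}


def run_samples():
    """Triage every constructed sample; returns {name: verdict}."""
    return {name: triage(build_pe(secs))["verdict"] for name, secs in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18} {verdict}")
```

The point the samples make is the one the post makes: the UPX-only image carries three heuristic flags (high entropy, writable+executable code) and still comes out clean, because a whitelisted packer is never the reason to flag, while the same flags on a blacklisted packer, or UPX combined with Yoda, do raise a verdict.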
     
  2. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426

    I know, IC, I just pointed out that not all "a variant of" are an actual modified sample but also just a repacked one (which is, as we both said, performing exactly the same actions, just different from a binary standpoint).
     
  3. sasa843

    sasa843 Registered Member

    Joined:
    Feb 1, 2007
    Posts:
    113
    Location:
    Serbia, Europe
    Yes, and even Voyager 1 is carrying one install file, copied somehow from the Earth, for aliens to test it!
     
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    @ solcroft

    Good topic for a thread !

    I've seen quite a few HEUR/Crypted detections when scanning hundreds of real nasties with AntiVir for nearly a year. But most of the detections it's achieved are 100% positively accurate and it correctly identified them as genuine malware. I have only had a very small number of FPs in all this time with all that malware, and that's with heuristics set on high.

    I would rather see an Anti flag a file as suspicious, even if it turned out to be a FP, because not flagging it, if it turned out to be malware, could be disastrous for people.

    These days more and more malware is getting packed, some with generally less well known, or previously used, or new types. So flagging anything that appears as if it might be malware due to its being packed makes perfect sense, just in case it's a nasty.

    The facts though speak for themselves regardless of any packing detection/heuristics talk.

    AntiVir consistently outperforms Nod, and most if not all the others, in all the recent tests, and has done for some time now. Also if you check sites such as http://www.castlecops.com/f269-Malware_Listserv.html which receives numerous daily uploads of new malware, you will be able to see that AntiVir is far ahead in already having definitions for most of these, when a lot of the others detect absolutely nothing.

    So I'm afraid Nod does not have the best heuristics either; if it did, it would be detecting many more than it does.

    When you consider that such a fine all-round product as AntiVir can be had for free, or a very reasonable price for the pay version, it's outstanding !


    StevieO
     
  5. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    I really do not trust this test at all. Utilizing Jotti is not an accurate way of testing since it uses the Linux version of products, and even if you use VirusTotal, it's still not perfect.
     
  6. btman

    btman Registered Member

    Joined:
    Feb 11, 2006
    Posts:
    576

    If AntiVir couldn't remove it, the "correct" name would be a bit handy in finding a removal tool.
     
  7. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    426
    Location:
    None

    Reputable products don't need sleazy marketing. They perform very well without a slice of sushi. You just identified yourself. :p
     
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502

    True, but if you had AntiVir from the start, it would never infect unless you ran it anyway.
    If what Stefan Kurtzhals says is exact (99% etc.), that kind of packer would never be used by me or you, or anyone really. Flag it as malware. It's better that way for everyone.
     
  9. Metal425

    Metal425 Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    188
    Location:
    Southern California

    pffffffffft, NOD32 fan boy :(
     
    Last edited by a moderator: Mar 28, 2007
  10. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    594
    Location:
    Canada
    I think this is the answer for this thread.

    We also had somebody here who made software that detects files by their name and nothing else. Everybody was against him, but in the end does the user really care how the malware is technically detected :)
     
  11. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    594
    Location:
    Canada
    Well, I do not think you are right here, or you did not read this post completely.

    If we unpacked and retested these files from Castlecops we could see totally different results, just because AntiVir is, by this test, flagging many packers as suspicious.

    On the other side, I like their point of view and what Inspector explained. This is the right way, because their main task is to protect users who do not even know what packers are :)

    I totally agree with that, but on the other side I do not like it when somebody talks trash about software that detects malware by analysing its name, because these people are also using a very similar trick to detect malware :)
     
  12. Metal425

    Metal425 Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    188
    Location:
    Southern California

    Agreed
     
  13. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a

    I think more than heuristics this is about a good unpacker system like the one from KAV; in those tests KAV could detect all the real malware packed except the last one. And we all know that KAV heuristics are not the best... mmm
    but this will change for version 7. :D
     
  14. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309

    Is it only me who finds this creation of new variants as a "test" morally questionable? Thanks to performing the evaluation using Jotti he has created additional work for vlabs, as if they didn't have enough to do without "testers" creating even more crap variants.

    If he did it in his own home, ran the scanners himself, and afterwards got rid of his newly created variants without ever releasing them to the public (which an upload to online scanners certainly counts as) I might have overlooked the "new variant creation" fact in this specific case. But like this... do we really need testers to contribute to the already heavy workload vlabs have to deal with nowadays?
     
  15. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA

    Thinking the same thing.
     
  16. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK

    Yup. That's, by the way, one sub-topic of the AV tester workshop.
    Usually the words of such "testers" are: if the malware authors can create new malware in this way, we can do that too. That is (as you see here) a common thought among hobby testers. But let's speak frankly: there are several 100k files which are indeed malicious and nobody detects them. Nope, not even YOUR favorite AV application. Doesn't matter if it's KAV, NOD32 or BitDefender. Everyone has a huge backlog (and now please read this carefully!) compared to undetected files and NOT compared to other competition!

    And nobody in the AV industry has the time or resources to waste on unnecessary things which are not posing any real threat since they are so-called "test-samples".

    Does this mean the AV industry isn't good enough? They only need to set the right priorities! And that's why it is also important that the testers understand what is important and what is not. If you detect a single malware which is available only one time in the whole world and OTOH let an important virus pass which infects or is running on several thousand other machines, then you have failed your mission. You have put your priorities wrong then! Of course this single user will walk around telling other people "only AV xyz detected my malware" and maybe 15% of the people who read this will switch their AV based on this, but that doesn't mean it has better real-world protection.
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Thanks IC, now that I can understand. :)
     
  18. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven

    Thanks for the answer. I can't wait. :D
     
  19. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    I understand that there is a combined way to find malware: one is by a technical rule, the other is common sense. You can say priority; the white, grey and black packer lists are common sense, they are not very exact. The rules in heuristics are also based on common sense and statistics. So don't argue about which combined way is better; it all depends on you.
    Symantec uses technical rules more than common sense, so with less heuristics, much of its detection is reliable.
    AntiVir combines more common sense; it gives you more chance to find malware.
    But I have to remind every antivirus company: work hard to find more reliable and technical rules to fight against malware. Don't let the users make the decision when they see something suspicious. This is only useful to experienced users. For most common users it is a nightmare; all they think is that the malware writer has taken the initiative.
     