Setting heuristics to high ?

Suppose we have a sample of 100 malwares and the antivirus detected 80 with heuristics set to normal.
How many malwares we expect to detect with heuristics set to high?
Forget about false positives because it is not the point here.

Quotation form AV-Comparatives reports:
"Avast, AVIRA, Kaspersky, Symantec: asked to get tested with heuristic set to high/advanced. For this reason, we recommend users to consider also setting the heuristics to high/advanced."

 

Impossible to say guess, either none, all, or something in between.

"Avast, AVIRA, Kaspersky, Symantec: asked to get tested with heuristic set to high/advanced. For this reason, we recommend users to consider also setting the heuristics to high/advanced."
That doesn't account for the fact that many vendors employ a multi-layered approach, many of them apply high(est) level of heuristics on execution (rather on access) out of the box.

 

So some antivirus automatically raise the heurestics level when we execute something even if we have set normal heurestics in the option ?

 

This differs per product, each have their own heuristics and some products high settings are more or less sensitive than others'.

 

Basically, yes. Some vendors have hardcoded a heuristics level for execution of applications, which doesn't relate with heuristics applied for read/write/modify operations on files. Why would you unnecessarily tax performance on all those operations when you can protect the machine with just higher heuristics on execution without that much of a tax on performance. I don't care about inert files laying somewhere on the disk.
With KIS the highest heuristics level in FileAV and on demand scans is 10 (default is 1- Low). When you execute applications the heuristics used is level 100, that is ten times more than you can possibly set in FileAV/ODS.
ESET has similar behavior, MSE as well AFAIK.

 

Sorry but I talk here about real time scan not only on-demand scan.
So you think avsat for example which default real time heuristics to normal is raising it automatically to high on execution of applications?

 

Essentially setting detection to high is a method of weighting statistics to ones own advantage. I think ALL products should be tested with out-of-the-box (default) settings. Otherwise, what is the purpose of testing security applications with differing levels of sensitivity? Makes no sense.

I purchase four, two-litre vehicles, the engines are similar in output power and other tech specs. I leave everything stock, no modifications etc. Race each car around the same track (in an ideal world we shall assume the same driver controls each of the cars precisely the same, breaking, turning, throttling etc.)

With these default/normal settings, we shall establish an initial BASELINE of results which, can then later be used as a reference frame for when we wish to adjust and tweak other settings.

If there are other modes available in the car, sport, off road etc then these can be tested later, with all vehicles adjusted similarly to mimic each other/obtain closest test settings.

Then one can compare the results of the new adjusted/tweaked settings to the initial baseline results to determine the variance +ve or -ve.

 

I'm talking about realtime scan as well, realtime heuristics = on demand heuristics in case of KIS. Go to http://av-comparatives.org/ , select Comparatives/Reviews > Single product reviews > Archive single product > Kaspersky Internet Security v8 (proactive test) from May 2008. ~15% increase in proactive detection via on execution heuristics compared to maximum possible heuristics in realtime/on demand protection.

I don't know about avast, someone who is more in the know can comment on it.
Edit: ^ probably yes, because their sandbox is relying on how suspicious the program looks like when executed, probably with increased heuristics compared to High setting in realtime protection..

 

I always set them to High. So far no AV apart from Comodo generated excessive false positives because of that. In fact, with avast! and AVIRA case i only got few in very long periods of time.

 

What is the purpose to DON'T set a security software to the highest level ? This make not sense IMO.

 

To avoid nanny the security software instead of using the PC
(e.g. HIPS pop-ups, false positives reporting, conflicts with other applications)

 

Many people, here too, believe that the intent of HIPS's pop ups is to bore the user and not to protect the system.

 

Yeap, but that's why "defaults" exist... Normally the best compromise between security and usability and thats one important factor to judge the solidity of a security tool. Giving the maximum without boring the everyday user. Most users (not wilders type) are clueless in terms of the best choice to take.

 

Generally speaking one should always set it to high. The difference in detection is not insignificant but probably not going to put it in a new league anyway.

Some products generate quite a few FPs if you are not connected to the internet since they rely on the cloud for verification of detections (e.g. PC Tools, AVG).

 

The defaults are usually great because they are often set to be in good balance between protection and PC performance.

 

I always use High heuristics with avast! and haven't got any false positive because of it so far. avast! staff said High setting also enables packer detection for very popular malware only packers where Normal sensitivity only triggers regular heuristic analysis with very few malware only packer detections.
But like i said, no false positives based on that while detection is probably a bit better in general.

 

Out of the few examples i've seen around the net, usually the difference is small. (I've seen some detection tests done in default and high heuristics)
I don't remember the sources d00d, so don't ask for them