Setting heuristics to high?

Discussion in 'other anti-virus software' started by bollity, Mar 24, 2012.

Thread Status:
Not open for further replies.
  1. bollity

    bollity Registered Member

    Joined:
    May 9, 2009
    Posts:
    179
    Suppose we have a sample of 100 malware files and the antivirus detected 80 with heuristics set to normal.
    How many of them would we expect to detect with heuristics set to high?
    Forget about false positives, because they are not the point here.

    Quotation from AV-Comparatives reports:
    "Avast, AVIRA, Kaspersky, Symantec: asked to get tested with heuristic set to high/advanced. For this reason, we recommend users to consider also setting the heuristics to high/advanced."
     
  2. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    Impossible to say or guess: either none, all, or something in between.

    "Avast, AVIRA, Kaspersky, Symantec: asked to get tested with heuristic set to high/advanced. For this reason, we recommend users to consider also setting the heuristics to high/advanced."
    That doesn't account for the fact that many vendors employ a multi-layered approach; many of them apply the high(est) level of heuristics on execution (rather than on access) out of the box.
     
  3. Sherlock_Holmes

    Sherlock_Holmes Registered Member

    Joined:
    Mar 21, 2010
    Posts:
    1,448
    Location:
    Mumbai
    So some antivirus products automatically raise the heuristics level when we execute something, even if we have set normal heuristics in the options?
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    This differs per product; each has its own heuristics, and some products' high settings are more or less sensitive than others'.
     
  5. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    Basically, yes. Some vendors have hardcoded a heuristics level for the execution of applications, which is unrelated to the heuristics applied for read/write/modify operations on files. Why would you unnecessarily tax performance on all those operations when you can protect the machine with just higher heuristics on execution, without that much of a tax on performance? I don't care about inert files lying somewhere on the disk.
    With KIS the highest heuristics level in FileAV and on-demand scans is 10 (default is 1, Low). When you execute applications the heuristics level used is 100, that is ten times more than you can possibly set in FileAV/ODS.
    ESET has similar behavior, MSE as well AFAIK.
     
  6. bollity

    bollity Registered Member

    Joined:
    May 9, 2009
    Posts:
    179
    Sorry, but I am talking here about real-time scanning, not only on-demand scanning.
    So you think avast, for example, whose default real-time heuristics are set to normal, raises them automatically to high on execution of applications?
     
  7. get_it

    get_it Registered Member

    Joined:
    Aug 28, 2007
    Posts:
    99
    Essentially, setting detection to high is a method of weighting statistics to one's own advantage. I think ALL products should be tested with out-of-the-box (default) settings. Otherwise, what is the purpose of testing security applications with differing levels of sensitivity? Makes no sense.

    I purchase four two-litre vehicles; the engines are similar in output power and other tech specs. I leave everything stock, no modifications etc. Race each car around the same track (in an ideal world we shall assume the same driver controls each of the cars precisely the same: braking, turning, throttling etc.).

    With these default/normal settings, we shall establish an initial BASELINE of results, which can then later be used as a reference frame for when we wish to adjust and tweak other settings.

    If there are other modes available in the car (sport, off road etc.) then these can be tested later, with all vehicles adjusted similarly to mimic each other/obtain the closest test settings.

    Then one can compare the results of the new adjusted/tweaked settings to the initial baseline results to determine the variance +ve or -ve.
     
    Last edited: Mar 24, 2012
  8. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    I'm talking about real-time scanning as well; real-time heuristics = on-demand heuristics in the case of KIS. :) Go to http://av-comparatives.org/ , select Comparatives/Reviews > Single product reviews > Archive single product > Kaspersky Internet Security v8 (proactive test) from May 2008. ~15% increase in proactive detection via on-execution heuristics compared to the maximum possible heuristics in real-time/on-demand protection.

    I don't know about avast, someone who is more in the know can comment on it.
    Edit: ^ probably yes, because their sandbox relies on how suspicious the program looks when executed, probably with increased heuristics compared to the High setting in real-time protection.
     
    Last edited: Mar 24, 2012
  9. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I always set them to High. So far no AV apart from Comodo has generated excessive false positives because of that. In fact, in the case of avast! and AVIRA I only got a few over very long periods of time.
     
  10. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe

    What is the purpose of NOT setting a security software to the highest level? This makes no sense IMO.
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    To avoid nannying the security software instead of using the PC :D
    (e.g. HIPS pop-ups, false positives reporting, conflicts with other applications)
     
  12. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe

    Many people, here too, believe that the intent of HIPS's pop ups is to bore the user :rolleyes: :rolleyes: and not to protect the system. :D
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    Yeap, but that's why "defaults" exist... Normally the best compromise between security and usability, and that's one important factor for judging the solidity of a security tool: giving the maximum without boring the everyday user. Most users (not the Wilders type) are clueless in terms of the best choice to make. :)
     
    Last edited: Mar 25, 2012
  14. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Generally speaking one should always set it to high. The difference in detection is not insignificant but probably not going to put it in a new league anyway.

    Some products generate quite a few FPs if you are not connected to the internet since they rely on the cloud for verification of detections (e.g. PC Tools, AVG).
     
  15. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    The defaults are usually great because they are often set to be in good balance between protection and PC performance.
     
  16. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I always use High heuristics with avast! and haven't got any false positives because of it so far. avast! staff said the High setting also enables packer detection for very popular malware-only packers, where Normal sensitivity only triggers regular heuristic analysis with very few malware-only packer detections.
    But like I said, no false positives based on that, while detection is probably a bit better in general.
     
  17. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Out of the few examples I've seen around the net, usually the difference is small. :D (I've seen some detection tests done with default and high heuristics.)
    I don't remember the sources, d00d, so don't ask for them :D
     