The difference between proactive defence and heuristics!

Discussion in 'other anti-virus software' started by Firefighter, Oct 29, 2005.

Thread Status:
Not open for further replies.
  1. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    I want some good examples (3...4) of each! Only AVs are what I'm interested in. :doubt:

    Best regards,
    Firefighter!
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    The only example that I can think of is that proactive defense will not detect a new virus/trojan/whatever with an On-demand scan (Proactive=Real time only). Heuristics, on the other hand, can be used On-Demand.

    Also, ~maybe~ proactive defense just protects the PC as the virus executes (based on the actions of the infected file, stops the file before it does something seriously bad), and not by means of analysing the code inside the file before/on execution.....:doubt:
     
  3. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    I have a Buffalo WBR2-G54 WLAN in my laptop and I disabled my Outpost Pro Firewall and did some surfing on the nastiest sites ever, lasting some 2 hours. Why couldn't I get anything nasty for my own collection?

    Best regards,
    Firefighter!
     
  4. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Pro-active just means detecting/preventing new, unknown malware. This can actually be achieved with various methods: heuristics, variant detection, integrity checking (black and/or white lists), behaviour blocking/API monitoring and so on.

    Heuristics aren't limited to file scanning. You can apply heuristics on API monitoring which is behaviour blocking like TruPrevent does for example.
    Process Guard, PREVX or SSM are just API monitors, containing no kind of heuristics to rate the monitored API calls. They simply let the users decide what is dangerous and what is not.

    NOD32 is much more effective in detecting variants than its plain heuristic detection (though the heuristic seems to get used to gather the required information to perform the actual variant detection).

    So there is no difference between pro-active and heuristic detection, heuristic is just a subset of possible pro-active detection methods.
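Stefan's distinction between a plain API monitor (which only escalates every sensitive call to the user) and heuristics applied to API monitoring (which rate the monitored calls and decide) can be shown in code. The following is an added example, not code from the thread or from any of the products named; the hooked call names, the rules, their weights, the threshold and the two traces are constructed assumptions.

```python
# Added example (not from the thread): a minimal API monitor in two flavours.
# Both see the same trace of monitored API calls. The plain monitor has no
# rating logic and asks the user about every sensitive call; the heuristic
# monitor scores the whole sequence and blocks only above a threshold.
# Hooked call names, rules, weights and traces are illustrative assumptions.
from dataclasses import dataclass, field

# Hypothetical set of calls a behaviour blocker might hook (assumption).
SENSITIVE_CALLS = {
    "WriteProcessMemory", "CreateRemoteThread", "SetWindowsHookEx",
    "RegSetValueEx", "CreateFile", "WriteFile", "InternetOpenUrl", "DeleteFile",
}


@dataclass
class Verdict:
    action: str                 # "allow", "ask_user" or "block"
    score: int = 0
    reasons: list = field(default_factory=list)


def plain_api_monitor(trace):
    """Pure API monitor: no rating, every sensitive call goes to the user."""
    asked = [c["api"] for c in trace if c["api"] in SENSITIVE_CALLS]
    return Verdict("ask_user", reasons=asked) if asked else Verdict("allow")


# Heuristic rules over the whole trace: (description, weight, predicate).
def _writes_to_run_key(trace):
    return any(c["api"] == "RegSetValueEx"
               and "CurrentVersion\\Run" in c.get("arg", "") for c in trace)


def _injects_into_other_process(trace):
    apis = {c["api"] for c in trace}
    return "WriteProcessMemory" in apis and "CreateRemoteThread" in apis


def _drops_executable_then_autoruns(trace):
    dropped = any(c["api"] == "CreateFile"
                  and c.get("arg", "").lower().endswith(".exe") for c in trace)
    return dropped and _writes_to_run_key(trace)


RULES = [
    ("persistence via Run key", 3, _writes_to_run_key),
    ("code injection into another process", 5, _injects_into_other_process),
    ("drops executable and registers autostart", 4, _drops_executable_then_autoruns),
]
BLOCK_THRESHOLD = 6   # assumed cut-off


def heuristic_api_monitor(trace):
    """Behaviour blocker with heuristics: rate the sequence, then decide."""
    score, reasons = 0, []
    for desc, weight, pred in RULES:
        if pred(trace):
            score += weight
            reasons.append(desc)
    if score >= BLOCK_THRESHOLD:
        return Verdict("block", score, reasons)
    if score > 0:
        return Verdict("ask_user", score, reasons)
    return Verdict("allow", score, reasons)


# Constructed sample traces (not real captures).
BENIGN_INSTALLER = [
    {"api": "CreateFile", "arg": "C:\\Program Files\\App\\app.exe"},
    {"api": "WriteFile", "arg": "C:\\Program Files\\App\\app.exe"},
    {"api": "RegSetValueEx", "arg": "HKCU\\Software\\App\\Version"},
]
SUSPICIOUS = [
    {"api": "CreateFile", "arg": "C:\\Windows\\Temp\\svc.exe"},
    {"api": "WriteFile", "arg": "C:\\Windows\\Temp\\svc.exe"},
    {"api": "RegSetValueEx",
     "arg": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
    {"api": "WriteProcessMemory", "arg": "explorer.exe"},
    {"api": "CreateRemoteThread", "arg": "explorer.exe"},
]

if __name__ == "__main__":
    for name, trace in [("benign installer", BENIGN_INSTALLER), ("suspicious", SUSPICIOUS)]:
        print(name, "| plain:", plain_api_monitor(trace).action,
              "| heuristic:", heuristic_api_monitor(trace))
```

Run as-is, the plain monitor returns "ask_user" for both traces, so the user carries the whole decision; the heuristic monitor allows the installer (score 0) and blocks the second trace (score 12), which is the difference Stefan draws between an API monitor and heuristics layered on one.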
     
  5. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    We have two kinds of detection technologies.
    "Reactive" like signatures and "proactive" like heuristics.

    Reactive are regular pattern signatures and generic signatures to some degree.
    Heuristics is just another word for proactive methods.
    These can be behaviour blocking like Panda TruPrevent or the upcoming Kaspersky Proactive Defense, they can be virtual environments like Sandbox and HiVE (and also ThreatSense according to the latest info from ESET). And then there are "standard" code analyzers like VBA32's Paranoid Heuristics, AntiVir Heuristics, ArcaVir heuristics, DrWeb heuristics etc... (I used "standard" because these don't exactly use the old code analyzing that was used a decade ago)
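RejZoR's split between reactive detection (exact pattern signatures, generic signatures "to some degree") and proactive code analysis can be shown as three layers run over the same bytes. This is an added example, not from the thread or from any product mentioned; the samples, the shared code stub, both signatures, the API-name list, the entropy limit and the weights are all constructed for illustration.

```python
# Added example (not from the thread): three detection layers over constructed
# byte strings. An exact signature is reactive (it knows one sample), a generic
# signature covers a family by wildcarding the bytes that vary between variants,
# and a static heuristic rates features of a file it has never seen.
# Every sample, signature, string and weight below is made up for illustration.
import math
import re
from collections import Counter

STUB = b"\x55\x8b\xec\x83\xec\x40"                 # constructed code stub shared by one "family"
IMPORTS = b"URLDownloadToFile\x00WinExec\x00"      # constructed import-name strings

# Constructed "files": a known sample, a variant that differs only in its
# trailing 20 bytes, a new family with no shared stub, and a clean file.
KNOWN_SAMPLE = b"MZ" + b"\x90" * 8 + STUB + IMPORTS + b"A" * 20
VARIANT_SAMPLE = b"MZ" + b"\x90" * 8 + STUB + IMPORTS + b"B" * 20
NEW_FAMILY = b"MZ" + bytes(range(64)) + b"WinExec\x00CreateRemoteThread\x00"
CLEAN_FILE = b"MZ" + b"hello world, this is a plain text-like payload. " * 3

# Reactive layer 1: exact signature, fixed to one sample's bytes.
EXACT_SIGNATURE = STUB + IMPORTS + b"A" * 20
# Reactive layer 2: generic signature, stub + imports then any 20 bytes.
GENERIC_SIGNATURE = re.compile(re.escape(STUB + IMPORTS) + rb".{20}", re.DOTALL)


def exact_match(data):
    return EXACT_SIGNATURE in data


def generic_match(data):
    return GENERIC_SIGNATURE.search(data) is not None


def shannon_entropy(data):
    """Bits per byte; high values hint at packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Proactive layer: static heuristic features with assumed weights.
SUSPICIOUS_STRINGS = [b"URLDownloadToFile", b"WinExec",
                      b"CreateRemoteThread", b"WriteProcessMemory"]
ENTROPY_LIMIT = 5.5          # assumed cut-off for this toy data
HEURISTIC_THRESHOLD = 4      # assumed score at which the file is flagged


def static_heuristic(data):
    score, reasons = 0, []
    ent = shannon_entropy(data)
    if ent > ENTROPY_LIMIT:
        score += 3
        reasons.append(f"high entropy {ent:.2f}")
    for s in SUSPICIOUS_STRINGS:
        if s in data:
            score += 2
            reasons.append(f"references {s.decode()}")
    return score >= HEURISTIC_THRESHOLD, score, reasons


def scan(data):
    """Layered verdict: exact, then generic, then heuristic; says which layer fired."""
    if exact_match(data):
        return "known sample (exact signature)"
    if generic_match(data):
        return "known family (generic signature)"
    flagged, score, reasons = static_heuristic(data)
    if flagged:
        return f"suspicious (heuristic score {score})"
    return "clean"


if __name__ == "__main__":
    for name, data in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                       ("new family", NEW_FAMILY), ("clean", CLEAN_FILE)]:
        print(f"{name:11s} -> {scan(data)}")
```

The exact signature catches only the sample it was written for; the generic one also catches the byte-level variant but nothing outside that family; only the heuristic layer flags the new family, at the cost of being a score rather than a certain match, which is why RejZoR counts generic signatures as reactive and code analysis as proactive.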
     
  6. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,102
    Hi Firefighter,

    You pose an interesting question, i.e. just what is meant by a proactive defence and heuristics, and where and when they are applied.

    For example, I take the following to be the definition of proactive:
    Acting in advance to deal with an expected difficulty; anticipatory: proactive steps to prevent infection such as immunization. For example, installing an AV may be considered equivalent to getting immunized against known infections represented by entries in a signature data base of the AV.

    Also, I take the following to be the definition of heuristic:
    A rule of thumb, simplification, or educated guess that reduces or limits the search for solutions in domains that are difficult and poorly understood. Unlike algorithms, heuristics do not guarantee optimal, or even feasible, solutions and are often used with no theoretical guarantee. So, heuristic rules attempt to ferret out unrecognized behavior as candidates for further inspection.

    As Stefan has mentioned heuristics can be applied at various points along the vector of an attack, one such being API monitoring.

    As for proactive defence, one can imagine a firewall cache, either hardware or software, whereby scans are made of incoming traffic including fragmented packets that go beyond Stateful Packet Inspection (SPI). Identifying culprits at the earliest opportunity would then be the signature of a proactive defence. Also, one needs to cover all attack vectors to shore up the defence, not just the firewall.

    The difference between non-heuristic vs heuristic would be in the decision making process whereby at the firewall cache both signature scans of known worms, trojans and other interlopers would be applied followed by heuristic driven scanning rules attempting to weed out abnormal behaviors.

    If I turn off my (AV) PC-Cillin Internet Security 2005 firewall (while turning on another), I lose PC-Cillin's firewall's network virus/worm detection capabilities and so may open up an opportunity to be attacked unless the other firewall at least stealths all of my ports and other scanning AV tools I have in place are adequate to protect my computer. In part, this depends on where I surf!

    With the increasing feature add-ins to firewalls that prevent the likes of dll injection, piggybacking as threads to compromised processes, and otherwise behaving in a rootkit stealthy-like way possibly compromising kernel data structures, it is no wonder that the distinction between firewalls and other categories of products like AV, AS, AT, ADS, and AKL have become blurred.

    Virtual environments seem to offer a way out of the blurred distinctions, but possibly could also be compromised as interlopers become more sophisticated with their intrusion techniques - note the HyperThreading compromise of P4 as reported earlier this year - not a well known threat yet one that could be utilized.

    The main message is to seek to implement a multi-layered security strategy possibly overlaying capabilities as catchall-in-the-middle where other precautions fail or are compromised, i.e. AVs are just not enough in a well thought out multilayered security strategy.

    -- Tom
     
  7. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O

    IE configured too tight?
    allow auto downloads, drive by installs, activex, javascript

    or get an unpatched XP
     