Virus Database Tool Idea:

Discussion in 'NOD32 version 2 Forum' started by ChaosBlizzard, Jan 7, 2005.

Thread Status:
Not open for further replies.
  1. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    I have read an Eset Moderator post that the production of virus signatures is automatic. If this is true, then couldn't a tool be made for the public/NOD32 users that would enable us to make our own signatures? Then you could allow the use of an "extended" database in conjunction with this tool.

    This of course would all be at the user's discretion and labeled advanced....

    After all, NOD32 is modular by design. :)
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    There must have been some kind of misunderstanding - virus signatures are added manually by engineers at Eset's lab.
     
  3. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
  4. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Hi ChaosBlizzard,

    That's a cool idea but I can see one problem with that.

    It would rely on the users to decide if the sample is an 'unwanted program' and could then increase 'false positives' when someone adds something they should not have.


    Cheers

    Jlo
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    If you don't selectively quote and read the rest of the post where the IMPORTANT info is

    Every sample is logged and examined using various methods. Addition of a sample-signature into the database is made on a need-to basis. Extraction of a signature of a sample is an automated process and could be completed in no time. However, Eset does not want to take part in a 'maximum-size-of-the-database' race and prefers to keep the database clean, i.e. without 'meaningless' benign signatures.


    What can be done automatically is the extraction of the virus code from the file sent in

    BUT what needs to be done manually is including the detections for that code in the database and instructing the antivirus how to "SAFELY" disinfect or remove the code from the file, or delete the file without causing any damage to Windows, as well as examining the file to see what other files on the computer it is linked with that also need to be fixed.

    I'm afraid there is no automatic for that, and that is very time consuming and detailed work.
     
  6. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    I don't see your point.. Is the statement "Extraction of a signature of a sample is an automated process and could be completed in no time." still not within its own sentence?

    The first statement before that one "Every sample is logged and examined using various methods" does not mean a human is doing this. If the first quote in this text lies true, then that would be part of the process. You wouldn't be able to automatically make a signature without first performing some type of analysis.

    If he didn't mean any of this, he should have reworded his statement.

    PS- Most people won't care if it's benign or not; would you let cancerous material stay within your body just because the tests come back that it is benign? The junk/broken virus/wannabe malware shouldn't be there to begin with.

    This is why we need at least some KIND of extended definition database.
     
  7. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    It's not a bad idea, however it can be used by malicious people: malicious people can extract code from a good application or even system files and then upload a "bad" database to a site. So, when the user installs that signature, the AV will detect good files as infected and novice users can delete the "infected" file. If I'm not wrong, there was an AV with that feature, however currently there aren't AVs with such a type of feature. I think that one of the motives is that malicious people can make bad use of that.
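    To make the concern above concrete, here is a constructed Python example (not ESET's code, and not from anyone in this thread): a byte signature lifted automatically from a sample happens to cover compiler code shared with clean files, so an unvetted database flags those clean files, while a vetting pass against a known-clean corpus rejects the signature before it is accepted. File names and byte contents are made up for the demonstration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed byte strings standing in for files. All three share the same
# compiler-generated prologue; only the malware carries the unique payload bytes.
SHARED_PROLOGUE = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57"
CLEAN_LIBRARY = b"MZ" + SHARED_PROLOGUE + b"\x90" * 16 + b"GetProcAddress"
CLEAN_PROGRAM = b"MZ" + b"\xcc" * 4 + SHARED_PROLOGUE + b"WinMain"
MALWARE_SAMPLE = b"MZ" + SHARED_PROLOGUE + b"\xeb\xfe" + b"DEMO-UNIQUE-PAYLOAD" + b"\x31\xc0"

# Known-clean corpus (hypothetical file names) used to vet candidate signatures.
CLEAN_SET = {"system.dll": CLEAN_LIBRARY, "editor.exe": CLEAN_PROGRAM}


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes


def lift_signature(name: str, sample: bytes, offset: int, length: int) -> Signature:
    """The 'automatic' step: copy raw bytes out of a sample, no analysis involved."""
    return Signature(name, sample[offset:offset + length])


def scan(data: bytes, signatures: list[Signature]) -> list[str]:
    """Return the names of all signatures whose pattern occurs in the data."""
    return [s.name for s in signatures if s.pattern in data]


def clean_hits(sig: Signature, clean_set: dict[str, bytes]) -> list[str]:
    """Known-clean files a signature would wrongly flag, i.e. its false positives."""
    return sorted(name for name, data in clean_set.items() if sig.pattern in data)


def build_database(candidates: list[Signature], clean_set: dict[str, bytes]):
    """Accept only signatures that hit no clean file; report the rest with the reason."""
    accepted, rejected = [], {}
    for sig in candidates:
        hits = clean_hits(sig, clean_set)
        if hits:
            rejected[sig.name] = hits
        else:
            accepted.append(sig)
    return accepted, rejected


def demo() -> dict:
    # Two candidates lifted from the same sample by the same automatic step.
    sloppy = lift_signature("Trojan.Demo.A", MALWARE_SAMPLE, 2, 9)      # only the shared prologue
    specific = lift_signature("Trojan.Demo.B", MALWARE_SAMPLE, 11, 21)  # the unique payload bytes
    accepted, rejected = build_database([sloppy, specific], CLEAN_SET)
    return {
        "unvetted_on_clean_file": scan(CLEAN_LIBRARY, [sloppy, specific]),  # false positive
        "vetted_on_clean_file": scan(CLEAN_LIBRARY, accepted),             # nothing flagged
        "vetted_on_malware": scan(MALWARE_SAMPLE, accepted),               # still detected
        "rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```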
     
  8. PLeX?

    PLeX? Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    28
    Location:
    Knoxville, TN USA
    I believe the point that Eset is trying to make is that, yes, they could do (and have the means to do) automatic database additions but that would make NOD32 like many others of the competition (slower and less efficient). But, NOD32 has demonstrated that their seemingly unique approach to selectively adding signatures is more effective, efficient, and faster.

    It seems the thread starter is asking why not have an additional module that would use the automatic database that could be turned on or off at the user's choice. Although it would seem possible, and correct me if I'm wrong, but I don't think anyone has really complained about getting infected with NOD32 running. Since NOD32 has a 100% track record with ITW viruses, why worry about 100% of zoo viruses since the likelihood of encountering one is extremely small. Even if you do encounter a zoo virus, the AH have proven that you have a much better chance of detecting it even without a signature than any other anti-virus.

    NOD32 seems to be getting better with time. All the hard work Eset has put in to keeping it lean and mean but still effective should not be taken lightly. Otherwise, if they keep adding and adding features, suddenly you'll end up with something like NAV :p.
     
  9. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    The point here is that creating single file fingerprint is only a small part of the process of adding to the database. You have to add the various parts of the malware, and most importantly you have to include a full routine for cleaning out an infection (a fair amount of people are going to find NOD32 after being infected.)

    Not to mention that they need to do research to find out if they even should include it in the database, if it contains anything new that can be made to detect heuristically, possibly share the findings with other vendors (and/or security community at large), etc etc.

    In short, NOD32 has to do more than just detect the installer, and the Eset analysts have more to do than just create one fingerprint.

    I also fully agree w/ Sir_Carew, there would be a lot of room for abuse and in the end would probably leave you more vulnerable.
     
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,768
    Location:
    Texas
    I will second that statement. Eset gave people what they asked for as far as features, and at the same time, gave others that don't necessarily want the full bore options the ability to turn them off.
     
  11. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    The virus signature database isn't what really determines the speed, it's the virus program's engine. NOD32's engine, correct me if I am wrong, is written in ASM. The only language faster than ASM would be binary....

    Also, someone was talking about how the fingerprint isn't good enough because it also must clean the infection.. Well, NOD32 is ICSA certified for detection, not cleaning. So it looks like you might say this, but it's not holding true with the product itself.
     
  12. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    That's true, however I think ICSA sucks. KAV and NOD aren't certified in the cleaning test and I'm 100% sure that NOD and KAV are able to clean ALL ITW malware from the system. Moreover, both KAV and NOD are certified in detecting and cleaning ITW malware in the Check Mark test.
     
  13. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    That's your opinion.. However ICSA has some tough standards that must be met before you can hold one of their certifications.

    ICSA for cleaning:
    http://www.icsalabs.com/html/communities/antivirus/certification/avcleancrit.shtml

    If NOD32 isn't certified for that, it must mean it fails in one of those regards. You shouldn't blame the tester, but what's being tested.

    PS- There is a reason why the next version of NOD32 is listed as having a better cleaning algorithm. The one NOD32 has now most likely isn't ICSA certifiable.
     
  14. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    I don't trust ***ANY*** test. Anyway, NOD32 passed the cleaning test in Check Mark. There are other AVs like NAV that are certified in the cleaning test at ICSA and I believe that NOD32 is a thousand times better than NAV in all aspects. So, that test sucks. ICSA doesn't include other important points like the heuristics (very important).
     
  15. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    The heuristics aren't, in my opinion, as important as the virus signature database. You're telling me you would rather have your AV guessing than truly knowing what it's reading...

    You don't trust any test, and yet you are talking about how NOD32 passed the Checkmark test? I do trust those tests, it's not like they can fake them. They don't favor one over the other. They aren't going to go "Oops, I disabled the AH and scanned instead so KAV could get a better score.."

    If all AVs are subjected to the same test, using the same methods, it is scientific. The only thing you can't compare is one AV company's tests over any others, as they each use different methods/virus code to test.
     
  16. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I'm not quite getting you.. are you trying the straw man argument here? What does this have to do with users making virus database signatures? Is your line of reasoning that because it's not ICSA certified for cleaning they should just throw out the cleaning engine?
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I would disagree with you on this point. Eset have the database covered, as do all others in the top 5 or so AV manufacturers. Where Eset excel is in capture of the unknown or day zero viruses/trojans etc through advanced heuristics...

    Cheers :D
     
  18. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    Notok, you assumed yourself I tried to start something. I have been listing facts, unless you want to disagree with that, then I suggest you stop trying to start something.

    PS- Because NOD32 uses heuristics it gets false positives... This wouldn't happen as much if it used the signature database more.

    Blackspear, you claim how good AH are, yet your company has them disabled by default....

    This conversation has been led way off topic and should be closed.
     
  19. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    You are beating a dead horse here. False positives are a common case with products without heuristics as well (KAV, NAV etc).

    Nowadays, heuristics engines have been tweaked in such a way that they don't produce as many FPs as they used to in the old days. Good (quality-made) heuristics engines such as NOD32's or Norman's sandbox have minimized FAs. The possibility of getting an FA is just as equal as with a product relying on classic virus database detection.

    Heuristics = False positives is very, very dated.

    tECHNODROME
     
  20. PLeX?

    PLeX? Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    28
    Location:
    Knoxville, TN USA
    This conversation is "off topic" due to the fact the requested addition to NOD32 is contrary to Eset's philosophy/approach to virus protection.

    Eset believes (like many here that use NOD32) that heuristics is extremely important in protecting a computer system. ChaosBlizzard and others believe that signatures are more important.

    As the signature database grows the amount of time required to compare the tested file grows as well. Therefore, keeping the database as small as possible keeps the impact on performance as small as possible. Since Eset usually takes more time to add a signature to their database than other AV companies, probably due to studying the virus more in depth, they rely on heuristics to give them the extra time they need to properly analyse a virus before adding it to the database. The proposed addition to NOD32 flies in the face of this idea and is why so many are here discussing heuristics instead of the "extended database" idea.

    ChaosBlizzard, I don't mean this personally, but your topic is almost a flame subject here and that's why you've seen this kind of response. I doubt you'll find many NOD32 supporters interested in a signature-centric approach to virus detection. If there were, we'd probably not be using NOD32. We are trying to explain why NOD32 is not the product to add this kind of feature to, because the belief in heuristics is why most of us use NOD32 in the first place.

    In a NOD32 world, there isn't as much import placed on virus removal. The key is prevention. Therefore, you won't need to remove a virus in the first place. Eset concentrates on prevention more than removal. Start with a clean machine...and keep it that way, with the least amount of impact on performance. There are a blue million free removal tools for viruses out there, but there is only one AV like NOD32.
     
  21. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    No, you have the definition of "off topic" incorrect. I am the original poster. Since my original post obviously has a topic, anything related to that post is ON topic. Anything not related to that original post is OFF topic. Besides, who are you to say it's against their beliefs? Did you discuss this matter with them?

    You think adding signatures to the database, a small "text" based file, will somehow increase the amount of time needed to scan a file? I assure you, with even a 1.0Ghz machine and a modern hard drive, you aren't going to notice anything. The other anti viruses, such as McAfee are slow because of the way they are programmed, not because of their "large definition databases".

    I wasn't aware that suggesting improvements was considered a flame. How silly of me to offer feedback on a product I BOUGHT.

    I haven't had one thing caught due to heuristics yet, so if I didn't have those signature files, I guess I would be infected.

    You don't have to lecture me on safe computing. I have been training myself for 7+ years with computers, I have one year of CISCO training. I am also in ITT-Tech right now studying CNS. I tested out of their PC Introduction course. I have even had a computer with something running RAM modules about the size of your arm, and the operating system was before DOS went to 16 bit.

    "Heuristics= False positives is very, very dated." I never said this, you are twisting my words. I said if an ENGINE RELIES on heuristics it gets more false positives.

    I believe NOD32 had the most false positives out of any other tested product.

    If you do wish to negate my statements, first read:
    http://www.pcworld.com/reviews/article/0,aid,115939,pg,4,00.asp

    ...."at the other end of the scale, Eset's NOD32 misidentified 31 clean files."

    I am not bashing NOD32, it is a very good product. However I feel you reject any and all suggestions for your product because you feel it can't be improved, and that it is FAR SUPERIOR to all of its counterparts. This is a misconception; NOD32 still needs improvements and/or isn't perfect.
     
  22. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    "AV-Test also scanned 20,000 clean files .... at the other end of the scale, Eset's NOD32 misidentified 31 clean files."

    I find that test a bit unbelievable in my real world experience with NOD and AH. I notice an occasional FP posted here but not that many. I use AH with the NOD32 on-demand scanner on a machine. On that 80GB drive it scans 285,000 files with no FPs.

    Are you seeing a lot of FPs with AH when you scan your hard drives? Do your scans with AH show around 31 FPs per 20,000 clean files?
     
  23. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I was generally speaking for those people who still believe that modern heuristics means a load of FAs.
    Regarding that test, I have over a million files on my computers and I have yet to see a False Positive from NOD32.


    tECHNODROME
     
  24. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Virus signatures can detect only already known malware. That's very good when you have known malware on your system. What happens if you have as yet unknown malware?
    My experience: I recommended that a friend buy NOD32. I analyzed her system using AH, and NOD32 recognized many malware as Probably unknown.... I packed all of these files into a RAR package. Later, I scanned it using KAV with the latest update and KAV detected 18 of 20 of these files. NOD using AH detected all 20. I submitted those trojans to Eset, and they now detect all 20 using signatures, so the 20 files are infected. If she had chosen KAV, she would still be infected with these 2 trojans that KAV with its huge database didn't detect. Thanks to NOD's heuristics, she no longer has these 20 trojans. Isn't heuristics important? That's 100% incorrect.
    I recall the Check Mark test because NOD passed a similar test that it failed in another test. Strange... If I recall, Check Mark is to show you that NOD was able to disinfect ITW malware, however I still don't trust those tests. Anyway, if NOD has many FPs, why does Eset have a record of winning the VB 100% test? Even more than KAV and NAV, which don't have good heuristics. FYI an AV needs to detect 100% of ITW malware without any FPs to get the VB 100% award.
    Currently, heuristics are much more important than virus signatures.
     
  25. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    Sir_Carew - That is 100% KNOWN ITW..

    Yes, you described the use of a signature, exactly why I like them, they are records of A SURE THING.

    So you have good experience with 20 files... How many viruses/Trojans/worms/malware other than those 20 are out there?

    To Stan999, no I don't see any misidentified files; however you are suggesting all systems have similar files. This is a false understanding of a computer system. Regardless of how many similarities one system has with another, it is different.

    I don't see what's so strange about NOD32 passing one test and failing another. It would only be consecutive if all companies used the same malware to test, which of course isn't the case.

    "..heuristic is much more important than virus signature. " - If that is the case, then why bother with signature updates? If that technology is more important then you should be fine with that alone.

    Also, the highest detection rate I have seen AT ALL with just heuristics is just around 80%. Others claim only about a 53% detection rate of unknown malware with AH enabled in NOD32.

    Heuristics are a backup technology, even the Eset Company would agree on this. It is not meant to replace definitions.
     
Thread Status:
Not open for further replies.