Virus Database Tool Idea:

Discussion in 'NOD32 version 2 Forum' started by ChaosBlizzard, Jan 7, 2005.

Thread Status:
Not open for further replies.
  1. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Hi ChaosBlizzard,

    I still find it very strange that in the test you referenced they found 31 FPs using NOD and AH when checking with just 20,000 clean files.

    However, you just stated you don't see any. I don't see any checking 285,000 files, and tECHNODROME posted none with over a million files.
    I do see a few FPs posted from time to time here, but nowhere near anything remotely close to 31 FPs per 20,000.
     
  2. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    I don't agree that Heuristics are just a "backup technology". I view NOD's AH as a good proven first line defence that can help identify major zero-day infections in a lot of cases.

    https://www.wilderssecurity.com/showthread.php?t=42010
    https://www.wilderssecurity.com/showthread.php?t=58482

    Also Retrospective/ProActive Test:
    http://www.av-comparatives.org

    I have NOD on one machine, and one of the other top AVs on two machines. They are both good at detecting current infections with definitions. However, I feel more comfortable with NOD running resident (both AMON and the HTTP scanner) because NOD stands a better chance of detecting 'zero-day' infections than a lot of other AVs.
     
  3. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    Like I said every system is different. There is no way of telling what they had installed, or what websites they visited before they ran the scan...

    Well, it is a backup technology. What do you think came out first? Virus database technologies or AHs? Seeing as the AHs are designed to GUESS if something is bad or not, that seems pretty much like something for "backup" to me...

    Call me crazy, but if something is only making an estimate of whether something else MIGHT be no good for the system, that isn't something you would want to rely on. If so, then ask Eset why AH isn't enabled by default.. If you ask me, it is a false sense of security.

    I will be going into Network Security for my major. There is NO way I would tell a corporation they are "safe" because their anti-virus can guess. Do you have any idea how fast you would get fired? You are letting their network take a risk because the anti-virus can guess.
     
  4. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Almost seems statistically impossible for them to have 31 FPs for 20,000 clean files when compared to what others post from real-world experience.
     
  5. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Yes, that is the use and also the bad point of signatures: ONLY ALREADY-KNOWN MALWARE.
    No, I have experience with about 7,000 different classes of malware. I collect malware, and NOD32 with AH and without signatures is able to detect close to 70%, and those are zoo samples; I'm NOT considering ITW, because NOD32 can detect close to 90% of ITW malware.
    It is strange that NOD32 passed one test and not the other *similar* one, because both tests are based on the WildList (SAME SAMPLES).
    Backup technology? Nah, signatures are a backup technology, to add malware by name, because if the heuristic detects the malware, it isn't so important that the signature detects it too, only to give it a name.
    Anyway, you're wrong: with signatures there are FPs too. And I prefer an AV with strong heuristics and few FPs to an AV based on signatures, which in any case is impossible too (I found FPs in KAV too).



     
  6. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    Since when are computer security statistics always uniform?

    I'm wrong? I assume you work with Computers for a living? Or at least have some kind of training to come to this conclusion?

    Funny how you now say 90% ITW viruses... I could have sworn you said 100% earlier. How can a signature be backup technology? If something matches the signature 100%, it isn't backing anything up, it's doing the identification without any help. I think you are getting the term backup confused.

    Also, you are wrong, not all testing companies use the same samples. What's considered ITW is up to the testing company to determine. ITW might be different in certain parts of the world. You must remember the Internet is very large, so ITW might not be the same for one region as it is the other...
     
  7. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Not a false sense of security for me but actual experience.
    As noted: https://www.wilderssecurity.com/showthread.php?t=42010
    https://www.wilderssecurity.com/showthread.php?t=58482

    I guess we will just have to agree to disagree about the value of NOD's AH as a proven first line of defence against some major "zero-day" infections.
    I would much rather have that real-time warning as opposed to waiting for the time span until a definition is available and also updated by the end user, during which time they may be infected.
     
  8. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    The WildList considers the same ITW samples, so if a test is based on the WildList, the samples are the same. Please write here where I said that NOD detects 100% of ITW samples using heuristics. I said in another post that NOD with signatures detects 100% of known ITW samples.
    Do you think that I have no experience with PCs? Please tell me your argument. A valid argument, please.

     
  9. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    I myself would not prefer to get a false warning. You could end up deleting something vital to the system operation. Eset themselves warn that this can happen.

    Most students and all the professors in my tech school recommend that you should not put so much trust in a technology as to lead you to a sense of security. That sense of security may be false. In any case, if both technologies fail, you can become infected and not even know it.

    So it is important to monitor your own process list in any event.

    I will agree to not agree, but as a professional I wouldn't advise any of my clients to put that much faith in Heuristics... Most IT professionals won’t either.
     
  10. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    I have given you a valid argument. I asked you if you worked with Computer systems, and you answered that question with a question. Therefore I can't assume you work with them. That would be a false judgment on my part.

    Would you provide something that says all ITW samples are the SAME?

    I do have something you can read:
    http://viruspool.vanderkooij.org/

    The archive of ITW samples is not ORGANIZED.

    http://www.plastic-buckles.com/catalog.html

    Those ITW samples are governed by region, as noted in the above URL.

    You obviously didn't know this, or you wouldn’t have stated what you did.
     
  11. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    And do you recommend to your clients to put much faith in signatures? Sorry, but if you recommend not putting too much faith in heuristics, you should do the same for signatures. With signatures, you're protected only from known malware that was analyzed first by the analysts at the company.
    I repeat again: with signatures there are FPs too. Don't you think so?

     
  12. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    I never said that either. There is a reason why most administrators block executables and/or installations by the user, as I do.

    I put more faith into signatures, yes, but NOT as much as into standard safe computing or securing the network to begin with in a proper manner.
     
  13. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Working with computers doesn't mean that you're a professional in computers. You can work with computers cleaning the screen, and you aren't an expert, but you're working with PCs too :D
    And you're wrong, I work with PCs and I get money from that.
    Oh, I forgot something: many hackers aren't "professionals" in computers because they don't have a degree; however, many of them know much more than experts with a degree.



     
  14. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    I work in the IT industry; this does make me a professional. My professor could argue with you on that one. I work as a computer repair technician; I don't clean any other screen than my own.

    I also stated before that I have CISCO training. I am also continuously gaining more knowledge through schooling, even though I have 7+ years of working with PCs in the past. This is my career, it's what I do.
     
  15. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    I think that there are 2 main areas in computers: hardware and software. I don't think that a good expert in hardware can know the same as a good expert in software, and vice versa.
    >>I don't clean any other screen than my own.
    Don't feel that I'm insulting you. I put that in because working with computers doesn't mean that I'm an expert. I don't know if you're an expert or not, but if you say you are an expert, I trust you, even considering that on the Internet anyone can lie.
    WildList: http://www.wildlist.org/wild_desc.htm
    Many experts from many companies and countries report different samples to consider as ITW samples and thus create a list with "ITW" malware, considering many samples that aren't massive in all countries.


     
  16. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    So you are now agreeing that not all companies use the same ITW samples? Also, I program lightly in Visual Basic 6 SP6. I also used to program for years in HTML 4.1. If you need that much proof I can send you, or post somehow, one of my written applications.

    I have written a database program for any company or person that wants to store employee information. Granted I did it for educational use, it would probably function just fine in a real environment.

    I am not taking any of your information as an insult. I am fine arguing, trust me, I do this sort of thing every day, whether it is a debate in class or on the Internet.

    PS- As for hardware, I have built a dual Pentium III system with RAID and other various features. I have also repaired motherboards before using a soldering station... The capacitors went bad on a few of my motherboards and some friends', and I replaced them with Panasonic caps.
     
  17. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    I believe some folks shoot themselves in the foot by limiting themselves to just one school of thought. Heuristics are improving all the time, and NOD's AH has a proven track record to date and continues to improve with very few FPs. Even definitions can result in FPs.

    https://www.wilderssecurity.com/showthread.php?t=58482

    Some AVs' heuristics can provide that all-important "zero-day" defense if used correctly. To just advise folks to rely solely upon good computer practices and AV definitions may be a disservice in my mind.
     
  18. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    You keep making reference to this very forum. Isn't that one school of thought?

    We all do it, however I am going to stick to my views. I haven't had a client complain or become infected with any major threat yet. If they keep their DATs updated then I don't have problems. It's when they neglect their updates that I have issues I have to fix for them. That is the only reason why I said "no major" threats yet.. If you secure the system/network to begin with, you can make it almost impossible to compromise.

    You shouldn't allow the typical user to install anything.

    Besides, I believe my professor knows enough. He does have two master's degrees and is working on his PhD.

    Also, if the Eset company takes such care with their AH, as you say they do, then their definitions should have fewer FPs than their AH...

    It's a good discussion in any case.
     
  19. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    One thing I have learned in the years I have been testing and using antivirus programs is that I won't use one that does not have decent heuristics; viruses are written much faster than the AV companies can release definitions. Even if heuristics only give me a small percentage of extra protection over just straight definitions, it is worth it to protect my computer. I have too much invested in it to not give it that little extra bit of protection. But everyone to their own preference.

    bigc
     
  20. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    This is why anti-virus companies combine them. I prefer definitions over heuristics, but if you choose to use heuristics you should make sure the DATs are up to date. Also, if you are going to use heuristics, you should always consider the things the anti-virus nabs using them. The "thing" it nabs might not be something you want to get rid of.

    At least we all use AV software here.. You would be amazed at the amount of people who use NOTHING. No AV, no spy ware scanner, and no firewall. Almost every time I get a call is when the user lacks one of the three.
     
  21. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Agreed.
    Heuristics aren't a technology of "guess that this file is infected and the other not".
    Heuristics report a suspicious file because they know that there is something strange in the file. Heuristics are something like artificial intelligence.
    Well, anyone can prefer/think anything. I gave enough arguments about why I prefer heuristics over signatures.
    Many people use AV too, but without updating it.

     
  22. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Here's a good article to consider. IMO relevant to the whole of this thread..

    Detecting Complex Viruses
    http://www.securityfocus.com/infocus/1813

    Agreed, balance is key.. as is much in life ;)
     
  23. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    How is it not guessing if it is suspecting a file due to suspicious activity? That doesn't really make any sense. It can't be suspicious if you are not guessing. A definition is exactly what it states: it either is or it isn't. Heuristics however label things that are unknown or "in-between". If it's unknown and being identified, then it sounds like a guess to me.

    A.I. isn’t as advanced right now as you think it is, not in consumer products anyway. Currently we are in the fourth generation of Computers. A.I. is considered to be a fifth generation technology.
     
  24. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    I know I used to have people come in my shop with a computer that wouldn't run that had an antivirus program that had never been updated and no firewall. They can sure get screwed up like that.

    bigc
     
  25. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    Yes and they usually don't know how to run standard maintenance.. Oh well, it's money in our pockets.. :p

    "http://www.securityfocus.com/infocus/1813"

    Whilst written by workers from Symantec, it was still a nice read. It's nothing that you probably haven't read in pursuit of a good AV, but nonetheless worth reading.
     
    Last edited: Jan 10, 2005