What is the difference.....

Discussion in 'other anti-virus software' started by Starrob, Aug 10, 2005.

Thread Status:
Not open for further replies.
  1. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    .....between heuristics and a behavior blocker? Is there a difference?



    Starrob
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    "Heuristics" typically refers to "fuzzy" signatures, i.e. the ability to detect variants of known malware while behaviour blocking normally refers to controlling/limiting the actions that a program can take, i.e. it focuses on what happens when a program is run. There is overlap though as vendors may use these terms differently.
     
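To make the distinction above concrete, here is an added illustration (not from this thread or any vendor's product): a wildcarded byte signature that still catches a byte-patched variant of a constructed sample, beside a behaviour policy that scores what a program does at run time. All samples, traces, rules and weights are constructed for the example.

```python
import re
from fnmatch import fnmatch
from typing import Iterable, List, Tuple

# --- Heuristics as "fuzzy" signatures: judge the bytes, tolerate variants ---

def fuzzy_signature(pattern: str) -> "re.Pattern[bytes]":
    """Compile a hex signature where '??' matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

# Constructed data: a "known" sample, a byte-patched variant, and a benign file.
KNOWN   = b"MZ\x90\x00PUSHEBP\x12\x34GetProcAddress\x00\x00"
VARIANT = b"MZ\x90\x00PUSHEBP\xab\xcdGetProcAddress\x00\x00"
BENIGN  = b"MZ\x90\x00hello world program\x00\x00"

# 'PUSHEBP' ?? ?? 'GetProc': the two wildcarded bytes are where variants differ.
SIG = fuzzy_signature("50 55 53 48 45 42 50 ?? ?? 47 65 74 50 72 6f 63")

def heuristic_detects(sample: bytes) -> bool:
    """One fuzzy signature covers the original and its patched variant."""
    return SIG.search(sample) is not None

# --- Behaviour blocking: judge the actions of the running program ---

# Constructed policy: (action, target glob, weight). Weights are illustrative.
POLICY: List[Tuple[str, str, int]] = [
    ("reg_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", 3),
    ("file_write", "*.exe", 2),
    ("net_connect", "*", 1),
]
BLOCK_THRESHOLD = 4  # illustrative; a real product tunes this against false alarms

def behaviour_score(trace: Iterable[Tuple[str, str]]) -> int:
    """Sum the weights of every policy rule hit by an (action, target) trace."""
    return sum(w for act, tgt in trace for a, glob, w in POLICY
               if act == a and fnmatch(tgt.lower(), glob.lower()))

def behaviour_blocks(trace: Iterable[Tuple[str, str]]) -> bool:
    return behaviour_score(list(trace)) >= BLOCK_THRESHOLD

# Constructed traces: a benign installer vs. a sample seeking persistence.
BENIGN_TRACE = [("file_write", "C:\\Program Files\\App\\app.exe"),
                ("net_connect", "update.example.com:443")]
SUSPICIOUS_TRACE = [("file_write", "C:\\Windows\\System32\\svchost.exe"),
                    ("reg_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x"),
                    ("net_connect", "203.0.113.5:6667")]
```

The two checks look at different inputs: the signature sees the file before it runs, the policy only sees a trace once it runs, which is why the benign installer scores 3 here and shows how close legitimate software can sit to the threshold.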
  3. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Interesting things are Norman Sandbox and BitDefender HiVE that use heuristic analysis backed up with behaviour blocking (or shall we say monitoring) in a virtual environment.

    Also behaviour blocking steps in action when you execute potential malware, while heuristics detect it at entry point (e.g. when you download the malware). Panda TruPrevent is in some way doing exactly this.
    When a threat is recognized, AV terminates it and notifies the user about it so it can clean the mess (usually the program does that too).
     
  4. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    They say the new KAV 6.0 will have heuristics. I wonder if KAV has true heuristics, a true behavior blocker or a hybrid?


    Starrob
     
  5. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I believe KAV 6 will use true heuristics; I haven't seen any reference to behavior blocking in the betas, unless maybe the registry monitoring.
     
  6. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    You might say that there are two ways to identify "bad guys". One is by the way they look (signatures/mug shots). The other is by what they do (behavior/breaking in through a window).

    Positive ID is always the best, but "heuristics" (intelligence) can always be added to either approach. "Intelligence", however, can lead to more or less alerts - but they are not "positive IDs".
     
  8. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Confusing because from that link, there are comments about it being more of an IDS/behavior blocker.

    Maybe no one is too sure about what exactly the pro-active feature is yet?


    Starrob
     
  9. profhsg

    profhsg Registered Member

    Joined:
    May 18, 2004
    Posts:
    145
    Actually NOD32 v. 2.5 now claims to use generic signatures, advanced heuristics and emulation (i.e. behavior monitoring in a virtual environment) in their ThreatSense technology. Eset has been advertising it in their 64-bit version. See http://64.233.161.104/search?q=cach... threatsense emulation&hl=en&client=firefox-a

    At least in the setup portions of AMON, IMON, and the on-demand scanner of the 32-bit software it indicates that it is also using the ThreatSense technology.
     
    Last edited: Aug 10, 2005
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
  11. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    No, I'm sure about this (Afrodude in that link shown, btw); in the current builds there is a type of behaviour blocker/IDS system, not an improved "traditional" type of heuristic (i.e. via code comparison).
     
  12. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    Thanks for the info.



    Starrob
     
  13. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493