Which is more important?

Discussion in 'other anti-virus software' started by L815, Feb 4, 2008.

Thread Status:
Not open for further replies.
  1. L815

    L815 Guest

    Heuristics or signatures?

    Although many AV apps today come with both, for obvious reasons, some do better in one category than the other. Especially for those such as Avast which don't have heuristics yet, but can still hold a strong stand at one of the top spots on the list. I'm mentioning Avast just as an example.

    Since many haven't caught a "real" threat in a while, does this mean that all the malicious code is getting far more advanced, or are threats just not bothering with trying to exceed today's top AVs?

    So in the end, which is more important in TODAY's day and age? Should heuristics play a bigger role for ghostly malicious code, or should the signature base still be the dominant player?
     
  2. cupez80

    cupez80 Registered Member

    Joined:
    Jun 28, 2005
    Posts:
    605
    Location:
    Surabaya Indonesia
    I think signatures still play the important role, rather than heuristics.
     
  3. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    I'm not saying this test means much. But there doesn't seem to be too much difference between Avast and a few other AVs with heuristics. I have to say, however, that it seems Avira does well no matter what test is used.


    http://virusinfo.info/index.php?page=testseng
     
  4. Sjoeii

    Sjoeii Registered Member

    Joined:
    Aug 26, 2006
    Posts:
    1,240
    Location:
    52°18'51.59"N + 4°56'32.13"O
    For now sigs are still more important, but heuristics will be more and more important in the next couple of years
     
  5. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    AVs can't be all heuristics and no signatures; AVs will have to have a signature base.
     
  6. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    They are both important and necessary to get a better level of protection.
     
  7. Frisk

    Frisk AV Old-Timer

    Joined:
    Jan 28, 2008
    Posts:
    31
    Location:
    Iceland
    When heuristics were first introduced, back around 1990, it was for the purpose of getting 0-day detection, although it was not called by that name at that time. However, once a new virus had been caught, a "normal" signature was added for it, partly because that was the only method of giving it a "unique" name, which was considered important at that time.

    This has changed.

    If heuristics catch something today, many AV companies will generally not bother with assigning a particular piece of malware a specific name, unless it gets on the Wildlist or gets media attention.

    The way I see it, heuristics and signatures both serve a useful purpose, but considering the flood of malware we are seeing, some AV companies are focusing more and more on heuristics, just because it is their only way of keeping up.

    Others are focusing more on "generic" detection, or what you could call "narrow" heuristics. Those are rules that are not meant to catch entire classes of malware, but only all members of one particular family within the class. Example: "keylogger-behaviour" vs. Ardamax.gen.

    Yet other companies refrain from using heuristics altogether - perhaps for technical reasons, or perhaps in order to avoid false positives.

    I do not think there is a single "best" approach - besides, if all the AV companies were using the same methods, it would be easier for the malware authors to come up with something to bypass all of the products at the same time.
     
  8. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    I quote that sentence just to make things a bit more clear one more time.

    What do you mean by the word "heuristic"? A specific technique, or the idea of catching new malware without having a *specific* signature for it? (By specific I mean a signature that has been added for that unique malware.)

    Because heuristic is a generic concept, and it isn't true that Avast doesn't make use of heuristics. They have plenty of generic signatures, another nice approach to usually catch new malware coming from already known families. As you can see, a generic signature can detect new malware without having a specific signature for it, just by having a common signature for that family. In other words, it has been able to intercept new malware before an update for *that* specific threat: a heuristic approach.

    That's only a matter of semantics.

    For the other question, I can only quote Fridrik's sentence:

     
    Last edited: Feb 4, 2008
  9. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    With signatures, you're dealing with a known quantity. However, the problem for AV companies is trying to keep pace with the ever changing face of the malware landscape. New variants spring up on an almost hourly basis and sometimes it's not possible to keep up in this fashion. It's a cat and mouse game.

    As I understand it, heuristics/generic detections are supposed to help deal with this to some extent. There are problems with that too as malware authors try to defeat those analyzers as well. Heuristics have to be tweaked so they get updated in a similar fashion to signatures.

    Both can play a part, but it's all about keeping one step ahead in the game and making sure either one or both are as up to date as much as possible.
     
  10. Frisk

    Frisk AV Old-Timer

    Joined:
    Jan 28, 2008
    Posts:
    31
    Location:
    Iceland
    It's a bit worse than that. Some variants are generated automatically and change (on the servers) every few minutes. They are not "polymorphic" in the old sense, as this is not self-replicating malware, but the effect is the same.

    No wonder there are around 10,000 different new samples every day (but of course most of them are just variants of a few different pieces of malware).
     
  11. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    How successful are heuristics in detecting these malware families?
     
  12. Frisk

    Frisk AV Old-Timer

    Joined:
    Jan 28, 2008
    Posts:
    31
    Location:
    Iceland
    If you include "generic detections" in the term "heuristics", the answer is "very". They can fairly easily detect stuff that is basically minor variants of the same thing. Of course, "heuristics" in this sense would also include a generic search string.

    There are other kinds of heuristics too - sandbox-related stuff for example, which is all about detecting certain types of behaviour, and that works fine as well on malware showing known malware behaviour patterns.

    However, heuristics have their limitations, for example when it comes to cleaning up installed malware. If you want for example to undo registry changes and such, you really need exact identification, and that's something heuristics cannot provide.
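The distinctions drawn above by Frisk and EraserHW, a specific signature for one analysed sample, a generic "narrow heuristic" signature for a whole family, and a broad behavioural heuristic, plus the point that only exact identification supports cleanup, as an added example. This is not code from the thread or from any AV product; every sample, family name, rule weight and cleanup step is constructed for illustration.

```python
"""Toy illustration of three detection layers: a specific signature (exact
hash of one analysed sample), a generic family signature (fixed family bytes
plus a wildcard for the part that changes per build), and a broad behavioural
heuristic (weighted sandbox observations). Every sample, name and rule below
is constructed for this example; nothing here is real malware or a real engine."""
import hashlib
import re

# Constructed "executables": a header, a family marker, and a per-build
# configuration string that is the only thing changing between variants.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"HOOK_KEYBOARD:c2=alpha.example" + b"\x00" * 8
NEW_VARIANT = b"MZ\x90\x00" + b"HOOK_KEYBOARD:c2=bravo.example" + b"\x00" * 8
UNRELATED = b"MZ\x90\x00" + b"NEW_FAMILY_CODE" + b"\x00" * 8
BENIGN = b"MZ\x90\x00" + b"HELLO_WORLD" + b"\x00" * 8

# Specific signature: hash of exactly the sample an analyst looked at.
SPECIFIC_SIGS = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Keylogger.Example.A",
}

# Generic (family) signature: fixed family bytes, wildcard for the config.
GENERIC_SIGS = {
    "Keylogger.Example.gen": re.compile(rb"HOOK_KEYBOARD:c2=[a-z]+\.example"),
}

# Broad behavioural heuristic: weighted actions observed in a sandbox run.
BEHAVIOUR_WEIGHTS = {
    "sets_keyboard_hook": 3,
    "adds_autorun_entry": 2,
    "posts_to_remote_host": 2,
    "opens_window": 0,
}
BEHAVIOUR_THRESHOLD = 5

# Cleanup instructions exist only for exactly identified samples
# (constructed placeholders, not real paths or registry keys).
CLEANUP_STEPS = {
    "Keylogger.Example.A": [
        "remove autorun entry <constructed placeholder>",
        "delete dropped file <constructed placeholder>",
    ],
}


def scan_specific(data: bytes):
    """Exact identification: hash lookup. Misses every byte-level variant."""
    return SPECIFIC_SIGS.get(hashlib.sha256(data).hexdigest())


def scan_generic(data: bytes):
    """Family identification: matches any build that keeps the family bytes."""
    for name, pattern in GENERIC_SIGS.items():
        if pattern.search(data):
            return name
    return None


def scan_behaviour(actions):
    """Broad heuristic: fires on the pattern of actions, not on bytes at all."""
    score = sum(BEHAVIOUR_WEIGHTS.get(a, 0) for a in actions)
    return "Heuristic.KeyloggerBehaviour" if score >= BEHAVIOUR_THRESHOLD else None


def classify(data: bytes, actions=()):
    """Try the layers from most to least specific.

    Returns (name, layer, exact); `exact` is True only for a specific
    signature hit, because only that names the one sample that was analysed.
    """
    name = scan_specific(data)
    if name:
        return name, "specific", True
    name = scan_generic(data)
    if name:
        return name, "generic", False
    name = scan_behaviour(actions)
    if name:
        return name, "heuristic", False
    return None, None, False


def cleanup_plan(verdict):
    """Full remediation needs exact identification; otherwise quarantine only."""
    name, _layer, exact = verdict
    if exact:
        return CLEANUP_STEPS.get(name, [])
    return []


if __name__ == "__main__":
    sandbox = {  # constructed sandbox observations per sample
        "known": ["sets_keyboard_hook", "posts_to_remote_host"],
        "variant": ["sets_keyboard_hook", "posts_to_remote_host"],
        "unrelated": ["sets_keyboard_hook", "adds_autorun_entry"],
        "benign": ["opens_window"],
    }
    for label, data in [("known", KNOWN_SAMPLE), ("variant", NEW_VARIANT),
                        ("unrelated", UNRELATED), ("benign", BENIGN)]:
        verdict = classify(data, sandbox[label])
        print(label, verdict, "cleanup:", cleanup_plan(verdict))
```

Running it shows the known sample hit by the specific signature with a cleanup plan, the new variant missed by the hash but caught by the family signature, the unrelated sample caught only by behaviour, and the benign file passing all three; the variant and the unrelated sample get no cleanup plan because nothing identified them exactly.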
     
  13. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hi! Programmers have got a "handicap", because hackers are ahead of them and can test their new malware samples until they aren't detected. :(
     
  14. Frisk

    Frisk AV Old-Timer

    Joined:
    Jan 28, 2008
    Posts:
    31
    Location:
    Iceland
    Well, it's not quite that simple. You see - if the malware authors want to be sure no AV programs will detect their new creations, they have to test all of them, right? Sure, it is easy to test a few, but testing over 20 programs might be too much of a hassle. Also, they cannot use services like virustotal or jotti, because the samples would then be forwarded to the AV companies - before they might have a chance to "properly" release them.

    However, it is easy for them to test that a handful of the "major" products don't detect what they just developed, yes.
     
  15. computer geek

    computer geek Registered Member

    Joined:
    Oct 6, 2007
    Posts:
    776
    In the future, hundreds more viruses will be created, far too many for signatures, so this is why heuristics are more important.
     
  16. L815

    L815 Guest


    Thanks for the clarification. I did mean heuristics in the sense of detection without a signature. But the thing is, the generic signature is based on known families, whereas what I really meant was detection of completely new threats, not based on a set of rules similar to previous detections. Your point is valid, and I do agree Avast is doing a great job with generic signatures.

    I do agree both play an important role, but for the future it seems heuristics will be of more use than signatures. Mainly because heuristics can catch a threat on the spot, rather than taking a chance of infection and then waiting for a signature update. Generic signatures seem to be the middleman, and Avast has used this in a smart way.

    My main reason for asking was curiosity about ESS's methods. They always score amazingly in heuristics, while signatures are decent. Although heuristics seem to be a bigger player at the moment, it doesn't stop the old signatures from creeping in.

    It's like locking up your house with tons of security features, which can detect an intrusion just as it happens, but then forgetting to lock the door, through which someone can walk in and do malicious things, only to be caught and blacklisted afterwards.
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Both.
     