WSA "Safe" Age/Pop Heuristics

Discussion in 'Prevx Releases' started by STV0726, Dec 31, 2011.

Thread Status:
Not open for further replies.
  1. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    When exactly are the "safe" or gradual age/popularity heuristics going to be enabled fully?

    ("Safe" as in "They do not function as they did in Prevx 3.0...they are still taking the behavior into account," ~Joe)

    I think with all the complaints and misinformation going around about the detection rates it could only help to restore their full power now - but I am of course no expert and I understand that it is probably a wise first step in controlling false positives. o_O

    Sorry to go geek but to make a Star Wars reference...

    "The time has come. Execute order 66." :cool:
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We're constantly changing our detection logic in the backend database and there will soon be an agent update which will allow us to do quite a lot more with detection. We still aren't planning on having the age/spread detection to be exactly as it was with P3 just because users used to configure it to Maximum and then complain about how many FPs P3 had.
     
  3. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Awesome! Glad to hear it and can't wait for the next release! :thumb:

    This also should be taken into consideration for any tests done on older versions.

    Bummer...will this ever be implemented or are you confident there is a better implementation?

    So if I am understanding this correctly, in Prevx 3.0 if one turned the Advanced Heuristics off but left the age/spread heuristics on, then their protection would be solely based on age/spread data.

    However, if one does the above in Webroot SecureAnywhere, their age/spread protection is still checking advanced heuristics or some other behavior monitoring capability, despite the status of the Advanced Heuristics.

    I had turned everything up to HIGH since the help file implied that was suitable for advanced users, but seeing behavior is taken into account regardless, I see no reason not to try everything on MAXIMUM / Apply BEFORE.

    I might also save a config file with all the heuristics in HIPS/whitelist mode too so I have that handy. Which brings one final question I have for you...

    If a user has WSA Essentials, saves their configuration file, then in a couple years downgrades to WSA AntiVirus, will that same config file work still?

    As always, many thanks! :)
     
    Last edited: Jan 2, 2012
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We're still looking into means for implementing the ideal solution (of a better version of P3's without the false positives) but we need to first get the new agent's scan engine out and give it some time to populate the new detection algorithms across all of the files after scans by all of our users, at which point we should be in a better position to see where we're at.

    You are correct in all of your assumptions about the heuristics :) Saving a configuration file and downgrading would probably cause problems - the configuration includes the license key, so you'd end up applying an old (/possibly expired) license key at that point.

    Hope that helps! :)
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Why not pop up a warning/explanation about FPs when users select higher age/pop heuristics?
     
  6. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    The main issue I take with the "safe mode" heuristics featured in WSA is that I am not sure what the benefit of selecting "apply BEFORE" versus "apply AFTER" is anymore...?

    It sounds like regardless of whether the user chooses before or after, WSA is applying the behavior stuff first.

    So in other words, the settings you chose are less relevant.
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I agree, this could certainly help :)
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The after/before controls different parts of the database-side heuristics and will therefore still make a difference.
     