Author Topic: Heuristic Antivirus  (Read 4247 times)
manimatters
Participant
Posts: 56
« on: March 15, 2009, 08:47:41 AM »

Hey people, I'm posting after a long time here at DC.

Is there any anti-virus out there which I can use to test heuristic analysis only? I mean, only use the heuristic engine to scan for viruses?

Well, I'm doing a term paper on Heuristic Anti-virus Technology and want some pointers to where I can get more information, etc., on the topic. This is the best forum I'm aware of, so I thought I would ask here.
mouser
First Author
Administrator
Posts: 33,611
« Reply #1 on: March 15, 2009, 09:01:02 AM »

Don't have an answer for your question but I'd be interested in any technical writeups you find on heuristic antivirus scanning.. Personally I am really mad at the way antivirus companies handle heuristic reporting..

That is, what they SHOULD do when they find a file that triggers some heuristic flag is perhaps make a report saying that a file was found that is probably ok but triggered a heuristic alert and explain exactly what in the file triggered the alert.

Instead what they do is report it to the user as if a known virus was found with high confidence.

This results in tons of false positives, scaring users and causing harm to company reputations.
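One way to structure the kind of report mouser is asking for, as an added illustration that is not code from this thread or from any real AV product: a toy scanner that keeps an exact signature match (high confidence) apart from heuristic flags (low confidence) and always lists exactly which rules fired. The signature pattern, the three heuristic rules, their weights and the sample inputs are all constructed for this example.

```python
"""Toy scanner that keeps 'known signature' and 'heuristic flag' apart in its report."""
import math
from collections import Counter

# Constructed signature: an exact byte pattern standing in for a known sample (hypothetical).
KNOWN_SIGNATURES = {"Constructed.Sample.A": b"CONSTRUCTED-SIGNATURE-PATTERN-0001"}
ALERT_THRESHOLD = 2  # total heuristic weight needed before raising an alert

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Share of bytes in the printable ASCII range (1.0 for empty input)."""
    return sum(32 <= b <= 126 for b in data) / len(data) if data else 1.0

# (rule name, weight, predicate). Illustrative rules and weights, not tuned.
HEURISTICS = [
    ("high_entropy", 2, lambda d: shannon_entropy(d) > 7.0),
    ("few_printable_strings", 1, lambda d: printable_ratio(d) < 0.5),
    ("password_strings", 1, lambda d: b"password" in d.lower()),
]

def scan(data: bytes) -> dict:
    """Report the verdict, the confidence behind it, and exactly which rules fired."""
    for name, pattern in KNOWN_SIGNATURES.items():
        if pattern in data:
            return {"verdict": "known_malware", "confidence": "high", "score": None,
                    "triggered": [], "reason": f"exact signature match: {name}"}
    triggered = [name for name, _, test in HEURISTICS if test(data)]
    score = sum(w for name, w, _ in HEURISTICS if name in triggered)
    # Below the threshold the file is reported as clean, but the fired rules still go in the report.
    verdict = "heuristic_alert" if score >= ALERT_THRESHOLD else "clean"
    return {"verdict": verdict, "confidence": "low", "score": score,
            "triggered": triggered,
            "reason": "no signature match; rules fired: " + (", ".join(triggered) or "none")}

# Constructed sample inputs, not real files.
SAMPLE_KNOWN = b"hello world " * 3 + b"CONSTRUCTED-SIGNATURE-PATTERN-0001"
SAMPLE_PACKED = bytes(range(256)) * 4  # uniform bytes: entropy 8.0, few printable bytes
SAMPLE_TEXT = b"Plain readme that mentions the password reset procedure."

if __name__ == "__main__":
    for sample in (SAMPLE_KNOWN, SAMPLE_PACKED, SAMPLE_TEXT):
        print(scan(sample))
```

The third sample is the case the post describes: a rule fired, the report says which one, but the verdict stays "clean" and the confidence stays "low" instead of being presented as a known virus.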
Crush
Member
Posts: 399
« Reply #2 on: March 15, 2009, 09:29:06 AM »

I've seen only antivirus progs with a switch for additional heuristics, but you could try to disable the bloom filter in the ClamAV source code to switch off the >64-byte signature search.
« Last Edit: March 15, 2009, 09:30:57 AM by Crush »
manimatters
Participant
Posts: 56
« Reply #3 on: March 15, 2009, 09:49:56 AM »

> Don't have an answer for your question but I'd be interested in any technical writeups you find on heuristic antivirus scanning.. Personally I am really mad at the way antivirus companies handle heuristic reporting..
>
> That is, what they SHOULD do when they find a file that triggers some heuristic flag is perhaps make a report saying that a file was found that is probably ok but triggered a heuristic alert and explain exactly what in the file triggered the alert.
>
> Instead what they do is report it to the user as if a known virus was found with high confidence.
>
> This results in tons of false positives, scaring users and causing harm to company reputations.

I totally agree on this, false positives cause more damage than viruses, even putting company reputations at stake. From what I've learnt so far, it should be that the user decides what a virus is and what is not.
TucknDar
Charter Member
Posts: 1,094
« Reply #4 on: March 15, 2009, 11:30:21 AM »

I imagine the AV companies consider which company is more important: Theirs or some other company. If they let the user decide whether something is a false positive or actual virus there's bound to be some users who'd let a virus through and then probably blame the AV software. So it's safer for them to trigger on the false positives.
J-Mac
Supporting Member
Posts: 2,869
« Reply #5 on: March 15, 2009, 01:50:53 PM »

NOD32 allows you to disable their "advanced heuristics" (Threatsense Engine, Unwanted Applications, Dangerous Applications) but it still uses heuristics in its regular scanning. Which is one of the reasons I have to disable it when I download some of Nir Sofer's utilities (password-related, mostly) and immediately move them to a flash drive before re-enabling it. Excluding these utilities doesn't seem to help this.

Actually I haven't tried it again with the latest version of NOD32; it's entirely possible that they have fixed this and I have been using this PITA protocol so long I haven't noticed. But I doubt it!

Jim
"I am getting so tired of slitting the throats of people who say that I am a violent psychopath."
Carol Haynes
Global Moderator
Posts: 7,958
« Reply #6 on: March 15, 2009, 04:11:51 PM »

NOD32 seems NirSoft these days (at least the version I am running doesn't seem to flag issues and I don't have exclusions listed). I used to have odd problems with some of their Password stuff in NOD32 v. 2.7 but in V. 3 it seems to be fixed. In version 2.7 I added the offending files to the exclusions list and then it didn't trouble me.

To be fair I think flagging password utilities as potential password stealers is a reasonable thing to do - at least it means someone who has the software installed without their permission will get a warning and anyone who needs to use the software should know how to get round potential warning problems.
sgtevmckay
Supporting Member
Posts: 836
« Reply #7 on: March 15, 2009, 04:48:39 PM »

Heuristic only? I do not think so.

But I would look into Spybot Search and Destroy, ThreatFire, and Vipre

As for their documentation, I would suggest contacting the folks at Spybot S&D, as they have always been helpful to me.

Good luck.
J-Mac
Supporting Member
Posts: 2,869
« Reply #8 on: March 15, 2009, 10:27:13 PM »

> NOD32 seems NirSoft these days (at least the version I am running doesn't seem to flag issues and I don't have exclusions listed). I used to have odd problems with some of their Password stuff in NOD32 v. 2.7 but in V. 3 it seems to be fixed. In version 2.7 I added the offending files to the exclusions list and then it didn't trouble me.
>
> To be fair I think flagging password utilities as potential password stealers is a reasonable thing to do - at least it means someone who has the software installed without their permission will get a warning and anyone who needs to use the software should know how to get round potential warning problems.

I agree completely that flagging password cracking utilities is admirable. However at one time you could not even exclude them. Well, actually you could exclude the setup files but as soon as you opened a file and it created its own folder in C:\Program Files NOD32 would eat it up quickly, before you had any chance to exclude that folder or the .exe file. There are threads at Wilders about this - it seemed a new one would pop up each year for a while, without any response from Eset. Plus I wrote to Eset about this twice and never got a reply. I just got into the habit of disabling it when I downloaded them and moved them to my flash drive.

Jim
codyBane
Participant
Posts: 5
« Reply #9 on: March 16, 2009, 03:05:05 PM »

I agree it's nice to see password recovery tools flagged as potential viruses, I've also seen nod32 flag a lot of irc scripts and nasty bots coded for the linux bash shell while I've been downloading them for analysis onto a windows machine.

Spybot is strictly dictionary based as far as I'm aware, and yes, you can do just a heuristic scan with nod32 - latest version for sure. The easiest way to do so is to open up nod32, select computer scan, click on custom scan, click on setup, then on the left go to options - there you can disable everything but heuristics and advanced heuristics.

I haven't had any problems with NOD32 (viruses or annoyances with the nod32 software) in the past 2 years.  I highly recommend it.
« Last Edit: March 16, 2009, 03:09:18 PM by codyBane »
J-Mac
Supporting Member
Posts: 2,869
« Reply #10 on: March 16, 2009, 10:21:27 PM »

> I agree it's nice to see password recovery tools flagged as potential viruses, I've also seen nod32 flag a lot of irc scripts and nasty bots coded for the linux bash shell while I've been downloading them for analysis onto a windows machine.
>
> Spybot is strictly dictionary based as far as I'm aware, and yes, you can do just a heuristic scan with nod32 - latest version for sure. The easiest way to do so is to open up nod32, select computer scan, click on custom scan, click on setup, then on the left go to options - there you can disable everything but heuristics and advanced heuristics.
>
> I haven't had any problems with NOD32 (viruses or annoyances with the nod32 software) in the past 2 years. I highly recommend it.

OK - I'm pissed at Eset again! They released Version 4 of their AV and no notifications. I don't think they ever send notice of new versions; visit their site and check or lose out. Grrr...

Jim
Carol Haynes
Global Moderator
Posts: 7,958
« Reply #11 on: March 17, 2009, 04:32:21 AM »

I really don't understand ESET - their software has an update option for the application as well as the virus databases etc. and yet it has never worked. I have been using NOD32 since version 2.5 and I have never once received an update notice either by the update function or by email despite opting in to their emails. The only communication with users they seem to be good at is reminding you that your subscription is running out.
a_lunatic
Supporting Member
Posts: 71
« Reply #12 on: March 17, 2009, 05:08:49 AM »

The way I found out about V4 having been released was that I got a BSOD and, once rebooted, NOD32 reported "Virus scanner initialization failed".
Carol Haynes
Global Moderator
Posts: 7,958
« Reply #13 on: March 17, 2009, 09:33:52 AM »

Having read that thread is there any point in upgrading to version 4?
J-Mac
Supporting Member
Posts: 2,869
« Reply #14 on: March 17, 2009, 12:07:57 PM »

> Having read that thread is there any point in upgrading to version 4?

I've seen a few more bugs too. mouser posted about false positives that delete Windows system files (Yikes!). Also I saw at Wilders that NOD32 v4's email integration has wiped out a lot of users' Thunderbird email messages - both on their computers AND on the server.

I think I shall wait also.

Jim