Heuristic Antivirus

[manimatters]

Hey people, I'm posting after a long time here at DC.

Is there any anti-virus out there which i can use to test heuristic analysis only? I mean, only use the heuristic engine only to scan for viruses?

Well, I'm doing term paper on Heuristic Anti-virus Technology and want some pointers to where I can get more information etc on the topic. This is the best forum I'm aware of, so thought I would ask here.

[mouser]

Don't have an answer for your question but I'd be interested in any technical writeups you find on heuristic antivirus scanning.. Personally I am really mad at the way antivirus companies handle heuristic reporting..

That is, what they SHOULD do when they find a file that triggers some heuristic flag is perhaps make a report saying that a file was found that is probably ok but triggered a heuristic alert and explain exactly what in the file triggered the alert.

Instead what they do is report it to the user as if a known virus was found with high confidence.

This results in tons of false positives, scaring users and causing harm to company reputations.

[Crush]

I´ve seen only antivirus progs with a switch for additional heuristics, but you could try to disable the bloomfilter in the ClamAV-sourcecode to switch off the >64Bytes-signature-search.

[manimatters]

Don't have an answer for your question but I'd be interested in any technical writeups you find on heuristic antivirus scanning.. Personally I am really mad at the way antivirus companies handle heuristic reporting..

That is, what they SHOULD do when they find a file that triggers some heuristic flag is perhaps make a report saying that a file was found that is probably ok but triggered a heuristic alert and explain exactly what in the file triggered the alert.

Instead what they do is report it to the user as if a known virus was found with high confidence.

This results in tons of false positives, scaring users and causing harm to company reputations.

-mouser (March 15, 2009, 09:01 AM)

I totally agree on this, false positives cause more damage than viruses, even putting company reputations at stake. From what i've learnt so far, it should be that the user decides what a virus is and what not.

[TucknDar]

I imagine the AV companies consider which company is more important: Theirs or some other company. If they let the user decide whether something is a false positive or actual virus there's bound to be some users who'd let a virus through and then probably blame the AV software. So it's safer for them to trigger on the false positives.

[J-Mac]

NOD32 allows you to disable their "advanced heuristics" (Threatsense Engine, Unwanted Applications, Dangerous Applications) but it still uses heuristics in its regular scanning. Which is one of the reasons I have to disable it when I download some of Nir Sofer's utilities (password-related, mostly) and immediately move them to a flash drive before re-enabling it. Exclusing these utilities doesn't seem to help this.

Actually I haven't tried it again with the latest version of NOD32; it's entirely possible that they have fixed this and I have been using this PITA protocol so long I haven't noticed. But I doubt it!

Jim

[Carol Haynes]

NOD32 seems NirSoft these days (at least the version I am running doesn't seem to flag issues and I don't have exclusions listed). I used to have odd problems with some of their Password stuff in NOD32 v. 2.7 but in V. 3 it seems to be fixed. In version 2.7 I added the offending files to the exclusions list and then it didn't trouble me.

To be fair I think flagging password utilities as potential password stealers is a reasonable thing to do - at least it means someone who has the software installed without their permission will get a warning and anyone who needs to use the software should know how to get round potential warning problems.

[sgtevmckay]

heuristic Only? I do not think so.

But I would look into Spybot Search and Destroy, ThreatFire, and Vipre

As for their documentation, I would suggest contacting the folks at Spybot S&D, as they have always been helpfull to me.

Good luck.

[J-Mac]

NOD32 seems NirSoft these days (at least the version I am running doesn't seem to flag issues and I don't have exclusions listed). I used to have odd problems with some of their Password stuff in NOD32 v. 2.7 but in V. 3 it seems to be fixed. In version 2.7 I added the offending files to the exclusions list and then it didn't trouble me.

To be fair I think flagging password utilities as potential password stealers is a reasonable thing to do - at least it means someone who has the software installed without their permission will get a warning and anyone who needs to use the software should know how to get round potential warning problems.

-Carol Haynes (March 15, 2009, 04:11 PM)

I agree completely that flagging password cracking utilities is admirable. However at one time you could not even exclude them. Well, actually you could exclude the setup files but as soon as you opened a file and it created its own folder in C:\Program Files NOD32 would eat it up quickly, before you had any chance to exclude that folder or the .exe file. There are threads at Wilders about this - it seemed a new one would pop up each year for a while, without any response from Eset. Plus I wrote to Eset about this twice and never got a reply. I just got into the habit of disabling it when I downloaded them and moved them to my flash drive.

Jim

[codyBane]

I agree it's nice to see password recovery tools flagged as potential viruses, I've also seen nod32 flag a lot of irc scripts and nasty bots coded for the linux bash shell while I've been downloading them for analysis onto a windows machine.

Spybot is strictly dictionary based as far as I'm aware,
and yes, you can do just a heuristic scan with nod32 - latest version for sure.  The easiest way to do so is to open up nod32, select computer scan, click on custom scan, click on setup, then on the left go to options - there you can disable everything but heuristics and advanced heuristics.

I haven't had any problems with NOD32 (viruses or annoyances with the nod32 software) in the past 2 years.  I highly recommend it.

[J-Mac]

I agree it's nice to see password recovery tools flagged as potential viruses, I've also seen nod32 flag a lot of irc scripts and nasty bots coded for the linux bash shell while I've been downloading them for analysis onto a windows machine.

Spybot is strictly dictionary based as far as I'm aware,
and yes, you can do just a heuristic scan with nod32 - latest version for sure.  The easiest way to do so is to open up nod32, select computer scan, click on custom scan, click on setup, then on the left go to options - there you can disable everything but heuristics and advanced heuristics.

I haven't had any problems with NOD32 (viruses or annoyances with the nod32 software) in the past 2 years.  I highly recommend it.

-codyBane (March 16, 2009, 03:05 PM)

OK - I'm pissed at Eset again! They released Version 4 of their AV and no notifications. I don't think they ever send notice of new versions; visit their site and check or lose out. Grrr...

Jim

[Carol Haynes]

I really don't understand ESET - their software has an update option for the application as well as the viurs databases etc. and yet it has never worked. I have been using NOD32 since version 2.5 and I have never once received an update notice either by the update function or by email despite opting in to their emails. The only communication with users they seem to be good at is reminding you that your subscription is running out.

[a_lunatic]

The way I found out about V4 been released was I got a BSOD & once rebooted Nod32 had a Virus scanner initialization failed

[Carol Haynes]

Having read that thread is there any point in upgrading to version 4?

[J-Mac]

Having read that thread is there any point in upgrading to version 4?

-Carol Haynes (March 17, 2009, 09:33 AM)

I've seen a few more bugs too. mouser posted about false positives that delete Windows system files (Yikes!). Also I saw at Wilders that NOD32 v4's email integration has wiped out a lot of users' Thunderbird email messages - both on their computers AND on the server.

I think I shall wait also. 

Jim