How effective is hueristic scanning?

[Hurricane Andrew]

Just curious. Everyone is familiar with all the tests using updated
definitions to catch the nastys, but how about new ones? I'm curious since
I use Norton on one box, Avast on another. It's nearly Tuesday now, and
Avast doesn't even seem to acknowledge Mydoom/Novarg on its site, let alone
in the virus defs, though it seems to be the next "big one".

So, without updated defs, how effecitve are the various AV's at cathing the
new ones? I've seen the feature touted for years, but other than generic
language in the various trade publications/sites, does it really get us
anything? Does anyone have experience with or know of any independant test
results for the hueristic capability alone?

Should be an interesting discussion, since if it doesn't provide any
noticeable benefit, then it really boils down to which company responds the
quickest, since any AV product worth its salt should catch the known bugs.

 

[Chuckles.]

There have been 3 Avast updates today to the Home edition. The last one will
detect Mydoom.

I received on of these today, had just updated the defs and it didn't detect
it. Got another update notice around 5 mins later. Installed that one, and
it detected straight off.

C. Fairbairn.

 

[Buford T. Justice]

NOD32 has the best heurestics. Many people think this is all that NOD32
uses but NOD32 also use signature defs. In fact, NOD32 was able to catch
W32/Bagle.A without an update...

http://www.nod32.com/about/press.htm

BTJustice

 

[Frederic Bonroy]

Buford T. Justice a écrit :

NOD32 has the best heurestics.

According to a test by Andreas Marx from av-test.org its heuristics are
actually not so great.

Don't shoot the messenger. I know his tests are somewhat controversial
but I don't know of any other such test. And the mere claim that "NOD32
has the best heurestics [sic]" without proof and their marketing drivel
are simply not convincing.


(Oh, by the way, AVK and F-Secure were the winners.)

 

[null]

Buford T. Justice a écrit :

NOD32 has the best heurestics.

According to a test by Andreas Marx from av-test.org its heuristics are
actually not so great.

Don't shoot the messenger. I know his tests are somewhat controversial
but I don't know of any other such test. And the mere claim that "NOD32
has the best heurestics [sic]" without proof and their marketing drivel
are simply not convincing.


(Oh, by the way, AVK and F-Secure were the winners.)

Not to mention the tests using way outdated defs done at VTC Hamburg
showing McAfee as the winner.


Art
http://www.epix.net/~artnpeg

 

[Buford T. Justice]

Proof of NOD32's superior heuristics...

http://www.virusbtn.com/vb100/archives/products.xml?eset.xml
http://www.freshnews.com/cgibin/jsj_news/viewnews.cgi?action=one&article_ID=
16504&cat=2
http://www.lets-talk-computers.net/guests/eset/overvu/index.htm
http://crn.channelsupersearch.com/news/crn/45234.asp
http://www.pcmag.com/article2/0,4149,978452,00.asp

AV-Test.org's "Current Tests" webpage is a joke. The most current test on
that page is from 2002 (2002-03)...

http://www.av-test.org/sites/tests.php3?lang=en

Now if they have a magazine then that is great but they really oughta update
their "Current Tests" webpage if there have been more recent tests. If they
don't have a recent magazine then you should throw those ones you have on
your coffee table away.

BTJustice

Buford T. Justice a écrit :

NOD32 has the best heurestics.

According to a test by Andreas Marx from av-test.org its heuristics are
actually not so great.

Don't shoot the messenger. I know his tests are somewhat controversial
but I don't know of any other such test. And the mere claim that "NOD32
has the best heurestics [sic]" without proof and their marketing drivel
are simply not convincing.


(Oh, by the way, AVK and F-Secure were the winners.)

 

[null]

Proof of NOD32's superior heuristics...

http://www.virusbtn.com/vb100/archives/products.xml?eset.xml
http://www.freshnews.com/cgibin/jsj_news/viewnews.cgi?action=one&article_ID=
16504&cat=2
http://www.lets-talk-computers.net/guests/eset/overvu/index.htm
http://crn.channelsupersearch.com/news/crn/45234.asp
http://www.pcmag.com/article2/0,4149,978452,00.asp

No heuristics tests here that I can find.


Art
http://www.epix.net/~artnpeg

 

[Buford T. Justice]

You went through all of that in 11 minutes?

BTJustice

 

[Frederic Bonroy]

Buford T. Justice a écrit :

Proof of NOD32's superior heuristics...

http://www.virusbtn.com/vb100/archives/products.xml?eset.xml

How is that proof of its superior heuristics?

http://www.freshnews.com/cgibin/jsj_news/viewnews.cgi?action=one&article_ID=
16504&cat=2

This is partly marketing drivel and concerns ITW viruses only.

http://www.lets-talk-computers.net/guests/eset/overvu/index.htm

I listened to the first 6 minutes. That too was marketing.

http://crn.channelsupersearch.com/news/crn/45234.asp

Now that is not very technical.

http://www.pcmag.com/article2/0,4149,978452,00.asp

??? Remember we are talking about heuristics...

AV-Test.org's "Current Tests" webpage is a joke. The most current test on
that page is from 2002 (2002-03)...

http://www.av-test.org/sites/tests.php3?lang=en

Now if they have a magazine then that is great but they really oughta update
their "Current Tests" webpage if there have been more recent tests. If they
don't have a recent magazine then you should throw those ones you have on
your coffee table away.

I read the test in a magazine but it was conducted by A. Marx. I am not
saying that NOD32 has bad heuristics (I couldn't care less about NOD32
being better or worse than any other AV program), but this article
certainly provides an opportunity to discuss and try to find out if
NOD32 actually lives up to its reputation.

 

[null]

You went through all of that in 11 minutes?

Yep DSL and speed reading are great.


Art
http://www.epix.net/~artnpeg

 

[Buford T. Justice]

I am not going through all of that. All I am going to say is that Virus
Bulletin tests with 'in the wild' viruses. Now I would think that NOD32's
remarkably high rating is due to its advanced heuristic scanning. Anyway,
to answer the original poster's question. Heuristics scanning is better
than signature since it will detect viruses not yet discovered. And NOD32
has the highest rating on Virus Bulletin due to using heuristic and
signature scanning.

BTJustice

 

[LT Higdon]

I am not going through all of that. All I am going to say is that Virus
Bulletin tests with 'in the wild' viruses. Now I would think that NOD32's
remarkably high rating is due to its advanced heuristic scanning. Anyway,
to answer the original poster's question. Heuristics scanning is better
than signature since it will detect viruses not yet discovered. And NOD32
has the highest rating on Virus Bulletin due to using heuristic and
signature scanning.

BTJustice

That's a very bold assertion. Better than signature? For what purpose?
Detect viruses not yet discovered? If it "detects' something, then by
definition it's discovered.

 

[Buford T. Justice]

That's a very bold assertion. Better than signature? For what purpose?
Detect viruses not yet discovered? If it "detects' something, then by
definition it's discovered.

Yes. There are many viruses but they all essentially do the same thing so
heuristics catch most of the unknowns. At least good heuristics (NOD32) do
anyway.

BTJustice