Phil Weldon said:
'edgewalker' wrote, in part:
| ...and sacrifices the low FP rate obtainable with more thorough
detection/verification
| methods.
_____
Please explain the methods of detecting a new virus for which there can be
no signatures.
We're not discussing only new virus (proactive) detection methods. Sure, for
new viruses not yet having signatures developed - heuristic detection by far
outweighs signature based detection. For the overall (old and new) virus set,
heuristics sacrifices too much accuracy (high FP rate) for the sake of processing
cost - it is a fairly good method overall.
The detection of new malware is a side effect of the heuristic method. Some new
malware will exhibit old behaviors (or other characteristics) and thus be detected.
Unfortunately, some legit programs may also match suspect behaviors/characteristics
and be FP detections.
What are the possible choices?
Those are the top contenders it seems. Most good AVs offer both methods as part
of their package.
A chess program could gather data about positions and past outcomes resulting from
previous moves and keep it in a lookup. When it is the computer's turn to make a move
it could look up the current position and given enough time and data make the "best"
move under those conditions. Heuristics would be more general like "a piece has more
influence if it is positioned closer to the center of the board", "control of the center of
the board allows you to support positioning powerful pieces in more powerful places",
and "when in doubt - push a pawn". Less time used trying to find the "best" move and
in return gets you a reasonably good move. The relation in viruses/new viruses in your
argument is like the advantage in heuristics in speed chess where you don't have the
time for exhaustive searches for the "best" moves.
- it works fairly well.
As I mentioned in a previous post