Re: [Full-Disclosure] Show me the Virrii! (heuristics)
From: S G Masood (sgmasood at yahoo.com)
Date: Mon Jan 05 2004 - 06:17:17 CST
Hi Alex,
Good points.
To add an example, Swen was detected automatically as
"W32.Automat.AHB" by Norton AV before its signatures
were added. When Norton AV detects a new virus based
on heuristics, it usually identifies it as
"W32.Automat.*", with "Automat" probably standing for
"Automatically Detected".
Regards,
--
S.G.Masood
--- starlabs <ashipp at messagelabs.com> wrote:
> > Does anyone have reliable reports of an antivirus system firing off on a heuristic?
> >
> > I'm not aware of ever having seen one; always seems to be a signature.
>
> As part of my job I regularly evaluate antivirus products. I have seen plenty of heuristic detections; all the engines have different heuristic capabilities, so some detect more new malware than others, and of course some also have more false positives than others.
>
> Your experience might be because you are using a poor heuristic engine, or because by the time you get a sample of a real new virus, your vendor has released a signature anyway, even if they detected it heuristically anyway.
>
> My findings indicate that the state of the art is that most new malware can be detected heuristically these days.
>
> Regards,
>
> Alex
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html