October 30th, 2004 11:31 AM
Heuristics scans without signatures. It looks for certain patterns in code. Email-borne viruses are a good example. In order for the virus to work it will have to insinuate itself into startup somehow so it will contain code to alter the registry, the startup folder or some other vector. Then it is going to have to spread itself so it will have code for it's SMTP engine. So upon seeing this file a heuristic engine would say:-
1. File changes the registry
2. File uses code to transmit email
3. File is smaller than xKb so it isn't a mailserver installer
this could be a virus......
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
October 30th, 2004 11:51 AM
I can’t speak for others, but past experience is what dictates what I use. Although I don't remember trying AVG, perhaps others who do feel as strongly and have had similar experiences with it as I have with Trend Micro products.
Years ago when I first got hit with a virus and it hosed my home machine ( I think I was running MS anti-virus at the time, but the updates were almost non-existent, and luckily I had backups ) I started “borrowing” AV programs for testing purposes. There were only a few back then, but Norton and McAfee both seemed to slow the machine down considerably ( it was running Win 3.1 as I recall ) and kept conflicting with running apps. I found PC-Cillin ( then distributed by TouchStone software ) to be the most stable and reliable, did not impact on performance and came with “ 100% Virus Protection Guaranteed” and “ FREE Lifetime Updates”.
Although they no longer offer the “FREE” updates for that program as of a month or two ago ( I believe it started with version 3, which they upgraded free to version 6, and went through an OS upgrade to win 95, then win 98 and several motherboards ) I never again lost any data on that machine due to a virus. ( you think I can sue 'cause they failed to fulfill as advertised? )
Though they don’t make those claims anymore ( now yearly subscriptions, disclaimers, etc. ), when I had a problem on another machine with conflicts ( running XP, Netscape and PC-Cillin 2002 ) they responded with a fix ( e-mail attachment ) within half a day!
From what I have seen Norton over the years has become more stable and less prone to conflicts then in the early years, but I have cleaned many a machine even recently running Norton AV using Trend’s “HouseCall" . And have not as of yet ( hope I didn’t jinx myself ) had any infections on any machines running PC-cillin.
And for McAfee , where I work they use it on the network. When I received an e-mail from one of the top administrators which contained a virus ( routed through a web site I manage ) and I informed him of it, the replay I got a month later was they had a virus on the network and had been trying to clean it for a month and a half! ‘Nuf said! ( Yes, that’s true, yes I know what you’re thinking, don’t go there. My head has already bled from hitting it against the wall on numerous occasions! )
As for others, I have installed many to test over the years ( currently have the October Sophos disk and plan to try it on Linux now that construction is done, the granddaughter has her own room and I am getting my computer room back ... she’s a year old already! ) but I have found none that has proven better then PC-cillin .
So until it lets me down I will continue using it, at least on my main machines. And the 2005 version ( in response to another thread ) now scans for Spyware and includes the ability to " configure, update, and control PC-cillin Internet Security running on any PC on your home network—managing all functionality through a single interface", ( though I haven't tested those features yet ).
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
October 31st, 2004 02:44 AM
I think Bloodhound detects viruses, (Does it send mail, does it have trojan behavior, yadda yadda), and reports home to have the file tested if it is not recognized as a virus. From there, non-heuristic signatures (old school) are made to deal with the virus. First heuristic detection, and then signature based removal. The signature that is developed from a Bloodhound detection is given the Bloodhound prefix. At least that's what it sounds like to me. Because otherwise, every program that connects to a mailserver, even if it is small, will be a false positive. I don't think heuristics is trusted enough to act as a removal engine, but I think it is being used to speed up Symantec's sig releases.
Bloodhound is a complete departure from traditional virus scanning technology, which typically relies upon virus “signatures” or fingerprints to detect virus infections. When an anti-virus company receives a new virus, it analyzes it and extracts a virus fingerprint. The virus is then considered “known” and can be identified by subsequent updates of the anti-virus product; viruses that have not yet been analyzed are invisible to such anti-virus software.
Rather than using signatures, Bloodhound detects viruses by inspecting executable files for virus-like behavior. Since many viruses are finicky and only spread under ideal circumstances, the SARC heuristic system actually “coaxes” viruses into exhibiting their malicious behavior. If a program exhibits such virus-like behavior, it is passed on for further analysis by the Symantec AntiVirus Research Automation (SARA) system or a SARC virus researcher. This heuristic technology has been shown to detect up to 80% of new, unknown viruses.
Back when I used Norton, I remember Bloodhound asking me if I wanted to send in a specimen to Symantec, but I can't recall if it actually did anything with the file in question.
Bloodhound.Exploit.13 is not called a "signature", but it pretty much is a signature, just of a different breed. Bloodhound would not have been able to detect the jpeg exploit unless it was told to look for it. My point is that heuristic engines still need to be told what to look for, such as mail daemons, jpeg exploits, or whatever. That sounds to me like a "heuristic signature". A "heuristic signature" is more like a set of directions to find, than a fingerprint. Of course a heuristic signature now sounds like an oxymoron... although I will still call it that for lack of a better name.