Message-ID: <freemail.20040005115535.51433@fm1.freemail.hu>
From: etomcat at freemail.hu (Feher Tamas)
Subject: Re: Show me the Virii! (Pyrrhic heuristic)
Hello,
>>Does anyone have reliable reports of an antivirus system
>>firing off on a heuristic?
>>
>>I'm not aware of ever having seen one; always seems
>>to be a signature.
>
>As part of my job I regularly evaluate antivirus products.
>I have seen plenty of heuristic detections; all the engines
>have different heuristic capabilities, so some detect more
>new malware than others, and of course some also have
>more false positives than others.
Anti-Virus heuristics' job is not to catch unknown viruses, but to
measure the amount of lazy factor in virus authors' blood.
The fully functional trial versions (usually 30-day limited) of all anti-virus
packages by all vendors are available on the Web. You just download them,
no hassle, anonymously. Obviously, AV companies need to sell their
products and free trial versions are an effective way of convincing the
would-be customers of the software's merits.
But there is a side effect: virus writers can also test their new creations
in-house, for free. When they are finished coding, they test their
executables against all those virus scanners and when one of them
detects it using heuristics, they further tweak the malware code to
avoid detection. When none of the major scanners can detect it any
more with heuristics, they release their evil creature in the wild.
(Or send it to the AV companies sample address together with a small
mail meant to boost their own ego. This is clearly better for the sake of
the Internet).
To summarize: heuristic detection rate in diverse AV products
represents three things:
-Diligence (or lack of) by virus writers to go through the above
described testing & tweaking treadmill, which can be a time-consuming
task, considering there are a good dozen or so significant
AV packages.
-The market share of a given AV product. If you are a big brand name in
the AV market, your scanner's heuristics are more likely to be tested
against by virus writers before they release their malware.
It is not cost-efficient for virus writers to test an AV suite that protects
a mere two or three hundred thousand Netizens overall. Antivirus
software titles with tens of millions of people in installed user base are
interesting enough.
-The willingness of the particular AV vendor to make its customers take
the risks of false positives. Your AV product can alert on more entirely
new viruses if you define the heuristic with looser conditions, obviously.
But it means more innocent files will get trapped, too. False positives
can be almost as devastating as viruses. It is a fact of life that false
positives do occur, but the frequency varies from vendor to vendor. I
would hate to crucify a particular vendor here, because this can happen to
any one of us; but one major AV package did alert on the Installshield
core executable in mid-2003 and millions of computers lost important
software as a result. The cause of this was a faulty signature update.
I think heuristics have a limited future in the AV field. The AV companies
are trying to release more exact detection updates instead. For
example, Kaspersky Labs has just announced its intent to publish new
AV signatures every 3 hours on every workday (there was some
media publicity about it).
BTW, antivirus firms never give samples to outsiders. They go so far
that one of them even warns on its corporate webpage that if you send
them a CD-ROM disk with a suspected new virus on it and they actually
find it infected, they will not be able to give it back.
BTW, the plural for virus should be virii (with single R). But I'd say let's
call it viruses, because it's simpler and it's IT, not Biology.
Sincerely: Tamas Feher.
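Added example, not part of Tamas Feher's message and not code from any real scanner: a toy heuristic engine that models the two points the post makes. A threshold sweep shows that a looser heuristic (lower threshold) catches more of the unknown samples but also flags more innocent files (an installer-like file is the first to go), and an evasion loop shows how an author who can run the scanner locally tweaks a sample until it scores below the threshold. The scoring rules, the API names used as indicators, the XOR key and the byte-string "files" are all constructed for illustration; no real executables or malware are involved.

```python
"""Toy heuristic scanner: threshold trade-off and the test-and-tweak loop.

All samples below are constructed byte strings standing in for executables.
The scoring rules are invented for this example, not taken from any product.
"""
import math
from collections import Counter

# Indicators a crude heuristic might look for as plain-text strings (assumption).
SUSPICIOUS_APIS = [b"WriteProcessMemory", b"CreateRemoteThread",
                   b"URLDownloadToFileA", b"RegSetValueExA"]
ENTROPY_PACKED = 7.0  # bits/byte above which the body is treated as packed/encrypted
XOR_KEY = 0x55        # key the "virus writer" uses to hide strings (constructed)

MZ_HEADER = b"MZ\x90\x00This program cannot be run in DOS mode.\r\n"
# 4096 bytes with a flat byte histogram: stands in for a compressed/encrypted section.
HIGH_ENTROPY_BLOB = bytes(range(256)) * 16


def make_file(*strings: bytes) -> bytes:
    """Build a fake executable: header, a zero-filled gap, then NUL-terminated strings."""
    return MZ_HEADER + b"\x00" * 64 + b"".join(s + b"\x00" for s in strings)


# Constructed corpus. "installer" deliberately resembles a setup program that
# enumerates *.exe files and writes registry keys, so loose heuristics flag it.
BENIGN = {
    "text_editor": make_file(b"kernel32.dll", b"CreateFileA", b"ReadFile", b"File Edit View Help"),
    "installer": make_file(b"kernel32.dll", b"FindFirstFileA", b"*.exe", b"RegSetValueExA",
                           b"Setup is copying files"),
    "self_extractor": make_file(b"kernel32.dll", b"CreateFileA") + HIGH_ENTROPY_BLOB,
}
MALICIOUS = {
    "dropper": make_file(b"urlmon.dll", b"URLDownloadToFileA", b"advapi32.dll", b"RegSetValueExA",
                         b"Software\\Microsoft\\Windows\\CurrentVersion\\Run", b"CreateRemoteThread"),
    "file_infector": make_file(b"kernel32.dll", b"FindFirstFileA", b"*.exe", b"WriteProcessMemory"),
    "packed_injector": make_file(b"WriteProcessMemory", b"CreateRemoteThread") + HIGH_ENTROPY_BLOB,
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 for a flat histogram, low for mostly-zero or ASCII data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_score(data: bytes) -> int:
    """Invented scoring: +1 per suspicious API string, +2 if packed, +2 for infector traits."""
    score = sum(1 for api in SUSPICIOUS_APIS if api in data)
    if shannon_entropy(data) > ENTROPY_PACKED:
        score += 2
    if b"FindFirstFileA" in data and b"*.exe" in data:  # searches for other executables
        score += 2
    return score


def is_flagged(data: bytes, threshold: int) -> bool:
    return heuristic_score(data) >= threshold


def evaluate(threshold: int) -> tuple:
    """(unknown samples detected, innocent files flagged) at a given threshold."""
    detected = sum(is_flagged(d, threshold) for d in MALICIOUS.values())
    false_positives = sum(is_flagged(d, threshold) for d in BENIGN.values())
    return detected, false_positives


def obfuscate_strings(data: bytes) -> bytes:
    """Replace plain-text API names with XOR-encoded copies. A real binary would
    decode them at run time, so behaviour is unchanged but string matching fails."""
    for name in SUSPICIOUS_APIS + [b"FindFirstFileA"]:
        data = data.replace(name, bytes(b ^ XOR_KEY for b in name))
    return data


def evade(data: bytes, threshold: int) -> tuple:
    """The test-and-tweak loop: apply tweaks until the local scanner stops firing."""
    tweaks = []
    if is_flagged(data, threshold):
        data = obfuscate_strings(data)
        tweaks.append("xor-encode API names")
    # Still flagged because of the packed section: dilute it with zero padding.
    while is_flagged(data, threshold) and shannon_entropy(data) > ENTROPY_PACKED:
        data = data + b"\x00" * len(data)
        tweaks.append("pad with zeros to lower entropy")
    return data, tweaks


if __name__ == "__main__":
    for t in range(1, 6):
        print(f"threshold {t}: detected {evaluate(t)[0]}/3, false positives {evaluate(t)[1]}/3")
    for name, sample in MALICIOUS.items():
        evaded, tweaks = evade(sample, 2)
        print(f"{name}: score {heuristic_score(sample)} -> {heuristic_score(evaded)} via {tweaks}")
```

Running the sweep shows the trade-off the post describes in miniature: at threshold 4 only the packed injector is caught and nothing innocent is, at threshold 3 every constructed malicious sample is caught but so is the installer, and at threshold 2 the self-extractor is flagged as well. The evade loop then drives every malicious sample below threshold 2 with one or two tweaks, which is the cheap local testing that a freely downloadable scanner makes possible.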