[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3FFCA80E.27939.276C39F4@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Show me the Virrii!
Steve Wray <steve.wray@...adise.net.nz> replied to S G Masood:
> > 4. When their heuristic engines pick up new viruses
> > automatically, they usually have some kind of an
> ...
>
> Does anyone have reliable reports of an antivirus system firing
> off on a heuristic?
>
> I'm not aware of ever having seen one; always seems to be a
> signature.
Well, the answer may depend on precisely how you choose to define
"firing off", "heuristic" and "signature"... Regardless, apart from
what would be ridiculously limited definitions of those terms, I am
sure I could answer "yes, all the time".
The sophist in me wishes to point out that _any_ detection based on
"identifying data" smaller than the object to be detected is
necessarily "heuristic". For example, consider the simplest case of
malware detection -- identifying a single, complete file (be it a
Trojan Horse, monolithic replicating virus or what have you) -- and the
simple detection method for such static targets (albeit possibly
impractable for real-world, realtime use) of comparing a cryptographic
hash of the entire file contents with a list of such hashes for all
known static malware targets. Although triflingly small, there is
always a larger than 0% probability of false positives due to the
heuristic assumption that this probability is "low enough" for everyday
use. Note that I am not denying the usefulness of such a heuristic in
much everyday malware scanning. Rather, I am pointing out that such
detection methods _are_ heuristic in nature despite the fact they are
often considered deterministic.
Of course, all manner of further simplifications of this basic approach
-- from the crudest of simple short sub-string matches through the
sometimes hugely elegant evaluations of code emulator outputs --
commonly used in varying numbers and forms in all currently
"successful" virus scanners are equally clearly "heuristic" in this
sense.
However, let's accept for now that by "heuristic" we mean detection
methods much "looser" and much less deterministic than comparison of
cyrptographic file hashes. Many scanners have emulators, code
analysers, groups of detection strings indicative of functionality that
typically falls together in malware and seldom is seen together in
"legitimate" programs and so on. These make detections of previously
unseen malware all the time. Further, some products have (to varying
degrees) eschewed the notion that precise identification is the be all
and end all of malware detection, with the developers deliberately
making their product's detection of known and analysed malware quite
"loose". The point of such "sloppy" deetction is that it will, by and
large, detect new and previosuly unseen malware variants while not
detecting non-malware programs.
All this leads to continual "heuristic" detections. Of course, in some
products these heuristic detections may not seem like such unless you
know what to look for. For example, NAI's (aka McAfee) detection
engine uses a lot of "generic" detection drivers. In effect these work
by being able to detect a large number of specific variants of a known
malware family (handy when different disinfection and system restore
information is necessary for different variants), but also have a
notion of a code profile (my term, for lack of a better one) for the
family in question. Many new variants are thus detected by the
"profile" rather than by information pertinent to a specific variant.
The engine may report many (or even all -- someone from NAI may wish to
step in and help me here...) of the detections from such a driver as
"<family_name>.gen" despite the fact the disinfection engine will know
the right thing to do for any specifically detected variants.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Powered by blists - more mailing lists