Full Disclosure
mailing list archives
Re: Show me the Virrii! (heuristics)
From: S G Masood <sgmasood () yahoo com>
Date: Mon, 5 Jan 2004 04:17:17 -0800 (PST)
Hi Alex,

Good points.

To add an example, Swen was detected automatically as "W32.Automat.AHB" by Norton AV before its signatures were added. When Norton AV detects a new virus based on heuristics, it usually identifies it as "W32.Automat.*", with "Automat" probably standing for "Automatically Detected".

Regards,
--
S.G.Masood
--- starlabs <ashipp () messagelabs com> wrote:

Does anyone have reliable reports of an antivirus system firing off on a heuristic? I'm not aware of ever having seen one; always seems to be a signature.

As part of my job I regularly evaluate antivirus products. I have seen plenty of heuristic detections; all the engines have different heuristic capabilities, so some detect more new malware than others, and of course some also have more false positives than others.

Your experience might be because you are using a poor heuristic engine, or because by the time you get a sample of a real new virus, your vendor has released a signature anyway, even if they detected it heuristically anyway.

My findings indicate that the state of the art is that most new malware can be detected heuristically these days.

Regards,
Alex
_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.netsys.com/full-disclosure-charter.html