Antivirus Signatures vs Behavior Blocker (Heuristics)

Behavior Blocker or Signatures


Total voters: 37
May 26, 2014
There are 2 basic types of antivirus shields: antivirus signatures for well-known viruses, and behavior blockers (heuristics), which guess at malware from its traits and, well, behavior. Antiviruses normally rely on signatures for their main engine and for real-time protection, and on heuristics as extra security for scanning. The exceptions are Emsisoft, which uses signatures and behavior together for everything, and Webroot, which mostly uses behavior blockers. So... are behavior blockers better, or signatures? Please don't say "both"; I know both together are best, but I want individual answers!
 

BoraMurdar (Community Manager)
BOTH! :p

Kidding, and not. For an AV program to be fully functional nowadays, both must be present. If there were no signatures, the behavior blocker would be too intrusive and overloaded; also, without behavior analysis, signatures couldn't protect the user from some zero-day malware (not saying that they actually can every time).

But if both are present, behavior analysis is more important IMHO; it will protect you (or will try to) from unknown
 
illumination

Signatures are only good after the threat has been detected in the wild, which could be days/weeks/months after it was released. BBs are the way to go nowadays; a traditional signature antivirus just is not as effective.
 

Nico@FMA (Level 27)
The signatures strategy is obsolete now; it worked 10 years ago, but with all those crypters/packers/binders the signature model can't keep up the pace.

No m8, that's not correct; however, the role static signatures fulfill did change greatly.
Signatures used to be the authority for classing a file as good or bad; however, this has become obsolete, so signatures are now being used as a source for variants, file prediction, behavior and proactive techniques.
As I said before, in the old times your AV signatures knew every virus recorded at that time.
Now it only knows those few nasty ones, and for the rest it only knows file scores, behavior and proactive info.
So instead of remembering every piece of malware, it just remembers key types, so that your AV can use them as a benchmark in order to figure out which file is infected based upon scores and such.
 

BoraMurdar (Community Manager)
There are AVs where the "Behavior Blocker" is part of the AV component (like GData), and some where a kind of behavior blocker is not part of the AV component (Kaspersky Application Control) but is connected to and communicating with the AV in the same product.

But also, there are behavior blockers that are not connected to an AV at all.
 

Nico@FMA (Level 27)
Correct me if I'm wrong, but aren't heuristics different from behavioural?

As in similar, but a different kind.

Well, not exactly; let me try to explain.

BEHAVIORAL:
Behavioral detection methods within an antivirus program work like a police officer looking for odd behavior in a suspect. If you install an antivirus application that uses behavior detection and monitoring techniques, it watches your operating system, searching for suspicious events. For instance, if the antivirus program witnesses an attempt to change or modify a file or to communicate over the Web, it may take action and warn you of the threat. It may also block the threat, depending on how you adjust its security settings.

HEURISTIC:
Antivirus software that uses heuristics is similar to signature-based detection programs. It seeks to identify malware by examining the code in a virus program and analyzing the program's structure. A heuristic antivirus engine using this detection method might run a process that simulates actually running the code it's examining. When it does that, the antivirus engine seeks to identify additional code logic that may help it determine if the suspected virus is really a threat. So if a piece of code is 1000 characters long, heuristics looks at how far the code is identical to a known signature; if this percentage is like 30% good vs 70% bad, then the file is classed as a virus, but if the outcome is like 49% good vs 51% bad, then it classes it as suspicious.
Some known malware has parts within its source code that are identical to known legit files; remember that the actions done by malware are very much the same actions as legit programs make. The difference is the reason why.
So by comparing code and anticipating the holes within the scanned code, heuristic techniques can be very powerful.

CODE PATTERNS:
Because antivirus programs that use behavior detection look for suspicious behavior in a potential virus, they can identify threats that some heuristic antivirus programs may miss. Assume, for example, that a heuristic database contains a code pattern that consists of A-B-B-A. If a virus's creators modify their code so that the pattern changes to A-A-B-B, a heuristic antivirus app may not detect that modified version.
Also, you should keep in mind that a false positive occurs when an antivirus program informs you that a program is dangerous even though it is not. Malware detection using heuristic methods often increases the number of false positives. It can also take more time for heuristic antivirus programs to scan files than it does for programs that use behavior detection. Many modern antivirus programs use both heuristic and behavioral methods to protect computers from malware.

That being said, heuristics and behavioral techniques are pretty much the same; the difference is that heuristics can predict and class malware, whereas behavioral deals with files that have legit code but bad actions, to put it in layman's words.
And as such both need to work side by side in order to give an AV program its potency.

Especially the new generation of heuristics-based and behavioral-based engines, along with other new analysis techniques, will make an AV increasingly smarter, but as yet, with the exception of Symantec and Sophos, there is not a single AV company out there that uses next-gen technology within its mainstream packages.
And thus it's safe to say that next-gen technology, while it's being advertised, will really start producing results in late 2014 / early 2015.

Anyway, I hope this explains it.

Cheers
 

BoraMurdar (Community Manager)
What are entropy calculations?
One of the main trends in the modern anti-virus industry is the development of algorithms that help estimate the similarity of files. Since malware writers tend to use increasingly complex techniques to protect their code such as obfuscation and polymorphism, anti-virus software vendors face problems of the increasing difficulty of file scanning, the considerable growth of anti-virus databases, and file storages overgrowth.

It is based on the assumption that different samples (i.e., files) of the same malicious program have a similar order of code and data areas.
Each such file area may be characterized not only by its length (i.e., the number of bytes), but also by its homogeneity (i.e., the distinctness of its bytes). In other words, the file may be characterized by the complexity of its data order. To indicate this characteristic of a file, there is the concept of structural entropy.
The first stage includes using wavelet analysis for the segmentation of files into segments of different entropy levels. In the second stage, we use edit distance between sequence segments to determine the similarity of the files.

  • A description of an algorithm for the segmentation of files into segments that are characterized by length and average entropy.
  • A review of the sequence alignment technique to compare files represented by sequences of segments.
 
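The two-stage scheme described in the post above (segment a file by entropy, then align the segment sequences), as an added example that is not code from the thread or from any vendor. It makes simplifying assumptions of its own: a fixed 128-byte window stands in for wavelet segmentation, each window's entropy is quantised to whole bits to form a "level", and the segment sequences are compared with a plain Levenshtein edit distance over levels. The sample "files" are constructed byte strings, not real binaries.

```python
"""Structural-entropy similarity between files (added example, assumptions noted
in comments; not the thread's or any vendor's code)."""
import math
from typing import List, Tuple

WINDOW = 128                   # assumption: fixed window instead of wavelet analysis
Segment = Tuple[int, int]      # (length in bytes, entropy level 0..7)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def segment_by_entropy(data: bytes, window: int = WINDOW) -> List[Segment]:
    """Stage 1: cut `data` into windows, quantise each window's entropy to an
    integer level and merge runs of neighbouring windows with the same level.
    The result is the file's "structure", e.g. [(512, 2), (1024, 7), (256, 0)]
    for repetitive code, then a packed/encrypted blob, then zero padding."""
    segments: List[Segment] = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        level = min(7, int(shannon_entropy(chunk)))
        if segments and segments[-1][1] == level:
            segments[-1] = (segments[-1][0] + len(chunk), level)
        else:
            segments.append((len(chunk), level))
    return segments


def segment_distance(a: List[Segment], b: List[Segment]) -> int:
    """Stage 2: edit distance between two segment sequences, comparing levels
    only, so a variant that grows or shrinks a region (more padding, a longer
    payload) still aligns with the original."""
    prev = list(range(len(b) + 1))
    for i, (_, la) in enumerate(a, 1):
        cur = [i]
        for j, (_, lb) in enumerate(b, 1):
            subst = prev[j - 1] + (0 if la == lb else 1)
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, subst))
        prev = cur
    return prev[-1]


def similarity(x: bytes, y: bytes) -> float:
    """1.0 for identical structure, 0.0 for nothing in common."""
    sx, sy = segment_by_entropy(x), segment_by_entropy(y)
    return 1.0 - segment_distance(sx, sy) / max(len(sx), len(sy), 1)


# Constructed samples (not real binaries); regions are whole windows so the
# expected structure is easy to follow.
CODE_A = (b"\x48\x89\xe5\x48\x83\xec\x10" * 74)[:512]   # repetitive "code", ~2.5 bits
CODE_B = b"\x55\x48\x89\xe5\x5d\xc3\x90\x90" * 64       # different bytes, same level
TABLE = bytes(range(16)) * 32                            # 16 symbols: exactly 4 bits
PACKED = bytes(range(256)) * 4                           # 128 distinct bytes per window: 7 bits
ZEROS = b"\x00" * 256                                    # padding: 0 bits

ORIGINAL = CODE_A + PACKED + ZEROS            # structure: levels [2, 7, 0]
VARIANT = CODE_B + TABLE + PACKED + ZEROS     # same family, one region inserted: [2, 4, 7, 0]
UNRELATED = ZEROS + PACKED                    # structure: [0, 7]

if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("variant", VARIANT), ("unrelated", UNRELATED)):
        print(f"{name:9} {segment_by_entropy(blob)}")
    print("original~variant  ", similarity(ORIGINAL, VARIANT))
    print("original~unrelated", similarity(ORIGINAL, UNRELATED))
```

Note what the comparison ignores on purpose: the variant's code bytes differ entirely from the original's and a whole region was inserted, yet the two still score 0.75 because their entropy profiles line up, while a file with a different profile scores far lower. That is the property the post is after: a match on the order of code and data areas rather than on exact bytes.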

Cowpipe (New Member)
I vote signatures, but not in the sense most people will be thinking of ("file hashes" etc.), but rather signatures as in rule and pattern matching (what may be deemed heuristic signatures).

My reasoning is that these kinds of 'signatures' can greatly improve the efficiency of scanners by selecting only a subset of 'suspicious files' which need the more memory-intensive behavioural analysis etc.
 
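Rule-and-pattern "signatures" used as a triage filter, as Cowpipe describes, together with the A-B-B-A versus A-A-B-B reshuffle from the earlier post, as an added example that is not code from the thread or from any product. The rule names, weights, thresholds and sample "files" are all constructed for illustration; "[A]" and "[B]" stand in for the code blocks of the A-B-B-A example, and the hex pattern is a made-up byte sequence, not a real detection.

```python
"""Heuristic signatures as a pre-filter (added example; rules, weights,
thresholds and samples are constructed, not from the thread or any vendor)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Matcher = Callable[[bytes], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    weight: int        # evidence strength; the thresholds below are illustrative
    matches: Matcher


def ordered(seq: bytes) -> Matcher:
    """Plain ordered byte signature: `seq` must occur contiguously."""
    return lambda data: seq in data


def wildcard(hex_pattern: str) -> Matcher:
    """Hex signature with `??` single-byte wildcards (YARA-style), so an
    immediate or address that differs between variants does not break the match."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_pattern.split()]
    rx = re.compile(b"".join(parts), re.DOTALL)
    return lambda data: rx.search(data) is not None


def unordered(*tokens: bytes) -> Matcher:
    """All tokens present in any order. Survives the A-B-B-A -> A-A-B-B reshuffle
    that defeats an ordered pattern, at the price of being weaker evidence."""
    return lambda data: all(tok in data for tok in tokens)


# Constructed rules (hypothetical names and weights).
RULES: List[Rule] = [
    Rule("seq_ABBA", 50, ordered(b"[A][B][B][A]")),
    Rule("anyorder_AB", 20, unordered(b"[A]", b"[B]")),
    Rule("call_imm_push0", 20, wildcard("6A 00 E8 ?? ?? ?? ?? 6A 00")),
]
SUSPICIOUS_AT = 30   # hand off to behavioural analysis
MALICIOUS_AT = 70    # rules alone are conclusive


def score(data: bytes, rules: List[Rule] = RULES) -> Tuple[int, List[str]]:
    """Total weight of all matching rules plus the names that fired."""
    hits = [r for r in rules if r.matches(data)]
    return sum(r.weight for r in hits), [r.name for r in hits]


def verdict(total: int) -> str:
    if total >= MALICIOUS_AT:
        return "malicious"
    if total >= SUSPICIOUS_AT:
        return "suspicious"
    return "clean"


def triage(files: Dict[str, bytes], rules: List[Rule] = RULES) -> Dict[str, Tuple[str, int, List[str]]]:
    """Cheap pass over every file: verdict, score and the rules that matched."""
    results = {}
    for name, data in files.items():
        total, hits = score(data, rules)
        results[name] = (verdict(total), total, hits)
    return results


def needs_behavioral_analysis(results: Dict[str, Tuple[str, int, List[str]]]) -> List[str]:
    """The subset handed to the expensive stage: files the rules could not settle."""
    return [name for name, (v, _, _) in results.items() if v == "suspicious"]


# Constructed sample "files" (not real malware).
SAMPLES: Dict[str, bytes] = {
    "known_variant.bin":     b"MZ\x90\x00[A][B][B][A]\x6a\x00\xe8\x10\x20\x30\x40\x6a\x00",
    "reordered_variant.bin": b"MZ\x90\x00[A][A][B][B]\x6a\x00\xe8\x11\x22\x33\x44\x6a\x00",
    "notes.txt":             b"meeting notes: see [B] first, then [A]",
    "hello.txt":             b"hello, world [A]",
}

if __name__ == "__main__":
    results = triage(SAMPLES)
    for name, (v, total, hits) in results.items():
        print(f"{name:24} {v:10} score={total:3} hits={hits}")
    print("to behavioural analysis:", needs_behavioral_analysis(results))
```

The reordered variant is the interesting case: the ordered A-B-B-A signature no longer fires, the order-insensitive and wildcard rules still do, and the resulting middle-band score is exactly what routes the file to behavioural analysis instead of either waving it through or blocking it on pattern evidence alone. The text file that merely contains both tokens stays below the threshold, which is the point of weighting a set-based rule lower than an ordered one.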