Antivirus Signatures vs Behavior Blocker (Heuristics)

Behavior Blocker or Signatures
Total voters: 37
WinXPert

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Jan 9, 2013
1,457
You mean like a fragment of code that is consistent to a specific malware writer on a family of strains?
 

Nico@FMA

Level 27
Verified
May 11, 2013
1,687
No, it isn't.
Correct. Heuristic detection techniques might appear to be the same as behavioral detection techniques, and while they both find their origin within the same context, they are both additions to their own flaws and strengths, so to speak; one is made to enhance the other.
Because both techniques are powerful but also far from perfect, combining both will enhance each ability and eliminate most of the flaws of both.
 

BoraMurdar

Community Manager
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
You mean like a fragment of code that is consistent to a specific malware writer on a family of strains?
Like I said, there are two stages: file segmentation and sequence comparison.
Any file can be characterised by properties of the data it contains. For instance, one may consider how well-ordered the data are or how much space the data occupy.

The main purpose of the suggested segmentation algorithm is splitting the file into segments that are characterised by size and entropy.

This has a number of advantages that help detect malicious programs efficiently on personal computers. First, this comparison does not take into account the functionality of the analysed files and is based solely on determining the similarity in code and data area positions. Therefore, the algorithm is effective against many ways of protecting executable code. On the other hand, such a comparison may result in false alarms. The solution is useful as a preliminary test that triggers the running of additional checks. Second, the method is relatively easy to implement and does not require code disassembly or emulation. And, third, the malicious file record is compact, which is significant when compiling anti-virus databases.
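The two-stage scheme described in the post (entropy-based segmentation of a file into a compact record, then sequence comparison of two records) as an added Python example; this is not code from the post or from any vendor's engine. The window size, the entropy thresholds, the three-class labelling and the sample "executables" are all constructed assumptions chosen for illustration, not values from the page.

```python
import math
import random
from difflib import SequenceMatcher

WINDOW = 256           # bytes per entropy window (assumption for this example)
LOW, HIGH = 1.5, 6.0   # bits/byte thresholds separating the L / M / H classes (assumed)


def shannon_entropy(chunk):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(entropy):
    """Coarse entropy class: L (padding/zeros), M (typical code or text), H (packed/encrypted)."""
    if entropy < LOW:
        return "L"
    if entropy > HIGH:
        return "H"
    return "M"


def segment_file(data):
    """Stage 1, segmentation: walk the file in fixed windows and merge adjacent
    windows of the same entropy class into one segment. The returned list of
    (class, size) pairs is the compact per-file record that would be stored."""
    record = []
    for off in range(0, len(data), WINDOW):
        chunk = data[off:off + WINDOW]
        cls = classify(shannon_entropy(chunk))
        if record and record[-1][0] == cls:
            record[-1] = (cls, record[-1][1] + len(chunk))
        else:
            record.append((cls, len(chunk)))
    return record


def record_to_sequence(record):
    """Expand a record to one letter per window, so that segment sizes as well
    as their order take part in the comparison."""
    return "".join(cls * math.ceil(size / WINDOW) for cls, size in record)


def similarity(record_a, record_b):
    """Stage 2, sequence comparison: 1.0 means identical layout, 0.0 nothing in
    common. No disassembly or emulation is involved, only the entropy layout."""
    return SequenceMatcher(None, record_to_sequence(record_a),
                           record_to_sequence(record_b)).ratio()


def build_sample(header, code, packed, trailer=0, seed=1):
    """Constructed stand-in for an executable (not a real PE/ELF): zero-filled
    header (low entropy), a 'code' section cycling through 16 byte values
    (entropy exactly 4 bits/byte per window), a seeded-random 'packed' section
    (high entropy) and an optional zero-filled trailer."""
    rng = random.Random(seed)
    code_bytes = (bytes(range(16)) * (code // 16 + 1))[:code]
    packed_bytes = bytes(rng.randrange(256) for _ in range(packed))
    return bytes(header) + code_bytes + packed_bytes + bytes(trailer)


# Constructed inputs: A and B share a layout (B's code section merely grew);
# C has a different layout (no packed section, a zero-filled trailer instead).
SAMPLE_A = build_sample(header=1024, code=1024, packed=1024)
SAMPLE_B = build_sample(header=1024, code=1536, packed=1024)
SAMPLE_C = build_sample(header=256, code=2048, packed=0, trailer=768)


def compare_samples():
    """Similarity of A against B and against C. Note that each record is only
    three tuples even though the files are several KB."""
    rec_a, rec_b, rec_c = (segment_file(s) for s in (SAMPLE_A, SAMPLE_B, SAMPLE_C))
    return similarity(rec_a, rec_b), similarity(rec_a, rec_c)


if __name__ == "__main__":
    print("record A:", segment_file(SAMPLE_A))
    ab, ac = compare_samples()
    print(f"A vs B (same layout): {ab:.3f}   A vs C (different layout): {ac:.3f}")
```

The comparison looks only at where low-, medium- and high-entropy regions sit and how large they are, which is why it is indifferent to what the code does and why it can raise false alarms: two unrelated files with the same section layout score high. Treating a high score as a trigger for deeper checks rather than as a verdict is the caveat the post itself states.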
 

Nico@FMA

Level 27
Verified
May 11, 2013
1,687
Like I said, there are two stages: file segmentation and sequence comparison.
Any file can be characterised by properties of the data it contains. For instance, one may consider how well-ordered the data are or how much space the data occupy.

The main purpose of the suggested segmentation algorithm is splitting the file into segments that are characterised by size and entropy.

This has a number of advantages that help detect malicious programs efficiently on personal computers. First, this comparison does not take into account the functionality of the analysed files and is based solely on determining the similarity in code and data area positions. Therefore, the algorithm is effective against many ways of protecting executable code. On the other hand, such a comparison may result in false alarms. The solution is useful as a preliminary test that triggers the running of additional checks. Second, the method is relatively easy to implement and does not require code disassembly or emulation. And, third, the malicious file record is compact, which is significant when compiling anti-virus databases.

While it is 100% true what you are saying, there is one aspect I would like to point out: while segmentation- and sequence-based techniques do have their obvious benefits, they are for a large part included within heuristic and behavioral techniques.
After all, heuristics is for a large part based upon comparison, anticipation and prediction, while behavioral is looking at actual actions and such.
 

BoraMurdar

Community Manager
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
No, it isn't.
Well, it is :p

You can barely find a pure heuristic scanning engine nowadays that will determine malicious code only by its own scanning component.
Again, behavior blockers started at the step where heuristics are limited, first introduced by Norton SONAR and ESET ThreatSense Technology.

Pure heuristics uses the "behavior/DNA of the files to determine malicious code", and a pure behavior blocker uses the remembered pattern of what the file did, can do, and probably will do.
Most behavior blockers consult signatures and heuristics first to determine if the file is safe. Then it does what it does.

An AV engine uses 4 main scanning/detecting technologies: by signatures, by heuristics, by virtualization/sandbox and by cloud.
By that, virtualization + heuristics inside of it can be called a Behavior Blocker.

Other kinds of protection are Proactive Controls (which are probably misunderstood between me and you), and they are HIPS / Program Control / System Guards and others.
You and/or I probably mixed up Behavior Blocker (inside heuristics) and Behavior Control (which is proactive protection that may or may not be a part of an AV).
 

Anupam

Level 21
Verified
Well-known
Jul 7, 2014
1,017
The number of viruses every day is growing very fast. :eek: Signatures alone are not enough to fight against this :oops:. So I will vote for behavior blocker :D. But that does not mean that I am against signatures o_O. Basically my vote is for both together. :cool:
 

Nikos751

Level 20
Verified
Malware Tester
Feb 1, 2013
969
Especially the new generation of heuristics-based and behavioral-based engines and other new analysing techniques will make an AV increasingly smarter, but yet, with the exception of Symantec and Sophos, there is not a single AV company out there that uses next-gen technology within their mainstream packages.
And thus it's safe to say that next-gen technology, while it's being advertised, really will start making results in late 2014 / beginning of 2015.

Anyway, I hope this explains.

Cheers
Really, Symantec and Sophos are the only ones that employ such next-gen technology? E.g. Kaspersky is not such a case?
 
Reactions: Anupam

Nico@FMA

Level 27
Verified
May 11, 2013
1,687
Really, Symantec and Sophos are the only ones that employ such next-gen technology? E.g. Kaspersky is not such a case?

No, that's not what I was saying: Symantec and Sophos are the only ones now that have added the technology to their industry packages as a standard.
Other brands like Kaspersky have similar modules, but most of them are not yet mature enough to make a real difference yet, while they have been released much earlier than Symantec and Sophos did.
So give it a few months before the real results of those brands become notable in tests and other benchmark reports.
 
Reactions: XhenEd and Nikos751

Kate_L

in memoriam
Verified
Top Poster
Well-known
Jun 21, 2014
1,044
Heuristics now go hand in hand with generic signatures; behavioral-based engines are used in cloud security for easy detection of "suspicious files" (see Panda Cloud, Norton Insight ...).

Heuristics + generic signatures = Kaspersky, ESET, .... = good detection.

Panda Cloud Free = process monitor + behavioral + generic signatures = good detection (on execution, not on scan, because the files are checked by the "CLOUD", and by behavioral, in this case the process monitor and behavior blocker).
 

Nikos751

Level 20
Verified
Malware Tester
Feb 1, 2013
969
No, that's not what I was saying: Symantec and Sophos are the only ones now that have added the technology to their industry packages as a standard.
Other brands like Kaspersky have similar modules, but most of them are not yet mature enough to make a real difference yet, while they have been released much earlier than Symantec and Sophos did.
So give it a few months before the real results of those brands become notable in tests and other benchmark reports.
I got it.
Norton 2015 is very good, by the way; I did some testing yesterday and I was impressed.
 
Reactions: Nico@FMA

OlegKucherov

New Member
Jul 4, 2014
3
No no, signatures are not a good solution.

This is the original EICAR:
https://www.virustotal.com/ru/file/...9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/

Compiled with fasm:
org 0x100        ; DOS .COM files load at offset 0x100
db "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

This is the modified EICAR:

org 0x100        ; DOS .COM files load at offset 0x100
push ax          ; two one-byte instructions placed before the string,
pop ax           ; so the string now starts two bytes further into the file
db "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

https://www.virustotal.com/ru/file/...475bfdcd096d59f5a5d37ae9/analysis/1405003947/

The signature inside the code is not modified, but the result is not very good for AVP.

Sorry for my bad English.
 
Reactions: Nikos751 and Jack
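The two listings above carry the same EICAR bytes at different offsets. The following added Python example (not code from the post, and not any vendor's engine) rebuilds both file images in memory from the listings, including the two-byte encoding of push ax / pop ax, and runs three constructed signature styles over them: a whole-file hash, a byte pattern bound to a fixed offset, and an offset-independent byte pattern. The 24-byte pattern slice and the three style names are assumptions for illustration.

```python
import hashlib

# The public EICAR test string (68 bytes). The "db" line in the listings emits exactly these bytes.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed in-memory images of the two COM files from the post. The original is the
# bare string; the modified one is preceded by the 16-bit encoding of "push ax" / "pop ax"
# (0x50 0x58), so every EICAR byte moves two positions to the right.
ORIGINAL_COM = EICAR
MODIFIED_COM = b"\x50\x58" + EICAR

# Signature data a database might hold, derived from the original file only.
KNOWN_SHA256 = hashlib.sha256(ORIGINAL_COM).hexdigest()
PATTERN = EICAR[:24]   # a 24-byte slice standing in for a vendor's byte pattern (assumption)


def sig_full_hash(data, known_hash=KNOWN_SHA256):
    """Style 1: whole-file hash. Exact and essentially false-positive free, but any
    changed, added or removed byte anywhere in the file produces a different hash."""
    return hashlib.sha256(data).hexdigest() == known_hash


def sig_fixed_offset(data, pattern=PATTERN, offset=0):
    """Style 2: byte pattern expected at a fixed offset (here: file start).
    Cheap to check, but any shift of the code breaks it."""
    return data[offset:offset + len(pattern)] == pattern


def sig_floating(data, pattern=PATTERN):
    """Style 3: byte pattern accepted at any offset. Survives prepended or
    inserted bytes, at the cost of a linear scan of the file."""
    return pattern in data


def evaluate(data):
    """Run all three signature styles over one file image and report each verdict."""
    return {
        "full_hash": sig_full_hash(data),
        "fixed_offset": sig_fixed_offset(data),
        "floating": sig_floating(data),
    }


if __name__ == "__main__":
    for name, image in (("original", ORIGINAL_COM), ("modified", MODIFIED_COM)):
        print(f"{name:9s} ({len(image)} bytes):", evaluate(image))
```

Only the floating pattern matches both images; the hash and the fixed-offset pattern see the modified file as unknown. One caveat specific to this test file: the EICAR standard only asks an engine to recognise the string when it starts the file, so an engine that ignores the prefixed variant is within spec for EICAR itself. The general point stands for real malware, which is why production engines pair hashes with floating byte patterns, wildcards and heuristics rather than relying on exact matches alone.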

Nikos751

Level 20
Verified
Malware Tester
Feb 1, 2013
969
No no, signatures are not a good solution.

This is the original EICAR:
https://www.virustotal.com/ru/file/...9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/

Compiled with fasm:
org 0x100        ; DOS .COM files load at offset 0x100
db "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

This is the modified EICAR:

org 0x100        ; DOS .COM files load at offset 0x100
push ax          ; two one-byte instructions placed before the string,
pop ax           ; so the string now starts two bytes further into the file
db "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

https://www.virustotal.com/ru/file/...475bfdcd096d59f5a5d37ae9/analysis/1405003947/

The signature inside the code is not modified, but the result is not very good for AVP.

Sorry for my bad English.
Nice result for Panda, Trend Micro & 360. (There are some others too, but they are no big players.)
 

phyniks

Level 7
Verified
Well-known
Nov 17, 2013
300
Of course they are both important... the question is: which one is more?
In my opinion, signatures.
 

Littlebits

Retired Staff
May 3, 2011
3,893
Of course they are both important... the question is: which one is more?
In my opinion, signatures.
I will have to agree that signatures are more important, just for the simple reason that they are much less likely to flag false positives.
Heuristics (behavior blocker) can detect many safe files or actions because of their behavior, even though they are not malicious.
Such as blocking Windows Updates or component features, blocking safe programs or even corrupting Windows by removing important system files (all of the above has affected most AV vendors). False positive detections can cause more problems than an actual infection.


Enjoy!! :D
 

Behold Eck

Level 15
Verified
Top Poster
Well-known
Jun 22, 2014
717
I will have to agree that signatures are more important, just for the simple reason that they are much less likely to flag false positives.
Heuristics (behavior blocker) can detect many safe files or actions because of their behavior, even though they are not malicious.
Such as blocking Windows Updates or component features, blocking safe programs or even corrupting Windows by removing important system files (all of the above has affected most AV vendors). False positive detections can cause more problems than an actual infection.


Enjoy!! :D

I would say that a missed virus signature is far more devastating than a simple heuristic false positive, so I'll go for the behavior blocker.

Regards Eck :)
 
Reactions: XhenEd

Littlebits

Retired Staff
May 3, 2011
3,893
I would say that a missed virus signature is far more devastating than a simple heuristic false positive, so I'll go for the behavior blocker.

Regards Eck :)

Problems caused by false positives
A "false positive" is when antivirus software identifies a non-malicious file as a virus. When this happens, it can cause serious problems. For example, if an antivirus program is configured to immediately delete or quarantine infected files, as is common on Microsoft Windows antivirus applications, a false positive in an essential file can render the Windows operating system or some applications unusable.[32] Recovering from such damage to critical software infrastructure incurs technical support costs and businesses can be forced to close whilst remedial action is undertaken.[33][34] For example, in May 2007 a faulty virus signature issued by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable to boot.[35]

Also in May 2007, the executable file required by Pegasus Mail on Windows was falsely detected by Norton AntiVirus as being a Trojan and it was automatically removed, preventing Pegasus Mail from running. Norton AntiVirus had falsely identified three releases of Pegasus Mail as malware, and would delete the Pegasus Mail installer file when that happened.[36] In response to this Pegasus Mail stated:

"On the basis that Norton/Symantec has done this for every one of the last three releases of Pegasus Mail, we can only condemn this product as too flawed to use, and recommend in the strongest terms that our users cease using it in favour of alternative, less buggy anti-virus packages."[36]

In April 2010, McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all network access.[37][38]

In December 2010, a faulty update on the AVG anti-virus suite damaged 64-bit versions of Windows 7, rendering it unable to boot, due to an endless boot loop created.[39]

In October 2011, Microsoft Security Essentials (MSE) removed the Google Chrome web browser, rival to Microsoft's own Internet Explorer. MSE flagged Chrome as a Zbot banking trojan.[40]

In September 2012, Sophos' anti-virus suite identified various update mechanisms, including its own, as malware. If it was configured to automatically delete detected files, Sophos Antivirus could render itself unable to update, requiring manual intervention to fix the problem.[41][42]

http://en.wikipedia.org/wiki/Antivirus_software

And this doesn't even include the more recent problems caused by false positive detections.

Google- https://www.google.com/?gws_rd=ssl#q=false+positive+corrupts+windows&start=0

Enjoy!! :D
 
Reactions: XhenEd

Behold Eck

Level 15
Verified
Top Poster
Well-known
Jun 22, 2014
717
Signature-based detection
Traditionally, antivirus software heavily relied upon signatures to identify malware. This can be very effective, but cannot defend against malware unless samples have already been obtained and signatures created. Because of this, signature-based approaches are not effective against new, unknown viruses.

I'd rather restore from quarantine than acquire a "new, unknown virus," providing of course it wasn't a critical system file, but I see what you mean.

Either way, a good clean system image, just in case, seems to be the order of the day.

Regards Eck :)
 
