Educause Security Discussion mailing list archives

Re: Just a question about the state of antivirus technology

From: Herrera Reyna Omar <omar_herrera () BANXICO ORG MX>
Date: Sat, 9 Oct 2004 17:40:38 -0500

The term heuristics is confusing. It refers to an "innovative" method
for searching or discovering patterns. You could argue that binary
string pattern matching could be also classified as a heuristic method
by definition, but in the context of antiviral tools we have:

a) Traditional binary pattern matching
b) Everything else (which most call heuristics).

Of course, there are several heuristic methods and even more
implementations so that heuristic methods differ, depending on the
antivirus brand you use.

Some heuristic methods could be:
* Pre-execution disassembly
* Sandboxing
* Behavioral pattern matching
* Certain types of hashing

Some polymorphic viruses can't be detected by traditional binary string
matching, so, you NEED to use a heuristic method here. Another problem
is that you won't know what your AV vendor is calling heuristic. Even if
there is a button to turn off heuristics in a console, the AV will still
use some form of heuristics to detect viruses, it's just that you won't
know exactly what is being turned off and what remains.

However, whatever an AV vendor classifies as heuristic within their
program for which there is a disable option are usually methods that
the same AV vendor recognizes as "unreliable" (to some degree).

You also won't be able to eliminate false positives (even with binary
string matching), therefore the only way to be sure is to create a lab
and test it with whatever software you get your hands on and compare the
results with heuristics turned off.

That might not be good enough still to clarify how much the false
positive rate increases with heuristics for a particular product, and
also how much you will benefit from it. Supposedly, most heuristic options
should be able to detect new viruses based on old ones (therefore the
signatures are somewhat general), but we know that experienced virus
programmers test their creations for matches against many AV programs
before they are released (with heuristics turned on, of course), so
there is little use for heuristics from this point of view. If
heuristics were really that successful, AV vendors wouldn't need to
release so many updates for big virus families such as Beagle and Mydoom
(take a look at your AV vendor web site to give you an idea).

Last, for an open organization such as a university, with a lot of
diverse software, hardware, operating systems and configurations, my
recommendation is to leave it off.

Sorry if I added to your confusion rather than helping you, but with
such vague and ambiguous terms as "heuristics" and "IPS" in
information security, there is no way to avoid philosophical discussions
of some kind :-).

Best regards,
Omar Herrera

-----Original Message-----
From: Barbara Griffith [mailto:Barbara.Griffith () COLORADO EDU]

I'm confused about the heuristic setting in various antivirus products.
We used to set it high, and never had any complaints. But now I'm
hearing from some experts that heuristic technology is no longer
considered to be very effective, and may cause a performance hit. I went
online and got even more confused. Many sites still mention and even
recommend it.
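Omar's contrast above between exact binary-string matching and generalised heuristics, together with the lab comparison he recommends, as an added example that is not part of the original thread: a toy signature matcher and a toy heuristic (stub-pattern decoding plus behavioural tokens, both assumed for illustration) run over a constructed corpus, reporting detection and false-positive rates for each. The stub bytes, body, token list and corpus are all constructed and model no real product or malware family.

```python
# Constructed toy samples, not real malware: a toy "decoder stub" (constant bytes
# plus a per-variant key byte) precedes one body XOR-encoded with that key, so
# variants of the family share no long byte string with each other.
STUB = b"\xdc\x0d"  # assumed stub bytes; the byte that follows is the key
BODY = b"toy body: copy self to startup folder and send mail"
BEHAVIOUR_TOKENS = (b"copy self", b"startup folder", b"send mail")

def xor(data, key):
    return bytes(b ^ key for b in data)

def make_variant(key):
    return STUB + bytes([key]) + xor(BODY, key)

def signature_detect(sample, signature):
    return signature in sample  # traditional detection: exact binary string match

def heuristic_detect(sample):
    """Generalised detection: if a stub-shaped pattern is present, decode the
    rest with the key byte after it (a crude stand-in for pre-execution
    emulation), then flag any view carrying two or more behavioural tokens."""
    views = [sample]
    idx = sample.find(STUB)
    if idx != -1 and idx + len(STUB) < len(sample):
        key = sample[idx + len(STUB)]
        views.append(xor(sample[idx + len(STUB) + 1:], key))
    return any(sum(t in v for t in BEHAVIOUR_TOKENS) >= 2 for v in views)

def evaluate(corpus):
    """Detection rate and false-positive rate per method over (sample, is_bad)
    pairs: the numbers a lab comparison with heuristics on/off would produce."""
    known = make_variant(0x41)  # the one variant the "vendor" has a signature for
    detectors = {"signature": lambda s: signature_detect(s, known),
                 "heuristic": heuristic_detect}
    bad = [s for s, flag in corpus if flag]
    good = [s for s, flag in corpus if not flag]
    return {name: {"detection_rate": sum(map(d, bad)) / len(bad),
                   "false_positive_rate": sum(map(d, good)) / len(good)}
            for name, d in detectors.items()}

CORPUS = [  # constructed: three variants of one family, three clean files
    (make_variant(0x41), True),   # the known variant
    (make_variant(0x42), True),   # new variant, different key
    (make_variant(0x7F), True),   # another new variant
    (b"README: this tool installs a shortcut. It does not send mail.", False),
    (b"backup.bat: copy self to startup folder so the backup runs at logon", False),
    (b"hello world", False),
]
```

Running `evaluate(CORPUS)` shows the trade-off the post describes: the signature catches only the variant it was written for with no false positives, while the heuristic catches every variant but also flags the legitimate backup script.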
