Educause Security Discussion mailing list archives
Re: Just a question about the state of antivirus technology
From: Herrera Reyna Omar <omar_herrera () BANXICO ORG MX>
Date: Sat, 9 Oct 2004 17:40:38 -0500
The term heuristics is confusing. It refers to an "innovative" method for searching or discovering patterns. You could argue that binary string pattern matching could also be classified as a heuristic method by definition, but in the context of antiviral tools we have:

a) Traditional binary pattern matching
b) Everything else (which most call heuristics)

Of course, there are several heuristic methods and even more implementations, so heuristic methods differ depending on the antivirus brand you use. Some heuristic methods could be:

* Pre-execution disassembly
* Sandboxing
* Behavioral pattern matching
* Certain types of hashing

Some polymorphic viruses can't be detected by traditional binary string matching, so you NEED to use a heuristic method here.

Another problem is that you won't know what your AV vendor is calling heuristic. Even if there is a button to turn off heuristics in a console, the AV will still use some form of heuristics to detect viruses; it's just that you won't know exactly what is being turned off and what remains. However, whatever an AV vendor classifies as heuristic within their program, for which there is a disable option, are usually methods that the same AV vendor recognizes as "unreliable" (to some degree).

You also won't be able to eliminate false positives (even with binary string matching); therefore the only way to be sure is to create a lab and test it with whatever software you get your hands on, and compare the results with heuristics turned off. That might still not be good enough to clarify how much the false positive rate increases with heuristics for a particular product, and also how much you will benefit from it.
Supposedly, most heuristic options should be able to detect new viruses based on old ones (therefore the signatures are somewhat general), but we know that experienced virus programmers test their creations for matches against many AV programs before they are released (with heuristics turned on, of course), so there is little use for heuristics from this point of view. If heuristics were really that successful, AV vendors wouldn't need to release so many updates for big virus families such as Beagle and Mydoom (take a look at your AV vendor's web site to give you an idea).

Last, for an open organization such as a university, with a lot of diverse software, hardware, operating systems and configurations, my recommendation is to leave it off.

Sorry if I added to your confusion rather than helping you, but with such vague and ambiguous terms as "heuristics" and "IPS" in information security, there is no way to avoid philosophical discussions of some kind :-).

Best regards,

Omar Herrera

-----Original Message-----
From: Barbara Griffith [mailto:Barbara.Griffith () COLORADO EDU]

I'm confused about the heuristic setting in various antivirus products. We used to set it high, and never had any complaints. But now I'm hearing from some experts that heuristic technology is no longer considered to be very effective, and may cause a performance hit. I went online and got even more confused. Many sites still mention and even recommend it.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
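The three points the reply makes (a polymorphic body defeats plain binary string matching, a pre-execution/sandboxing heuristic still catches it, and a looser generic heuristic buys detection of unseen variants at the price of false positives) can be seen side by side in a toy model. The following is an added example, not part of the thread and not any vendor's code. PAYLOAD, SIGNATURE, STUB_MARKER, the one-byte XOR "decryptor stub" and the benign packed installer are all constructed here purely for illustration; real polymorphic engines and AV emulators are far more involved.

```python
import os
from typing import Dict, Optional

# Constructed stand-in for a virus body (plain text so the effect is visible).
PAYLOAD = b"EVIL: write to boot sector; mail self to contacts"

# Byte signature a vendor would extract from a cleartext copy of that body.
SIGNATURE = b"mail self to contacts"

# Constructed marker for the hypothetical self-decoding stub each variant carries.
STUB_MARKER = b"\x90STUB"


def polymorphic_variant(payload: bytes, key: Optional[int] = None) -> bytes:
    """Produce one variant: STUB_MARKER + 1-byte key + XOR-encoded body.

    A fresh random key per variant changes every body byte while leaving the
    behaviour after decoding identical, which is the property that defeats a
    fixed byte signature.
    """
    if key is None:
        key = os.urandom(1)[0] or 1     # key 0 would leave the body in clear
    encoded = bytes(b ^ key for b in payload)
    return STUB_MARKER + bytes([key]) + encoded


def signature_scan(sample: bytes) -> bool:
    """Traditional binary string matching: fires only on a verbatim SIGNATURE."""
    return SIGNATURE in sample


def emulate_and_scan(sample: bytes) -> bool:
    """Heuristic A (pre-execution emulation / sandboxing): recognise the stub,
    perform its decoding step in a sandbox, then apply the signature to the
    decoded body. Samples without a stub fall back to a plain signature scan."""
    if not sample.startswith(STUB_MARKER) or len(sample) <= len(STUB_MARKER):
        return signature_scan(sample)
    key = sample[len(STUB_MARKER)]
    decoded = bytes(b ^ key for b in sample[len(STUB_MARKER) + 1:])
    return signature_scan(decoded)


def stub_heuristic(sample: bytes) -> bool:
    """Heuristic B (generic structural rule): flag anything that carries a
    self-decoding stub, whatever it decodes to. Catches unseen variants of the
    family but also legitimately packed software, i.e. a false positive source."""
    return sample.startswith(STUB_MARKER)


# Constructed benign sample packed with the same kind of stub (e.g. an installer).
BENIGN_PACKED = polymorphic_variant(
    b"Hello installer: copies files to Program Files", key=0x2A)


def run_comparison(key: Optional[int] = None) -> Dict[str, Dict[str, bool]]:
    """Run all three detectors over a cleartext virus, a polymorphic variant of
    it (random key unless one is given) and the benign packed sample."""
    samples = {
        "cleartext_virus": PAYLOAD,
        "polymorphic_virus": polymorphic_variant(PAYLOAD, key),
        "benign_packed": BENIGN_PACKED,
    }
    return {
        name: {
            "signature": signature_scan(s),
            "emulation": emulate_and_scan(s),
            "stub_rule": stub_heuristic(s),
        }
        for name, s in samples.items()
    }


if __name__ == "__main__":
    for name, verdicts in run_comparison().items():
        print(f"{name:18s}", "  ".join(f"{k}={v}" for k, v in verdicts.items()))
```

Running it shows the trade-off the reply describes: the signature alone misses the polymorphic variant, the emulation heuristic recovers the body and matches it without flagging the benign packed file, and the generic stub rule flags both the unknown variant and the legitimate installer. Which of these a given product lumps under its "heuristics" switch is exactly what you cannot tell from the console, which is why the lab test the reply recommends is the only reliable way to measure the false positive cost for your own software mix.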
Current thread:
- Just a question about the state of antivirus technology Barbara Griffith (Oct 09)
- <Possible follow-ups>
- Re: Just a question about the state of antivirus technology Herrera Reyna Omar (Oct 09)
- Re: Just a question about the state of antivirus technology Barbara Griffith (Oct 10)