View Full Version : Heuristic spyware detection--see PC World

2007-02-02, 05:33

Will 1.5 have heuristics?

2007-02-02, 11:30
I don't see anything about heuristics behind that link, only a description of one product.

Actually, we had heuristics for a long time... 1.4 has them, and 1.3 can use the same advanced detection library update thats available for 1.4...

From Wikipedia (http://en.wikipedia.org/wiki/Heuristic_%28computer_science%29)

Two fundamental goals in computer science are finding algorithms (http://en.wikipedia.org/wiki/Algorithm) with provably (http://en.wikipedia.org/wiki/Mathematical_proof) good run times (http://en.wikipedia.org/wiki/Run_time) and with provably good or optimal (http://en.wikipedia.org/wiki/Optimization_%28computer_science%29) solution (http://en.wikipedia.org/wiki/Solution) quality. A heuristic is an algorithm that gives up one or both of these goals; for example, it usually finds pretty good solutions, but there is no proof the solutions could not get arbitrarily bad; or it usually runs reasonably quickly, but there is no argument that this will always be the case.And here you can see the bad side of heuristics as well: false positives! Pretty much all false positives are the results of trying to update detection criteria to cover future versions as well, on the cost that since future versions are not fixed yet, one has to broaden the algorithms, and things could go bad.
So actually, please see our false positives as a proof that we use heuristics :D Or to say it in another way: heuristics are quite useful, but they're always a trade-off of reduced accuracy.


In any searching problem where there are b choices at each node and a depth of d at the goal node, a naive searching algorithm would have to potentially search around bd nodes before finding a solution. Heuristics improve the efficiency of search algorithms by reducing the branching factor (http://en.wikipedia.org/wiki/Branching_factor) from b to a lower constant b', using a cutoff mechanism.That's something we've been using nearly since the beginning. A simple example: when we're looking for a static file (lets say some minor thread that never gets updated), we know its properties: size, name, static checksum... now when we're looking for it, and we found a file with the proper name, we check the size first, since if the size does not match, we don't even have to look at the checksum, since that can't be a match any more then.
Of course, static files & checksums are outdated and we use them very rarely only, but it was the easiest example I could find ;)

edit: ok, now I saw the "behaviour analysis" on that link. And also "And it makes few false accusations." that's about what I wrote about the first Wiki quote ;) Though "non-signature anti-malware program[s]" simply do not exist, even if you look only at the behaviour, you need signatures for behaviour ;)

2007-02-02, 15:54
see their description: http://www.sanasecurity.com/products/pr/index.php

Yup, false positives are always a problem with heuristics (or behavioral analysis, whatever you want to call it).

They recommended ADDING this to a signature based antispyware.

Is there a sticky on Spybot heuristics?

2007-02-06, 02:35
The program I mentioned screwed up my OS (kept rebooting). I unclicked various startups one by one until I found it was Primary Response that was doing it.

However, I was running teatimer at the same time, so I don't know if this would happen without it.

Another heuristic program, Spycatcher, is horrible -- so many false positives and links to useless or nonexistent information about the tagged files! Not worth the headache.