View full version : An explanation in layman terms of the 4 detection methods.



Ultima Weapon
20.11.2007, 07:21
An explanation in layman terms, please? :'-(
a) signature detection (detecting already known malware by the signature method)

b) heuristic detection (detecting yet unknown malware by the method of emulation / code analysis / etc. Examples: "Heur.Trojan.Generic"; "a variant of: XXXXX")

c) detection of suspicious file (detecting yet unknown malware by the method of informing the user about suspicious characteristics of a sample under analysis. Examples: "Suspicious file"; "VIPRE: Suspicious")

d) detection of suspicious cryptor / packer (detecting yet unknown malware by the method of informing the user about the unknown / rare / suspicious packer / cryptor or about the fact of multiple packing / crypting. Example: "HEUR/Crypted").

Can anyone please explain how these detection methods work, comparisons between the 4 methods, pros & cons about them in layman terms? I think I understand signature-based & heuristics. But the other two are kind of a bit complicated. :'-(

XP user
20.11.2007, 15:08
Both are preventive types of protection, not based on signatures or behavior, but on the way the [unknown] files are written or packed. Such methods may easily lead to false positives (= the file is marked 'suspicious', while it is not actually malicious). You should be very, very careful with this kind of alerts.

c) detection of suspicious file
If the file is an executable, the code that was used to write it is inspected. If there are some strange instructions in the code, you will get a warning. This means that you should be particularly careful with such a file and should send it to the anti-virus lab for analysis.

d) detection of suspicious cryptor / packer
Executables are often packed. Some kinds of packers are specifically used to pack malware so that it won't be detected by your protection. Sometimes, the bad guys use multiple packing as well. Your protection will warn you in these cases. This does not mean that the file inside is necessarily infected. It's more a preventive, pro-active measure. Again, sending the file for analysis is the way to go...

Paul
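As an added illustration (not code from this thread or from any product named in it): a toy scanner in Python that applies the signature, suspicious-file and suspicious-packer methods described above to constructed byte strings, showing why a legitimately packed file looks just like a cryptor-wrapped one to method (d) and how recognising the packer avoids that false positive. The UPX marker string is real; the sample bodies, hash, suspicious string and entropy threshold are assumptions of this example.

```python
import hashlib
import math
from collections import Counter

# Constructed sample bodies (not real files or real malware).
KNOWN_SAMPLE = b"constructed body of a sample the lab has already analysed"
PLAIN = b"ordinary unpacked program text, low entropy, nothing odd. " * 40
PACKED_BODY = bytes(range(256)) * 8   # every byte value equally frequent: entropy 8.0

# a) signature database: exact hash of a sample the lab has already seen (constructed).
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.Constructed.A"}
# d) packers the scanner recognises (marker -> name). "UPX!" is UPX's real marker;
#    treating marker presence as "known packer" is a simplification of this example.
KNOWN_PACKERS = {b"UPX!": "UPX"}
# c) a "strange characteristic": an anti-debug API name, standing in for the
#    instruction inspection the post describes (assumption of this example).
SUSPICIOUS_STRINGS = [b"IsDebuggerPresent"]
HIGH_ENTROPY = 7.0  # bits/byte; packed or encrypted data sits near 8.0, plain code far below

def entropy(data: bytes) -> float:
    """Shannon entropy of the buffer in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes) -> str:
    """Apply the methods in order of certainty: a) signature, d) packer, c) suspicious."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in SIGNATURES:                       # a) already-known malware
        return "signature: " + SIGNATURES[digest]
    packer = next((n for m, n in KNOWN_PACKERS.items() if m in data), None)
    if entropy(data) > HIGH_ENTROPY and packer is None:   # d) unknown/rare packer or cryptor
        return "suspicious cryptor/packer"
    if any(s in data for s in SUSPICIOUS_STRINGS):        # c) strange characteristics
        return "suspicious file"
    return "clean" if packer is None else f"clean (packed with {packer})"

if __name__ == "__main__":
    for name, body in [("known", KNOWN_SAMPLE), ("upx", b"UPX!" + PACKED_BODY),
                       ("double-packed", PACKED_BODY), ("odd", PLAIN + b"IsDebuggerPresent")]:
        print(f"{name:14} entropy={entropy(body):.2f} -> {classify(body)}")
```

Method (b), heuristic emulation, is deliberately absent: it needs an emulator or disassembler, which no short example can stand in for.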

Simple10
16.02.2008, 10:22
I use the behavior method of detection. If my computer acts out of character, I start running every scan I can think of.