Tuts 4 You

What is the best way for heuristic malware scan, what to check?


Recommended Posts

Posted

What is the best way for heuristic malware scan, what good AV should check?


Posted

The best av for all purposes = ESET NOD32

2º Best AV = Avira

The king of false positives = 1º AVAST & 2º BitDefender Engine

The worst/simple malware signature = Kaspersky


Posted

You did not understand the question. I am not looking for an AV; I need information on what a good heuristic scan should look for in a file. What functions, WriteProcessMemory or similar?


Posted

There is no unique way to detect malware using heuristic detection.

heuristic = generic


Posted

There is no unique way to detect malware using heuristic detection.

I don't agree with you here. There are heuristics like when software is reading/writing from/to the registry in places it shouldn't and doing stuff like CreateRemoteThread. Obviously this is not a definitive way to detect malware, but that's why it's called heuristics (also known as an 'educated guess' by many people).

To answer the actual question asked: you could start with processes accessing other processes for no good reason. Creating files in the Windows directory, registry reading/writing to system-critical parts, creating services. You might annoy people with false positives though :)

  • 1 month later...
Posted (edited)

heuristic = generic

No, those are not the same.

Generic detections detect all or several variants of a malware family.

Heuristic methods find a solution for a problem using incomplete knowledge. Heuristic detection describes all malware detection methods that use "a rule-based approach to diagnosing a potentially-offending file" (see http://www.eset.com/us/resources/whitepapers/Heuristic_Analysis.pdf).

That means generic detection can be non-heuristic. E.g. you can create a detection pattern that is generic, but it is not heuristic, because there are no rules involved.

You can also have a heuristic approach that detects more than just one malware family, and thus is not generic.

@rijeka2008

Read the book by Peter Szor: The Art of Computer Virus Research and Defense. You will find your answers there. The answer to your question is too much to compile in one post, because the ways of detecting malware heuristically are endless. But Szor will give you a good start and understanding. The rest comes with experience.

Edited by Struppigel
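An added example, not code from this thread, from ESET, or from any AV vendor, that puts the two ideas above side by side: a generic wildcard byte pattern that matches several variants of one family without evaluating any rules, and a heuristic rule set built from the indicators named in the earlier reply (cross-process memory writes, CreateRemoteThread, files created under the Windows directory, Run-key registry writes, service creation). The family name, byte patterns, import lists, sandbox events, rule weights and threshold are all constructed for illustration; the benign "vendor_setup" sample is there to show the false-positive cost that reply warns about.

```python
# Added example (not code from the thread or from any AV vendor): a toy generic
# signature next to a toy heuristic rule set. Every sample, byte pattern,
# import list, path, weight and threshold below is constructed for illustration.
from dataclasses import dataclass

# --- Generic, non-heuristic detection ---------------------------------------
# One wildcard byte pattern that matches several variants of a constructed
# family "FAM_A". "??" is a wildcard byte. No rules are evaluated, so this
# detection is generic but not heuristic.
GENERIC_SIG = "4D 5A ?? ?? 46 41 4D ?? 41"  # constructed, not a real signature


def parse_pattern(sig: str) -> list:
    """Turn 'AA ?? BB' into [0xAA, None, 0xBB]; None means 'any byte'."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def generic_match(data: bytes, sig: str = GENERIC_SIG) -> bool:
    """Naive wildcard scan of `data` for the pattern."""
    pat = parse_pattern(sig)
    width = len(pat)
    for off in range(len(data) - width + 1):
        if all(p is None or p == data[off + j] for j, p in enumerate(pat)):
            return True
    return False


# --- Heuristic, rule-based detection ----------------------------------------
@dataclass
class Sample:
    name: str
    data: bytes      # first bytes of the file (constructed)
    imports: set     # imported API names (constructed)
    events: list     # (action, target) pairs from a constructed sandbox log


def _has_event(sample: Sample, action: str, needle: str = "") -> bool:
    return any(a == action and needle in t.lower() for a, t in sample.events)


# Weighted rules built from the indicators named earlier in the thread.
# Weights and THRESHOLD are arbitrary tuning values, not vendor numbers.
RULES = [
    ("cross-process memory write", 40,
     lambda s: {"OpenProcess", "WriteProcessMemory"} <= s.imports),
    ("remote thread creation", 40,
     lambda s: "CreateRemoteThread" in s.imports),
    ("file created under C:\\Windows", 20,
     lambda s: _has_event(s, "file_create", "c:\\windows")),
    ("Run-key persistence", 25,
     lambda s: _has_event(s, "reg_write", "currentversion\\run")),
    ("service creation", 20,
     lambda s: _has_event(s, "service_create")),
]
THRESHOLD = 60


def heuristic_score(sample: Sample):
    """Return (total score, names of the rules that fired)."""
    fired = [(name, w) for name, w, pred in RULES if pred(sample)]
    return sum(w for _, w in fired), [name for name, _ in fired]


def classify(sample: Sample) -> dict:
    score, fired = heuristic_score(sample)
    return {"generic": generic_match(sample.data),
            "heuristic": score >= THRESHOLD,
            "score": score, "fired": fired}


INJECT_IMPORTS = {"OpenProcess", "VirtualAllocEx",
                  "WriteProcessMemory", "CreateRemoteThread"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"

SAMPLES = [
    # Two variants of the constructed family: bytes differ only at wildcards.
    Sample("fam_a_v1", bytes.fromhex("4d5a9000") + b"FAM1A", INJECT_IMPORTS,
           [("reg_write", RUN_KEY)]),
    Sample("fam_a_v2", bytes.fromhex("4d5a0001") + b"FAM2A", INJECT_IMPORTS, []),
    # Unrelated injector: same behaviour, no bytes in common with the family.
    Sample("injector_b", bytes.fromhex("4d5a9000") + b"INJB", INJECT_IMPORTS, []),
    # Benign driver installer: no injection, but it writes under C:\Windows,
    # registers a service and a Run key. Expect a false positive.
    Sample("vendor_setup", b"MZ\x90\x00SETUP", {"CreateFileW", "CreateServiceW"},
           [("file_create", r"C:\Windows\System32\drivers\vendor.sys"),
            ("service_create", "VendorSvc"),
            ("reg_write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray")]),
]


def run_all() -> dict:
    """Verdict per sample name."""
    return {s.name: classify(s) for s in SAMPLES}


if __name__ == "__main__":
    for name, v in run_all().items():
        print(f"{name:12} generic={v['generic']!s:5} heuristic={v['heuristic']!s:5} "
              f"score={v['score']:3} {v['fired']}")
```

Running it shows the distinction in one table: the generic pattern hits both family variants and nothing else, the heuristic rules hit both variants plus the unrelated injector (so the heuristic is not generic), and the benign installer crosses the threshold too, which is exactly the false-positive trade-off the thread mentions. Tuning in practice means adjusting weights, requiring combinations (for example only scoring a Windows-directory write when it is paired with persistence) and whitelisting signed installers, none of which is shown here.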
Posted

The best av for all purposes = ESET NOD32

2º Best AV = Avira

The king of false positives = 1º AVAST & 2º BitDefender Engine

The worst/simple malware signature = Kaspersky

That's sooooo much bs.

All of those AVs suck.

Actually, all of the AVs suck, but that's another topic.
