ClamWin Free Antivirus
Support and Discussion Forums
Another Cheap Heuristic?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I understand that much of the current virus software:

1. tries to uninstall/cripple antivirus programs
2. tries to infect/use chat/messaging software (Kazaa, AIM, Messenger, IRC, etc.)
3. uses curse words/porn messages in the code to attract/infect computer users
4. uses other words to gain acceptance/trust or instill a sense of urgency in the user

In view of this, I recommend that ClamWin developers set up their own small signature database (via the .hdb MD5 hash capability built into ClamAV) to search for:

1. mention of the four or five largest antivirus software names (Norton, McAfee, Trend, Sophos, Panda)
2. mention of the four or five most common chat/messaging software programs
3. mention of four or five common curse words/porn messages--such as f***, free porn, etc.
4. mention of four or five other words--such as: your friend, please confirm, important, failed transaction, etc.

You can search for these words as ClamWin is searching for virus signatures in the files. To prevent false positives, you could keep track of the number of "hits" in a file, and flag it as possibly infected if there are five hits (or however many you decide).

Perhaps the ClamAV team has already done something like this, but if not, I think ClamWin should consider it.

Regards,
al968


Joined: 24 Feb 2007
Posts: 0
Yes, but if such a heuristic was made, the number of false positives would be so high that every time you would get a warning you could be sure that it was a false positive.
Thanks for the idea
Al968
Another Cheap Heuristic
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I previously wrote:

"To prevent false positives, you could keep track of the number of "hits" in a file, and flag it as possibly infected if there are five hits (or however many you decide)."

I doubt if very many legitimate software programs will have five, six, seven, eight, or ten of these characteristics (or however many you select to trigger a warning message of a possible unknown malware). This isn't really a wild idea, since many antivirus programs now flag programs for a further look if they mention the names of several antivirus programs--since much of the current malware tries to disable antivirus software.

You can take this "cheap" idea much further if you want. For instance, look at system calls, interactions with legitimate programs, etc. It doesn't depend upon developing a real/complicated virus signature. I wish I could help further with this, but I'm not a programmer.

Regards,
View user's profileSend private message
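The keyword-count heuristic proposed in the first post and defended above, as an added Python example that is not part of this thread or of ClamWin/ClamAV (it is a standalone string scan, not a signature in ClamAV's hash-based .hdb format); the keyword lists, threshold and sample buffers are constructed for illustration. It counts distinct word-bounded hits across the four categories, in both plain and NUL-separated (UTF-16LE) strings, and flags a file for a closer look once the count reaches the threshold.

```python
import re

# Keyword categories from the thread; these short lists and the threshold are
# constructed placeholders for the example, not a tuned production set.
KEYWORD_CATEGORIES = {
    "antivirus": ["norton", "mcafee", "trend micro", "sophos", "panda"],
    "messaging": ["kazaa", "aim", "messenger", "irc", "icq"],
    "lure": ["free porn", "xxx", "hot pics"],
    "social": ["your friend", "please confirm", "important", "failed transaction"],
}
HIT_THRESHOLD = 5  # the "five hits" from the post; raise it if benign files trip it

# One word-bounded pattern per keyword, so "aim" does not fire on "claim".
_PATTERNS = {
    cat: [(kw, re.compile(r"\b" + re.escape(kw) + r"\b")) for kw in kws]
    for cat, kws in KEYWORD_CATEGORIES.items()
}

def _text_views(data: bytes):
    """Two lowercase views of a binary: the raw bytes as Latin-1, and the same
    with NUL bytes dropped so UTF-16LE (wide) strings in Windows executables
    collapse into readable ASCII."""
    plain = data.decode("latin-1").lower()
    return plain, plain.replace("\x00", "")

def find_hits(data: bytes) -> dict:
    """Map each category to the sorted, distinct keywords found in the data."""
    views = _text_views(data)
    hits = {}
    for cat, pats in _PATTERNS.items():
        found = sorted(kw for kw, pat in pats if any(pat.search(v) for v in views))
        if found:
            hits[cat] = found
    return hits

def score_file(data: bytes, threshold: int = HIT_THRESHOLD) -> dict:
    """Count distinct hits across all categories; flag the file for a closer
    look (not a verdict) once the count reaches the threshold."""
    hits = find_hits(data)
    score = sum(len(v) for v in hits.values())
    return {"score": score, "flagged": score >= threshold, "hits": hits}

# Constructed samples: a worm-like string table versus a benign installer note.
SUSPICIOUS_SAMPLE = (
    b"taskkill norton.exe\x00taskkill mcafee\x00spread via kazaa and IRC\x00"
    b"Hey your friend sent you FREE PORN, please confirm!\x00"
)
BENIGN_SAMPLE = (b"This important update is compatible with Norton AntiVirus. "
                 b"Please claim your licence.")

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score_file(sample))
```

The benign sample scores 2 (one antivirus name, one urgency word) and stays below the threshold, which is the point al968 raises: the threshold, not any single keyword, is what keeps the false-positive rate usable.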