Your understanding of scanning techniques is flawed at best (I believe this
has been pointed out multiple times). Both techniques have issues with
false positive and false negative matches. The only significant difference
is how they perform against unknown threats. In that regard, heuristic
scanning _may_ be able to detect the threat while it is unlikely that a
signature would be able to detect it.

All of the AV vendors you've named provide signature based scanning. Some
also have a behavior or heuristic based engine. As Al mentioned,
heuristic-based approaches are great for matching things that "might" be
malicious. However, they also tend to generate false positives depending on
how tight or loose their rules are. Tighter rules for what is considered
'malicious' mean fewer false positives but also fewer matches.

Signature based approaches have similar issues but they only work against
known threats. But the more generic the signature, the more likely it is to
run into false positives. Also, what *you* consider to be malware might be
"just another tool" for someone else.

Having multiple engines performing behavior based analysis (heuristics) is
pointless as they would need to share everything they "detect" in order to
perform the analysis correctly. On the other hand, having multiple engines
for signatures makes sense as you can have separate engines looking at
different types of signatures or files.

Your claim regarding the detection rate is just the statistics against
your collection of malware. The official databases don't seem to be aimed
at the kinds of samples you're running against while Sanesecurity and
SecuriteInfo databases are more closely aimed at the malware population
you're testing against. If other databases work better for your workload,
great. Not everyone has the same experience you do. Also, you can help
improve the official databases by submitting samples that are not detected
by the official signatures.

I wish you all the best with writing your own engine, but I think you'll
find that it's not easy to get close to the performance that ClamAV has.
Also, then you still need to write signatures that your engine can
understand to look for.
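As an added illustration of the two trade-offs described above (this is constructed example code, not anything from this thread or from the ClamAV code base), here is a toy scanner in Python. It runs a signature matcher and a weighted-indicator heuristic scorer over a handful of constructed, labelled sample strings and counts true/false positives and negatives. The sample contents, signature names, indicator weights and thresholds are all invented for the demonstration; a real engine's signatures and heuristics look nothing like this, but the shape of the results is the point: a tighter heuristic threshold lowers false positives and also lowers matches, a specific signature misses the unknown variant, and a generic signature catches the variant at the cost of flagging a legitimate tool that uses the same APIs.

```python
"""Toy signature vs. heuristic scanner over a constructed sample set.

Constructed example (not ClamAV code): demonstrates how signature
specificity and heuristic rule tightness trade false positives against
false negatives. Sample "files" are short byte strings, not real malware.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Sample:
    name: str
    data: bytes
    is_malware: bool  # constructed ground truth used for scoring


# Constructed sample corpus: API-name and URL fragments standing in for file content.
SAMPLES: List[Sample] = [
    Sample("dropper_a", b"MZ VirtualAllocEx WriteProcessMemory CreateRemoteThread http://evil.example/payload.exe", True),
    Sample("dropper_a_variant", b"MZ VirtualAllocEx WriteProcessMemory CreateRemoteThread http://evil.example/stage2.bin", True),
    Sample("packed_trojan", b"MZ UPX0 UPX1 LoadLibraryA GetProcAddress http://drop.example/x", True),
    Sample("debugger_tool", b"MZ VirtualAllocEx WriteProcessMemory CreateRemoteThread ReadProcessMemory", False),
    Sample("updater", b"MZ InternetOpenA http://updates.example/check", False),
    Sample("notepad_clone", b"MZ CreateFileW WriteFile CloseHandle", False),
    Sample("upx_packed_game", b"MZ UPX0 UPX1 DirectDrawCreate", False),
]

# Signature sets (hypothetical names): a byte pattern that must appear verbatim.
SPECIFIC_SIGNATURES: Dict[str, bytes] = {
    "Test.Dropper.A": b"http://evil.example/payload.exe",
}
GENERIC_SIGNATURES: Dict[str, bytes] = {
    **SPECIFIC_SIGNATURES,
    # Generic patterns match more samples, including legitimate tools.
    "Test.Generic.RemoteInject": b"WriteProcessMemory CreateRemoteThread",
    "Test.Packed.UPX": b"UPX0",
}

# Heuristic indicators: presence of a string adds its suspicion weight.
HEURISTIC_INDICATORS: Dict[bytes, int] = {
    b"VirtualAllocEx": 2,
    b"WriteProcessMemory": 2,
    b"CreateRemoteThread": 3,
    b"UPX0": 1,
    b"LoadLibraryA": 1,
    b"GetProcAddress": 1,
    b"http://": 1,
}


def signature_scan(data: bytes, signatures: Dict[str, bytes]) -> Optional[str]:
    """Return the name of the first signature whose pattern occurs in data."""
    for name, pattern in signatures.items():
        if pattern in data:
            return name
    return None


def heuristic_score(data: bytes) -> int:
    """Sum the weights of all indicators present in data."""
    return sum(weight for indicator, weight in HEURISTIC_INDICATORS.items() if indicator in data)


def make_signature_detector(signatures: Dict[str, bytes]) -> Callable[[bytes], bool]:
    return lambda data: signature_scan(data, signatures) is not None


def make_heuristic_detector(threshold: int) -> Callable[[bytes], bool]:
    """Higher threshold = tighter rule: fewer matches, fewer false positives."""
    return lambda data: heuristic_score(data) >= threshold


def evaluate(detector: Callable[[bytes], bool], samples: List[Sample] = SAMPLES) -> Dict[str, int]:
    """Count tp/fp/fn/tn for a detector against the labelled samples."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for sample in samples:
        flagged = detector(sample.data)
        if flagged and sample.is_malware:
            counts["tp"] += 1
        elif flagged:
            counts["fp"] += 1
        elif sample.is_malware:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    for threshold in (8, 4, 1):
        print(f"heuristic threshold {threshold}:", evaluate(make_heuristic_detector(threshold)))
    print("specific signatures:", evaluate(make_signature_detector(SPECIFIC_SIGNATURES)))
    print("generic signatures: ", evaluate(make_signature_detector(GENERIC_SIGNATURES)))
```

Running it shows the threshold-8 heuristic with no false positives but a missed packed sample, threshold 4 catching everything at the cost of flagging the debugger tool, the specific signature finding only the one known dropper, and the generic set catching the variant while also flagging the debugger and the packed game.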
On Thu, May 11, 2017 at 8:55 AM, crazy thinker <crazythinke...@gmail.com>
wrote:

> @Al
>
> Any comments from your end on my question in the previous mail thread?
>
> On 11 May 2017 at 15:33, crazy thinker <crazythinke...@gmail.com> wrote:
>
> > @Al
> > Maybe my question is a stupid one.. I still have a doubt so I want to
> > clarify it for myself.. Why does a Heuristic Scanner need a Signature
> > Database when the Heuristic Scanning Technique detects malware based on
> > behaviour?
> >
> > Can't a Heuristic Scanner detect the Malware detected by a Signature Based
> > Scanner? If yes, why don't we use a Heuristic Scanner alone in AV
> > Software?
> >
> > On 11 May 2017 at 14:58, Al Varnell <alvarn...@mac.com> wrote:
> >
> >> On Thu, May 11, 2017 at 02:11 AM, crazy thinker wrote:
> >> >
> >> > Hi ClamAV Developers, Users
> >> >
> >> > SaneSecurity and SecuriteInfo provide better virus signature database
> >> > feeds. With the help of these, we can increase the ClamAV Engine
> >> > Detection Rate up to 80%-90%. I had already integrated the ClamAV Engine
> >> > with the unofficial database (excluding the official database) in an
> >> > experimental way. ClamAV Performance is better than earlier now. I want
> >> > to rewrite the Engine first from scratch and I am looking for some guys
> >> > who are willing to join to work with me
> >>
> >> How is performance better for you?
> >>
> >> > When I debugged the ClamAV CodeBase, I interestingly found that ClamAV
> >> > is Creating 14 Engine Instances Internally. Out of 14, only one is a
> >> > Heuristic Engine
> >>
> >> This is really a developer question, but what are the other engines for
> >> and how can you say for certain that they are non-heuristic?
> >>
> >> > ClamAV provides both a Signature Based Scanner and a Heuristic Based
> >> > Scanner. As per my understanding, a Signature Based Scanner will never
> >> > be involved in false positive/false negative results.
> >>
> >> Not at all true. Signatures are being dropped daily due to reports of
> >> False Positives.
> >>
> >> > But a Heuristic scanner sometimes
> >> > gives false positive/false negative results.
> >>
> >> Heuristic determinations are by their nature warnings based on a best
> >> guess that something can be malware. It's then up to the user to check
> >> further to determine whether they are or not. False positive/negative has
> >> little meaning here.
> >>
> >> > My Question is: Are All AV Vendors Including both a Signature Based
> >> > Scanner and a Heuristic Based Scanner in their Software? For example, do
> >> > the Most Popular AV Vendors like AVAST, Kaspersky, AVG, NORTON, SYMANTEC
> >> > do the same thing?
> >>
> >> This is a ClamAV user forum, so it would be appropriate to ask that
> >> question elsewhere.
> >>
> >> > I had researched virus scanning techniques with the help of the google
> >> > engine.. I came to know that heuristic scanning techniques provide
> >> > better results than traditional signature based scanning.. Then why has
> >> > ClamAV not created a Scanner with the Heuristic Scanning Technique Alone?
> >> > Or is my thought wrong?
> >>
> >> Define "better." I'd have to guess that signature based scanning results
> >> in an order of magnitude more detections than any current AI technique
> >> being used by any vendor, but fixed signatures only work when scanning
> >> for known malware. AI techniques are most useful against so called
> >> zero-day malware attacks, so both techniques are necessary for complete
> >> protection.
> >>
> >> -Al-
> >>
> >> > Thanks,
> >> > Crazy Thinker , Inc
> >>
> >> _______________________________________________
> >> clamav-users mailing list
> >> clamav-users@lists.clamav.net
> >> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >>
> >>
> >> Help us build a comprehensive ClamAV guide:
> >> https://github.com/vrtadmin/clamav-faq
> >>
> >> http://www.clamav.net/contact.html#ml
> >>
> >
> >