CAVS Heuristics

I searched around the forums for heur and I found all of these (not sure if all of them are still in 3.9):

Heur.Packed.Unknown (It got a boost in 3.9)
Heur.PEBomb
Heur.Pck.tElock
Heur.Pck.Shrinker
Heur.Pck.RLPack
Heur.Pck.MEW
Heur.Pck.SVKP
Heur.Pck.MoleBox
Heur.Suspicious.Attribs
Heur.Pck.UPX-Scrambler
Heur.Pck.Crypto
Heur.Pck.NsPack
Heur.Pck.Upack (fix mistake)
Heur.Pck.FSG
Heur.Pck.PKLITE32
Heur.Pck.EXECryptor
Heur.Pck.ASProtect
Heur.Pck.kkrunchy
Heur.Pck.Armadillo
Heur.Pck.PESpin
Heur.pck.eTlock
Heur.Pck.Themida
Heur.Pck.UPC
Heur.Pck.ASProtect
Heur.Suspicious (added by SputnikRU)
Heur.pck.Obsidium (added by Lysias)

(There may be more; I just don't have that much malware to test it on, I have about 300.)
(Also add other Heur. detections that you have had.)
I would love to get egemen or someone else to explain what they mean.

And since database 1166 Heur.Suspicious got added. However, I didn’t see too many Heur detections on malware yet myself…

There’s also Heur.pck.Obsidium.

I see it every now and then, more if I turned them to medium or high, but I want to find and test malware with heuristics at the stock level, low.

I wonder what the Heuristics warning will be like with CIMA.
Here are some examples I thought of (lol, a bit too many, and somehow I think this is a small list of what CIMA will detect when it comes into the AV) ;D ;D

AD= Advanced

ADHeur.Copier
ADHeur.BufferOverflow
ADHeur.PVT.Memory
ADHeur.Hooks.Kernel
ADHeur.Hooks.Network Driver
ADHeur.SYS.Patcher
ADHeur.SYS.Deleter
ADHeur.SYS.Process killer
ADHeur.WFirewall.disabler
ADHeur.SYS.Process scanner
ADHeur.Hidden Process
ADHeur.Creates.AutoRun
ADHeur.Creates.SYS32 files
ADHeur.Code Injector
ADHeur.Recorder.Keyboard
ADHeur.Recorder.Passwords

Pretty much all those above are just (■■■■■■) packer detections 88)
Why on Earth anyone would use those in a home environment is beyond me. That’s for gateways, not home PCs lol :o

RejZor, because some people have gateways and servers in their home, as in a home office (my Dad is one such person).

So because 3 out of 10,000 Ferrari users also drive on tarmac occasionally, they should convert Ferraris into SUVs? I think not. So this argument about packer detection has little to no weight.

Why are you even on the Comodo forums? All the posts I see from you are complaints.
It’s really annoying in the long run.

Easy now. Without commenting on RejZoR’s posts in this very thread, I sometimes see some support from him as well. :wink:

Over 85% of all the current malware is packed. Some are packed with custom packers. This behaviour is an important feature to analyse and does help many AV vendors with their high detection rate, like Avira.

A simple check for double packing, for example, or checking if a file is packed using a custom packer, or even seeing if a packer is a favourite packer of malware authors, are all good ways to detect malware. Of course this should be supplemented with a whitelist and rules to reduce FPs. I don’t think any AV can ignore the importance of packers tbh.

Melih
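As an added example (not code from this thread or from Comodo), here is a small Python script that implements the kind of checks Melih lists above: Shannon entropy of PE sections to spot compressed or encrypted code, section names that well-known packers leave behind, a "double packing" case where traces of two packers appear in one file, a low import count as a hint of a custom packer, and a hash whitelist checked first so a known-good file never gets a heuristic verdict. The section-name table, the entropy threshold, the verdict names and all sample "sections" are constructed assumptions for illustration; real engines keep much larger tables and parse real PE headers.

```python
import hashlib
import math
from collections import Counter

# Section names that two well-known packers leave behind. This table is an
# assumption for the example; a real engine keeps a far larger one.
KNOWN_PACKER_SECTIONS = {
    "UPX0": "UPX",
    "UPX1": "UPX",
    ".aspack": "ASPack",
    ".adata": "ASPack",
}

# Bits of entropy per byte (max 8.0) above which a section looks compressed
# or encrypted rather than like plain machine code. Threshold is illustrative.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess(sections, import_count, sha256_hex, whitelist):
    """Toy heuristic verdict for one PE file, named in the thread's style.

    sections:     list of (section_name, raw_section_bytes)
    import_count: number of imported API names (packed stubs import very few)
    sha256_hex:   hex digest of the whole file
    whitelist:    set of digests known to be clean, checked first to cut FPs
    """
    if sha256_hex in whitelist:
        return "Clean.Whitelisted"

    packers_seen = []
    high_entropy_sections = 0
    for name, data in sections:
        packer = KNOWN_PACKER_SECTIONS.get(name)
        if packer and packer not in packers_seen:
            packers_seen.append(packer)
        if shannon_entropy(data) >= HIGH_ENTROPY:
            high_entropy_sections += 1

    # Traces of two different packers in one file: the "double packing" case.
    if len(packers_seen) >= 2:
        return "Heur.Pck.Double." + "+".join(packers_seen)
    if packers_seen:
        return "Heur.Pck." + packers_seen[0]
    # No known packer, but compressed-looking code and almost no imports:
    # most likely a custom or unknown packer.
    if high_entropy_sections and import_count <= 3:
        return "Heur.Packed.Unknown"
    return "Clean"


def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for
    compressed code, so the demo needs no real packed binary on disk."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


def demo():
    """Run the heuristic over constructed samples and return the verdicts."""
    packed = pseudo_random_bytes(b"constructed-sample", 4096)
    # Low-entropy stand-in for ordinary code: a repeated prologue plus strings.
    plain = b"\x55\x8b\xec\x83\xec\x10" * 400 + b"Hello, world\x00" * 50
    samples = {
        "upx":    ([("UPX0", b"\x00" * 512), ("UPX1", packed)], 2),
        "double": ([("UPX1", packed), (".aspack", packed)], 1),
        "custom": ([(".text", packed), (".rsrc", plain)], 1),
        "plain":  ([(".text", plain), (".data", b"\x00" * 256)], 40),
    }
    verdicts = {}
    for label, (sections, imports) in samples.items():
        digest = hashlib.sha256(b"".join(d for _, d in sections)).hexdigest()
        verdicts[label] = assess(sections, imports, digest, whitelist=set())
    # The same "custom" file again, now on the whitelist: the FP disappears.
    custom_sections, custom_imports = samples["custom"]
    custom_digest = hashlib.sha256(b"".join(d for _, d in custom_sections)).hexdigest()
    verdicts["custom_whitelisted"] = assess(
        custom_sections, custom_imports, custom_digest, {custom_digest})
    return verdicts


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:20s} {verdict}")
```

The order of the checks is the point: the whitelist runs before any heuristic, the known-packer table gives a named verdict, and only a file with no known packer traces, compressed-looking sections and almost no imports falls through to the generic "unknown packer" verdict, which is where most false positives on legitimately protected software would otherwise come from.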

True thing. Though the Pck detections in 3.8 caused too many false positives, this seems way better under control since 3.9. I only hope you can crank up the Heur detections, since still too many packed samples slip through at the moment (which get caught by Avira’s and Norman’s Pck signatures). Also, a clear detection difference between low, medium and high can’t be noticed. Still happy to see the progress though!

@OmeletGuy
I’ve noticed a Heur.Pck.Upack as well, I remember (really Upack, not Unpack :P lol).

Well, malware is packed and so are legit programs. Why do I complain so much? Because packer detection is a bad practice and an awful feature if it’s not controllable (on/off). The only packer detection that I tolerate is the one that is in 99.9% of cases used by malware and as such is basically a malware packer. No harm in detecting that.
But Armadillo, PESpin, UPack, EXECryptor and so on don’t fall into that category.
I’m also complaining about stuff because I’m not a stupid fanboy who’s OK with every ■■■■ devs serve me. Free or not, I don’t really care.

@RejZoR
I do understand your opinion and it’s definitely constructive feedback. Although personally I think if Comodo works on the Pck signatures some more, it could be a valuable addition, like it currently is for Avira and Norman, for example.

Not a fanboy here, however I’m interested in its developments and posting some thoughts now and then. Since it’s now also available in my native language it might become a nice free option for friends and relatives. Any feedback will only benefit us users, I think :-TU

Actually I agree with you in some aspects, and that was very good feedback.

Hello everyone.
“Comodo Internet Security” has found the virus “heur.pck.fsg” on my computer. Please could you help me:

  • What kind of virus is it?
  • What are the risks in opening this file?
  • Is it a real virus or a false alert?

Please be patient with me, I am a complete newbie in internet security ;D

c.u.

Hi,

I’ll try to explain this in the easiest way possible :wink:

As you said, the name is “heur.pck.fsg”. This means: “heur” that it’s detected by the heuristics, “pck” that it’s a packer detection, and “fsg” is the extension of the packer, I think.

So it’s a packer detection. To avoid detection, most virii makers simply repack their malware so that it isn’t detected by the antiviruses. As it is difficult for an AV to have all the packers included, they simply are going to say that everything in such a package is a virus.

This makes me believe that it is a False Positive. To make sure of that, I suggest you look at the path where the virus is (it’s normally in the antivirus pop-up) and you submit it to:

Thank you,
Xan