CAVS Heuristics

I searched around the forums for heur and i found all of this (not sure if all of them are still in 3.9)

Heur.Packed.Unknown (It got a boost in 3.9)
Heur.Pck.Upack (fix mistake)
Heur.Suspicious (added by SputnikRU)
Heur.pck.Obsidium (added by Lysias)

(there maybe more i just dont have that much malware to test it on i have about 300)
(Also add other heur. that you have had)
I would love to get egemen or someone else to explain what they mean.

And since database 1166 Heur.Suspicious got added. However I didn’t see to many Heur detections on malware yet myself…

There’s also Heur.pck.Obsidium.

i see it every now and then, more if I would turn them to medium or high but I want to find and test malware with heuristics at the stock level, low.

I wonder what the Heuristics warnning will be like with CIMA
Here are some examples i though of (lol a bit to many and some how i think this is a small list of what CIMA will detect when it comes into the AV) ;D ;D

AD= Advanced

ADHeur.Hooks.Network Driver
ADHeur.SYS.Process killer
ADHeur.SYS.Process scanner
ADHeur.Hiddend Process
ADHeur.Creates.SYS32 files
ADHeur.Code Injector

Pretty much all those above are just (■■■■■■) packer detections 88)
Why on Earth would anyone use those in home environment is beyond me. Thats for gateways, not home PC’s lol :o

RejZor, because some people have gateways and servers in their home, as in a home office (my Dad is one such person).

So because 3 out of 10.000 Ferrari users also drive on tarmac ocassionally, they should convert Ferrari’s into SUV’s ? I think not. So this argument about packer detection has little to none weight.

Why are you even on the Comodo forums? all the posts i see from you are complains.
It’s really annoying in the length.

Easy now. Without commenting RejZoR’s posts in this very thread, I sometimes see some support from him as well. :wink:

over 85% of all the current malware is packed. Some are packed with custom packers. This behaviour is an important feature to analyse and does help many AV vendors with their high detection rate like Avira.

A simple check of double packing for example, or checking if a file is packed using a custom packer or even seeing if a packer which is a favourite packer for malware authors are all good ways to detect malware. Of course this should be supplemented with a whitelist and rules to reduce FPs. I don’t think any AV can ignore the importance of packers tbh.


True thing. Though the Pck detections in 3.8 caused too many false-positives, this seems way better under control since 3.9. I only hope you can crank up the Heur detections since still too many packed samples slip through at the moment (wich get catched by Avira’s and Norman’s Pck signatures). Also a clear detection difference between low-medium-high can’t be noticed. Still happy to see the progress tough!

I’ve noticed a Heur.Pck.Upack as wel I remember (really Upack not Unpack :P0l).

Well, malware is packed and so are legit programs. Why i complain so much? Because packer detection is , a bad practice and an awful feature if it’s not controlable (on/off). Only packer detection that i tolerate is the one that is in 99,9% used by malware and as such basically a malware packer. No harm in detecting that.
But Armadillo, PESpin, UPack, EXECryptor and so on don’t fall into that category.
I’m also complaining over stuff because i’m not a stupid fanboy who’s ok with every ■■■■ devs serve to me. Free or not, i don’t really care.

I do understand your opinion and it’s definitely constructive feedback. Although personally I think if Comodo works the Pck signatures some more it could be a valuable addition like it currently is for Avira and Norman for example.

Not a fanboy here, however I’m interested in it’s developments and posting some thoughts now and then. Since it’s now also available in my native language it might become an nice free option for friends and relatives. Any feedback will only benefit us users I think :-TU

actually i agree with you in some aspects and that was a very good feedback

hello everyone.
“Comodo Internet Security” has found the virus “heur.pck.fsg” on my computer. Please could you help me :

  • What kind of virus is it ?
  • What are the risks in opening this file ?
  • Is it a real virus or a false alert ?

Please be patient with me, i am completely newbie in internet security ;D



I’ll try to explain this in the most easy way possible :wink:

As you said the name is : “heur.pck.fsg” this means “heur” that it’s detected by the heuristics. ‘pck’ that it’s a packer detection and “fsg” is the extension of the packer I think.

So it’s a packer detection, to avoid detection, most virii makers simply repack their malware so that it isn’t detected by the antivirusses. As it is difficult for an AV to have all teh packers included they simply are going to say that everything in such package is a virus.

This makes me believe that it is a False Positive. to make sure of that, I sujest you look at the path were the virus is (it’s normally in the antivirus pop-up) and you submit it to :

Thank you,