CIMA-like heuristics on CIS

Question and possible suggestion.

When CIMA heuristics get integrated into CIS, will it just flag files as suspicious, or will it give some explanation, as CIMA does, on why a file was rated susp?

I can't wait to get this module integrated into CIS, as I submitted a bunch of files and it works great!! Love this online analysis tool, and the report it generates is amazing.

One more thing: I know CAVs scans compressed files, but does this include packaged exe files?
A-squared detected a file c:\testFolder\12345.exe/readme.exe as a trojan.
The main 12345.exe is not malware, but it has 3 files embedded that are malware.

Notice the /readme.exe embedded in 12345.exe. Does CAVs scan this way? CAV missed this file; this is why I'm asking.

I just hope this home version will have detection somewhere near the online version of CIMA… :slight_smile:

Labelling them is a secondary issue to me! :wink:

Let's hope so. The online CIMA is great. The thing is that almost every AV rates suspicious files and gives them a generic name. I would like to know why CAVs rates a file susp, same as CIMA, you know. That way we can identify better if it is an FP or not.

I just hope they'll make packer detection optional when CIMA heuristics are implemented…

Why? Norton's packer detection is good at detection and low on FPs.
So Comodo's could be too.

Norton is not basing its main detection on packers, as CIS is doing…

I see your point; however, main detection is packer-based because it is the only heur tech implemented today in CIS. Let's hope for the best when CIMA gets implemented into CIS.

Ok, I don't know concrete facts, but maybe they will improve packer detection like Avira did, although I still don't like it because it sometimes makes FPs on keygens and cracks.

I believe that is why they are asking for FPs (to resolve these FPs from valid packers).

I think packer detection is a great add-on to the heuristics… even if the FPs need some work. It makes it harder for the virus makers when all their favorite packers are detected and can't be used to re-pack the viruses anymore to avoid detection. >:-D :wink:

+1 Monkey_Boy=)

Yes and no. A good heuristic detection without many FPs is possible, and packer-based heuristics don't need as many resources as an emulator / sandbox. But the problem is that it will always make more FPs on keygens and cracks than the other methods, and so maybe users will get negligent and run a real virus because they think it will be just a harmless crack. That's why I don't like packer detection much either.