What does heuristic mean in the AV from CIS

In the scanner settings we have 3 tabs where there is a heuristic option; what does this do exactly?

It detects packers. Basically, just self-contained forms of data compression for executables. Some open source packers such as UPX are commonly used by malware authors.

Well, I do not understand completely, but why can we choose? What is the difference in levels?

Each level adds more detection for packers, and with the higher levels it is also able to detect files that are packed but where the packer is unknown (a.k.a. Heur.Pck.Unknown).

Ok, maybe I’m stupid or slow, but what is a “packet”? Do you mean zip-like files (compressed)? And from your last sentence I really can’t make chocolate: does the higher level not work correctly, so what is the best level?

Let me explain about heuristics a little bit.
Please read.

Heuristics are just like this.

When an antivirus finds a virus, it uses signatures, right?
What are the signatures?
They are the sum of the virus DB.
The signatures have virus types, patterns, fix information, etc.
It can only match the patterns. This is the weakness of an antivirus
based on signatures. It doesn’t calculate anything. It just tries to match the patterns.
But what if a new virus comes when we don’t have any signatures for that virus?
The antivirus can’t detect the new virus until it has new signatures.
At this point, we need heuristics.

The heuristic engine is one of the programs.
It has mathematical formulas and well-known patterns inside the engine.
It detects suspicious activities by following the formulas.

How does it detect and decide?
If there is a new virus, the heuristic engine reads and takes some code
from the virus. And then it starts to analyze it with the formula and algorithm.
And it decides what the best way is to take care of the virus.
Finally, it shows us the answer:
‘This is a virus’.

But there are still some problems.
What are they?
‘False positives’.
If normal programs are made with the same or similar programming code that some viruses use too,
your antivirus says ‘This is a virus’. This is a ‘False Positive’.
What is a packer (packed file), then?
A packer (packed file) is a packing program or a packed virus.
When you make a program but you don’t want to show the native programming code
to other people, or to prevent it from being modified, you can compress it and put a password on it.
Think about a ZIP file.
You can put your own password on it if you want to protect it.
You can make it an .exe file to be executable, right?
That’s why false positives exist.
We call them ‘Cryptograph’, ‘Cryptography’ instead of using ‘password’ in this field.
(ex. encryption > decryption, encrypt > decrypt)

So how do we find those packed viruses with the heuristic engine?
What do you do when you want to extract your zipped file?
In the case of a packer, we call this process ‘Unpacking’.
Packing follows its own algorithm. Unpacking also follows its own
algorithm. What if the heuristic engine can’t recognize whether something is a virus or not
because the engine can’t unpack the new packed virus?
The antivirus says ‘Suspicious’ or gives you a ‘False positive’.
A packer is just a part of those malwares, no more, no less. The heuristic engine takes care of
almost all kinds of types.
Anybody can make these types of files. There are many tools to do that.

So what if the heuristic engine can’t find the new virus?
That’s why we use HIPS (COMODO’s Defense+).

what is the difference in levels?

If the level goes higher, the heuristic engine reads, collects, and calculates more suspicious code from the files.
So you can deeply scan those suspicious files.
It makes your system slow.
The CPU has to calculate those files more than at the low level.
Also, your HDD has to move faster than at the low level.
It means the HDD’s spin head should move faster than ever.
That’s why you can hear a sound like ‘Grrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr~~~’.

Ok, maybe I'm stupid or slow, but what is a "packet"? Do you mean zip-like files (compressed)? And from your last sentence I really can't make chocolate: does the higher level not work correctly, so what is the best level?

“packet” and “packer” are completely different.
I’ve already explained the packer above.

Now let me explain packet.
A packet is a tiny piece of a file in the networking system.
When you send a file (a movie) to your friend, your PC slices the file into tiny pieces.
And then your PC sends the pieces to your friend via the network (internet).
Your friend’s PC gets the pieces from you.
And then his PC rebuilds the pieces into their actual shape.
Finally, your friend can watch the movie.
We call the piece a “Packet”.
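The packer heuristic the thread describes (known packer signatures matched at every level, unknown-packer detection only at the higher levels, and the false positives on legitimately packed programs), as an added worked example that is not from this thread or from Comodo: a toy Python scanner run over constructed minimal PE images. The section names UPX0/UPX1/UPX2 are the real names UPX leaves in a packed executable; the "Heur.Pck.*" verdict strings imitate the naming quoted in the thread; the per-level entropy thresholds, the build_pe/scan/scan_all helpers and the sample images are all assumptions made up for this example, not CIS's engine.

```python
"""Toy packer heuristic in the spirit of the thread (constructed example, not CIS's engine)."""
import math
import struct
from collections import Counter

# Section names left behind by the UPX packer (real names); the verdict strings
# imitate the "Heur.Pck.*" naming quoted in the thread.
KNOWN_PACKER_SECTIONS = {b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX"}

# Assumed mapping of heuristic level -> entropy threshold (bits per byte) for
# flagging an unknown packer. Level 1 only matches known names; higher levels
# look harder and therefore also produce more false positives. Not CIS's values.
ENTROPY_THRESHOLD = {1: None, 2: 7.2, 3: 6.8}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ordinary code sits well below 7, compressed/encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk a PE section table and return [(name, raw_bytes)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def scan(pe: bytes, level: int = 2) -> str:
    """Return 'Clean', 'Heur.Pck.<packer>' or 'Heur.Pck.Unknown' for the given level."""
    if level not in ENTROPY_THRESHOLD:
        raise ValueError("level must be 1, 2 or 3")
    sections = parse_sections(pe)
    # Every level: plain pattern matching against known packer section names.
    for name, _ in sections:
        if name in KNOWN_PACKER_SECTIONS:
            return "Heur.Pck." + KNOWN_PACKER_SECTIONS[name]
    # Higher levels: no known name, but a section that looks compressed or
    # encrypted is reported as packed with an unknown packer.
    threshold = ENTROPY_THRESHOLD[level]
    if threshold is not None and any(shannon_entropy(d) >= threshold for _, d in sections):
        return "Heur.Pck.Unknown"
    return "Clean"


def build_pe(sections) -> bytes:
    """Construct a minimal PE image (DOS header, PE signature, COFF header, no
    optional header, section table, raw section data) for the samples below."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    data_start = e_lfanew + 4 + 20 + 40 * len(sections)
    table, raw = b"", b""
    for name, data in sections:
        ptr = data_start + len(raw)
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        raw += data
    return dos + b"PE\0\0" + coff + table + raw


# Constructed sample contents: a stand-in for ordinary code, and a blob in which
# every byte value occurs equally often (entropy exactly 8.0, like packed data).
ORDINARY_CODE = b"mov eax, 1; ret; " * 200
PACKED_BLOB = bytes(range(256)) * 16

SAMPLES = {
    "plain_program": build_pe([(b".text", ORDINARY_CODE), (b".data", b"hello\0" * 50)]),
    # A benign program packed with UPX looks exactly like malware packed with UPX:
    # the verdict says "packed", not "malicious", which is the false-positive problem.
    "upx_packed_benign": build_pe([(b"UPX0", b""), (b"UPX1", PACKED_BLOB)]),
    "unknown_packer": build_pe([(b".text", ORDINARY_CODE[:64]), (b".xyz", PACKED_BLOB)]),
}


def scan_all(level: int) -> dict:
    """Verdict for every sample at one heuristic level."""
    return {name: scan(pe, level) for name, pe in SAMPLES.items()}


if __name__ == "__main__":
    for level in (1, 2, 3):
        print(f"level {level}: {scan_all(level)}")
```

Running it shows the trade-off the thread talks about: the UPX-named sample is reported at every level, the sample with an unnamed high-entropy section only appears once the level is raised, and nothing in either verdict says whether the packed program is actually malicious, which is why a packer heuristic alone produces false positives and why the thread falls back on HIPS for what the heuristic cannot decide.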

Yep, which is why there are those who aren’t fond of the “heuristics” of CAV, as it just detects packers. There are just too many valid uses for packers to make this a very viable heuristic.

Fantastic, the way this is explained. Thanks. :-TU