Dustin Cook wrote:
> kurt wismer <kurtw@sympatico.ca> wrote in news:f99lcd$d94$2@aioe.org:
>> Dustin Cook wrote:
>> [snip]
>>> Which capabilities is it either of you seem to think BugHunter is
>>> missing? aside from resident protection... It scans, it can rename,
>>> it can delete, it can be told to do nothing but scan. What feature(s)
>>> am I not including that everyone else is then?
>> there are all sorts of more generic detection techniques out there
>> that you don't try to implement but more commercial products do - but
>> as i said, those products have a lot more time/effort/money behind
>> them...
>
> Heuristics etc? No, I don't implement them. Many of the generic detection
> methods that worked great for viruses don't work so well for trojans.
i know, i wasn't thinking of generic *virus* detection techniques, just
generic techniques...
> Behavior blocking etc works for everything, but that would require
> BugHunter to remain resident, and it's really not designed for that.
> I certainly do understand your point. Thanks for speaking up.
there are other generic techniques that wouldn't necessarily require
residency... cross-view diffs, for example, or change detection
(especially for those areas involved in startup)...
i've also seen some generic manual malware removal instructions on the
net which say things like look in process explorer/autoruns for things
that don't have a publisher - probably qualifies as a heuristic, actually...
and of course it's easy enough to use a whitelist in a non-resident
manner and say if it's not on the whitelist then it's suspicious and the
user might want to investigate it further or send it in for analysis...
not sure that qualifies as generic, however...
--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
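An added example, not code from either poster, of the non-resident change detection plus whitelist check kurt describes: it hashes a constructed baseline and current set of startup entries, reports what was added, removed or changed, and flags anything whose hash is not on a constructed whitelist. Entry names, paths, image bytes and whitelist hashes are all constructed placeholders.

```python
import hashlib

# Constructed sample data: each startup entry maps a name to (image path, image bytes).
# A real tool would read the Run keys / startup folder and the files on disk.
BASELINE_IMAGES = {
    "ctfmon": (r"C:\Windows\System32\ctfmon.exe", b"MZ-ctfmon-v1"),
    "updater": (r"C:\Program Files\Vendor\updater.exe", b"MZ-updater-v1"),
}
CURRENT_IMAGES = {
    "ctfmon": (r"C:\Windows\System32\ctfmon.exe", b"MZ-ctfmon-v1"),
    "updater": (r"C:\Program Files\Vendor\updater.exe", b"MZ-updater-v2"),  # image changed
    "svch0st": (r"C:\Users\Public\svch0st.exe", b"MZ-unknown"),             # new entry
}
# Constructed whitelist of known-good image hashes (placeholder values).
WHITELIST = {
    hashlib.sha256(b"MZ-ctfmon-v1").hexdigest(),
    hashlib.sha256(b"MZ-updater-v1").hexdigest(),
}


def snapshot(images):
    """Hash each startup entry's image so the snapshot can be saved and diffed later."""
    return {name: (path, hashlib.sha256(data).hexdigest())
            for name, (path, data) in images.items()}


def diff_startup(baseline, current, whitelist):
    """Compare two snapshots; anything not whitelisted is flagged for the user to look at."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(n for n in set(baseline) & set(current) if baseline[n] != current[n])
    suspicious = sorted(n for n, (_, digest) in current.items() if digest not in whitelist)
    return {"added": added, "removed": removed, "changed": changed, "suspicious": suspicious}


if __name__ == "__main__":
    report = diff_startup(snapshot(BASELINE_IMAGES), snapshot(CURRENT_IMAGES), WHITELIST)
    for kind, names in report.items():
        print(f"{kind}: {', '.join(names) or '-'}")
```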

