Heuristics are dead?
Similarly lambasted in the video is Host Intrusion Prevention (HIPS). Well, it’s not very relevant in a 64-bit world, but in a 32-bit world, one thing HIPS can do is block an attempt by an application to write to a place in memory where it’s not supposed to (a buffer overflow). Seems like a good idea to me. Or IDS, which relies on rules that are the writer’s best approximation of a means to detect a certain type of network event.
As my good friend Randy Abrams over at ESET said:
A battle for the industry is that customers want names for the things that are detected. It isn’t feasible anymore to maintain names for all of the threats. The entire industry has been forced to adopt heuristic approaches that preclude naming each threat… In many cases heuristics are being called signatures. Generic signatures are a type of heuristic and are used with reasonably good success. When the Storm worm was at its peak it was being dynamically repackaged every 5 minutes. Generic signatures were able to protect against these threats without the need for a unique signature for each variant.
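To make the distinction in Randy's quote concrete, here is an added example (mine, not part of the original post and not ESET's tooling) that contrasts an exact per-sample signature with a generic, wildcarded one. The "malware family" is a constructed byte string, and `make_variant` is a hypothetical stand-in for a repacker that changes junk around, and a version field inside, the same core payload; the generic signature is a bytes regex whose wildcard covers the field the packer changes. A benign sample is included because the practical check on any generic signature is that it does not also fire on clean files.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# --- Constructed samples (not real malware) --------------------------------
# A family whose "core" carries a fixed marker plus a 2-byte version field
# that changes on every repack; the repacker also wraps it in varying junk.
def make_variant(seed: int) -> bytes:
    """Hypothetical repacker: same family core, different wrapper and version."""
    core = b"FAKEFAM\x00" + bytes([seed, seed ^ 0x5A]) + b"\x00payload-marker"
    junk = bytes((seed * 31 + i * 7) % 256 for i in range(16))  # varying prefix
    return b"PACK" + junk + core + bytes([seed % 256]) * 8       # varying suffix

VARIANTS: List[bytes] = [make_variant(s) for s in range(5)]   # "every 5 minutes"
BENIGN: bytes = b"PACK" + b"hello world, nothing to see here" * 2

# --- Exact signature: a hash of the single sample the lab captured ----------
EXACT_SIGS: Dict[str, str] = {
    hashlib.sha256(VARIANTS[0]).hexdigest(): "FakeFam.A",
}

# --- Generic signature: one wildcarded byte pattern for the whole family -----
# ".{1,4}" is the wildcard over the version field the packer rewrites;
# re.DOTALL lets it match any byte value, including 0x0A.
GENERIC_SIGS: Dict[str, re.Pattern] = {
    "FakeFam.gen": re.compile(rb"FAKEFAM\x00.{1,4}\x00payload-marker", re.DOTALL),
}

def scan_exact(sample: bytes) -> Optional[str]:
    """Return the detection name if the sample's hash is on the exact list."""
    return EXACT_SIGS.get(hashlib.sha256(sample).hexdigest())

def scan_generic(sample: bytes) -> Optional[str]:
    """Return the first generic signature name whose pattern occurs in the sample."""
    for name, pattern in GENERIC_SIGS.items():
        if pattern.search(sample):
            return name
    return None

def scan(sample: bytes) -> Dict[str, Optional[str]]:
    """Run both detection styles on one sample."""
    return {"exact": scan_exact(sample), "generic": scan_generic(sample)}

def detection_summary(samples: List[bytes]) -> Tuple[int, int]:
    """(exact hits, generic hits) across a set of samples."""
    results = [scan(s) for s in samples]
    return (sum(r["exact"] is not None for r in results),
            sum(r["generic"] is not None for r in results))

if __name__ == "__main__":
    for i, v in enumerate(VARIANTS):
        print(f"variant {i}: {scan(v)}")
    print("benign   :", scan(BENIGN))
    print("exact/generic hits over family:", detection_summary(VARIANTS))
```

Run as-is: the exact hash catches only the one captured variant, the generic pattern catches all five, and neither fires on the benign file. The wildcard width is the design knob: too narrow and the next repack escapes, too wide and clean files start matching, which is exactly the tuning that happens in the lab.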
I invite the curious to spend some time in an AV lab. Fair warning, however: As in legislation and sausages, you might not want to watch the process.