The antivirus engine (extended engine) in Ad-Aware uses heuristic signatures that look for attributes, characteristics or "digital footprints" in the application code in order to spot "malicious code". Such heuristic scans can sometimes cause false positives. In Ad-Aware 2008 there are 3 different levels/strengths of heuristics, ranging from 1 to 3, level 3 being the most thorough. Theoretically, the chances of false positives get higher when running the scan at a higher heuristic strength. The result of a heuristic scan should therefore be considered in a wider perspective, and multiple scans with different strength settings, in combination with other observations of malicious behavior, should be used in order to pinpoint whether a detected object is to be considered malicious or not.
When looking at the Ad-Aware log file, objects that are detected by the Antivirus ExtendedEngine (only available in Ad-Aware 2008 Pro and Plus) are flagged in the following manner:
Infections Found
===========================
Family Id: 1926 Name: ExtendedEngine Category: Malware TAI:10
===========================
How to activate/deactivate the Heuristic scan or toggle the Heuristics level (in Ad-Aware 2007/2008):
As shown by the image above, the Heuristics settings are reached by clicking on the "Settings" button and then on the "Scanning" tab. If false detections occur at the higher levels of Heuristics (i.e. 2-3), try setting the Heuristics level to 1 instead, or deactivate the Heuristics by un-ticking "Use heuristics on extended scan". Remember that you always have the possibility to quarantine the detected objects instead of deleting them. Objects in quarantine can be restored if needed. Read more about how to deal with quarantined objects here: http://www.lavasoftsupport.com/index.php?showtopic=19729
Also, a user may choose to add the detected objects to the ignore list in order to avoid the detection of selected objects.
Please remember that the result of a heuristic scan should always be considered in a wider perspective, and multiple scans with different strength settings, in combination with other observations of malicious behavior, should be used in order to pinpoint whether a detected object is to be considered malicious or not. The Heuristics function is therefore to be considered a relatively advanced function that has to be tuned manually by the user to a satisfactory level.
Regards,
LS pekka
Lavasoft Research
EDITS:
21/04/2009 - Added "(in Ad-Aware 2007/2008)" to screenshot caption - GoddersUK
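The advice above, to compare scans run at different Heuristics levels, can be scripted against saved log files. The following is an added example, not Lavasoft code: it relies only on the "Family Id" line format shown in the post, and the sample logs, the "ExampleFamily" entry and the function names are constructed for illustration.

```python
import re

# Matches the family line format shown in the post, e.g.
# "Family Id: 1926 Name: ExtendedEngine Category: Malware TAI:10"
FAMILY_RE = re.compile(
    r"Family Id:\s*(?P<id>\d+)\s+Name:\s*(?P<name>.+?)\s+"
    r"Category:\s*(?P<category>.+?)\s+TAI:\s*(?P<tai>\d+)\s*$"
)
HEURISTIC_FAMILY = "ExtendedEngine"  # family name used for heuristic hits

def parse_families(log_text):
    """Return one dict per 'Family Id' line found in a log's text."""
    found = []
    for line in log_text.splitlines():
        m = FAMILY_RE.search(line)
        if m:
            found.append({
                "id": int(m["id"]),
                "name": m["name"],
                "category": m["category"],
                "tai": int(m["tai"]),
                # Heuristic hits need corroboration before removal.
                "heuristic": m["name"] == HEURISTIC_FAMILY,
            })
    return found

def heuristic_levels(logs_by_level):
    """Given {heuristics level: log text}, return the sorted levels whose
    log contains an ExtendedEngine (heuristic) detection."""
    return sorted(
        level for level, text in logs_by_level.items()
        if any(f["heuristic"] for f in parse_families(text))
    )

# Constructed sample logs, one per Heuristics level (not real scan output).
SEP = "==========================="
EXT = "Family Id: 1926 Name: ExtendedEngine Category: Malware TAI:10"
SIG = "Family Id: 9999 Name: ExampleFamily Category: Misc TAI:3"  # hypothetical
SAMPLE_LOGS = {
    1: "\n".join(["Infections Found", SEP, SIG, SEP]),
    2: "\n".join(["Infections Found", SEP, SIG, SEP, EXT, SEP]),
    3: "\n".join(["Infections Found", SEP, SIG, SEP, EXT, SEP]),
}

if __name__ == "__main__":
    levels = heuristic_levels(SAMPLE_LOGS)
    print("Heuristic detections at levels:", levels)
```

A detection that appears only at the higher levels is the case the post describes: quarantine rather than delete, and look for other signs of malicious behavior before deciding.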
