まっちゃ４４５で、松川さんが言われていましたが、URLが違うとかちょっとレジストリのエントリが違うとかそういうのでGenericにしちゃうとか。確かにそっちのが間違えがなくて確実ですよね。

Many of the leading AV engines are, in fact, relying heavily on generic detections and heuristics (some that come to mind include Sophos, Avira, Symantec, and one of the great users of heuristics, ESET). Go ahead and grab a piece of malware, submit it to Virustotal, and see how many detections are things like “trojan.gen”, “delphi.gen”, “troj.heur.downloader”, or “trojan.packed.gen” . These are generic or heuristic detections. And there’s a lot of them.

As far as I’m concerned, just about the only thing an AV company can do these days is to lean heavily on heuristics or behavioral detections. When you’re processing over 30,000 pieces of malware daily, there’s not much choice.

We’re certainly pushing in that direction. As an example, some preliminary test results of our upcoming MX-V virtualization technology (which is almost purely behavioral) are showing detections of almost a quarter of our entire malware repository. That’s pretty powerful, and this is a behavioral system. There are no signficant issues with false positives, either.

GFI LABS Blog: Heuristics are dead?