Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: RedSector on September 07, 2004, 06:22:15 AM

Title: Adding a virus to the db
Post by: RedSector on September 07, 2004, 06:22:15 AM
About how long does it take to get a virus (a trojan in this case) added to the virus database?  I submitted one to H+BEDV and ALWIL last Thursday.  H+BEDV has gotten back to me already but no word from the people at avast.  What is the average time it takes for a virus to be added to the database, or at least for them to acknowledge that they will be adding it soon?
BTW, I love avast and wouldn't stop using it.
Title: Re:Adding a virus to the db
Post by: Eddy on September 07, 2004, 11:55:18 AM
It's a lot of work to reply to everyone who sends things in. Alwil has chosen (if I'm correct) not to reply unless there really is a need for it.

Alwil will immediately release a new vps if it is very harmful/spreads very rapidly. Minor malware will be implemented in the scheduled releases of the vps.

That is how I understand it. If I'm wrong here, I'm sure one of the Alwil people will tap me on the fingers ;D
Title: Re:Adding a virus to the db
Post by: RedSector on September 07, 2004, 07:24:55 PM
Win32:Flux [Trj], Win32:Flux-2 [Trj], Win32:Flux-B [Trj]  ;D It got added
Title: Re:Adding a virus to the db
Post by: Eddy on September 07, 2004, 07:49:30 PM
The 3 I submitted are not added yet. But hey! I submitted them about 10 minutes before they released their new vps ;D ;D ;D
It would be very surprising if they were that fast, now wouldn't it? *grin*

Let's see if the next one has them ;)

The ones I sent them are:
Trojan.Loader.TCS aka Trojan.Dos.Suspision.Cat_a, Loader.J-K
Phoenix.Live.1226 aka Phoenix.Drp.1226, Gen.1226B, 1226(b)

The third one was only detected by Bitdefender (Virtool.Sdne7.A). Since only Bitdefender saw it as infected it could be a false positive.

Since they are rather old, it surprises me Avast doesn't recognize them already.
Title: Re:Adding a virus to the db
Post by: RedSector on September 07, 2004, 08:05:09 PM
A lot of antiviruses have an option to reply to you if you submit one. I think it would be nice, just to put my mind at ease, to have some sort of email reply.  Though I could see how they could get busy and not have time to send an email.
Title: Re:Adding a virus to the db
Post by: Eddy on September 07, 2004, 08:14:58 PM
Perhaps an automated response saying the mail has been received and what exactly was received.
Something like:

We have received the following email from you:
date, time
copy of mail text
name(s) of attachment(s)
thank you for your submission, we will analyze it asap and if needed we will release a new vps.

Perhaps an idea for Alwil to do this. At least people will know whether the email has been received in perfect order or not, and since it is automated it wouldn't cost them time to reply.
Title: Re:Adding a virus to the db
Post by: RedSector on September 07, 2004, 08:15:58 PM
That would be quite nice  ;D
Title: Re:Adding a virus to the db
Post by: Eddy on September 09, 2004, 03:56:09 PM
With vps 437-1, Avast still doesn't pick up the ones I sent them :'(

I just noticed this is post number 56000 on this board ;D
Title: Re:Adding a virus to the db
Post by: Eddy on September 10, 2004, 05:14:32 PM
The file I sent to Bitdefender which was recognized as Virtool.Sdne7.A is indeed a false positive. I just received a confirmation from them. They will fix it in the next vps release.
Title: Re:Adding a virus to the db
Post by: Eddy on September 14, 2004, 09:14:57 PM
4 vps updates later and the two I sent to Alwil are still not added >:(
Title: Re:Adding a virus to the db
Post by: MikeBCda on September 14, 2004, 09:59:12 PM
Try again, Eddy?  A second update for today (0438-1) just arrived here, maybe it's there?
Title: Re:Adding a virus to the db
Post by: Eddy on September 14, 2004, 10:01:59 PM
Nope, that was update nr 4 I was talking about.
Title: Re:Adding a virus to the db
Post by: Eddy on September 14, 2004, 10:23:34 PM
JOTTI RESULTS (http://members.home.nl/edeijl/download/jotti.txt) from the files I submitted to Alwil. courier.exe was, as I suspected, indeed a false positive and Bitdefender has already solved that.
Title: Re:Adding a virus to the db
Post by: Eddy on September 18, 2004, 03:04:36 PM
VPS update number 5 after I mailed the viruses.
With vps 438-3 Avast still doesn't recognize Trojan.Loader.TCS and Phoenix.Live.1226 :-\

Come on Alwil, normally you people are really fast. What's going on?
Title: Re:Adding a virus to the db
Post by: Dwarden on September 19, 2004, 12:44:07 AM
Tried resubmitting to make sure it was received?

Got an answer about Alwil getting them?
Title: Re:Adding a virus to the db
Post by: Eddy on September 19, 2004, 09:51:20 AM
Submitted them 2 times. Jotti also submitted them, no response whatsoever. Sent them a normal email twice, no response either. No reaction from Alwil in this thread either.

I honestly must say it is very disappointing and I never expected this from Alwil :-\
Title: Re:Adding a virus to the db
Post by: lee16 on September 19, 2004, 10:45:54 AM
Maybe they're not viruses then, Eddy  ::)

Or maybe they're having problems adding them (not likely), or maybe they even already added them without your knowledge.

--lee
Title: Re:Adding a virus to the db
Post by: Eddy on September 19, 2004, 11:44:06 AM
Check the report from Jotti (link is in earlier post here)
Do you really think all those other AV applications are wrong? ;D

And they are not added. (Of course I checked)
Title: Re:Adding a virus to the db
Post by: Jlo on September 19, 2004, 02:40:27 PM
HI Eddy,

Yes, I agree with you about the virus submissions. I have sent in quite a number of samples detected by other AVs for avast to add. Sometimes they are quick and included in the next VPS, sometimes after resubmitting they are added a few VPSs later.

I guess though that if only myself or yourself are sending in a sample and no one else has sent in the same sample, then it is a low-risk sample and not 'in the wild'. Also some virus vendors detect 'virus creation tools' whilst others choose not to. I know some viruses have bugs so they don't run, but still some vendors detect these and others choose not to as the sample is faulty.

I know that when there have been 'virus outbreaks', I am sure many of the 'same virus' samples are submitted by lots of different users and VPSs are released asap (even on weekends and, as we have seen, twice a day sometimes).

Avast has never let me down (it's always detected a virus sample which has been sent to me via e-mail, mostly mydoom, netsky).

If you want top notch protection it has to be Kaspersky (or F-Secure), which uses the same engine. KAV adds updates every 3 hours! They do have the highest detection rates, running in at between 80-90% detection rates at Jotti's scanner. The others all run in between the high 30's to 50%.

For the average user avast is good. The heuristics for the e-mail scanner alert to any .exe or other funny/double extensions as possibly infected, which is good, it updates in the background so you always have the latest VPS and there is a good support forum ;D.

In the future it would be good to have heuristics in the on-access program (Nod32, Bitdefender, MKS score well on this).

Also it would be nice to have an automatic reply to say your virus sample has been received!

Just my honest thoughts!! Many thanks still to Avast for providing a good stable program which is available free to the home user. That is a real bonus!

Kind Regards

Jlo
Title: Re:Adding a virus to the db
Post by: Pavel Baudis on September 19, 2004, 06:52:20 PM
Well, as explained already several times on this forum, the samples which come to us fit into several categories which have different priorities. Some of them (the ItW stuff and dangerous stuff) are added immediately (some even initiate the VPS release itself) while others fit into the normal, not so hot stuff category and are added later. Many boring and uninteresting Trojans are added only occasionally - say once a month.

We are receiving about 500 samples a day nowadays and this number is increasing. Some of the samples are already detected by avast!, others are crap and finally some are new malware. We are not able to answer all those submissions and explain in detail what they contain - this is really not possible. But we finally add all the dangerous stuff - so you, the users *ARE* protected.

I hope this explanation will clear up the misunderstandings (at least for a while  ;) ) and that you will be more patient in the future  :D ;D !

Pavel
Title: Re:Adding a virus to the db
Post by: Jlo on September 19, 2004, 09:09:36 PM
Hi Pavel,

Many thanks for adding your explanation, which does make perfect sense. :)

500 samples a day sounds like an awful lot of work. :-[

Out of interest, what do you mean by your statement '(some even initiate the VPS release itself)'? Is it that your sandbox recognises extremely dangerous or spreading viruses and can create and issue a VPS automatically, or that you would release a VPS straight away on receipt of a dangerous or in-the-wild virus?

Thanks again.

Cheers

Jlo
Title: Re:Adding a virus to the db
Post by: Pavel Baudis on September 19, 2004, 10:17:58 PM
Out of interest, what do you mean by your statement '(some even initiate the VPS release itself)'? Is it that your sandbox recognises extremely dangerous or spreading viruses and can create and issue a VPS automatically, or that you would release a VPS straight away on receipt of a dangerous or in-the-wild virus?

No, there is really no such thing as a fully automated VPS release - it could be too dangerous in case of some problem (and about two million users loading it  ;) ). I meant that some samples could be of high emergency, so they "cause" the VPS release (as has happened many times in the past).

Pavel
Title: Re:Adding a virus to the db
Post by: Jlo on September 19, 2004, 10:49:48 PM
I understand.

Many Thanks Pavel.

Kind Regards

Jlo
Title: Re:Adding a virus to the db
Post by: Lisandro on September 20, 2004, 03:55:48 AM
about two million users loading it  ;) )

Pavel, for the first time we realise how big the family is  8)
Title: Re:Adding a virus to the db
Post by: Pavel Baudis on September 20, 2004, 11:22:56 AM
about two million users loading it  ;) )

Pavel, for the first time we realise how big the family is  8)

 ;) Yep, that's it - and growing every day !!!
Title: Re:Adding a virus to the db
Post by: Eddy on September 20, 2004, 04:27:23 PM
Submitted another one to Alwil. The strange thing about this one is that it is detected by all other AVs. Most see it as Bugbear. Checking the virus library in Avast, it should be detected by Avast. But it is not. Wondering what is causing this ??? A new variant? Could be, but in my opinion it is not likely. I think it is a little bug in the vps, but I'm not sure about it. Let's hope Alwil can shine a light on this.

Results from Jotti's scan are HERE (http://members.home.nl/edeijl/bugbear.jpg)

Found this one on one of my customers' systems.
Title: Re:Adding a virus to the db
Post by: Pavel Baudis on September 20, 2004, 05:31:36 PM
Submitted another one to Alwil. The strange thing about this one is that it is detected by all other AVs. Most see it as Bugbear.... Wondering what is causing this ??? A new variant? Could be, but in my opinion it is not likely. I think it is a little bug in the vps, but I'm not sure about it. Let's hope Alwil can shine a light on this.

It is corrupted MIME (missing Content-Type line), so avast! is unable to unpack it. When unpacked manually, avast! detects the Win32:Bugbear-C inside without any problems (so such a virus will be detected when somebody tries to execute it).

Pavel
Title: Re:Adding a virus to the db
Post by: RejZoR on September 20, 2004, 05:34:35 PM
OK, I never really had the chance to test this one...
...so theoretically the antivirus can detect any virus no matter which packer it's using (as long as the virus is in the VPS)? The only limitation is that it will be detected only upon execution and not on a copy/move/create command?
Title: Re:Adding a virus to the db
Post by: Pavel Baudis on September 20, 2004, 05:58:56 PM
OK, I never really had the chance to test this one...
...so theoretically the antivirus can detect any virus no matter which packer it's using (as long as the virus is in the VPS)? The only limitation is that it will be detected only upon execution and not on a copy/move/create command?

It's simple: There is a virus which could have several different layers on itself (have you seen Shrek  ;D ?). With these layers, it could not be executed directly but must be unpacked first. And it does not matter if it is ZIP, MIME etc. Unless it is unpacked, it is just "data" - it actually cannot spread in this form.

Of course, the EXE packers are different - with Pklite or UPX, it is decrypted on the fly at the moment of execution - and it could carry its envelope with itself...

Sometimes it is good to detect even the packed "data" form (especially for the mail servers - like the encrypted Beagle variants) but such files can't be executed directly and after unpacking the virus could be detected in its native form.

Hope this helps
Pavel
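The two points Pavel makes above (a mail with a missing Content-Type line that the scanner cannot unpack, and layered containers being just "data" until each layer is opened) are easy to see in code. The following is an added example written for this thread, not code from Alwil or from anyone posting here. It is a toy scanner in Python: a strict pass that only unpacks parts the MIME headers declare as attachments, a lenient pass that decodes every base64-looking run in the raw message regardless of the headers, and a recursive ZIP unpacker with depth and size limits. The "sample" is a constructed marker string, the detection name `Win32:Example-Marker` is hypothetical, and the e-mail is fabricated by `build_message()`; nothing here is real malware.

```python
# Added example, not code from this thread or from Alwil. A toy mail scanner
# showing two points from Pavel's replies: a MIME part with no Content-Type
# line is never unpacked by a scanner that trusts the declared structure, and
# containers (ZIP, MIME) are just data until each layer is unpacked.
# Everything below is constructed: MARKER stands in for a sample, the
# detection name is hypothetical, and build_message() fabricates the e-mail.
import base64
import binascii
import io
import re
import zipfile
from email import message_from_bytes
from email.policy import default

MARKER = b"CONSTRUCTED-MARKER-NOT-REAL-MALWARE-" * 4   # constructed "sample"
SIGNATURES = {MARKER: "Win32:Example-Marker"}          # hypothetical name
ZIP_MAGIC = b"PK\x03\x04"
MAX_MEMBER = 10_000_000   # bytes; refuse to inflate anything larger


def match_signatures(data: bytes) -> list[str]:
    """Byte-pattern match on one layer: detection of the 'native form'."""
    return [name for sig, name in SIGNATURES.items() if sig in data]


def scan_blob(data: bytes, depth: int = 0, max_depth: int = 8) -> list[str]:
    """Match this layer, then unpack a ZIP and recurse into every member.
    Depth and size limits keep a hostile archive from recursing or
    inflating without bound."""
    hits = match_signatures(data)
    if depth >= max_depth or not data.startswith(ZIP_MAGIC):
        return hits
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER:
                    continue   # decompression-bomb guard
                hits += scan_blob(zf.read(info), depth + 1, max_depth)
    except zipfile.BadZipFile:
        pass   # corrupt container: nothing to unpack, as with the bad MIME
    return hits


def scan_mime_strict(raw: bytes) -> list[str]:
    """Unpack only parts the headers declare as non-text attachments. A part
    with no Content-Type line defaults to text/plain and is skipped, so the
    ZIP inside it is never seen (the Bugbear case above)."""
    msg = message_from_bytes(raw, policy=default)
    hits: list[str] = []
    for part in msg.walk():
        if part.is_multipart() or "Content-Type" not in part:
            continue
        if part.get_content_maintype() == "text":
            continue
        hits += scan_blob(part.get_payload(decode=True) or b"")
    return sorted(set(hits))


_B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4,}={0,2}\r?\n)+")


def scan_mime_lenient(raw: bytes) -> list[str]:
    """Ignore the declared structure: decode every base64-looking run in the
    raw bytes and hand the result to the container scanner."""
    hits: list[str] = []
    for run in _B64_RUN.finditer(raw):
        text = b"".join(run.group(0).split())
        if len(text) < 32 or len(text) % 4:
            continue   # a stray word, not an attachment body
        try:
            blob = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            continue
        hits += scan_blob(blob)
    return sorted(set(hits))


def build_zip(name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def build_message(include_content_type: bool) -> bytes:
    """Constructed two-part mail; the attachment is a ZIP holding MARKER.
    include_content_type=False drops the attachment's Content-Type line."""
    body = base64.encodebytes(build_zip("readme.exe", MARKER))
    headers = b"Content-Transfer-Encoding: base64\r\n"
    if include_content_type:
        headers += b'Content-Type: application/zip; name="readme.zip"\r\n'
    headers += b'Content-Disposition: attachment; filename="readme.zip"\r\n'
    return (b"From: sender@example.invalid\r\nTo: rcpt@example.invalid\r\n"
            b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
            b'Content-Type: multipart/mixed; boundary="b42"\r\n\r\n'
            b"--b42\r\nContent-Type: text/plain\r\n\r\n"
            b"Please see the attached file.\r\n--b42\r\n"
            + headers + b"\r\n" + body.replace(b"\n", b"\r\n") + b"--b42--\r\n")


if __name__ == "__main__":
    for ct in (True, False):
        raw = build_message(ct)
        print(f"Content-Type present={ct}: strict={scan_mime_strict(raw)}, "
              f"lenient={scan_mime_lenient(raw)}")
    nested = build_zip("inner.zip", build_zip("readme.exe", MARKER))
    print("nested ZIP:", scan_blob(nested),
          "| max_depth=1:", scan_blob(nested, max_depth=1))
```

With the Content-Type line present both passes report the hit; with it missing, the strict pass reports nothing while the lenient pass still finds the marker inside the ZIP, which is the gap Pavel describes. The nested-ZIP run shows the other half of his point: the marker is only found once the scanner has opened every layer, and with `max_depth=1` it is not found at all, because the inner archive is never opened and is therefore, as he puts it, just data.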
Title: Re:Adding a virus to the db
Post by: Eddy on September 20, 2004, 06:11:29 PM
Thanks for the feedback Pavel, appreciated.
Title: Re:Adding a virus to the db
Post by: Pavel Baudis on September 20, 2004, 06:17:03 PM
Thanks for the feedback Pavel, appreciated.

 ;D You are welcome!!
But I hope you will understand we can't send such detailed explanations to 500+ emails a day  ;) !

Pavel
Title: Re:Adding a virus to the db
Post by: MikeBCda on September 20, 2004, 06:32:42 PM
Many boring and uninteresting Trojans are added only occasionally - say once a month.
Pavel

OK, I'll bite -- what the heck is a "boring and uninteresting" Trojan, especially to someone in your position?  ??? ;D  I assume you mean ones that either don't yet seem to be out ITW, or else are essentially non-disruptive other than, say, displaying prank messages?
Title: Re:Adding a virus to the db
Post by: Pavel Baudis on September 20, 2004, 06:49:00 PM
OK, I'll bite -- what the heck is a "boring and uninteresting" Trojan, especially to someone in your position?  ??? ;D  I assume you mean ones that either don't yet seem to be out ITW, or else are essentially non-disruptive other than, say, displaying prank messages?

Most Trojans are boring and uninteresting  ;D - we receive hundreds of them from other AV companies every month, they were not seen ItW and they bring no danger to our users...

Pavel
Title: Re:Adding a virus to the db
Post by: lee16 on September 20, 2004, 07:06:34 PM
Do other AV companies such as Kaspersky hire extra people to reply to virus samples then, Pavel?

And could there be a sort of automated response just to let us know the sample arrived at its destination?

--lee
Title: Re:Adding a virus to the db
Post by: raman on September 20, 2004, 07:25:47 PM
Kaspersky simply has more manpower, and even Kaspersky sometimes adds malware only when a new cumulative update is released. Not often, but it happens.

BTW: Their response is not very informative, just malware (the name of it) or not, or if an outbreak took place they send an auto-response from an automatic scan robot. But that's enough for me, maybe Avast could do that too!?

The response of CA eTrust is interesting if sending malware via their webpage.