Author Topic: Why antivirus reports for files are no longer available with VT URL scans?  (Read 2362 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Hi forum friends,

Normally, after scanning a URL with an executable via VT URL scan, a pop-up would open that allowed access to an AV report scan, and with one glance we could see whether avast and/or other AV solutions had detection for a certain threat or not. With new.virustotal.com this additional scan function seems gone, making VT URL scanning nothing better or worse than a web rep tool. So we have to establish the file MD5 hash first and look for detection or not via other resources. Why did they obscure scan results in this way?

polonus
« Last Edit: December 30, 2011, 06:05:13 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Why antivirus reports for files are no longer available with VT URL scans?
« Reply #1 on: December 30, 2011, 06:08:23 PM »
Hi Polonus,

Tested the new and old virustotal with our old detection of multipagos' plugin jar file.

New VT Site Results (2/17): https://new.virustotal.com/url/9b2327c5f64a5a02bfcefbe0b51bd3df1768b53b322e649275b7df071930d831/analysis/1325264628/

Old VT Site Results (4/16): http://www.virustotal.com/url-scan/report.html?id=2bfd77f032022ca8750ff319bf823c97-1325260692

Why couldn't the new VT site generate an antivirus analysis of the same file? ???
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

Re: Why antivirus reports for files are no longer available with VT URL scans?
« Reply #2 on: December 30, 2011, 06:13:27 PM »
Good question that is, I give another example: scanned this here: https://new.virustotal.com/url/48a196dbeb3db3e4fcff47d15db411c60884591dbc4220733590dc9aa9489871/analysis/1325264511/
normally would have scanned here: http://www.virustotal.com/url-scan/report.html?id=3131e152c979d13fbed5bf983bd905fb-1325260441
and then get the results here:
http://www.virustotal.com/file-scan/report.html?id=775172ce2a6d835f0ca2f29958aaf3a5099b3590a2ff3ad789e68bceaa72e2ab-1325264047
In the new method I have this info returned:

URL after redirects: -http://echip.com.vn/echiproot/Softwares/d32/
Response code: 200
Response headers:
  via: HTTP/1.1 GWA
  x-google-cache-control: remote-fetch
  vary: Accept-Encoding
  server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch
  date: Sat, 31 Dec 2011 00:32:58 GMT
  content-type: text/html;charset=UTF-8
Response content SHA-256: 775172ce2a6d835f0ca2f29958aaf3a5099b3590a2ff3ad789e68bceaa72e2ab

I know there is malware out there:

File Name: d32
File Size: 11951 bytes
File Type: Unknown file
MD5 Hash: f4e3f3f9ab9fcf0cf482376274531bfc
SHA1 Hash: ae40ab771dcfcbf09d522b89a9455184ce8dd44c
Detections: 0 / 9 (0 %)

I know there is malware because of this report:
http://amada.abuse.ch/?search=203.162.35.98
There I find no VT file results either...
was PUA.Packed.ASPack
Nothing here: http://vscan.urlvoid.com/analysis/f4e3f3f9ab9fcf0cf482376274531bfc/ZDMy/

polonus

Offline !Donovan

Re: Why antivirus reports for files are no longer available with VT URL scans?
« Reply #3 on: December 30, 2011, 06:18:18 PM »
I know there is malware because of this report:
-http://amada.abuse.ch/?search=203.162.35.98
This file isn't detected by avast:
http://www.virustotal.com/file-scan/report.html?id=3fd65b3f366a391a13a406ecf10d06f1338fd527059952a4264d3995f0a458d6-1325226292

Offline polonus

Re: Why antivirus reports for files are no longer available with VT URL scans?
« Reply #4 on: December 30, 2011, 06:49:54 PM »
Hi Donovansrb10,

This file not being detected by avast has another reason altogether. The reason is that it is a PUP or risktool. Scanners like ClamAV flagging this as PUA.Packed.PECompact-2 do not have all the latest technology aboard to even come to terms with all the packers/protection and what have you in modern malware etc. From the Emsisoft result we know we are dealing with a risktool. Now I greatly miss the bugbopper site, where the enthusiasts could come up with the right naming convention terminology, e.g. this is such and such a virus, then furthermore it could be classified as part of this family and that subfamily and so on. A great pity it was discontinued, because it had a wealth of malware resources and data on malcode there. They functioned for me as a sort of Linnaeus, not for flower determination but for malware naming convention. Now we have to take the file "by the hash id" to know what we are really dealing with uniquely, because some malware comes up uniquely all the time. Who said that they would make it easy on you?  ;D

polonus
« Last Edit: December 30, 2011, 06:52:17 PM by polonus »