avast! engine on online scanner (VirusTotal)

[TAP]

I come across a variant of Win32:Sdbot that the latest version of avast! on my machine detects it but when I submit it to an online scanner (VirusTotal) it's so surprised that avast! engine doesn't detect this sample as you see.

Is avast! on VirusTotal not the same engine as avast! for desktop/server? so this may be the proof that the results from an online scanner are not reliable to determine the efficiency of an antivirus software as some people/amateur testers try to do.

[igor]

The engine on VirusTotal is basically the same as the Windows desktop/server engine.
The difference may be in the particular version, however. The online scanners are not updated during the ordinary program updates, but rather receive a special version of the program from time to time (I am talking about avast! right now, don't know how other products work). So, sometimes the engine might be slightly older than the one publically available, sometimes also slightly newer. While the same virus database is used everywhere, newer versions of the scanning engine may have improved unpacking capabilities, which may affect the detection as well.

In this particular care, you can see that the virus was detected inside of an Upack-compressed executable. The engine on VirusTotal is probably slightly older than your desktop one - and it's probably not able to unpack this particular version of Upack (and the virus database currently doesn't contain the signature for the compressed file itself).

[RejZoR]

Ok, this is excellent example for my question.
Could generic unpacker help in this very case (if the older version would have one) or it would fail to detect it anyway (since there were some hints about avast! 5.x having gen unpacking)? I'm still learning about this generic unpacking so this question might sound dumb hehe

[Vlk]

In theory yes, but even a generic unpacker is definitely not a panacea.

Some packers cannot be unpacked generically (are way too complex and the emulation would take too long) and some may give strange (unusable) results...

But yes, it's a useful tool (although our internal stats show that right now, we're able to unpack the vast majority of all packed files (up to 90%)).

[polonus]

Hi Vlk,

How do you declare the differences between Jotti and Virus Total,
they are there.

polonus

[igor]

I'm not sure what exactly are you asking about...
Jotti, just as Virus Total, may have a different version of the engine that the public one (and different version than Virus Total at that). Besides, Jotti is running on Linux, so there may be fewer packers supported in the avast! engine.

[RejZoR]

Thanks Vlk!