Topic: Why aren't you using more generic signatures?

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9401
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Why aren't you using more generic signatures?
« on: July 03, 2006, 11:32:28 PM »
I'm noticing that avast! indeed has the capability of generic detection. And a pretty good one actually. But why don't you use it more often?
So far I've seen just a few, but would certainly like to see more of them.
Visit my webpage Angry Sheep Blog

Offline RejZoR

Re: Why aren't you using more generic signatures?
« Reply #1 on: July 08, 2006, 11:38:02 PM »
This is what I mean by generic signatures ;D



Also loads of Ardamax files are getting nailed by avast! generic detection lately.
You could just as well "replace" heuristics to some degree with already tested and of course existing tech. Just use it more often plz ;D

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86649
  • No support PMs thanks
Re: Why aren't you using more generic signatures?
« Reply #2 on: July 09, 2006, 12:15:51 AM »
It would also seem that the other AVs that picked this up did so using heuristics.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline RejZoR

Re: Why aren't you using more generic signatures?
« Reply #3 on: July 22, 2006, 11:39:55 AM »


Another one. The avast! generic engine seems to be pretty good.
Keep on adding more generic signatures :)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67241
Re: Why aren't you using more generic signatures?
« Reply #4 on: July 22, 2006, 01:34:40 PM »
RejZoR, how do you get into these samples? Just surfing dangerous?  ;D
Do you have a virus collection or any virus samples supplier?
The best things in life are free.

Offline RejZoR

Re: Why aren't you using more generic signatures?
« Reply #5 on: July 22, 2006, 01:49:44 PM »
This one is a random snapshot from Jotti. I've seen dozens of Win32:Ardamax-gen detections on it too.
Though I get most of the samples from other users, P2P and questionable websites. The other half is from Malware Research.

Offline RejZoR

Re: Why aren't you using more generic signatures?
« Reply #6 on: July 24, 2006, 10:09:55 AM »
Wow, the Alwil guys did listen to me (or it's just pure coincidence ;D).
Check out new -gen signatures :) Keep up the good work team!

EDIT:
Btw, any chance to see generics for Zlob nasties?
« Last Edit: July 24, 2006, 10:23:21 AM by RejZoR »

gnwd

  • Guest
Re: Why aren't you using more generic signatures?
« Reply #7 on: July 25, 2006, 08:14:10 AM »
That's interesting...

The Panda antivirus and Fortinet may be a good choice.

========================
Antivirus Version Actualización Resultado
AntiVir 6.35.0.24 24.07.2006 no ha encontrado virus
Authentium 4.93.8 24.07.2006 no ha encontrado virus
Avast 4.7.844.0 24.07.2006 no ha encontrado virus
AVG 386 24.07.2006 no ha encontrado virus
BitDefender 7.2 25.07.2006 no ha encontrado virus
CAT-QuickHeal 8.00 25.07.2006 no ha encontrado virus
ClamAV devel-20060426 25.07.2006 no ha encontrado virus
DrWeb 4.33 24.07.2006 no ha encontrado virus
eTrust-InoculateIT 23.72.77 25.07.2006 no ha encontrado virus
eTrust-Vet 12.6.2306 24.07.2006 no ha encontrado virus
Ewido 4.0 24.07.2006 no ha encontrado virus
Fortinet 2.77.0.0 25.07.2006 suspicious
F-Prot 3.16f 24.07.2006 no ha encontrado virus
F-Prot4 4.2.1.29 24.07.2006 no ha encontrado virus
Ikarus 0.2.65.0 24.07.2006 no ha encontrado virus
Kaspersky 4.0.2.24 25.07.2006 Trojan-Proxy.Win32.Horst.de
McAfee 4813 24.07.2006 no ha encontrado virus
Microsoft 1.1508 25.07.2006 no ha encontrado virus
NOD32v2 1.1677 24.07.2006 a variant of Win32/TrojanProxy.Horst.NAI
Norman 5.90.23 24.07.2006 no ha encontrado virus
Panda 9.0.0.4 24.07.2006 Suspicious file
Sophos 4.07.0 25.07.2006 no ha encontrado virus
Symantec 8.0 25.07.2006 no ha encontrado virus
TheHacker 5.9.8.181 25.07.2006 no ha encontrado virus
UNA 1.83 24.07.2006 no ha encontrado virus
VBA32 3.11.0 25.07.2006 no ha encontrado virus
VirusBuster 4.3.7:9 24.07.2006 no ha encontrado virus
« Last Edit: July 25, 2006, 08:17:13 AM by gnwd »

Offline RejZoR

Re: Why aren't you using more generic signatures?
« Reply #8 on: July 25, 2006, 09:12:20 AM »
They tag a bunch of stuff as Suspicious. Plus this doesn't have much in common with generic detection either...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33624
  • malware fighter
Re: Why aren't you using more generic signatures?
« Reply #9 on: July 25, 2006, 09:27:49 AM »
Hi RejZoR,

Just another thing, but maybe related to this issue. You know I am spending an awful lot of time on viruses and worms, and see a lot of postings. Lately I see a lot of FP's in game files etc. Is the number of FP's found by avast increasing? And why? Or is it flagged without the notion of riskware, if one has downloaded it deliberately and for good reasons?

polonus
« Last Edit: July 25, 2006, 09:30:05 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline RejZoR

Re: Why aren't you using more generic signatures?
« Reply #10 on: July 26, 2006, 05:13:30 PM »
No, I don't think so. Generic detections are usually very precise and they don't make mistakes too often, since they are designed to target a very specific range of malware. Those generically added samples, however, cause problems more often (Win32:Trojan-gen). I'm not sure how they sort or analyze them, but it appears to be some sort of in-house automated system that helps analysts speed up the adding of samples.
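Reply #10 contrasts a hand-written generic signature, a byte pattern scoped to one family with wildcards where the variants differ, with detections produced by automated sample processing, which are more prone to false positives. The Python sketch below is an added example written for this thread; it is not code from the forum, from Alwil or from the avast! engine. The sample bytes, the benign file, the family name "Win32:Example" and the three signature styles are all constructed for illustration, and the matching is deliberately simple (SHA-256 for exact signatures, a bytes regex for patterns).

```python
"""Toy comparison of exact, generic and over-broad signatures.

Added example, not from the thread or from any real AV engine. Every byte
string here is constructed; none of it is real malware or a real signature.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# --- constructed corpus ----------------------------------------------------
# Three "variants" of a hypothetical family share a code skeleton and differ
# only in a four-byte embedded configuration blob.
_PROLOGUE = b"MZ\x90\x00\x55\x8b\xec"   # constructed header + prologue bytes
_EPILOGUE = b"\x8b\x45\x08\xc3"          # constructed epilogue bytes


def _variant(config: bytes) -> bytes:
    """Build one constructed family variant around a config blob."""
    return _PROLOGUE + b"CFG:" + config + _EPILOGUE


CORPUS: Dict[str, bytes] = {
    "variant_a": _variant(b"\x01\x02\x03\x04"),
    "variant_b": _variant(b"\x09\x09\x09\x09"),
    "variant_c": _variant(b"\xff\xfe\xfd\xfc"),
    # Constructed benign file (think: a game save) that happens to share only
    # the common prologue bytes with the family.
    "benign_savegame": _PROLOGUE + b"game save data v2" + b"\xc3",
}
MALICIOUS = {"variant_a", "variant_b", "variant_c"}


class Signature:
    name: str

    def matches(self, data: bytes) -> bool:
        raise NotImplementedError


class HashSignature(Signature):
    """Sample-specific: hits exactly the one file it was derived from."""

    def __init__(self, name: str, sample: bytes) -> None:
        self.name = name
        self.digest = hashlib.sha256(sample).hexdigest()

    def matches(self, data: bytes) -> bool:
        return hashlib.sha256(data).hexdigest() == self.digest


class PatternSignature(Signature):
    """Byte pattern with wildcards, expressed as a bytes regex.

    re.DOTALL makes '.' match any byte, so '.{4}' is a four-byte wildcard.
    """

    def __init__(self, name: str, pattern: bytes) -> None:
        self.name = name
        self.regex = re.compile(pattern, re.DOTALL)

    def matches(self, data: bytes) -> bool:
        return self.regex.search(data) is not None


# Hypothetical signature names in avast!-like style; not real detections.
SIGNATURES: List[Signature] = [
    # 1. Exact: only variant_a is caught; b and c slip through.
    HashSignature("Win32:Example-A [exact]", CORPUS["variant_a"]),
    # 2. Generic: anchors on the family skeleton, wildcards the config blob.
    PatternSignature(
        "Win32:Example-gen [generic]",
        re.escape(b"\x55\x8b\xecCFG:") + b".{4}" + re.escape(_EPILOGUE),
    ),
    # 3. Over-broad: matches the shared prologue alone, so benign files hit too.
    PatternSignature("Win32:Example-broad [over-broad]", re.escape(_PROLOGUE)),
]


def scan(data: bytes, signatures: List[Signature] = SIGNATURES) -> List[str]:
    """Return the names of all signatures that fire on one file."""
    return [sig.name for sig in signatures if sig.matches(data)]


def evaluate(
    signatures: List[Signature] = SIGNATURES,
    corpus: Dict[str, bytes] = CORPUS,
    malicious=MALICIOUS,
) -> Dict[str, Tuple[int, int]]:
    """Per-signature (true positives, false positives) over the labelled corpus."""
    report: Dict[str, Tuple[int, int]] = {}
    for sig in signatures:
        tp = sum(1 for n, d in corpus.items() if n in malicious and sig.matches(d))
        fp = sum(1 for n, d in corpus.items() if n not in malicious and sig.matches(d))
        report[sig.name] = (tp, fp)
    return report


if __name__ == "__main__":
    for name, (tp, fp) in evaluate().items():
        print(f"{name:40s} TP={tp} FP={fp}")
```

Running it shows the trade-off the thread is circling: the exact signature covers one sample out of three, the generic pattern covers the whole constructed family with no false positive because it requires the family-specific "CFG:" marker and epilogue, and the over-broad pattern also covers the family but flags the benign file, which is the kind of result an automated pipeline produces when it keys on bytes that are common to unrelated software.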