Author Topic: Samples missed by avast (VirusTotal links only!)  (Read 373570 times)

0 Members and 1 Guest are viewing this topic.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: Samples missed by avast (VirusTotal links only!)
« Reply #45 on: October 02, 2010, 04:01:08 PM »
If you want to get frightened, here we goes...

http://www.virustotal.com/file-scan/report.html?id=377f8601a5f3868a5290193844abafa24d54aca366a3f6b51ce33c9627ec1545-1285835021
http://www.virustotal.com/file-scan/report.html?id=3ec7149c46e54e81eea95cb0ca8cb20eaff21d785967c4de1305204f76fe6290-1285847507
http://www.virustotal.com/file-scan/report.html?id=962c7856d2d6b4c5ce2921dc5cc5bad516623361541a677f1f5349be474eecc3-1285835130
http://www.virustotal.com/file-scan/report.html?id=35c51fbfd9a713ceaf1a792f8aeba95cd47fe88bc3dc781a99f1d208c63928cc-1286026435
http://www.virustotal.com/file-scan/report.html?id=8ad3165eba03c2bd92dedbc89a5c13700cc289e2d636e7a4f2adb4cb90cce948-1286022745
http://www.virustotal.com/file-scan/report.html?id=b61fd3beea501c83ae6f0b1a2a5fd00366dbb2744ab480c814dbe4e3578cdfd0-1286017983
http://www.virustotal.com/file-scan/report.html?id=12e5efddd690c52fcc751a93aa16c2216d2107cc2b164eaa9984b312a3ab0f43-1286017451
http://www.virustotal.com/file-scan/report.html?id=18b1ac1ce2bbc3214004a9edcd64a1383ffdc5ea364b6e64d82802ff54e84566-1286017643
http://www.virustotal.com/file-scan/report.html?id=31095bd923240423b3234e8d874ef95b518f53da5792bbd081b4d001fbcd6094-1286005492
http://www.virustotal.com/file-scan/report.html?id=31137bcdf67b3b70c864058af25aba5c97ea54ce55825bb258d56d5a1cdc99a5-1286005652
http://www.virustotal.com/file-scan/report.html?id=63a9b83764282c748a2621c10948c766f5617146dd988c97691541db6c4730f3-1286005660
http://www.virustotal.com/file-scan/report.html?id=174f53b2f6615b0f2cfd1b1fd27456009c3f5015f6789e67b53e89cff677d506-1286005676

... and so on...
The best things in life are free.

Online DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 86931
  • No support PMs thanks
Re: Samples missed by avast (VirusTotal links only!)
« Reply #46 on: October 02, 2010, 04:29:22 PM »
I honestly don't see the purpose of this topic as it achieves little (or the other one that got closed).

I also don't see how the average user would be coming into regular normal browsing contact with these, which you are obviously seeking out. Most regular users aren't seeking out malware in this way.

Yes, they could get tricked into downloading something from a search result, but how would this topic help them in any case, it doesn't.

As you have already said the VT links are of little use to the virus labs team, they need the samples to analyse.

<snip>
Although I was alerted that just posting virustotal links without further information about the origin of the file, behavior, etc. is just adding manual work for the virus analysts that are receiving 50.000 samples per day.
They have quite some honeypots and they're not really worried about the links posted here.
<snip>

So it is clear that the sample and information needs to be sent to avast, rather than posting VT links and you can't go posting links to file sharing sites or the origin of the sample, for the very reason the other topic was closed.

That is why I feel this is pointless in this context, not to forget as polonus mentioned, it shouldn't be post and forget, but go back and confirm if the original post is now detected or a false positive.
<snip>
But the folks that report missed samples through VT links, should check there again for more recent results, also sometimes results are found to be false positives, see the link Left123 gave above. So do your homework properly.
<snip>

Over time (now on 4 pages) all you see are missed samples and zero input on samples now added to the database or considered to have been false positives, or all you see is an unbalanced/one sided view.

As you say "If you want to get frightened, here we goes..." the object surely is not to frighten users ???

If it is to improve detections, then you need to send the samples and information to avast as the VT results in isolation are pretty worthless. Especially if those who post them don't follow up to see if they are added or are FPs.
« Last Edit: October 02, 2010, 04:32:21 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.9.6034 (build 22.9.7554.734) UI 1.0.728/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37148
  • Not a avast user
Re: Samples missed by avast (VirusTotal links only!)
« Reply #47 on: October 02, 2010, 04:36:51 PM »
Quote
I honestly don't see the purpose of this topic as it achieves little (or the other one that got closed).
Have been thinking the same.....how will this improve detection if you don`t send the samples ?
or does Tech know something we don`t

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: Samples missed by avast (VirusTotal links only!)
« Reply #48 on: October 02, 2010, 04:53:02 PM »
I honestly don't see the purpose of this topic as it achieves little (or the other one that got closed).
The other one was closed because people post open links to malware I think.

I also don't see how the average user would be coming into regular normal browsing contact with these, which you are obviously seeking out. Most regular users aren't seeking out malware in this way.
Sure. But not all the avast users are "regular normal browsing"...

As you have already said the VT links are of little use to the virus labs team, they need the samples to analyse.
They could get them from virustotal as they have the MD5 of the file.

I'm not posting links quite some weeks ago as the avast team just said they won't stop their analysis to manual check the links here. It was becoming useless without the avast team being able to add the definitions.

At least, posting here can show:
1. avast protection needs to be increased. And there are users that can't even talk about that.
2. avast team could post or react to threads about security and drop some light and knowledge on how to get protected.

But the folks that report missed samples through VT links, should check there again for more recent results, also sometimes results are found to be false positives, see the link Left123 gave above. So do your homework properly.
I always check more recent results.
Did you try my links just after they were posted?

Over time (now on 4 pages) all you see are missed samples and zero input on samples now added to the database or considered to have been false positives, or all you see is an unbalanced/one sided view.
So, which should improve here? Our posting about missdetections or acknowledgment from avast team?
If we're posting false positives, could it take a while to say that for us? Why not?

As you say "If you want to get frightened, here we goes..." the object surely is not to frighten users ???
Ok, I was thinking that people need to discuss these issues, nothing more.
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: Samples missed by avast (VirusTotal links only!)
« Reply #49 on: October 02, 2010, 05:01:40 PM »
Pondus has showed me a link to http://www.shadowserver.org/wiki/pmwiki.php/Stats/VirusDailyStats
Seems a good source for what I'm trying to talk about.
The best things in life are free.

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Samples missed by avast (VirusTotal links only!)
« Reply #50 on: October 02, 2010, 05:16:24 PM »
some weeks ago i made a topic about some trojan.ransoms and i only posted VT links,and after about 1 day an avast techinical said:samples should be detected now,i only posted vt links and the samples were in the next virus database update
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: Samples missed by avast (VirusTotal links only!)
« Reply #51 on: October 02, 2010, 05:32:50 PM »
some weeks ago i made a topic about some trojan.ransoms and i only posted VT links,and after about 1 day an avast techinical said:samples should be detected now,i only posted vt links and the samples were in the next virus database update
Lucky you... Our samples did not have that luck :'(
The best things in life are free.

Henrique - RJ

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #52 on: October 03, 2010, 08:47:22 AM »
Loss of time and labor ...

The avast team will not improve the service of automatic analysis.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Samples missed by avast (VirusTotal links only!)
« Reply #53 on: October 04, 2010, 09:54:55 PM »
guys, what about posting VT links where avast kicks ass (to keep the balance in our universe)? :P // don't try to tell me, there are no such links :-X

as Tech already mentioned: watching this thread means an out of bound work for our analysts, therefore the links should provide an additional information.. you should always know why exactly the link posted by you has a bigger priority than samples sorted out by our internal systems, otherwise it's a waste of time on both sides... you can write a script for browsing virustotal results and posting them here, but what will be their benefit for us? we'll receive the files and metadata anyway from virustotal (on a regular basis of sample submission) so it means an extra manual work that duplicates what a machine does for us.. here's a guideline for posting links which make some sense:

1. you know the origin/behavior/way of spreading of the sample (it comes from a machine that you recently disinfected e.g.)
2. the sample is not an adware, toolbar or such low-risk malware/PUP
3. you're able to write related metadata either to VT comments or here

Henrique - Bankers is what bothers you, right? we're receiving samples from Bank of Brasil (and maybe other institutes in Brasil), but it's probably not enough to cover this regional issue.. if you have better samples, we can talk about a processing of your submission through our ftp (a daily uploaded batch with a predefined name), if you prove the quality of your feed, we can dedicate someone to its processing maybe..

Hermite15

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #54 on: October 04, 2010, 10:09:43 PM »
guys, what about posting VT links where avast kicks ass (to keep the balance in our universe)? :P // don't try to tell me, there are no such links :-X

+1 ;)

Henrique - RJ

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #55 on: October 04, 2010, 10:22:12 PM »
Henrique - Bankers is what bothers you, right? we're receiving samples from Bank of Brasil (and maybe other institutes in Brasil), but it's probably not enough to cover this regional issue.. if you have better samples, we can talk about a processing of your submission through our ftp (a daily uploaded batch with a predefined name), if you prove the quality of your feed, we can dedicate someone to its processing maybe..

Maxx

What do you attribute the better performance of the Avira in the proactive tests of  AV-Comparatives?

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Samples missed by avast (VirusTotal links only!)
« Reply #56 on: October 04, 2010, 10:35:08 PM »
bigger viruslab, PCK/*Anything* detections etc.. but i haven't seen the diff between our and their misses, actually noone except the testers did, afaik..

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37148
  • Not a avast user
Re: Samples missed by avast (VirusTotal links only!)
« Reply #57 on: October 04, 2010, 11:04:26 PM »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: Samples missed by avast (VirusTotal links only!)
« Reply #58 on: October 05, 2010, 12:23:11 AM »
Maxx, I've changed the original post accordingly.
New posters, please, read the first post.
The best things in life are free.

Burkoff

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #59 on: October 05, 2010, 10:46:19 AM »
Sorry.

Code: [Select]
http://migre.me/1txW0
Attention ! Only experienced users to try!