Author Topic: Adding a virus to the db  (Read 18374 times)

0 Members and 1 Guest are viewing this topic.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31130
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Adding a virus to the db
« Reply #15 on: September 19, 2004, 09:51:20 AM »
Submitted them 2 times. Jotti also submitted them, no response whatsoever. Send them a normal email twice, no respons either. No reaction from Alwil in this thread either.

I honestly must say it is very disappointing and I never expected this from Alwil :-\
« Last Edit: September 19, 2004, 09:55:36 AM by Eddy »

lee16

  • Guest
Re:Adding a virus to the db
« Reply #16 on: September 19, 2004, 10:45:54 AM »
Mabey they not viruses then Eddy  ::)

Or mabey they having problems adding them (not likley), or mabey even they already added them without your knoledge.

--lee

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31130
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Adding a virus to the db
« Reply #17 on: September 19, 2004, 11:44:06 AM »
Check the report from Jotti (link is in earlier post here)
Do you really think all those other AV applications are wrong? ;D

And they are not added. (Ofcourse I checked)
« Last Edit: September 19, 2004, 11:44:53 AM by Eddy »

Jlo

  • Guest
Re:Adding a virus to the db
« Reply #18 on: September 19, 2004, 02:40:27 PM »
HI Eddy,

Yes I agree with you with the virus submissions. I have sent quite a number of samples in detected by other AV for avast to add. Sometimes they are quick and included in next VPS, sometimes after resubmitting they are added a few VPS's later.

I guess though that if only Myself or yourself are sending in a sample and no one else has sent in the same sample then it is a low risk sample and not 'in the wild' Also some virus vendors detect 'virus creation tools' whilst others choose not to. I know some virus's have bugs so they don't run but still some vendors detect these and other choose not to as the sample is faulty.

I know that when there have been 'virus outbreaks' I am sure many of the 'same virus' sample are submitted by lots of different users and VPS's are released asap (even on weekends and as we have seen twice a day sometimes)

Avast has never let me down (its alway detected a virus sample which has been sent to my via e mail mostly mydoom, netsky)

If you want top notch protection it has to be kaspaskey (or F-secure) which use the same engine. KAV add updates every 3 hours! They do have the highest detection rates running in at at between 80-90% detection rates at Jottis scanner. The others all run in beween the high 30's to 50%.

For the average user avast is good. The heureristics for the e mail scanner alerts to any .exe or other funny/double extensions as possible infected which is good, it updates in the background so you always have the latest VPS and there is  a good support forum ;D.

In the future it would be good to have heureristics in the on access program (Nod32, Bitdefender, MKS score well on this)

Also it would be nice to have an automatic reply to say your virus sample has been received!

Just my honest thoughts!! Many Thanks still to Avast for providing a good stable program which is availble free to the home user. That is a real bonus!

Kind Regards

Jlo

Pavel Baudis

  • Guest
Re:Adding a virus to the db
« Reply #19 on: September 19, 2004, 06:52:20 PM »
Well, as explained already several times on this forum, the samples which come to us fit into several categories which have different priorities. Some of them (the ItW stuff and dangerous stuff) are added immediately (some even initiate the VPS release itself) while others fit into normal not so hot stuff category and are added later. Many boring and unteresting Trojans are added only occationaly - say once in the month.

We are receiving about 500 samples a day nowadays and this number is increasing. Some of the samples are already detected by avast!, others are crap and finally some are new malware. We are not able to answer to all those submissions and explain in detail what they contain - this is really not possible. But we finally add all the dangerous stuff - so you , the users *ARE* protected.

I hope this explanation will clear the misunderstandings (at least for a while  ;) ) and that you will be more patient in the future  :D ;D !

Pavel

Jlo

  • Guest
Re:Adding a virus to the db
« Reply #20 on: September 19, 2004, 09:09:36 PM »
Hi Pavel,

Many thanks for adding your explaination which does make perfect sense. :)

500 samples a day sounds an awlful lot of work. :-[

Out of interest what do you mean by your statement  '(some even initiate the VPS release itself)' Is it that your sandbox recognuises extremly danerous or speading viruses and can create and issue a VPS automatically or that you would release a VPS straight away on receipt of a dangerous or in the wild virus?

Thanks again.

Cheers

Jlo

Pavel Baudis

  • Guest
Re:Adding a virus to the db
« Reply #21 on: September 19, 2004, 10:17:58 PM »
Out of interest what do you mean by your statement  '(some even initiate the VPS release itself)' Is it that your sandbox recognuises extremly danerous or speading viruses and can create and issue a VPS automatically or that you would release a VPS straight away on receipt of a dangerous or in the wild virus?

No, there is really no such thing as fully automated VPS release - it could be too dangerous in case of some problem (and about two million users loading it  ;) ). I meant that some samples could be of high emergency, so they "cause" the VPS release (as happened many times in the past).

Pavel

Jlo

  • Guest
Re:Adding a virus to the db
« Reply #22 on: September 19, 2004, 10:49:48 PM »
I understand.

Many Thanks Pavel.

Kind Regards

Jlo

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re:Adding a virus to the db
« Reply #23 on: September 20, 2004, 03:55:48 AM »
about two million users loading it  ;) )

Pavel, for the first time we realise how big is the family  8)
The best things in life are free.

Pavel Baudis

  • Guest
Re:Adding a virus to the db
« Reply #24 on: September 20, 2004, 11:22:56 AM »
about two million users loading it  ;) )

Pavel, for the first time we realise how big is the family  8)

 ;) Yep, that's it - and growing every day !!!

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31130
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Adding a virus to the db
« Reply #25 on: September 20, 2004, 04:27:23 PM »
Submitted another one to Alwil. Strange thing about this one is that it is detected by all other av's. Most see it as Bugbear. Checking the virus library in Avast, it should be detected by Avast. But it is not. Wondering what is causing this ??? A new variant? Could be, but is in my opinion not likely. Think it is a little bug in the vps, but not sure about it. Let's hope Alwil can shine a light on this.

Results from Jotti's scan are HERE

Found this one on one of my customers systems.
« Last Edit: September 20, 2004, 04:40:01 PM by Eddy »

Pavel Baudis

  • Guest
Re:Adding a virus to the db
« Reply #26 on: September 20, 2004, 05:31:36 PM »
Submitted another one to Alwil. Strange thing about this one is that it is detected by all other av's. Most see it as Bugbear.... Wondering what is causing this ??? A new variant? Could be, but is in my opinion not likely. Think it is a little bug in the vps, but not sure about it. Let's hope Alwil can shine a light on this.

It is corrupted MIME (missing Content-Type line), so avast! is unable to unpack it. When unpacked manually, avast! detects the Win32:Bugbear-C inside without any problems (so such virus will be detected when somebody will try to execute it).

Pavel

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9409
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Adding a virus to the db
« Reply #27 on: September 20, 2004, 05:34:35 PM »
Ok,i never really had the chance to test this one...
...so theoretically antivirus can detect any virus no matter which packer its using(as long as virus is in VPS)? The only limitation is that it will be detected only upon execution and not on copy/move/create command?
Visit my webpage Angry Sheep Blog

Pavel Baudis

  • Guest
Re:Adding a virus to the db
« Reply #28 on: September 20, 2004, 05:58:56 PM »
Ok,i never really had the chance to test this one...
...so theoretically antivirus can detect any virus no matter which packer its using(as long as virus is in VPS)? The only limitation is that it will be detected only upon execution and not on copy/move/create command?

It's simple: There is a virus which could have several different layers on itself (have you seen Shrek  ;D ?). With these layers, it could not be executed directly but must be unpacked first. And it does not matter if it is ZIP, MiME etc. Unless it is unpacked, it is just "data" - it acutally cannot spread in this form.

Of course, the EXE packers are different - with Pklite or UPX, it is decrypted on the fly in the moment of execution - and it could carry its envelope with itself...

Sometimes it is good to detect even the packed "data" form (especially for the mail servers - like the encrypted Beagle variants) but such files can't be executed directly and after unpacking the virus could be detected in its native form.

Hope this helps
Pavel

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31130
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Adding a virus to the db
« Reply #29 on: September 20, 2004, 06:11:29 PM »
Thanks for the feedback Pavel, appreciated.