I've found virustotal.com (VT) to be a great resource, but whenever I'm prompted that the file I'm uploading has been scanned previously, I always rescan it. That way I know that it's been done with what are supposed to be the latest definitions from all vendors and I can gauge whether it should pose a threat or if it's one that should be filtered out.
I know from using VIPRE that Sunbelt pushes new defs at least daily and sometimes twice daily, so if something doesn't get picked up by VT, it's not always an accurate indicator of what will be picked up by the client. Sunbelt has indicated as well that VT shouldn't be a definitive YES/NO answer for detections because they're sometimes a version or two behind with their defs. If something I send to VT comes back as unknown to Sunbelt, I submit it to them just in case. I figure it's only a matter of time before one of my users encounters whatever the threat is, so it's saving me a headache and a handful of Excedrin later :)
Jon
Jon Galbreath
MCSE/Security+
Systems Administrator
International Studies and Programs
Ph: 517-884-2144
[log in to unmask]
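The rescan habit described above (treat a previous VirusTotal report as stale once it predates the vendors' daily definition pushes, and note which engines missed the sample so it can be submitted to them) can be scripted. The following is an added example, not code from this thread or from VirusTotal; it assumes the layout of a current VirusTotal v3 file report (`data.attributes.last_analysis_date`, `last_analysis_stats`, `last_analysis_results`), and the report it works on is a constructed sample with invented engine names, verdicts and timestamps.

```python
"""Summarise a VirusTotal-style file report and decide whether it is stale."""
import json
from datetime import datetime, timezone

# Constructed sample. The layout follows the VirusTotal v3 "file object"
# (data.attributes.last_analysis_date / last_analysis_stats / last_analysis_results);
# the hash, engine names, verdicts and dates are invented for this example.
SAMPLE_REPORT_JSON = json.dumps({
    "data": {
        "type": "file",
        "id": "<sha256 placeholder>",
        "attributes": {
            "last_analysis_date": 1245364380,   # epoch seconds, 2009-06-18 UTC (constructed)
            "last_analysis_stats": {"malicious": 3, "suspicious": 0, "undetected": 3},
            "last_analysis_results": {
                "Engine-1": {"category": "malicious",  "result": "Trojan.Agent",    "engine_update": "20090618"},
                "Engine-2": {"category": "malicious",  "result": "Downloader.X",    "engine_update": "20090618"},
                "Engine-3": {"category": "undetected", "result": None,              "engine_update": "20090616"},
                "Engine-4": {"category": "undetected", "result": None,              "engine_update": "20090617"},
                "Engine-5": {"category": "malicious",  "result": "Generic.Malware", "engine_update": "20090618"},
                "Engine-6": {"category": "undetected", "result": None,              "engine_update": "20090615"},
            },
        },
    }
})

# Verdict categories that count as a detection when computing the ratio.
DETECTING_CATEGORIES = {"malicious", "suspicious"}


def summarize_report(report_json: str) -> dict:
    """Count detections from the per-engine results (not the precomputed stats)
    and list the engines that missed the sample, so they can be sent it directly."""
    attrs = json.loads(report_json)["data"]["attributes"]
    results = attrs["last_analysis_results"]
    detected = sorted(n for n, r in results.items() if r["category"] in DETECTING_CATEGORIES)
    missed = sorted(n for n, r in results.items() if r["category"] not in DETECTING_CATEGORIES)
    scanned_at = datetime.fromtimestamp(attrs["last_analysis_date"], tz=timezone.utc)
    return {
        "detected": len(detected),
        "total": len(results),
        "detecting_engines": detected,
        "missed_engines": missed,
        "scanned_at": scanned_at.isoformat(),
    }


def should_rescan(report_json: str, now_epoch: int, max_age_hours: float = 24) -> bool:
    """A report older than max_age_hours predates at least one daily definition
    push, so treat it as stale and request a fresh analysis instead of trusting it."""
    attrs = json.loads(report_json)["data"]["attributes"]
    age_hours = (now_epoch - attrs["last_analysis_date"]) / 3600
    return age_hours > max_age_hours


def oldest_definitions(report_json: str) -> tuple:
    """Return (engine, engine_update) for the engine that scanned with the
    oldest signature set; a miss from such an engine says little about its client."""
    results = json.loads(report_json)["data"]["attributes"]["last_analysis_results"]
    name = min(results, key=lambda n: results[n]["engine_update"])
    return name, results[name]["engine_update"]


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT_JSON)
    print(f"{s['detected']}/{s['total']} engines flagged the file; "
          f"missed by: {', '.join(s['missed_engines'])}")
    print("oldest definitions used:", oldest_definitions(SAMPLE_REPORT_JSON))
    now = int(datetime.now(tz=timezone.utc).timestamp())
    print("rescan before trusting this report?", should_rescan(SAMPLE_REPORT_JSON, now))
```

The detection count is derived from the per-engine results rather than the `last_analysis_stats` block so the two can be cross-checked, and the staleness threshold defaults to 24 hours because the thread's point is that at least one vendor ships definitions daily; lower it for vendors that push more often.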
-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Al Puzzuoli
Sent: Thursday, June 18, 2009 4:33 PM
To: [log in to unmask]
Subject: [MSUNAG] Disparity in Antivirus Detection Between Scanners.
A spam email contained the following link to a .exe file:
http://mercadoabc.com.br/report_7070.exe
This file undoubtedly does bad things but out of curiosity, I downloaded it. The first thing I found interesting was that Nod32 let me download it at all. Once the file was downloaded, I scanned it with Nod32, no badware detected. I then uploaded the file to virustotal.com, which indicated that the file had been previously submitted. Instead of letting the site rescan the file, I chose to look at the previous report. I was struck by the results. Although a number of scanners flagged this as a trojan, what was more interesting was the number that didn't, including nod32, Symantec, and Sunbelt. I wonder, if I let Virustotal reanalyze the file, whether more scanners would detect something bad. Not sure what, if anything, can be gleaned from this. Are the scanners that detected it updating their definitions more frequently, just more sensitive or what?
Al Puzzuoli
Michigan State University
Information Technologist
http://www.rcpd.msu.edu
Resource Center for Persons with Disabilities
120 Bessey Hall East Lansing, MI 48824-1033
517-884-1915