I've found virustotal.com (VT) to be a great resource, but whenever I'm prompted that the file I'm uploading has been scanned previously, I always rescan it. That way I know that it's been done with what are supposed to be the latest definitions from all vendors, and I can gauge whether it should pose a threat or if it's one that should be filtered out. I know from using VIPRE that Sunbelt pushes new defs at least daily and sometimes twice daily, so if something doesn't get picked up by VT, it's not always an accurate indicator of what will be picked up by the client. Sunbelt has indicated as well that VT shouldn't be a definitive YES/NO answer for detections because they're sometimes a version or two behind with their defs. If something I send to VT comes back as unknown to Sunbelt, I submit it to them just in case. I figure it's only a matter of time before one of my users encounters whatever the threat is, so it's saving me a headache and a handful of Excedrin later :)

Jon

Jon Galbreath MCSE/Security+
Systems Administrator
International Studies and Programs
Ph: 517-884-2144
[log in to unmask]

-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Al Puzzuoli
Sent: Thursday, June 18, 2009 4:33 PM
To: [log in to unmask]
Subject: [MSUNAG] Disparity in Antivirus Detection Between Scanners.

A spam email contained the following link to a .exe file:

http://mercadoabc.com.br/report_7070.exe

This file undoubtedly does bad things, but out of curiosity, I downloaded it. The first thing I found interesting was that Nod32 let me download it at all. Once the file was downloaded, I scanned it with Nod32: no badware detected. I then uploaded the file to virustotal.com, which indicated that the file had been previously submitted. Instead of letting the site rescan the file, I chose to look at the previous report. I was struck by the results.

Although a number of scanners flagged this as a trojan, what was more interesting was the number that didn't, including Nod32, Symantec, and Sunbelt. I wonder, if I let VirusTotal reanalyze the file, whether more scanners would detect something bad. Not sure what, if anything, can be gleaned from this. Are the scanners that detected it updating their definitions more frequently, just more sensitive, or what?

Al Puzzuoli
Michigan State University
Information Technologist
http://www.rcpd.msu.edu
Resource Center for Persons with Disabilities
120 Bessey Hall
East Lansing, MI 48824-1033
517-884-1915
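The triage both posters describe (distrust an old VT report, rescan it, and hand anything your own vendor missed to that vendor) can be made mechanical. The following is an added example, written for this thread rather than taken from either message: it reads a constructed report whose layout is assumed to match a VirusTotal API v3 file object (the field names `last_analysis_date` and `last_analysis_results` are that assumption), flags the report as stale past a cutoff, and lists which engines detected and which missed.

```python
import json

# Constructed sample in the assumed shape of a VirusTotal v3 file object.
# Engine names and verdicts are illustrative, not a real report.
SAMPLE_REPORT = json.loads("""
{
  "data": {
    "attributes": {
      "last_analysis_date": 1245357180,
      "last_analysis_results": {
        "ESET-NOD32": {"category": "undetected", "result": null},
        "Symantec":   {"category": "undetected", "result": null},
        "Sunbelt":    {"category": "undetected", "result": null},
        "Kaspersky":  {"category": "malicious",  "result": "Trojan.Win32.Generic"},
        "McAfee":     {"category": "malicious",  "result": "Generic.dx"},
        "Sophos":     {"category": "malicious",  "result": "Mal/Generic-A"}
      }
    }
  }
}
""")

MAX_REPORT_AGE_SECONDS = 24 * 3600  # older than this: ask VT to rescan


def summarize(report, now_ts, own_engines=()):
    """Return a triage summary for one VT-style report.

    now_ts: current time as a Unix timestamp (passed in so results are
    reproducible). own_engines: the engines your endpoints actually run;
    any of them that missed the sample are worth submitting to the vendor.
    """
    attrs = report["data"]["attributes"]
    results = attrs["last_analysis_results"]
    detected = sorted(e for e, r in results.items() if r["category"] == "malicious")
    missed = sorted(e for e, r in results.items() if r["category"] != "malicious")
    age = now_ts - attrs["last_analysis_date"]
    return {
        "stale": age > MAX_REPORT_AGE_SECONDS,   # True -> rescan before trusting it
        "detections": f"{len(detected)}/{len(results)}",
        "detected_by": detected,
        "missed_by": missed,
        "submit_to_vendor": [e for e in missed if e in own_engines],
    }
```

A report where `stale` is true says nothing reliable about today's definitions; rescan first, then read `missed_by`.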