Many thanks for adding your explanation, which does make perfect sense.
500 samples a day sounds like an awful lot of work. :-[
Out of interest, what do you mean by your statement ‘(some even initiate the VPS release itself)’? Is it that your sandbox recognises extremely dangerous or spreading viruses and can create and issue a VPS automatically, or that you would release a VPS straight away on receipt of a dangerous or in-the-wild virus?
No, there is really no such thing as a fully automated VPS release - it could be too dangerous in case of some problem (and about two million users loading it). I meant that some samples could be of high emergency, so they “cause” the VPS release (as happened many times in the past).
Submitted another one to Alwil. Strange thing about this one is that it is detected by all other AVs. Most see it as Bugbear. Checking the virus library in Avast, it should be detected by Avast. But it is not. Wondering what is causing this??? A new variant? Could be, but in my opinion not likely. Think it is a little bug in the VPS, but not sure about it. Let’s hope Alwil can shine a light on this.
It is corrupted MIME (missing Content-Type line), so avast! is unable to unpack it. When unpacked manually, avast! detects the Win32:Bugbear-C inside without any problems (so such a virus will be detected when somebody tries to execute it).
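The corrupted-MIME case described in the reply above, as an added example that is not part of the original thread or of avast!'s own code: a constructed message whose attachment part lacks its Content-Type line, and a gateway-side check (hypothetical helper `find_untyped_attachments`) that flags such parts instead of letting them pass unscanned. The attachment bytes are a harmless placeholder.

```python
import base64
import email
from email import policy

# Constructed sample (not real malware): placeholder bytes standing in for
# the attachment that the mail parser cannot classify.
ATTACHMENT_BYTES = b"MZ-placeholder-not-a-real-executable"

# Constructed two-part message. The second part has Content-Disposition and
# a base64 transfer encoding but NO Content-Type line, the defect from the
# thread: a scanner that only unpacks parts by declared type skips it.
BROKEN_MIME = (
    "From: sender@example.invalid\n"
    "To: recipient@example.invalid\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\n'
    "\n"
    "--XYZ\n"
    "Content-Type: text/plain\n"
    "\n"
    "hello\n"
    "--XYZ\n"
    'Content-Disposition: attachment; filename="setup.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(ATTACHMENT_BYTES).decode() + "\n"
    "--XYZ--\n"
)


def find_untyped_attachments(raw):
    """Return (filename, assumed_type, decoded_bytes) for every leaf part
    without an explicit Content-Type header.

    Python's parser silently assumes text/plain for such parts, so anything
    keyed on the declared type never sees them as an attachment. A gateway
    should treat these parts as unparseable and quarantine or unpack them
    explicitly rather than let them through as plain text."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get("Content-Type") is None:
            hits.append((part.get_filename(),
                         part.get_content_type(),      # the silent default
                         part.get_payload(decode=True)))  # forced unpack
    return hits
```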
OK, I never really had the chance to test this one…
…so theoretically the antivirus can detect any virus no matter which packer it’s using (as long as the virus is in the VPS)? The only limitation is that it will be detected only upon execution and not on a copy/move/create command?
It’s simple: there is a virus which could have several different layers on itself (have you seen Shrek ;D ?). With these layers, it could not be executed directly but must be unpacked first. And it does not matter if it is ZIP, MIME etc. Unless it is unpacked, it is just “data” - it actually cannot spread in this form.
Of course, the EXE packers are different - with Pklite or UPX, it is decrypted on the fly in the moment of execution - and it could carry its envelope with itself…
Sometimes it is good to detect even the packed “data” form (especially for the mail servers - like the encrypted Beagle variants) but such files can’t be executed directly and after unpacking the virus could be detected in its native form.
OK, I’ll bite – what the heck is a “boring and uninteresting” Trojan, especially to someone in your position? ??? ;D I assume you mean ones that either don’t yet seem to be out ITW, or else they’re essentially non-disruptive other than, say, displaying prank messages?
Most Trojans are boring and uninteresting ;D - we receive hundreds of them from other AV companies every month, they were not seen ItW and they bring no danger to our users…
Kaspersky simply has more manpower, and even Kaspersky sometimes adds malware only when a new cumulative update is released. Not often, but it happens.
BTW: their response is not very informative, just Malware (the name of it) or not, or if an outbreak took place they send an auto-response from an automatic scan robot. But that’s enough for me, maybe Avast could do that too!?
The response of CA eTrust is interesting, if sending malware via their web page.