Go to vgrep viruslist!

Hi malware fighters,

Part of the viruspool project, this is a good info site. Compare and comment, go here:
http://vgrep.viruspool.net/

polonus


An interesting comparison.


Notice that it is the number of NAMES in the database. Avast! leverages its generic detection capabilities.

Strange is that it’s using Avast Lguard name schemes from obsolete DOS/Avast3 times …

The choice is made by the ones doing the research using ALWIL AVAST! LGUARD 7.70-96 and reading the output from there.
Any serious research needs to use commandline tools unless you can make it a full time job. If using commandline tools results in other names, then the AV manufacturer at hand should rethink the value of commandline tools.

But you might get other results once my own database is rebuilt and the code fitted into the new site. Somehow I end up refitting all of it once or twice a year to keep up with all the changes in AV land. Maybe some day I might finish this “scanners in vmware” project so I can compare some more scanners. But there is a lot of work to be done yet.

From the overview page (http://vgrep.viruspool.net/overview.cms)

ALWIL AVAST! LGUARD 7.70-96 10-Mar-2006
Number of names in the database: 46472 out of 369888 live samples ( 12.6 %)

(emphasis mine)

Yet the avast! web site dates that at 10/18/05 and lists a 2/16/06 update.

So my question to viruspool is, were obsolete defs used in testing all the AVs and then also mislabeled as to the date? Not that I would necessarily find that type of thing appalling if anyone presented it as serious, accurate research. I just want to get the process in the open for all to understand.

Also from the site:

"The comparison is extensive but done somewhat infrequently. Its main usage is to compare names assigned between scanners."

This being the case, wouldn’t this statement be far outside the bounds of the study’s design?

“These results seem to indicate there are a lot of samples out there that are caught by only 1 scanner while the rest of them could not care less.”

One can only hope …

Hi mauserme,

Well the project should be welcomed, because there are not that many people helpful in tearing down the barriers of virus terminology. These positive sceptical offensives should be embraced and need our full support.
Vested anti-virus technology is a two-sided sword, on-the-fly scanners and false positives can ruin many an OS. Read on the softpanorama site about this. There are alternate ways for getting malware off operational systems. Today I have visited a place where people committed signature files to ClamWin, and we must be very grateful for this kind of volunteers that help us in the fight against the malware authors and their products.

polonus aka Damian

You’re right about this, Damian. I suppose my feelings about the “… could not care less” statement made on the viruspool website prevented me seeing the overall value of this type of endeavor. Still, I think the wording could be chosen more carefully.

mauserme aka Keith

edited for clarity

I think there are some misunderstandings.

  1. The VGREP database is out there. It is just rather hard to use it to look up names. So that is the added value I hope to bring for those staring at a name they get from a friend and wondering what name their own virus tool has assigned to that infection.

  2. The VGREP database is relatively old before I start to load it. It is in fact usually a month old before it appears on the Virus Bulletin website.

  3. I can not vouch for how recent each product is that is recorded in the VGREP database. I can just show you the information that is recorded and let you draw your own conclusions.

  4. My own research is based on scanners I can update and run daily. Due to the manual labor still involved (partially by design) the website will not be loaded daily with a new database. One may notice that the spread among AV manufacturers is less in my own database. I am currently loading scanner number 13 in there.

  5. As I do this besides a regular job I might sometimes be slow in updating scanner software. I have to find time to do this once in a while.

  6. Some AV manufacturers made it rather clear how they think about scanning for ‘jokes’ or malware written in 1988. So the phrase ‘could not care less’ is in fact a milder version.

  7. There is room for improvement. No question about that. The mere point is that it takes time. Comments are best sent per email at the listed address. I am not a frequent forum visitor and I would like to store suggestions somewhere near so I can easily check on them and provide feedback.

Before I started the project some years ago there was almost no way to compare names. Now there is a less than perfect way to do it. I hope to keep it transparent enough so people can see how the information is gathered.

Hi viruspool,

What would you think about the following statements put forward here:
http://galahad.elte.hu/ThematicInstitute/Shir.ppt
Isn’t this also at the background of this initiative? I am rather interested in your view in this respect,

greets,

polonus

Hi viruspool,

First let me extend a friendlier welcome to the forums than expressed in my original posts.

I recognize the work you’re doing is difficult and is certainly needed. My original reaction (or overreaction) to your site was based on my interpretation of the previously quoted wording as being an indictment of all AVs other than AntiVir. Certainly some do not care, but obviously many do and I see now that your intent was not what I perceived.

In any event I have added your site to my favorites as a source of information not available elsewhere and look forward to any enhancements you’re able to provide.

M