Study reveals if AV does not detect within a few days, it may never detect...

For the study see: http://www.carbonblack.com/second-av-study-reveals-small-window-for-catching-new-malware/
Article authors = R.M. Gerard + Mike Viscuso
Conclusion:

Undetected Immediately May Mean Undetected Forever, so one should use a non-residential solution next to your single residential av.

Less Detection on Day 30 than on Day 1, so virus detection results have a particular expiration date; AV does not protect against a particular attack:
In a malware attack time is of the essence, and no single AV gives you adequate protection.
Quotes taken from the article linked above... Maybe all av has to come with a VT plug-in?

polonus

Hi Pol,
That would be great, nice suggestion :slight_smile:.
Philip,
Regards

Hi Left123,

Here you see how developers make these VirusTotal plug-ins: http://www.hexblog.com/?p=324
Also see this work from Bryce Boe: http://www.bryceboe.com/2010/09/01/submitting-binaries-to-virustotal/
The VTChromizer extension that I have installed in Google Chrome to scan using VT “on the fly”,
see: https://www.virustotal.com/documentation/browser-extensions/google-chrome/
A small tool by the name of VirusTotal uploader: http://blog.hispasec.com/virustotal/23
download here: http://www.virustotal.com/vtsetup.exe File MD5: 9edab310d6d226164026e555a2daed97
a great little tool that is,

polonus
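The "second opinion" check that the plug-ins and the uploader linked above provide can also be scripted. The following is an added example, not code from the thread, from VirusTotal's uploader or from the VTChromizer extension. It assumes the VirusTotal v3 REST API (a GET on https://www.virustotal.com/api/v3/files/<sha256> authenticated with an `x-apikey` header) and the `last_analysis_results` layout of its file reports; the `VT_API_KEY` environment variable name is the example's own choice. It looks the file up by hash, so the file itself is never uploaded, which matters when the suspect file may be confidential; the report summary is exercised on a constructed sample report so the parsing runs offline.

```python
"""Second-opinion lookup of a local file against VirusTotal by SHA-256.

Added example (not the forum's, VirusTotal's or any plug-in's own code).
Assumptions: the VirusTotal v3 file-report endpoint and its report layout;
VT_API_KEY is a hypothetical environment variable name for the API key.
"""
import hashlib
import json
import os
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def sha256_of_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so large binaries never sit in memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_lookup_request(sha256_hex, api_key):
    """urllib Request for the v3 file report: a hash lookup, no upload of the file."""
    return urllib.request.Request(
        VT_FILE_URL.format(sha256_hex),
        headers={"x-apikey": api_key, "Accept": "application/json"},
    )


def summarize_report(report):
    """Reduce a v3 file report to what a user wants from a second opinion:
    how many engines flagged the file, which ones, and which saw nothing."""
    results = report["data"]["attributes"].get("last_analysis_results", {})
    flagged = sorted(name for name, r in results.items()
                     if r.get("category") in ("malicious", "suspicious"))
    undetected = sorted(name for name, r in results.items()
                        if r.get("category") == "undetected")
    return {
        "engines_total": len(results),
        "engines_flagged": len(flagged),
        "flagged_by": flagged,
        "undetected_by": undetected,
        "verdict": "flagged" if flagged else "no engine flagged it",
    }


def lookup_file(path, api_key=None, timeout=30):
    """Hash the file locally, fetch its report and summarize it (network call)."""
    api_key = api_key or os.environ.get("VT_API_KEY")  # hypothetical variable name
    if not api_key:
        raise RuntimeError("set VT_API_KEY to query VirusTotal")
    req = build_lookup_request(sha256_of_file(path), api_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return summarize_report(json.load(resp))


# Constructed sample report in the v3 layout; engine names and verdicts are
# invented for illustration and are not a real VirusTotal result.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
                "EngineB": {"category": "undetected", "result": None},
                "EngineC": {"category": "suspicious", "result": "Heur.Suspicious"},
                "EngineD": {"category": "undetected", "result": None},
            }
        }
    }
}

if __name__ == "__main__":
    # Offline demonstration on the constructed report; lookup_file() needs a key.
    print(json.dumps(summarize_report(SAMPLE_REPORT), indent=2))
```

Run it as is to see the summary of the constructed report; with `VT_API_KEY` set, `lookup_file("/path/to/suspect.exe")` does the real hash lookup. Because only the SHA-256 leaves the machine, a file that VirusTotal has never seen simply yields a "not found" response rather than being shared with every vendor.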

Hi Polonus,

Do AV vendors not use malicious databases to collect more samples? Are some skipped?

Can be associated with only 1 detecting the jquerys.org site, hence the familiar jquery name.

~!Donovan

Hi !Donovan,

They all get the samples offered to include in their databases, what they include and for how long is their policy only and exclusively and that is OK.
Some decide to whitelist files, some “do not do casinos”, some do not flag jokes, others even flag very comical hoaxes because of the risk one could choke during an outburst of laughter (DrWeb once had such a detection). It is all not as simple and straightforward as it seems. Some detections cannot be added, because the malware did not survive the processing of the malcode by the av analysts.
We only catch the fish so to say, they decide what is being brought to the market…
That is also why one can never be fully secure with one resident av-solution. You need to include at least non-residential MBAM and SAS for added security.
I would also like to suggest that the avast av-solution come with a built-in VT plug-in to alert on eventual non-detects and FPs, as a kind of inbuilt “second op” tool so to say,

polonus

The authors [1] claim to have tested two hypotheses: “1) if the signatures of all AVs collectively were considerably better than using any one signature set individually 2) if over time it was reasonable to expect each piece of malware to be detected by all antivirus products.”

The first hypothesis is blindingly obvious: taking 43 shots at malware, one from each antivirus product, will result in significantly more hits. No surprise here.

The second hypothesis should be stated more specifically, since “… the results, just like the previous study, are limited to static signatures.” I do not find it reasonable to expect antivirus producers to analyze, develop, test and distribute signatures for each and every piece of malware. After all, there are other techniques of detection and aiming for 100% coverage by signatures would constitute a waste of effort. And if a signature is to be developed, I’d expect this to be done shortly after a new outbreak. Again, this is exactly what their results show.

So, what’s the big news?

[1] R.M. Gerard writes in plural “we conducted a study” etcetera, so it’s they, their and authors.
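
The two effects discussed in this thread, the collective signature set beating any single engine and detections that are present on day 1 but gone on day 30, can be made concrete on a small data set. The following is an added example, not the study's code, data or results: the scan outcomes in `SCANS` are constructed for illustration, with three engines (A, B, C) and five samples (s1 to s5).

```python
"""Recomputing the study's two measures on a constructed toy data set.

Added example; not the study's code, data or results. SCANS maps a scan day
to each sample and the set of engines that flagged it on that day. The
numbers are invented to show the union of all engines beating any single
engine, and detections present on day 1 that have disappeared by day 30.
"""

ENGINES = ("A", "B", "C")

# Constructed: day -> sample -> engines that flagged that sample on that day.
SCANS = {
    1: {
        "s1": {"A", "B"},
        "s2": {"A"},
        "s3": {"C"},
        "s4": set(),            # missed by every engine
        "s5": {"B", "C"},
    },
    30: {
        "s1": {"A", "B", "C"},  # engine C caught up
        "s2": set(),            # engine A's detection is gone
        "s3": {"C"},
        "s4": set(),            # still missed by every engine
        "s5": {"B"},            # engine C dropped it
    },
}


def per_engine_rate(day_scans, engines=ENGINES):
    """Fraction of samples each single engine flags on one day."""
    total = len(day_scans)
    return {e: sum(1 for flagged in day_scans.values() if e in flagged) / total
            for e in engines}


def union_rate(day_scans):
    """Fraction of samples flagged by at least one engine: the 'many shots' figure."""
    return sum(1 for flagged in day_scans.values() if flagged) / len(day_scans)


def best_single_vs_union(day_scans, engines=ENGINES):
    """How much the collective signature set adds over the best individual engine."""
    best = max(per_engine_rate(day_scans, engines).values())
    union = union_rate(day_scans)
    return {"best_single": best, "union": union, "gain": union - best}


def lost_detections(earlier, later):
    """(sample, engine) pairs flagged on the earlier day but not on the later one."""
    lost = []
    for sample, flagged in earlier.items():
        for engine in sorted(flagged - later.get(sample, set())):
            lost.append((sample, engine))
    return lost


def never_detected(scans):
    """Samples no engine flagged on any scan day: the 'undetected forever' set."""
    samples = set().union(*scans.values())
    return sorted(s for s in samples
                  if not any(day.get(s) for day in scans.values()))


if __name__ == "__main__":
    for day in sorted(SCANS):
        print(f"day {day}: per engine {per_engine_rate(SCANS[day])}, "
              f"union {union_rate(SCANS[day]):.2f}")
    print("lost between day 1 and day 30:", lost_detections(SCANS[1], SCANS[30]))
    print("never detected on any day:", never_detected(SCANS))
```

On this data every single engine flags 40% of the samples on day 1 while their union flags 80%, which is the first hypothesis in miniature; between day 1 and day 30 two (sample, engine) detections disappear and the union drops to 60%, and s4 is the sample no engine ever catches. Real scans replace the constructed sets with the per-engine results of the same samples rescanned on each day.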

Hi Kwartet!,

Attentive, so I found the other contributor to the article in the “click-through link” for “we”. Added, thanks…
The big news is not so big. But it has more to do with the reality of every day.
Sometimes reporting existing av detections to be added does not work.
In my experience, for instance, different av engines have a different scope.
A striking example for me has always been DrWeb’s versus avast.
Often when DrWeb flags URLs for malware, avast does not have these, and vice versa.
So what you like to do is fill up the blind spots…
Also, after a couple of hours the malware has mostly been taken down,
the sample has not been filed, and the detection is not being added.

Some make exemptions for certain whitelisted programs (Kaspersky’s), where others do detect.
Some av solutions like avast do not flag casinos.
Others flag malware that is not malware but where the pure panic could cause health risks,
for instance a joke virus, e.g. a virtual representation of the hard disk being wiped
(DrWeb flags that one, because there was a lady who got a heart attack,
because she thought her hard disk was actually really being wiped).

Then virus detection has a span of time for which it is being detected and then again may disappear,
depending on the size of the virus definition database (that is restricted).
So it is always a cocktail that should fit the average user of the av-solution best.
Added shields detection was the best avast av solution added as an additional security layer,

polonus

Hi Polonus,

Another site testing the response of antivirus products to new threats is http://www.mrg-effitas.com/current-tests/flash-test-results/.

They do take into account other means of detection beside signatures. Unfortunately, they do not disclose the size of their malware samples.

Best regards,

Hi Kwartet!,

Bookmarked that link. And yes, establishing the real full protection range of a residential av solution is not that easy. Remember there is also a lot being done through third party blacklisting and so preventing users from going out to infected sites (Google Safebrowsing for instance, url webchecker extensions, etc). I closed the vulnerability gap further through non-residential MBAM and SAS installed on my machine, and Bitdefender’s QuickScan from within the Click&Clean browser extension. In-browser protection like script blocking (NoScript/NotScripts, RequestPolicy, Better Pop up Blocker and ABP with malware list filter subscription) also helps to be/feel better protected. I also have VTchromizer in the browser to scan urls on the fly with VirusTotal,

polonus

David Harley of ESET published an excellent review of this study: http://blog.eset.com/2012/08/23/carbon-dating-and-malware-detection

Hi Kwartet!,

Thanks for giving the link. I was aware it existed. The quintessence is that it is not that easy to assess the detection range of an av solution and how that should be related to the overall VT detection results,

polonus