Who is using this online scanner?

Hi malware fighters,

Anyone using this online malware file scanner: http://www.fortiguardcenter.com/antivirus/virus_scanner.html

polonus

No, not really, what would be the advantage compared to virustotal?

> No, not really, what would be the advantage compared to virustotal?

Yeah, really. Virustotal uses fortinet as *one* of many detection programs anyway...

This is a list of the companies that participate in VirusTotal with their antivirus engines.

* AhnLab (V3)
* Aladdin (eSafe)
* ALWIL (Avast! Antivirus)
* Authentium (Command Antivirus)
* AVG Technologies (AVG)
* Avira (AntiVir)
* Cat Computer Services (Quick Heal)
* ClamAV (ClamAV)
* Comodo (Comodo)
* CA Inc. (Vet)
* Doctor Web, Ltd. (DrWeb)
* Emsi Software GmbH (a-squared)
* Eset Software (ESET NOD32)
* Fortinet (Fortinet)
* FRISK Software (F-Prot)
* F-Secure (F-Secure)
* G DATA Software (GData)
* Hacksoft (The Hacker)
* Hauri (ViRobot)
* Ikarus Software (Ikarus)
* INCA Internet (nProtect)
* K7 Computing (K7AntiVirus)
* Kaspersky Lab (AVP)
* McAfee (VirusScan)
* Microsoft (Malware Protection)
* Norman (Norman Antivirus)
* Panda Security (Panda Platinum)
* PC Tools (PCTools)
* Prevx (Prevx1)
* Rising Antivirus (Rising)
* Secure Computing (SecureWeb)
* BitDefender GmbH (BitDefender)
* Sophos (SAV)
* Sunbelt Software (Antivirus)
* Symantec (Norton Antivirus)
* VirusBlokAda (VBA32)
* Trend Micro (TrendMicro)
* VirusBuster (VirusBuster)

Dear Tech and “scythe944”,

The scanners bundled at virustotal aren’t the real scanners, because for instance they lack heuristic finds, then for instance DrWeb general av scanner does not find certain malware that DrWebCureIt will find.

So the one tool is not the other tool, remember, not under all circumstances for all types of malware,
this just for the record…

pol

Ok, thanks Polonus.

All that I can say is that I hope ALL A/V companies don’t start making web scanners, otherwise we’ll have a LOT more links to give to people to scan for FP’s… lol

Even though VT doesn’t use the real scanners, I guess it’s still worth having a scan with it…

What do you mean by not using the real scanners?

> The scanners bundled at virustotal aren't the real scanners, because for instance they lack heuristic finds, then for instance DrWeb general av scanner does not find certain malware that DrWebCureIt will find.

Hmmm… something is strange. I believe the engines must be the same. The antivirus companies do not ship a special version of it to VirusTotal. Are we talking about different settings and different virus databases? I can’t imagine a different engine running…

Polonus?

Yeah… we’ll wait for his input…

Hi scythe944 and Tech,

I have this information from a respectable virusinfo site, and I remember well they said there that all the engines working on virustotal.com were without heuristic scanning. I also got the information from our user uniqueman here in the virus and worms that he brought home some infected computer and the normal DrWeb scanner did not flag it while the DrWeb CureIt, their on demand-scanner flagship did flag this malware (avast missed that one there, that is why he reported the issue). If I read these things at several places (4 or 5 times getting the same information) I will consider it as valid information, because virus detection is being manipulated by the advanced malcreants, so I could well imagine that av vendors have a varied response to versions of the same malware, that is also why the big av vendors have a larger open vulnerability window during a certain period after the virus was being detected, so “in the cloud” will be a new approach as was heuristic and behavioral scanning,

polonus

I honestly can’t see how this is the case (and we have talked about it before) as there are many files on VT that are detected as suspicious/heuristic, so I really can’t see how this is possible if they don’t run the heuristic element of an AV.

I haven’t read the reviews, I just see the results of many VT scans in these forums and the links to the results, etc. so we are seeing anecdotal evidence that heuristic scanning appears to be running.

I understand that your information may be true Polonus, but you also have to consider that the online virustotal.com might not have the most up-to-date definitions as well…

That could be the reason for stories such as this:

> he brought home some infected computer and the normal DrWeb scanner did not flag it while the DrWeb CureIt, their on demand-scanner flagship did flag this malware

I don’t know the differences between Dr. Web normal (on-access) and Dr. Web CureIt.
But I tend to agree with David. I can’t imagine a different engine being used by Virus Total.

Hi Tech, DavidR and scythe944,

I’d hammer down my point here about the lack of complete heuristic scanning at virustotal.com as you can read from this quote:

> For instance, a famous website has been attacked and malicious code has been injected inside the main page some days ago. Whilst lots of users tested the dropped malware on VirusTotal and drawing wrong conclusions, Prevx Edge has been able to heuristically block it since the beginning.
>
> This is because many new heuristic techniques that we use can’t be included inside the on-demand scanner, which will simply check if the plain file signature is present inside the community database.
>
> I’ve exposed the situation as it is for Prevx, but this is common to other security software too. They often include new techniques - behavior blockers, heuristic behavior analyzers, dynamic heuristic engines and so on - used to mitigate (or override, most of times) the gap between malware creation and signature release.

from this source: http://www.prevx.com/blog/106/Why-using-VirusTotal-for-AV-testing-is-a-bad-idea.html

So no heuristic scanning, not quite, but hampered and incomplete, so the variation for the real McCain and the bundled McCain is obvious,

polonus

Well, I think I’m talking about a different thing.
I was talking about engines, not virus database or extra scannings done on-access. I understand perfectly what Polonus is trying to say.
So, Virus Total uses the same engines but, extra options that come on-access won’t be present in the on-demand scanning of these check-webpages. There is heuristics somehow, but not completely.

But, Polonus, does fortiguardcenter scanning add this extra level of scanning for their particular scanner I think, nothing for the others. Am I wrong?

Well, what this article is about isn’t the purpose we are putting VT to; we primarily send people to VT for confirmation of a detection or suspicion one way or another on a single file.

> Where I totally disagree, is the use of VirusTotal online scanner as the primary tool to check effectiveness of antivirus solutions. VirusTotal is a great and useful service and it can give users some statistics about detection rates, it can't be used as the tool that allow testers to write comparatives and judge antivirus's effectiveness.
>
> Sadly, a number of so-called “independent” comparatives are relying upon VirusTotal results. This can’t give a complete overview of security software’s efficiency.

As for ‘sadly a number’ well not all comparatives solely use VT but gather their own data.

The problem is the use and labelling of Heuristics as one clear definition when if you asked each AV that uses it what they define it as, you would get many different definitions of what it means. So given that some would call avast’s generic and algorithmic signatures as a form of heuristics and the same must be true of other AVs.

> This is because many new heuristic techniques that we use can't be included inside the on-demand scanner, which will simply check if the plain file signature is present inside the community database.

So it isn’t quite so clear cut when we see physical detections suspicious/heuristic, something other than conventional signature detection is going on and that isn’t stated that there are no heuristics used on VT (as you first claimed) just that some may not be able to be used, a clear distinction; so heuristics are used as the article doesn’t say all heuristic methods aren’t used.

Tech,

For some answers on your questions, re:
http://hype-free.blogspot.com/2009/01/can-you-test-av-using-virustotal.html

pol