I came across some new malware the other day (not for the first time), nothing detected it. So I started the arduous task of submitting it to all and sundry, (who after a day or two started to detect it).
Every AV company is different, some don’t seem to have a method to submit, some want ftp but don’t promise to look at it, some want password protected zips, some want unprotected zips, some have a webform that requires registration and blood, some want emails - I don’t really want a virus hiding in my email thanks, some say you can quarantine it yourself, and if you click a few buttons, it will automatically submit at the next update - I don’t really want it stuck in my quarantine.
So powers that be, here is a simple idea - Front page of your companies website, submit button, browse button, box for filename. If you want to detect malware before the competition, make it easy to submit samples, otherwise people will give up sending them to you.
It might be safe, but not the point really, I don’t want or need it on my computer anywhere, it wasn’t on there to start with, the person that got infected didn’t use Avast.
I want to submit it and forget about it, and no company makes that easy, it’s already been submitted from the chest, it may have gone into a black hole for all I know.
The other AV companies I submitted to manually have picked it up, but the rest of the virustotal/jotti members haven’t.
Just seems good business sense to me, if you want to be a market leader in detection, make it easy to submit samples, if you want to lag behind the competition, make it hard.
I disagree with you, I don’t find it hard to submit a sample to Avast at all
If it is in the chest because it has already been detected by Avast, there is no point, unless it’s a suspected FP.
If it is a file you think is infected that Avast doesn’t detect, what is easier than right clicking it and submitting? It’s actually no more difficult than submitting it to virustotal or jotti.
If you don’t want anything in the chest, feel free to delete it. That’s what the option is for.
OK, Lets imagine I’m not an Avast user. I’ve come across a new (undetected by anything) bank password stealing trojan.
I want to tell Avast/Norton/Kaspersky/Mcafee/Sunbelt/Bitdefender/AVG etc about it to help them in their aim of detecting malware quickly before it does damage… and the only method of telling them is to install their trial or free software one by one, quarantine the file, and send it into a black hole with no confirmation or guarantee that it will ever be assessed.
That isn’t a non-issue, because no-one will bother, and the thing will remain undetected by avast etc, for possibly months or years.
It’s easier to code a simple webform on the front page of a website, than to code the send from quarantine routine, and there is no reason not to have both.
I see your point, now. The only option I see (without installing the software) is to email them: virus@avast.com which, as you alluded to, involves zipping/passwording the file, which may deter a lot of users- especially of other products.
I must admit, it’s rather seldom I email (or otherwise notify) the software makers of AV’s I don’t use about suspect files. I suspect in the wider community the same is true, with only a small percentage of well motivated and competent users making useful submissions to AV companies.
To tell the truth, it’s very seldom I actually come across a suspect file at all.
When I do,my first port of call is usually virustotal.
But then, all my software is aimed at “prevention is better than cure”.
Someone like Polonus would be more involved in this sort of level of question, I think.
In theory virustotal etc is supposed to distribute the files automatically, but from past experience I know that the system falls down somewhere, because months or years later, many of the vendors still don’t pick up infections submitted there.
Actually, sometimes, Alwil doesn’t add detections to suspicious files submitted, either. I think it depends on a number of different factors, but have seen this not happen. There are periodically threads here about this.
The factors probably include:
-Potential for damage/spread,
-How widespread is it,
-Does it morph (ie: do we need to add this one, or keep updating detections for its latest variant)
-Does it affect current, or old little used software,
etc.
The easiest way to send samples is the one that Ad-Aware have.
Right click a file and then " Send with threatwork alliance " done…
Superantispyware is almost as simple if using the sample uploader, you just drag and dropp or you can browse
The primary issue I have with having to submit it as an password protected file is that you have to EXTRACT the contents to put it back into a password protected zip.
You don’t have to do that, with the sample in the chest, you only need to right click on it and select Submit to virus labs, complete a few details and end. It is uploaded during the next avast update no email or having to zip and password protect the file.
What guarantee do I have that the suspicious file arrives? because actually I sent undetected malwares for several months ago. That to this day, avast! not detected. And I’m not unique, others are also waiting for results, and if I’m not mistaken Tech is one of them. I do not know if it was solved.
The same guarantee that the file arrives if you send it by email, it is just that it is easier to do.
When you submit from the chest, do a manual update right after that and watch the progress as you will see the file being uploaded (see image), the last one I sent up.
Now that doesn’t have to go through a number of email servers, etc. where it may be intercepted and my presumption is that if the upload failed you would see that in the setup.log file. So this would be a reasonable assumption that it would be received, after that I can’t say what the process is, so I as an avast user can’t give any guarantees.
One thing I do know is if you don’t send it then it has zero chance of getting there.
I agree with you. Also, If avast! Lab accepts archive in 7z format, is the best option. Since mail providers can not scan this type of format. This should be the right way.
