|
Slow Anti-Virus signatures....
The following fairly unscientific test may interest some of you.
Over the last 72 hours I received a number of zero-day viruses fresh from the wild. What has interested me is the state of play in virus signatures being created by the vendors.... Commercial vendors F-Secure and Avira were the quickest in analysing my file and pushing out new definitions .... they did so within 2-3 hours of me submitting the file. The rest of the vendors had updates by the end of the day, except for all the freebie providers Avast, AVG, Malwarebytes etc. who didn't release updates until the afternoon of the next day. Interestingly enough, for two of my files, little known Vietnamese AV company CMC already had definitions..... But what's more interesting is the current state of play, I've just re-analysed the original file from the 1st of October ..... The following vendors all have definitions : AVG,Ad-Aware,Avast,Avira,Baidu-International,BitDefender,CMC,ESET-NOD32,Emsisoft,F-Secure,Fortinet,GData,Ikarus,Malwarebytes,McAfee,Micro World-eScan,NANO-Antivirus,Norman,Panda,Qihoo-360,Sophos But the virus still goes undetected in the following : AVware,AegisLab,Agnitum,AhnLab-V3,Antiy-AVL,Bkav,ByteHero,CAT-QuickHeal,ClamAV,Comodo,Cyren,DrWeb,F-Prot,Jiangmin,K7AntiVirus,K7GW,Kaspersky,Kingsoft,McAf ee-GW-Edition,Microsoft,Rising,SUPERAntiSpyware,Symantec,Tenc ent,TheHacker,TotalDefense,TrendMicro,TrendMicro-HouseCall,VBA32,VIPRE,ViRobot,Zillya,Zoner So I guess the old story remains with unsolicited attachments .... caveat emptor. Looks like the virus writers are currently temporarily ahead in the game at the moment.... |
Hmm. Interesting. I would have thought Kaspersky with dodgy Russian heritage would be quicker off the mark :8
What kind of attachments / files are we talking about? Dodgy PDFs? Or something that can be filtered by an email server e.g. .exe or .bin or something? |
I would have thought Kaspersky with dodgy Russian heritage would be quicker off the mark What kind of attachments / files are we talking about? Dodgy PDFs? Or something that can be filtered by an email server e.g. .exe or .bin or something? I'm guessing the rar must be self-expanding because not many people will have rar extractors installed (unless newer versions of Windows natively support rar ? its been a while since I tried). One of the files I looked at leaves the following traces of its presence in the registry.... HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Applets\Wordpad HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Applets\Wordpad\IP HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Applets\Wordpad\Options HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Applets\Wordpad\RTF HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Applets\Wordpad\Settings HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Applets\Wordpad\Text HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Applets\Wordpad\Word6 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Applets\Wordpad\Write The background process makes lookups to domain names that start with : stahltech jotoocourt test.quimall okmax (I have omitted the domain suffixes) |
You're doing copypasta from the sophos.com website and I claim my 5 pounds.
|
You're doing copypasta from the sophos.com website and I claim my 5 pounds. As I said, before I reported it to Sophos & others, their software did not detect the malware. So there. I'll have 5 squid please. |
| All times are GMT. The time now is 20:08. |
Copyright © 2026 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.