How to convince Virus Analysts at Kaspersky labs for addition of a detection?
xpsunny
January 18th, 2009, 04:14 AM
Hi,
How to convince Virus Analysts at Kaspersky labs about addition of detection? I have many malware samples, which have 0/39 to 5/39 detection by Virustotal. Well, first of all I thought they may be false positives, so I sent them to threat experts and concluded that they are malicious. For example I have an online game installer; besides the game it also silently downloads and installs Casino.Adware, malicious ActiveX, etc.
So I sent the {installer + the downloaded components} to the labs... they said it's all clean!!!... lol....
Many of the real malicious samples I send to the Kaspersky lab are considered "clean"..... how to convince KL for addition to the detection bases?
C.S.J
January 18th, 2009, 04:20 AM
-{ Quote: "Hi,
How to convince Virus Analysts at Kaspersky labs about addition of detection? I have many malware samples, which have 0/39 to 5/39 detection by Virustotal. Well, first of all I thought they may be false positives, so I sent them to threat experts and concluded that they are malicious. For example I have an online game installer; besides the game it also silently downloads and installs Casino.Adware, malicious ActiveX, etc.
So I sent the {installer + the downloaded components} to the labs... they said it's all clean!!!... lol....
Many of the real malicious samples I send to the Kaspersky lab are considered "clean"..... how to convince KL for addition to the detection bases?" }-
convince?
if they have checked it, and say it's clean.... that's all you will get.
there is no convincing, zero chance. ::)
EliteKiller
January 18th, 2009, 04:36 AM
Send the samples to other vendors and forward the details of said reports to Kaspersky.
virtumonde
January 18th, 2009, 04:59 AM
This happened to me 3-4 times with Avira & Kaspersky. With Avira I posted on their forum telling the "incident number", & with Kaspersky send another email with more details if you are convinced it is malware.
xpsunny
January 18th, 2009, 06:20 AM
Although I forwarded the ThreatExpert detailed analysis report... it shows no effect!!!
Take a look here for the malware sample report, "assumed" as clean by KL...
~Copyrighted information removed.~ - Ron~
And take a look at this one...it's the malware I was talking about in Post#1
Baz_kasp
January 18th, 2009, 08:12 AM
Care to send me a link to these "infected" files?
If they are indeed malicious I will get them looked at again. If they are not however we will leave it at that.
P.s. I hope they aren't the same infected samples you were sending to Nick ;)
http://www.wilderssecurity.com/showpost.php?p=1352292&postcount=6
TechOutsider
January 18th, 2009, 08:21 AM
Happens to me and SSR as well. They don't really have time to deeply analyze everything you send them.
I believe that sample submission should be based on reputation. If you are a known and highly regular submitter, your samples should have top priority.
Or, I guess that you could release the malware into the wild ... because most AVs have 100% ITW detection, right?
Oh, Kaspersky failed the last VB100 though :(
xpsunny
January 18th, 2009, 08:28 AM
-{ Quote: "Care to send me a link to these "infected" files?
If they are indeed malicious I will get them looked at again. If they are not however we will leave it at that.
P.s. I hope they aren't the same infected samples you were sending to Nick ;) " }-
Chill Man! No need to further provoke a settled down discussion...
The malware I sent was truly malicious, but unfortunately posting the ThreatExpert reports (as proof) is against the forum rules...
C.S.J
January 18th, 2009, 08:38 AM
-{ Quote: "Chill Man! No need to further provoke a settled down discussion...
The malware I sent was truly malicious, but unfortunately posting the ThreatExpert reports (as proof) is against the forum rules..." }-
oh please, you're using Threat Expert to analyze a sample. ::)
if they have actually taken the time to check your sample, and to take the time to tell you it's clean....
what's your beef? :wacko:
sure, they may have made a mistake (doubt it)
but I'd take Kaspersky's analysts any day over a Threat Expert self-analysis.
xpsunny
January 18th, 2009, 08:51 AM
@ Baz_kasp and C.S.J
STOP IRRITATING ME!
C.S.J
January 18th, 2009, 08:58 AM
-{ Quote: "@ Baz_kasp and C.S.J
STOP IRRITATING ME!" }-
lol I wasn't intending on irritating you,
you sent, they analyzed, no virus.
you ain't happy because they tell you it's not a virus? ::)
using a free automated analysis tool does not and will never ever make you an analyst; these people do this for a living, it's their profession.
if you're looking for sympathy, wrong place my friend. :blink:
TechOutsider
January 18th, 2009, 09:05 AM
Ok, I'm sorry, however the only thing the 3 installers downloaded were jpeg images. Just clean, E rated jpeg emoticons.
xpsunny
January 18th, 2009, 09:07 AM
-{ Quote: "Ok, I'm sorry, however the only thing the 3 installers downloaded were jpeg images. Just clean, E rated jpeg emoticons." }-
As I PMed you before, those are only a few samples....are you SURE you tested the game installer? Just send the "casino.exe" file to VT, and then see the results...
BTW: Why don't you post VT links here about the three files....
Smokey
January 18th, 2009, 09:19 AM
-{ Quote: "
Many of the real malicious samples I send to the Kaspersky lab are considered "clean"..... how to convince KL for addition to the detection bases?" }-
Maybe you are a bit overfocused; like C.S.J says, the Kaspersky Lab analysts do this for a living, it's their profession. Therefore your samples are rated by them as being clean, and you never will be able to convince them of the contrary. Nobody likes FPs ;)
icr
January 18th, 2009, 09:26 AM
Happened to me once with KIS 09: the keygen of a game was flagged as a keylogger :lurking:
xpsunny
January 18th, 2009, 09:26 AM
VT links are removed....lol...
EliteKiller
January 18th, 2009, 09:28 AM
-{ Quote: "
@ Baz_kasp and C.S.J
STOP IRRITATING ME!" }-
Please show some maturity and act like an adult even IF you aren't one.
-{ Quote: "BTW: Why don't you post VT links here about the three files...." }-
1) VT is not the end all answer.
2) It is against forum policy to post complete VT results and will result in a Wilders staff snipping your post. Surely you know this by now.
Again, if you feel that your samples are truly malicious send them to other companies for diagnosis instead of trying to rally a mob.
xpsunny
January 18th, 2009, 09:28 AM
Request to the moderators: Since I am the OP I request to delete this thread, cuz I don't care if Kaspersky does not detect them...
The samples now have approx. 15/39 VT detection....
LowWaterMark
January 18th, 2009, 09:30 AM
-{ Quote: "BTW: Why don't you post VT links here about the three files...." }-
For two reasons:
1. Reports from Virus Total are not proof that a specific file is malware. It just says that some products detect it as malware. (A specific sample might simply match some simple or generic signatures in some or even many products.) But hand analysis by professional virus analysts in a lab like KAV's is far more likely to be accurate for a specific file.
2. Because of the above and other reasons, it is against our policy to post VT logs (and has been for a long time):
Announcements: Policy Regarding the Posting of Jotti/Virus Total Results (http://www.wilderssecurity.com/showthread.php?t=180057)
Your posts with VT result links have been removed.
This thread is going nowhere. KAV labs analysts are among the best in the world. While they may be mistaken, it is unlikely. If they are, well, so be it. You are not a virus analyst expert, so you are not going to prove that any specific file is really malicious, and certainly not by posting results from scanners or automated analysis tools.
Thread closed.