Hey - DCS! Congratulations!


spy1
March 22nd, 2004, 01:31 PM
You guys did an absolutely GREAT JOB with the test against re-based malware that was conducted on that site that I can't link to! (and you did it without having to change/add to anything you already had in place!!! ).

WAY...TO...GO!! Pete

Jooske
March 22nd, 2004, 01:43 PM
Of course they have. Congratulations! ;)

spy1
March 22nd, 2004, 02:39 PM
Yep - 10 out of 11 ain't bad at all (NOD did the same when Advanced Heuristics were being used): Beast 1.92 remained undetected (by TDS) and TheefLE 1.11 was not detected (by NOD).

Wonder how come just one can slip through and the others couldn't?

Anyone from TDS looking into that? Pete

Pilli
March 22nd, 2004, 03:31 PM
Pete, I am surprised at that; look in your TDS primaries list and it is listed. I'm sure Gavin will answer soon.

spy1
March 23rd, 2004, 11:16 AM
I don't care that it didn't detect a re-based Beast 1.92, Pilli - I'm more curious as to why it would detect the others that were re-based but not that one.

And, I haven't seen any effort to answer that on DCS's part as of yet. Pete

Primrose
March 23rd, 2004, 11:56 AM
Quoting spy1:
    You guys did an absolutely GREAT JOB with the test against re-based malware that was conducted on that site that I can't link to! (and you did it without having to change/add to anything you already had in place!!!).

    WAY...TO...GO!! Pete

LOL Pete, and I will congratulate BOClean for you... but who the heck still uses the CLEANER

:o

Pilli
March 23rd, 2004, 12:01 PM
Hi Pete, Maybe DCS do not know where to look? I do not, so maybe an email to Gavin will help, with the appropriate link. Also maybe posting in the private TDS licenced ops forum would help.

spy1
March 23rd, 2004, 12:05 PM
Pilli - NP, I'll do it in a minute.

John - A lot of people still use The Cleaner. Sales-wise, I'm surprised it wasn't included to start with in ntl's test on that page. Pete

Wayne - DiamondCS
March 23rd, 2004, 10:57 PM
Rebasing is a good example of why automatic signature extraction is insufficient for detecting malware, because rebasing will almost certainly throw off detection. It takes us a bit longer to manually disassemble, analyse and find a quality signature, but the result is a strong signature (a strong signature being 1) a signature that's not easy to modify, 2) a signature that will comprehensively make a positive detection, and 3) a signature that won't give off any false alerts). This is the main reason why TDS did so well in Nautilus' rebase test, and it's a tribute to Gavin's analyses and TDS' detection techniques. I'm not sure why the Beast variant failed the test, especially because all others passed. I just tried then with a rebased Beast and it detected it OK, so that's a strange one, but just to be safe we'll have a closer look at it later this afternoon and if a change needs to be made it'll be included in tonight's database update.

Best regards,
Wayne
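To illustrate Wayne's point about why rebasing breaks automatically extracted signatures while an analyst's relocation-aware signature survives, here is an added example (not code from DiamondCS, TDS or anyone in this thread). It uses a constructed 22-byte x86 code blob in which two instructions carry 32-bit absolute addresses; the "relocation table" listing those fields, the preferred base of 0x00400000 and the new base of 0x10000000 are all assumptions made for the demonstration. Rebasing is simulated the way a loader or rebase tool does it: adding the base delta to every pointer field listed in the relocation table.

```python
import struct

# Constructed toy image (assumption: x86, little-endian). Not a real program.
PREFERRED_BASE = 0x00400000
NEW_BASE = 0x10000000


def build_image():
    """Return (code_bytes, reloc_offsets) for the toy image at PREFERRED_BASE.

    reloc_offsets lists the byte offset of every 32-bit absolute address in the
    code, i.e. what a PE .reloc section would describe.
    """
    data_addr = PREFERRED_BASE + 0x3000     # absolute address of a data cell
    func_addr = PREFERRED_BASE + 0x1200     # absolute address of a function pointer
    code = bytearray()
    relocs = []
    code += b"\x55"                                    # push ebp
    code += b"\x8b\xec"                                # mov ebp, esp
    relocs.append(len(code) + 1)                       # imm32 of the next instruction
    code += b"\xa1" + struct.pack("<I", data_addr)     # mov eax, [data_addr]
    code += b"\x85\xc0"                                # test eax, eax
    code += b"\x74\x06"                                # jz +6
    relocs.append(len(code) + 2)                       # imm32 of the next instruction
    code += b"\xff\x15" + struct.pack("<I", func_addr) # call [func_addr]
    code += b"\x33\xc0"                                # xor eax, eax
    code += b"\x5d\xc3"                                # pop ebp ; ret
    return bytes(code), relocs


def rebase(image, relocs, delta):
    """Apply a base delta to every relocated pointer, as a loader/rebase tool does."""
    out = bytearray(image)
    for off in relocs:
        (val,) = struct.unpack_from("<I", out, off)
        struct.pack_into("<I", out, off, (val + delta) & 0xFFFFFFFF)
    return bytes(out)


def auto_signature(image, start, length):
    """Naive automatic extraction: copy the raw bytes verbatim (no wildcards)."""
    return list(image[start:start + length])


def masked_signature(image, relocs, start, length):
    """Analyst-style signature: same window, but every byte that a relocation
    can change becomes a wildcard (None), so the pattern survives rebasing."""
    reloc_bytes = {off + i for off in relocs for i in range(4)}
    return [None if pos in reloc_bytes else image[pos]
            for pos in range(start, start + length)]


def scan(image, sig):
    """Return the offset of the first match of sig in image, or -1."""
    n = len(sig)
    for i in range(len(image) - n + 1):
        if all(s is None or image[i + k] == s for k, s in enumerate(sig)):
            return i
    return -1


def specificity(sig):
    """Number of fixed bytes in a signature: fewer fixed bytes means a higher
    false-alert risk, which is Wayne's third criterion for a strong signature."""
    return sum(1 for s in sig if s is not None)


def demo():
    """Run both signatures against the original and the rebased image."""
    original, relocs = build_image()
    rebased = rebase(original, relocs, NEW_BASE - PREFERRED_BASE)
    naive = auto_signature(original, 0, len(original))
    masked = masked_signature(original, relocs, 0, len(original))
    return {
        "naive_on_original": scan(original, naive),
        "naive_on_rebased": scan(rebased, naive),
        "masked_on_original": scan(original, masked),
        "masked_on_rebased": scan(rebased, masked),
        "naive_fixed_bytes": specificity(naive),
        "masked_fixed_bytes": specificity(masked),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The naive signature matches only the image at its preferred base, because rebasing rewrites the two pointer fields; the masked signature matches both, at the cost of eight fewer fixed bytes. In practice an analyst also picks a window with few relocated fields so that the wildcards do not erode specificity.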

FanJ
March 24th, 2004, 12:48 AM
Quoting Primrose:
    Quoting spy1:
        You guys did an absolutely GREAT JOB with the test against re-based malware that was conducted on that site that I can't link to! (and you did it without having to change/add to anything you already had in place!!!).

        WAY...TO...GO!! Pete

    LOL Pete, and I will congratulate BOClean for you... but who the heck still uses the CLEANER

    :o

Heya John,
Please forgive me my friend (!!!), but this is the TDS-3 public support forum-section and not the "Other Anti-Trojan" forum-section ;).

Warm regards, Jan.

--ntl--
March 24th, 2004, 01:26 AM
It should be noted that (due to its inherent nature) object mem scanning will not be affected by rebasing. TDS supports object mem scanning.

Object mem scanning was not part of the rebasing test since it has nothing to do with it.

In consequence, it would be misleading to say that TDS did not detect the rebased Beast sample at all. On the other hand, it would also be misleading to say that TDS passed the rebasing test in respect of this sample. (Please note that object mem scanning can be easily bypassed. Therefore, it does not substitute but merely complements ordinary scanning techniques.)