Backup on-demand scan for Kaspersky


richrf
July 16th, 2005, 04:17 PM
Hi guys,

For the last few weeks I have been casually (and very unscientifically) monitoring Jotti's to try to determine which AV is most likely to catch malware that is not detected by KAV. Not surprisingly, KAV very rarely misses on Jotti, but there have been those occasions. I would have thought that NOD32 would be the most likely candidate, but very surprisingly, it appears that BitDefender and VBA32 are the most likely. Now ... it could be that they are just giving false positives, but I do know that on one occasion, a BitDefender online scan did find some malware on my machine (it was relatively minor - but annoying) that both KAV and NOD32 missed.

So maybe these two products are approaching scanning/detection in a manner that is quite complementary to KAV. I don't know. Has anyone had any direct - and possibly more scientific - experience or knowledge in this area?

Thanks for any comments,
Rich

The Hammer
July 16th, 2005, 06:53 PM
I take it you have seen the most recent retrospective test at Av-Comparatives?

richrf
July 16th, 2005, 11:27 PM
Hi Hammer,

Tough to say what two AVs complement each other the best. The heuristics of, let's say, AV-1 may be better than those of AV-2, but because of the nature of AV-2, it may in fact be a better complement for a product like KAV. I'm just sort of curiously watching things on Jotti and trying to juxtapose what I see on Jotti with my own personal experiences. And while intuitively it may seem like NOD32 (with its strong heuristics) may be a strong complement for KAV, it just appears that possibly VBA32 or BitDefender may in fact be a better complement. No way of knowing for sure, since my sample size is so small. But it could be that the best complement is the product I already have - which is Ewido. I guess it is all a guess anyway.

Cya around,
Rich

The Hammer
July 16th, 2005, 11:42 PM
{QUOTE-> Hi Hammer,

Tough to say what two AVs complement each other the best. The heuristics of, let's say, AV-1 may be better than those of AV-2, but because of the nature of AV-2, it may in fact be a better complement for a product like KAV. I'm just sort of curiously watching things on Jotti and trying to juxtapose what I see on Jotti with my own personal experiences. And while intuitively it may seem like NOD32 (with its strong heuristics) may be a strong complement for KAV, it just appears that possibly VBA32 or BitDefender may in fact be a better complement. No way of knowing for sure, since my sample size is so small. But it could be that the best complement is the product I already have - which is Ewido. I guess it is all a guess anyway.

Cya around,
Rich <-QUOTE}
I'm not nearly experienced enough to know myself, and I have never used Jotti's site. But the complaint has been made (and you probably have seen it) that NOD cannot be set up on that site using best possible settings. Are you using Jotti as the sole vehicle for testing your samples?

richrf
July 16th, 2005, 11:46 PM
Hi Hammer,

It is a good point. It's definitely not a good idea to use Jotti as a sole point of reference along with my own experiences, which is why I posted this message. It will probably remain one of those great mysteries in life, until someone actually does the tests to see which two AVs/ATs, in combination, catch the most malware. Personally, I am not holding my breath for this test. :)

Cya around,
Rich

The Hammer
July 16th, 2005, 11:49 PM
Virus Total has been mentioned as a second test site if you think they are ok.
Bitdefender's heuristics are improving according to info on AV-Comparatives.

richrf
July 16th, 2005, 11:58 PM
Hi Hammer,

If I recollect, Virus Total doesn't display the results of the tests to the public - only to the person who submitted the test. Thanks for the suggestion.

Rich

Stan999
July 17th, 2005, 12:17 AM
Here are some I noticed that were missed by KAV but detected by other AVs on Jotti's site.

I don't know if there is any value in this information?

Last file scanned at least one scanner reported something about: Lop.E in Rule_Mp3.exe, detected by:

Scanner                 Malware name
AntiVir                 TR/Dldr.Swizzor.CO
ArcaVir                 X
Avast                   X
AVG Antivirus           X
BitDefender             X
ClamAV                  X
Dr.Web                  X
F-Prot Antivirus        X
Fortinet                X
Kaspersky Anti-Virus    X
NOD32                   probably a variant of Win32/TrojanDownloader.Swizzor
Norman Virus Control    Lop.E
UNA                     X
VBA32                   X

----

Last file scanned at least one scanner reported something about: W32/Suspicious_M.gen in v.exe, detected by:

Scanner                 Malware name
AntiVir                 X
ArcaVir                 X
Avast                   X
AVG Antivirus           X
BitDefender             Backdoor.SDBot.4B75DA01
ClamAV                  Worm.Mytob.GH
Dr.Web                  X
F-Prot Antivirus        X
Fortinet                X
Kaspersky Anti-Virus    X
NOD32                   probably unknown NewHeur_PE
Norman Virus Control    W32/Suspicious_M.gen
UNA                     X
VBA32                   X

----

Last file scanned at least one scanner reported something about: W32/Beastdoor.2_06D in 115F7576.upx.dll, detected by:

Scanner                 Malware name
AntiVir                 BDS/BeastDoor.205.D
ArcaVir                 X
Avast                   X
AVG Antivirus           X
BitDefender             X
ClamAV                  Trojan.Beastdoor.206.3
Dr.Web                  BackDoor.Beast.207
F-Prot Antivirus        X
Fortinet                X
Kaspersky Anti-Virus    X
NOD32                   X
Norman Virus Control    W32/Beastdoor.2_06D
UNA                     X
VBA32                   X

----

Last file scanned at least one scanner reported something about: Backdoor.Delphi.62 in unpack_esalas.EXE.aq, detected by:

Scanner                 Malware name
AntiVir                 X
ArcaVir                 X
Avast                   X
AVG Antivirus           X
BitDefender             X
ClamAV                  X
Dr.Web                  Trojan.MulDrop.1923
F-Prot Antivirus        X
Fortinet                X
Kaspersky Anti-Virus    X
NOD32                   X
Norman Virus Control    X
UNA                     TrojanNotifier.Win32.Small
VBA32                   Backdoor.Delphi.62

----

Last file scanned at least one scanner reported something about: a variant of Win32/TrojanDownloader.Zlob.G in vc1_05a.exe, detected by:

Scanner                 Malware name
AntiVir                 X
ArcaVir                 X
Avast                   X
AVG Antivirus           Dropper.Small.24.P
BitDefender             BehavesLike:Win32.ExplorerHijack
ClamAV                  X
Dr.Web                  X
F-Prot Antivirus        X
Fortinet                X
Kaspersky Anti-Virus    X
NOD32                   a variant of Win32/TrojanDownloader.Zlob.G
Norman Virus Control    X
UNA                     X
VBA32                   X

----

Last file scanned at least one scanner reported something about: BDS/SdBot.Gen.Plus in taskmon.exe, detected by:

Scanner                 Malware name
AntiVir                 BDS/SdBot.Gen.Plus
ArcaVir                 X
Avast                   X
AVG Antivirus           X
BitDefender             BehavesLike:Win32.ExplorerHijack
ClamAV                  X
Dr.Web                  X
F-Prot Antivirus        X
Fortinet                X
Kaspersky Anti-Virus    X
NOD32                   probably unknown NewHeur_PE
Norman Virus Control    Sandbox: W32/Backdoor
UNA                     X
VBA32                   X

----

Last file scanned at least one scanner reported something about: Lop.E in Support_Proc.exe, detected by:

Scanner                 Malware name
AntiVir                 TR/Dldr.Swizzor.CO
ArcaVir                 X
Avast                   X
AVG Antivirus           X
BitDefender             X
ClamAV                  X
Dr.Web                  X
F-Prot Antivirus        X
Fortinet                X
Kaspersky Anti-Virus    X
NOD32                   probably a variant of Win32/TrojanDownloader.Swizzor
Norman Virus Control    Lop.E
UNA                     X
VBA32                   X

----

.exe, detected by:

Scanner                 Malware name
AntiVir                 Worm/Dasodt
ArcaVir                 Trojan.Mosucker.S
Avast                   Win32:MoSucker-005
AVG Antivirus           X
BitDefender             Backdoor.Mosucker.N
ClamAV                  Trojan.Mosucker-5
Dr.Web                  BackDoor.Mosv
F-Prot Antivirus        X
Fortinet                X
Kaspersky Anti-Virus    X
NOD32                   probably unknown NewHeur_PE
Norman Virus Control    X
UNA                     X
VBA32                   X

----

Last file scanned at least one scanner reported something about: Heuristic/Trojan.Downloader in server.exe, detected by:

Scanner                 Malware name
AntiVir                 Heuristic/Trojan.Downloader
ArcaVir                 X
Avast                   X
AVG Antivirus           X
BitDefender             BehavesLike:Win32.ExplorerHijack
ClamAV                  X
Dr.Web                  Trojan.DownLoader.3217
F-Prot Antivirus        X
Fortinet                X
Kaspersky Anti-Virus    X
NOD32                   probably unknown NewHeur_PE
Norman Virus Control    Sandbox: W32/Downloader
UNA                     X
VBA32                   X

----

Last file scanned at least one scanner reported something about: BackDoor.Wojass in Nowy folder.rar, detected by:

Scanner                 Malware name
AntiVir                 X
ArcaVir                 X
Avast                   X
AVG Antivirus           X
BitDefender             X
ClamAV                  X
Dr.Web                  BackDoor.Wojass
F-Prot Antivirus        X
Fortinet                X
Kaspersky Anti-Virus    X
NOD32                   X
Norman Virus Control    X
UNA                     Backdoor.Wojass
VBA32                   BackDoor.Wojass

----

Last file scanned at least one scanner reported something about: a variant of Win32/Adware.MediaTickets application in osoa.exe, detected by:

Scanner                 Malware name
AntiVir                 X
ArcaVir                 X
Avast                   X
AVG Antivirus           X
BitDefender             X
ClamAV                  X
Dr.Web                  X
F-Prot Antivirus        X
Fortinet                X
Kaspersky Anti-Virus    X
NOD32                   a variant of Win32/Adware.MediaTickets application
Norman Virus Control    X
UNA                     X
VBA32                   X

----

Last file scanned at least one scanner reported something about: Win32/Adware.HotBar application in wzhjgzyl.exe, detected by:

Scanner                 Malware name
AntiVir                 X
ArcaVir                 X
Avast                   X
AVG Antivirus           X
BitDefender             X
ClamAV                  X
Dr.Web                  X
F-Prot Antivirus        X
Fortinet                X
Kaspersky Anti-Virus    X
NOD32                   Win32/Adware.HotBar application
Norman Virus Control    X
UNA                     X
VBA32                   X

----

Last file scanned at least one scanner reported something about: AdWare.Lop.m in mhioiott.exe, detected by:

Scanner                 Malware name
AntiVir                 TR/Dldr.Swizzor.CO
ArcaVir                 X
Avast                   X
AVG Antivirus           X
BitDefender             X
ClamAV                  X
Dr.Web                  X
F-Prot Antivirus        X
Fortinet                X
Kaspersky Anti-Virus    X
NOD32                   Win32/Adware.Lop application
Norman Virus Control    Lop.E
UNA                     X
VBA32                   AdWare.Lop.m

----

Last file scanned at least one scanner reported something about: a variant of Win32/TrojanDownloader.IstBar in iinstall.exe, detected by:

Scanner                 Malware name
AntiVir                 X
ArcaVir                 X
Avast                   X
AVG Antivirus           X
BitDefender             X
ClamAV                  Trojan.Downloader.Istbar-145
Dr.Web                  Trojan.DownLoader.3316
F-Prot Antivirus        X
Fortinet                Adware/IstBar
Kaspersky Anti-Virus    X
NOD32                   a variant of Win32/TrojanDownloader.IstBar
Norman Virus Control    X
UNA                     X
VBA32                   X

----

Last file scanned at least one scanner reported something about: Trojan.Win32.Agent.bi in appbr.exe, detected by:

Scanner                 Malware name
AntiVir                 X
ArcaVir                 X
Avast                   X
AVG Antivirus           X
BitDefender             X
ClamAV                  X
Dr.Web                  X
F-Prot Antivirus        X
Fortinet                X
Kaspersky Anti-Virus    X
NOD32                   Win32/TrojanDownloader.Agent.BQ
Norman Virus Control    X
UNA                     X
VBA32                   Trojan.Win32.Agent.bi

----

Last file scanned at least one scanner reported something about: Backdoor.Win32.Bifrose.d in chess_fritz77_patch.exe, detected by:

Scanner                 Malware name
AntiVir                 X
ArcaVir                 X
Avast                   X
AVG Antivirus           X
BitDefender             BehavesLike:Win32.ExplorerHijack
ClamAV                  X
Dr.Web                  X
F-Prot Antivirus        unknown virus
Fortinet                X
Kaspersky Anti-Virus    X
NOD32                   a variant of Win32/Bifrose
Norman Virus Control    Bifrose.D
VBA32                   Backdoor.Win32.Bifrose.d

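The question raised earlier in the thread (which backup scanner, or pair of scanners, catches the most of what KAV misses) can be answered mechanically from result blocks like the ones pasted above. The script below is an added example written for this page; it is not code from the thread, from Jotti or from any vendor. It parses Jotti-style blocks, counts for each scanner how many KAV misses it caught, and searches for the pair of backup scanners that, together with KAV, covers the most samples. It also separates signature verdicts from heuristic ones ("probably ...", "BehavesLike:", "Sandbox:", "unknown virus"), since the thread itself notes those may be false positives. The first two input blocks are copied from the paste above; the other two (sample_c.exe, sample_d.exe) are constructed to exercise the heuristic case, and the scanner list, marker words and file names are assumptions for the example.

```python
"""Rank backup on-demand scanners by how well they complement a primary AV,
from Jotti-style result blocks. Added example, not the thread's own code."""
from itertools import combinations

SCANNERS = [  # scanner names as they appear in the pasted blocks (assumed list)
    "AntiVir", "ArcaVir", "Avast", "AVG Antivirus", "BitDefender", "ClamAV",
    "Dr.Web", "F-Prot Antivirus", "Fortinet", "Kaspersky Anti-Virus", "NOD32",
    "Norman Virus Control", "UNA", "VBA32",
]
BASELINE = "Kaspersky Anti-Virus"   # the primary real-time scanner
# Wording that marks a heuristic/sandbox guess rather than a signature hit (assumed).
HEURISTIC_MARKERS = ("probably", "BehavesLike", "Sandbox:", "Heuristic", "unknown")

# Constructed input: blocks 1-2 copied from the thread, blocks 3-4 made up.
# A scanner with no row in a block is treated as "no verdict".
SAMPLE = """\
Last file scanned at least one scanner reported something about: Lop.E in Rule_Mp3.exe, detected by:
Scanner Malware name
AntiVir TR/Dldr.Swizzor.CO
AVG Antivirus X
Kaspersky Anti-Virus X
NOD32 probably a variant of Win32/TrojanDownloader.Swizzor
Norman Virus Control Lop.E
VBA32 X
----
Last file scanned at least one scanner reported something about: Backdoor.Delphi.62 in unpack_esalas.EXE.aq, detected by:
Scanner Malware name
AntiVir X
Dr.Web Trojan.MulDrop.1923
Kaspersky Anti-Virus X
NOD32 X
UNA TrojanNotifier.Win32.Small
VBA32 Backdoor.Delphi.62
----
Last file scanned at least one scanner reported something about: Backdoor.Generic in sample_c.exe, detected by:
Scanner Malware name
BitDefender Backdoor.Generic
Kaspersky Anti-Virus Backdoor.Win32.Generic
----
Last file scanned at least one scanner reported something about: NewHeur_PE in sample_d.exe, detected by:
Scanner Malware name
BitDefender BehavesLike:Win32.ExplorerHijack
Kaspersky Anti-Virus X
NOD32 probably unknown NewHeur_PE
VBA32 Backdoor.Win32.Bifrose.d
"""


def parse_blocks(text):
    """Return {filename: {scanner: verdict}}; an 'X' verdict is stored as None."""
    by_len = sorted(SCANNERS, key=len, reverse=True)  # longest name first: 'AVG Antivirus' before 'AVG'
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Last file scanned"):
            # the file name sits between the last ' in ' and ', detected by:'
            current = line.rsplit(" in ", 1)[1].split(", detected by:")[0]
            blocks[current] = {}
        elif line.startswith("---"):
            current = None  # rows under a truncated header (no 'Last file scanned') are dropped
        elif current is not None:
            name = next((s for s in by_len if line.startswith(s + " ")), None)
            if name:
                verdict = line[len(name):].strip()
                blocks[current][name] = None if verdict == "X" else verdict
    return blocks


def is_detection(verdict, count_heuristics=True):
    """None ('X' or no row) is a miss; heuristic-style verdicts count only when asked."""
    if verdict is None:
        return False
    if count_heuristics:
        return True
    low = verdict.lower()
    return not any(m.lower() in low for m in HEURISTIC_MARKERS)


def baseline_misses(blocks, baseline=BASELINE, count_heuristics=True):
    """Samples on which the primary scanner reported nothing."""
    return {f: r for f, r in blocks.items() if not is_detection(r.get(baseline), count_heuristics)}


def complement_scores(blocks, baseline=BASELINE, count_heuristics=True):
    """(scanner, hits on baseline misses) pairs, best complement first, ties by name."""
    misses = baseline_misses(blocks, baseline, count_heuristics)
    scores = {s: sum(is_detection(r.get(s), count_heuristics) for r in misses.values())
              for s in SCANNERS if s != baseline}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def best_pairs(blocks, baseline=BASELINE, count_heuristics=True):
    """Backup pairs that, with the baseline, cover the most samples; all ties are returned."""
    others = [s for s in SCANNERS if s != baseline]
    cover = {(a, b): sum(any(is_detection(r.get(s), count_heuristics) for s in (baseline, a, b))
                         for r in blocks.values())
             for a, b in combinations(others, 2)}
    top = max(cover.values(), default=0)
    return top, sorted(p for p, n in cover.items() if n == top)


if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE)
    for count_h in (True, False):
        label = "counting heuristic verdicts" if count_h else "signature verdicts only"
        print(f"--- {label}: {len(baseline_misses(blocks, count_heuristics=count_h))} KAV misses")
        for s, n in complement_scores(blocks, count_heuristics=count_h)[:4]:
            print(f"{s:<22}{n}")
        print("best backup pairs:", best_pairs(blocks, count_heuristics=count_h))
```

Run it as-is and the two passes disagree, which is the point: with heuristic verdicts counted, NOD32 ties VBA32 as the best complement; with only signature verdicts, NOD32 scores zero on this input and VBA32 stands alone. Whether a "probably ..." verdict should count depends on how much weight you give possible false positives, and the script makes that choice explicit instead of burying it in the tally.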
Don Pelotas
July 17th, 2005, 05:33 AM
{QUOTE-> I don't know if there is any value in this information? <-QUOTE}
Stan999, why do you keep on posting these taken-out-of-context, and by your own admission (previously) meaningless screenshots?

And why do you never include this rather important info directly beneath the "Last file scanned"?:

You're free to (mis)interpret these automated, flawed statistics at your own discretion.

richrf
July 17th, 2005, 07:50 AM
Hi,

Hmmm ... it appears that the best solution may be to add "behavior" monitoring software as I have - e.g. ProcessGuard, SnS, RegDefend, unless I want to run NOD32 and VBA32 as backup scans - which is possible. Thanks for the help guys.

Rich

Anon
July 17th, 2005, 08:48 AM
{QUOTE-> Hi,

Hmmm ... it appears that the best solution may be to add "behavior" monitoring software as I have - e.g. ProcessGuard, SnS, RegDefend, unless I want to run NOD32 and VBA32 as backup scans - which is possible. Thanks for the help guys.

Rich <-QUOTE}

Isn't the question 'which backup scanner you should run'? The presence of HIPS systems is a given. I have decided on a Bitdefender + Nod32 combo after some research and discussion with a knowledgeable source.

richrf
July 17th, 2005, 08:59 AM
Hi Anon,

After looking over some of the published results and my own casual data gathering, it appears even two scanners are not sufficient. In my case, it would appear KAV+NOD32 or KAV+VBA32 would be a possible solution. This is not entirely surprising.

My guess is that for this combination to be at all effective, I would have to run the backup scans pretty regularly, since probably within a very short period of time KAV would have its database updated with the necessary signatures, thereby making the backup scan a moot point. Of course, the best situation would be to be able to run both AVs in real-time, but this solution appears to have its own technical problems. For example, I tried installing the latest version of NOD32 on my system, and I could not after several attempts. There must be some new conflict with KAV on my system that did not exist before.

Rich