Where do Antivirus vendors get daily signatures?

Where do they get them?
Do they have some sort of group of people specializing in seaching wild malware samples?

 

lol I've never asked,

Honeypots and submits probably.

Then analyists analyze, definitions and curing techniques created.

I could be completely wrong, just a guess really, it's not something I've really thought about.

I know drweb have had quite a few from me Over the years

 

ye that is an interesting question, never really thought about it myself either, would be interesting to hear a rep from one of the AV companies respond to this.

 

I know that F-Secure gets from me too...

 

Hi,

as far as I know they first write a signature, then they compile a few matching malware files and in the end they forget how to remove this mess completely.

Cheers

 

I think the major antivirus vendors have automated bots that scour the web for malicious files. With the amount of malware out there in the wild, it's hard to imagine having people search for them manually.

 

Is there anyone who can clarify this?

 

I know Webroot uses an automated system to collect malware.

http://www.webroot.com/En_US/about-phileas.html

Seeing that the major antivirus vendors are bigger companies with more resources, I would think they would invest in a state of the art system that automates malware collection.

 

AntiVirus vendors compile their signatures from a variety of sources.

Take Symantec Security Response, the team ... SSR.

They have global honeypot sensors; for Symantec it's called "DeepSight" ... it monitors global network activities for zero-day vulnerabilities ... tracks exploits ... and warns end customers ...

http://www.networkworld.com/best/2006/022706security-management.html
https://tms.symantec.com/Default.aspx

According to Wikipedia, a "honeypot" is a trap set to "detect, deflect, or or in some manner counteract attempts at unauthorized use of information system". It is a network of purposely vulnerable computers that seeeeeem to have useful data on them ... so hackers are tempted to break into them. The hackers and their actions are monitored .... it's like watching someone try to break into a bank ...

SSR also takes user submission ... from me ... often times:

https://submit.symantec.com/websubmit/retail.cgi

And SSR also collaborates with other labs ... yes it's true.

 

Honeypots, submissions, other AVs, VT etc
Detecting and creating signatures is often automated (I think?)

 

Detecting of the virus, I am sure to a degree is automated, along with submissions and honeypots. I seriously doubt that the writing of signatures is automated. The script would have to be de-compiled, examined and it`s effect, interaction with the OS studied prior to the writing of the detection and removal code.

Only if it were that easy.

 

Not only antivirus vendors, we ain't a antivirus vendor but have currently have a bigger automatic malware and attack collecting system then most vendors. This because malware and attacks are the weapons of future warfare (terrorism).

 

yes...and one gets the feeling certain AV's have a virustotal scanner as their viruslab....aka sample comes in, if it is detected by another av, add the detection with said av's detection name

 

Who is "we"?

 

I had wondered often y vba32 had same name detections as kaspersky on jotti, havent checked their in a while though

 

One of the bigger armies on this planet.

 

pcsecuritylabs

 

No no, only replied to some posts of him, we ain't associated with PC Security Labs in any way.

 

So who is "we"

 

See post #16 comrade.

 

actually, dawg was right, sample processing is largely automated... you don't need to know much about the effects of the malware or how it interacts with the OS in order to generate signatures for detection... all you need is to know what the sample looks like...

there are exceptional cases, of course, but the head of kaspersky's virus lab was once quoted as saying the average sample takes only 5 minutes to process - i seriously doubt that has a lot of human interaction in it...

it's removal routines that would probably be the most complicated to automate, but since av's generally don't do a great job of cleaning up the effects of the malware and rather just delete the malware for the most part, i suspect automating that part of things isn't high on their to-do list...

 

Yep. 5 minutes. SSR has an automated system; if it doesn't determine the file to be malicious, it is stored for human analysis. If it is determined to be malicious/suspicious, then signatures are update immediately and SSR e-mails the person who sent the sample with a link to the updated defs.

And look at ThreatExpert; their automated analysis only take ~6 to 7 minutes.

Here is a letter from SSR ...

"This message is an automatically generated reply. This system is designed to analyze and process virus submissions into the Symantec Security Response and cannot accept correspondence or inquiries.
Please contact your Technical Support representative if more detailed
information about your submission is required. Do not reply to this
message.

Below is a status update on your virus submission:

Date: December 27, 2008

Dear ______ ______,

We have analyzed your submission. The following is a report of our
findings for each file you have submitted:

filename: malware.exe
machine: Machine
result: This file is detected as W32.Spybot.Worm. http://www.symantec.com/avcenter/venc/data/w32.spybot.worm.html

Customer notes:
backdoor.rbot~~Tech0


Developer notes:
malware.exe is a non-repairable threat. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest available definitions.



Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created RapidRelease definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest RapidRelease definitions.
Downloading and Installing RapidRelease Definition Instructions:
1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as: http://securityresponse.symantec.com/
2. Click this link to the ftp site: ftp://ftp.symantec.com/public/engli...virus/rapidrelease/symrapidreleasedefsi32.exe. If it does not go to the site (this could take a minute or so if you have a slow connection), copy and paste the address into the address bar of your Web browser and then press Enter.
3. When a download dialog box appears, save the file to the Windows desktop.
4. Double-click the downloaded file and follow the prompts.

Virus definition detail:

Sequence Number: 89705
Defs Version: 101227e
Extended Version: 12/27/2008 rev.5

Should you have any questions about your submission, please contact
your regional technical support from the Symantec website and give them
the tracking number in the subject of this message."
------------------------------------------------------------------------------------
As for removal, Norton was the only product to recieve "++" from AV-test.org in both rootkit detection and removal ... removal seems easy on paper ... the automated analysis tracks the file's actions and all the AV has to do is remove the infected files. However, removal is not always the best option; complete removal can result in serious corruption.

 

Trend Micro has a similar system in place actually, and I must admit it works very well

 

Have you got the link for the trend micro virus submision or is it via there product?

Cheers

Jlo

 

http://subwiz.trendmicro.com/SubWiz/Default.asp

Try this