Dr.Web - Igor Danilov's Interview with CNEWS

Wanted to share with you all the English translation of Igor's recent interview with CNEWS in Russia. Nice pictures of him (drinking coffee) are available.

http://company.drweb.com/press/igor daniloff cnews interview may 2006/?lng=en

I would like to "personally" comment that he's a very humble and philosophical person. Learn more about what he and his team classify their virus databases, what they face daily, and how he keeps to improve and devout his entire company. Enjoy,

 

> Igor Danilov: "Everybody in the anti-virus software market knows that there are only five companies worldwide that offer technology of their own. The rest steal it from others."


Because I suppose that the vast majority of Wilders members are out of the av-business, can someone tell to us which are these other 4 "actual" players in that business?

DrWeb, F-Prot...?

Best regards,
Firefighter!

 

Saying "rest steals it from others" is kinda harsh if you ask me.
Some are pretty obvious stuff that are just borrowed and not stolen.
It's not like they steal their tech, they just get ideas from them.
Lets say some company creates new feature that no one offers. It's very likely that in few upcoming weeks or months, someone will impliment similar tech in their solution. Of course if it was proven to be effective by original company. This is used for ages in cars and electronic devices so i really don't see why AV world should be any different.

EDIT:
He's talking bullshit about Polip virus again. It's not that companies were not capable of detecting it, they were simply not aware of it's presence. The capability o repair infected files however is indeed the thing that DrWeb provided first. BitDefender followed as second. But yes, some companies are still not able to detect advanced polymorphic/metamorphic viruses because of not so good emulation engine (would be way too slow to process such files). At least thats what some major virus analysts and experts warn about.

 

VirusChaser and ?

Igor/Dr Web are certainly pushing out their PR of late!; Myths about Dr Web, the Win32.Polipos virus.

 

No bullshit about Polip. The news was not published right after the detection was added to the Dr.Web bases. It was published 1 month after it appeared. 30 days in P2P networks is not 3 hours. I don't think any of the big AVs don't care for P2P netwroks to the extent not to monitor them.

 

As i said, companies were simply not aware of it. After they got aware of this malware they've added it in very small timeframe, basically matter of hours or few days at most.
Now saying that companies couldn't add this sample for >30 days even though they were aware of it is pure BS, because thats simply not true.
Providing repair routines for successful file repairing is something else and most of companies indeed aren't capable of cleaning.
But detection != cleaning!
I first thought it was just a typo in news but seeing same stuff again here just confirms it. I HARDLY even think that big AV companies like Symantec, McAfee, BitDefender etc are so stupid that they can't add detection for such "simple" thing. Remember we're talkinga bout detection not cleaning.
And thats where DrWeb's PR is screaming like all other companies are a joke because they can't add detection in 30 days and more. Now, GOTO Line 0 and read again...

 

Igor Danilov wrote.

> There are many evaluation criteria. One is the ability to detect sophisticated polymorphic viruses without any exception. While testing our product we make, say, 10,000 copies of one and the same complicated virus. If at least one of those is left undetected, it's an emergency for us, and we send our anti-virus tool back for re-development.

Is this what he meant? You can't clean without detecting 100 % of them.

Best regards,
Firefighter!

 

Read the lines... Exact quaote from interview...

This is just one along few such lines. And it's clearly a bullshit of massive proportions. 1 months for such malware? If other AV companies would be that incapable i highly doubt they'd be still around here. Well, because they aren't so incapable. 100% detection has nothing to do with Polip sample as cleaning is a completelly different thing (as mentioned before because of usage of XTA crypter algo on infected files).
Besides avast! as very small company scores a complete 100% detection. So i really don't see any reason why McAfee or Symantec (and all others) couldn't do the same... Again please note we're talking about detection where DrWeb guys state that all other AVs were "unable to detect", where it was actually "were not aware of it". Thats a huge difference.

Who knows what lets say avast! detected before anyone else ever did (even till today). They could also start same marketing BS if they'd wanted for what? All i see here is covert promotion. But i never fell on such PR crap and i won't here either. I have nothing against anyone but i hate when companies talk BS just to get attention. Fine, you detected it first, can't argue with that but all i see here is direct bashing of other companies as being complete dorks and incapable analysts. Not so direct but i see it like this and nothing else.

 

During reading this i spilled my coffee.

Reference: http://pferrie.tripod.com/

If somebody would ask me to place some bet i would certainly go with Peter Ferrie, since he has in this field by FAR more expierence than Igor, who's blaming now the 2nd time other competitors. Peter Ferrie wrote a 800 lines ASM Code cleaner. Completely without Emulation. I know this because there was some kind of "private competition" between us.

 

I meant that with company size and number of experts in it, let alone Peter Ferrie (Symantec) as master guru for polymorphic and fileinfector stuff...
But ok, got the point

 

Proud of you

 

Stop drinking that poison. Take a cup of tea instead of it! It's more healthy.

Best regards,
Firefighter!

 

Looks like a poor attempt of desperately trying to distinguish their product from the competitors. Win32.Polip was *one* case, in how many other cases the competitors were (much) faster in reacting than Dr.Web?

 

Please be more specific. If you do a little research you will see how many people were infected by polip. They only had to wait a month to discover that their machine was infected.

It looks like polymorphic viruses were forgotten by the companies and nobody cared about polip. Everybody is focusing on Trojan downloaders nowadays…

So Stefan what took you guys so long to detect this virus?


tD

 

Everybody does that. Is this something new to you? Take a look around and you'll see that every single av company promoting itself as being the best or detected something before competitor etc. It’s a common business practice....

How do you know all this? There are so many malware samples that they are aware of it and yet they need months to detect it.


tD

 

It took a couple of hours to write & test a detection, detecting Win32.Polip is not very difficult as the virus author made the usual standard mistakes. Actually it took more time to replicate sufficient number of samples for testing than writing the detection.

It took us so long (did it?) because simply no customer reported problems or submitted samples. And yes, they would submit samples even without detection because the virus damaged exeuctables and would cause support calls. There was *one* Classic Edition user posting on our support forum and after that we added detection.

So what's all the fuss about? It was not a major ITW outbreak and there are alot of daily targeted attacks that stay below the "radar".
Even Dr.Web must prioritize to the order how they add detection for malware, so something gets added first and something later.

 

No user reported problem from another 20 companies either? How about R&D department? I don't expect for your company to have a big R&D department, but what about the big names.?

No fuss they published a small article and everybody got pissed. We have a million downloaders but once a while we get hit with the polymorphic virus (Oh wait, it was a virus and not some other malware). Something interesting for a change….


tD

 

The R&D does not decide the priority in which malware detection is added.
The vlab decides that, depending on various sources (customer reports, honeypots and so on).

And only because Win32.Polip was a new EPO poly virus after a long time it doesn't matter. We don't add detection based on if the malware is technical interesting for us researchers. We want to maximize the protection of *our* customers. Don't confuse "don't want to add detection right now (because it has no top priority)" with "we are not able to add detection because in reality we are a clueless bunch and cheat our customers". ;-)

And don't you think it's strange that Dr.Web was the only company that reacted this way and every single other AV company did not? Dr. Web is
the only one with a world-wide customer and honeypot network and detects every single outbreak at once? Hm...

 

Technodrome, how do i know that? It's a matter of simple logic, nothing else. I might not be a virus analyst but i'm not dumb. Sniffing around at Malware Research and learning from experts can sometimes yeld great results, even if it's just theoretical stuff and general malware things that everyone thats more into AVs should know. And in the end such PR big talk looks like cheap joke. For me of course, others might even bought this one as best thing after sliced bread.
But hey, who will complain? Maybe react to such accusations? I think no one, because no one wants to look like some childish "you did that, we did that" scenario. I don't work for either of AVs so i can tell whatever is on my mind.

I wouldn't even complain if DrWeb guys would say they detected it first and also first provided cleaning for it. Thats all true. But saying others were not able to detect it for more than 30 days and stuff like that, well thats something that i just can't accept and is actually an insult for other AV vendors. Maybe they should think twice before releasing such stupid stuff into public.

 

Nero
Plesk
Eserv

 

Thanks Andrey

 

Cheap joke? Why?They only stated true facts and there is nothing wrong about. As said, look around and you'll find similar statements from other AV vendors. I don't know why this particular statement from DrWeb folks pissed so many people here or elsewhere.


tD

 

Yes… and yet some of "these" av vendors and researchers are willing to add some test zoo viruses…*cough*…just to look better in the eyes of public.

A famous myth...

tD

 

The thing is they're not stating true facts! From what i understand from their PR text, they're saying other AV vendors were incapable of detecting Polip sample for more than 30 days. NOT TRUE. As i said, they were so damn capable of detecting it, they were just not aware of it. Stefan (AntiVir) got it because 1 user reported something. I mean 1 compared to few milion number userbase? So it's kinda obvious there's very small chance that someone else also got it before this major announcemement.

I seem to repeat myself over few posts with same stuff over and over again.
To make long story short, some "facts" are not true, thats why some of us aren't exactly happy with the way DrWeb is promoting itself.

 

I think to agree with Severyanin. Fact is that the virus was around in P2P networks for ~1 month and that in this case only DrWeb saw that peoples were really infected by it and a detection&cleaning is needed. Maybe there is a (translation?) misunderstanding of what Dr.Web says, as I think that "other companies were after - a month we did - still not able to provide detection for polip" could mean the same as "other companies added detection/cleaning for polip a month after we did". just my opinion....