Wilders Security Forums  

  #1  
Old November 19th, 2003, 10:17 AM
tahoma tahoma is offline
Frequent Poster
 
Join Date: May 2003
Posts: 228
Default kav misses 2 trojans that drweb finds..?

twice in the last 2 weeks my drweb has picked up trojans in files that kav says are clean. i dont remember what the first one was called, but the one i got today drweb identified as trojan.muldrop.310. note that both were positively identified by drweb and not 'probably blah blah'

im well aware of drwebs false positives, but the falses usually are identified as smt with 'probably'

anyhow, since kav declared this file clean i decided it probably was (it usually is) and unrared it and everything went wild and after a while the pc froze (dont know if that was related to the possible trojan). several reboots later things were working again and the computer clean. not sure exactly what happened, but smt kept the pc busy at bootup (drweb cleaning up??) and the comp locked.

in the end things worked as usual and did a full scan with both drweb and kav and everything was clean. nothing in the drweb logs either (maybe cos i turned off the power when it hung?)

anyhow, i dont know what my point is by telling this story, but its made me trust drweb more than i trust kav..i guess

ive also noticed drweb having very frequent updates lately (like up to 6 updated definitions per day )

i guess i just want your comments on this, if u have any

thanks
__________________
I'm a llama!
  #2  
Old November 19th, 2003, 10:31 AM
Igor K. Igor K. is offline
AV Expert
 
Join Date: Feb 2003
Location: Moscow
Posts: 26
Default Re:kav misses 2 trojans that drweb finds..?

Hello, Tahoma!

KAV releases updates for new viruses rather quickly. If you send in those new viruses (if they indeed are new and not DrWeb falses), they will be added to the next update within several hours and you will be able to check your system with KAV Scanner. It would be great if you could put them in an archive with a password and send it to support@kaspersky.com

Sincerely,

Igor

KL H.Q.
Moscow, Russia
__________________
_________
KL Moscow
  #3  
Old November 19th, 2003, 10:56 AM
tahoma tahoma is offline
Frequent Poster
 
Join Date: May 2003
Posts: 228
Default Re:kav misses 2 trojans that drweb finds..?

hey, thanks for reply

ive spent the last hour looking online for the file i downloaded, without success. so im sorry i cant send it
__________________
I'm a llama!
  #4  
Old November 19th, 2003, 11:34 AM
Barney Barney is offline
Regular Poster
 
Join Date: Jun 2003
Posts: 117
Default Re:kav misses 2 trojans that drweb finds..?

I have found that DRWEB almost 99% of the time is accurate unless they specifically state "Probably a _____ virus". When they use the word "Probably", I do question it and double check it with KAV. But DRWEB is an EXCELLENT antivirus, the best in my opinion. If it flat out states that it has found a specific virus, I absolutely trust it and delete/cure the file. Out of curiosity, I still double check it with KAV. This whole "False Positive" assumption has really gotten out of hand. Very rarely, I do get one, but it will specifically use the word "Probably". Then and only then do I double check it.

Barney
  #5  
Old November 19th, 2003, 12:15 PM
tahoma tahoma is offline
Frequent Poster
 
Join Date: May 2003
Posts: 228
Default Re:kav misses 2 trojans that drweb finds..?

barney, thats my exact approach too, i even like the false positives (hijackthis is one), hijackthis isnt malware, but its capable of changing homepages, setting stuff to run at startup and modifying various system settings, so i actually agree with drweb that it is potential malware if used the wrong way (but hijackthis is an excellent little freebie tho, dont get me wrong, its pure goodness)

on another note ive identified the trojan i had as this one http://www.sophos.com/virusinfo/analyses/trojgraybirda.html (or a mutation of this one), like i said, drweb calls it smt else (scroll upwards)
__________________
I'm a llama!
  #6  
Old November 19th, 2003, 12:23 PM
Barney Barney is offline
Regular Poster
 
Join Date: Jun 2003
Posts: 117
Default Re:kav misses 2 trojans that drweb finds..?

Very true, Tahoma. False positives indicate to me that a specific program has "virus" similarities that require possible attention. I occasionally see these latest and greatest freeware programs thought to be harmless and later found to be trojan horses. DRWEB is ahead of the game and labels these as possible viruses or trojans. I find it to be a valuable asset to DRWEB.

Barney
  #7  
Old November 21st, 2003, 08:47 AM
tahoma tahoma is offline
Frequent Poster
 
Join Date: May 2003
Posts: 228
Default Re:kav misses 2 trojans that drweb finds..?

someone oughtta make a drweb+kav dual scanner. id buy that right away
__________________
I'm a llama!
  #8  
Old November 22nd, 2003, 04:42 AM
Paul Wilders Paul Wilders is offline
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,461
Default Re:kav misses 2 trojans that drweb finds..?

Quote (Barney):
I have found that DRWEB almost 99% of the time is accurate unless they specifically state "Probably a _____ virus". When they use the word "Probably", I do question it and double check it with KAV. But DRWEB is an EXCELLENT antivirus, the best in my opinion. If it flat out states that it has found a specific virus, I absolutely trust it and delete/cure the file. Out of curiosity, I still double check it with KAV. This whole "False Positive" assumption has really gotten out of hand. Very rarely, I do get one, but it will specifically use the word "Probably". Then and only then do I double check it.

Barney

Barney,

For sure double checking is the way to go; no doubt about that.

As for false positives: "flat out positives" as you call them have been proven false positives (due to strong heuristics) on many, many occasions - we have received hundreds of emails from Dr.Web users who actually crippled their system by deleting perfectly sound files that way. On one of our test systems we have been able to verify this in the past.

Bottom line: Dr.Web surely belongs to the top notch antiviruses range, but should be handled with the utmost care, and by no means by the "average Joe" = 99% of pc users.

regards,

paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
  #9  
Old November 22nd, 2003, 08:22 PM
Barney Barney is offline
Regular Poster
 
Join Date: Jun 2003
Posts: 117
Default Re:kav misses 2 trojans that drweb finds..?

Paul,

If I am not mistaken, an AV with Heuristics means that it has the capability to detect unknown viruses (creating false positives on occasion)? I had DRWEB a few days ago detect the Slammer worm on my system. This is already a known worm in DRWEB's signature database. Are you saying that this could still be a false positive? Doesn't the fact that this worm is already accounted for ensure the reliability of its detection by DRWEB? If not, I better get a few more back up AV's. Anybody have any input on this please let me know.

Thanks.

Barney
  #10  
Old November 23rd, 2003, 09:18 PM
Paul Wilders Paul Wilders is offline
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,461
Default Re:kav misses 2 trojans that drweb finds..?

Quote (Barney):
Paul,

If I am not mistaken, an AV with Heuristics means that it has the capability to detect unknown viruses (creating false positives on occasion)?

It boils down to that.

Quote:
I had DRWEB a few days ago detect the Slammer worm on my system. This is already a known worm in DRWEB's signature database.

I'll take it, Slammer has been detected a while after the relevant database update, during an on-demand scan, and System Restore isn't an issue here?

Quote:
Are you saying that this could still be a false positive?

In principle: yes, it could be a false positive.

Quote:
Doesn't the fact that this worm is already accounted for ensure the reliability of its detection by DRWEB?

Providing you've updated the database timely and System Restore is a non-issue, the resident running scanner would have picked it up. In case an on-demand system scan did cause this alert, I would recommend submitting the file for further investigation.

regards.

paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
  #11  
Old November 24th, 2003, 03:37 AM
Igor K. Igor K. is offline
AV Expert
 
Join Date: Feb 2003
Location: Moscow
Posts: 26
Default Re:kav misses 2 trojans that drweb finds..?

Hello, Barney!

Also kindly bear in mind, that Slammer exists only in memory of the computer and does not make any hard copies on the hard drive.

Sincerely,

Igor
__________________
_________
KL Moscow
  #12  
Old November 26th, 2003, 07:42 PM
nameless nameless is offline
Very Frequent Poster
 
Join Date: Feb 2003
Posts: 1,122
Default Re:kav misses 2 trojans that drweb finds..?

What I want to know, seriously, is: Where do you guys go, and what do you do, to come across so much malware? I download stuff constantly, and never come across anything (unless TDS-3, BOClean, PC-cillin, Norton, Panda, RAV, McAfee, BitDefender, NOD32, TrojanHunter, a2, and KAV are all wrong).

I am NOT bragging or making light here--I seriously want to know, out of innocent curiosity.
__________________
They say the only totally secure PC is one that is turned off. So, I showed my PC a photo of my wife! [ba-dum-bum-tsss]
  #13  
Old November 26th, 2003, 09:03 PM
controler controler is offline
Massive Poster
 
Join Date: Jun 2002
Posts: 3,268
Default Re:kav misses 2 trojans that drweb finds..?

nameless

they get samples from people like you and I..

I know there are a few AVs that don't scan zipped files. they feel there is no need to and then try to catch them when unzipped or executed.
I have to shut down my firewall to make posts here and I don't think that is right either.

con
  #14  
Old November 26th, 2003, 09:43 PM
nameless nameless is offline
Very Frequent Poster
 
Join Date: Feb 2003
Posts: 1,122
Default Re:kav misses 2 trojans that drweb finds..?

I meant, where do people like the OP (tahoma) come across trojans and such? I get the impression that people download software just like I do, but somehow have worse luck.
__________________
They say the only totally secure PC is one that is turned off. So, I showed my PC a photo of my wife! [ba-dum-bum-tsss]
  #15  
Old November 26th, 2003, 09:54 PM
rerun2 rerun2 is offline
Frequent Poster
 
Join Date: Aug 2003
Posts: 338
Default Re:kav misses 2 trojans that drweb finds..?

http://www.wilderssecurity.com/showthread.php?t=13706;start=msg87299#msg87299

I had posted this a while ago and did not get any replies, but it may be of interest to bring it up again here. Maybe this SQL worm identification is a FP. No file was downloaded in my case, and as I mentioned I was only online for about an hour. Mostly browsing this forum.

A few strange things to note is that I do not have SQL installed, I was fully patched and running a firewall (even with a couple of rules blocking the SQL worm traffic heh), and that it was even found in the running process of my firewall.
  #16  
Old November 27th, 2003, 01:06 AM
Barney Barney is offline
Regular Poster
 
Join Date: Jun 2003
Posts: 117
Default Re:kav misses 2 trojans that drweb finds..?

Rerun2, that is very strange. I am also running DRWEB and it detected the following worm a few days ago: "WIN32.SQL.SLAMMER.376". I don't have any proof, but I suspect that it was a positive indication. DRWEB's website indicates that their unique way of detection is what allows DRWEB to pick up this virus. It was supposedly the first AV able to detect this virus in memory. Check the site out if you want more info. Later dude.

Barney
  #17  
Old November 27th, 2003, 01:11 AM
Paul Wilders Paul Wilders is offline
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,461
Default Re:kav misses 2 trojans that drweb finds..?

Barney,

See my reply on the first page from this thread. A question: how did you get "infected" in the first place, following your presumption?

regards.

paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
  #18  
Old November 27th, 2003, 10:05 AM
tahoma tahoma is offline
Frequent Poster
 
Join Date: May 2003
Posts: 228
Default Re:kav misses 2 trojans that drweb finds..?

without admitting anything regarding my own habits, trojans/viruses can (ive heard) in general frequently be encountered on more or less illegal websites with contents like cracks and keygens for commercial software
__________________
I'm a llama!
 
