Dr.Web - Igor Danilov's Interview with CNEWS

Discussion in 'other anti-virus software' started by Miyagi, May 31, 2006.

Thread Status:
Not open for further replies.
  1. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
    I have the same opinion as Technodrome, and really don't understand why people are bashing like this. I see lots of PR activity from other AV vendors as well, and many times they are even more dubious than this.

    If we take a look at NOD32's website they state they have the "lowest memory consumption", guess they forgot about Dr Web and F-Prot?

    Also, our respected member Inspector (Mike) claims this polipos is peanuts to detect. Then why did it take so long for F-Prot to come up with good signatures?

    One thread doesn't say everything, but it gives us a small look in the future where new advanced malware will spread more and more often. Therefore we shouldn't forget that our experts are all in the AV world, and that they're earning their bread with this, their opinions are always "colored/flavoured" or how else you will name it. Not doubting their knowledge, but business remains business...
     
  2. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    From PR text:
    But a whole month has passed since then, and there isn't a single anti-virus tool in the world that can detect it. None of those “leaders” who claim to use the world's best technology can detect this virus.

    How you see it and read it is entirely up to you, Rejzor.


    tD
     
  3. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Mike never said it's hard to detect. He said it's tricky on some parts but nothing to brag about. He however did confirm pretty strong anti cleaning encryption. And that's the whole thing we're even talking here.
    Or maybe DrWeb should start cleaning their translation department.
    Coz such badly written news won't do any good to them.
    My native language is not English, but if I'd be writing this news I'd certainly write in it that "we detected this virus 1 month before others did" and "we were also the first to provide cleaning routine for it". This would be a 100% correct statement with no misleading info. But it's not like this. :rolleyes:

    EDIT:
    Official news appears to be modified as it was written different back then.
    Also Igor doesn't say the same in interview either...
     
  4. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    426
    Location:
    None
    English translation - That's something they need to work on, and I am sure they will work harder on this. Sometimes the English translation is a bit aggressive but let's try to be more reasonable in terms of what they are trying to convey. Their support has improved in the last 6 months with more interaction with the forum community. :)

    Please note that Dr.Web is a company that has been quiet for years in terms of PR. Why? We have to understand where they are coming from and what they deal with their business in Russia. I am sure they have a big competitor next to them. (KL). I feel that it's about time for Dr.Web to be not ignorant but state the true facts.

    To me the article is interesting to know more about what they deal with and how av businesses work these days. Yeah, but I don't think they are trying to bash other av vendors. Like what Mike said, av-experts are not necessarily enemies; they share virus samples and drink together. ;)
     
  5. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    IBK, an explanation could be that most outbreak sensors/honeypots are covering email, irc and network (exploit), not monitoring p2p networks? Did you get any bigger reports of Polip infections?

    To say that the other Av companies had the sample and waited 1 month to add detection is nonsense.

    BTW, it is common practise to send newly discovered ITW malware to other vendors. What good is it to sit on some samples - the next outbreak you might be the one that has no sample at hand.
    I have to ask our Vlab if they ever got any mail from Dr.Web but AFAIR Dr.Web doesn't share samples.

    Did Polip actually make it into the WildList?
     
  6. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Because during this time when this Polipop Fuss came up I was in "nomansland". Meaning that I did leave ESET, but not moved to Frisk. All my computers were at this time on a ship traveling to Iceland. Except my Apple Laptop. I wrote already long time before Dr.Web a detection for this - because I found it in the P2P Network attached to an installer Setup.exe File. But at this time it was NOT widely spread (and it never got this!)

    As RejZoR states in the next posting - I've always said detection is trivial. AND IT IS. Even a company like Ikarus managed it. So what's the fuss about being difficult to detect? IT IS NOT DIFFICULT TO DETECT. NOT A BIT. But it is of course more advanced to clean this virus - because of the fact that you cannot determine which infected files are already corrupted by the virus. Corrupted Files you cannot repair. But it's also difficult to determine such files before trying to disinfect them. But more about this you will read in the next VB issue, July 2006.
     
  7. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    McAfee for example is monitoring p2p networks quite good I think. I (or better my colleagues in Innsbruck) had no PCs received infected by Polip. All I saw were posts in various forums (e.g. trojanerboard falls in my mind now) from users which were infected by it. You are right, of course if no user reports it to the appropriate people (av vendor) and the av companies that saw that the sample is around do not warn / send it to other companies, it's hard to add detection for it :p.
    But I think that maybe some other big companies also had the sample already and they just mis-classified it as low risk and did not add it immediately. Dunno, but could be possible.
     
  8. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Problem of P2P networks is that malware doesn't get pushed to user (email, IM, exploits), but user has to download it by himself. And if they don't download that very specific sample, it simply won't spread or at very low rate.
     
  9. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Strange thing is, wouldn't someone have uploaded a Polip-infected sample to a service like Jotti or something? At least that way the AV vendors would have received the samples sooner :doubt:

    About the whole issue, I need to say that it's just PR. Never let PR comments change your opinion of any company. It's not the marketing that matters, it's the effectiveness of the product itself. All words in the interview are subject to personal interpretation. It does not matter what words someone uses to express something, you have to catch the purpose of saying it and what he means by saying it.

    As for Polipos, I don't blame anyone for it. Perhaps P2P monitoring should be increased. :)
     
  10. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I'll wisely leave the technical discussion of Mr. Danilov's comments to those who know what they're talking about (specifically Inspector, Technodrome, Stefan, Severyanin, & IBK). As to Mr. Danilov himself, I like him! I like his attitudes. I like his expressed philosophy...
    I'm sure Mr. Danilov doesn't fully live up to his philosophy. NO one does so. But I like what he is shooting for. I do hope he preserves DrWeb, & doesn't go the way of Ewido, RAV, DrSolomon, etc.
     
  11. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Igor Danilov: "Everybody in the anti-virus software market knows that there are only five companies worldwide that offer technology of their own. The rest steal it from others."

    Yikes.... I wonder whether he ever tried counting with more than one hand.... There are a lot more than 5 companies with their own scanning engines! Yes there are many resellers/engine licensing companies, but 5? Come on Igor, you must know better than that...

    Writing an emergency detection for polip without use of an emu or anything advanced requires only a few minutes if you already have basic PE handling functions, it may not be the 'nicest' way of detecting it but it works without much of a false positive risk. Yes it is that simple to detect. Cleaning it is something different though.
     
  12. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    426
    Location:
    None
  13. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    lol,

    i just love it when someone adds fuel to the fire, creates a nice long interesting thread for everyone to participate in :D

    love it, dr.web :D

    although i don't understand why this interview has only just come up, i read it many moons ago.
     
  14. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    The first post in this thread was made on May 31, 2006 :)
     
  15. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    oh, well that's why.... lol

    thought i'd read it, was thinking it might have been a deja-vu :D
     