Virus Weekly Stats....0Day

bunk, I still ain't sure

Waiting for someone to find out if it is

By either way, alot of malware is tested and drweb detects alot of it, so, so far I'm happy

I never rely on tests but some ppl do, to me ... I know from personal experience that drweb is better than most ppl think here on wilders.

 

Most of these critics have never even used Dr Web!

 

numerous posts totally un-related to the thread topic at hand moved to a thread of their own for further discussion.

Moved here---> https://www.wilderssecurity.com/showthread.php?t=197113

 

Got a reply and they're using the publicly available signatures for all of the scanners and are testing all products against the same set of binaries. So the numbers are true.

Patrik

 

Evening all,

Richard here from Shadowserver. You can blame me for any mistakes on our web pages. In the future if anyone has a question about any of the statistics, our methods on generating them, or anything, please drop me an email.

Now on to the more specific questions.

All the results that you see on our pages are really controlled by several factors. The primary being what types of binaries we actually gathered in the last day, and which ones were queued up for the testing. Some of the AV vendors do very well against certain types of malware and not as well against others.

We get in between 50k to 200k new unique binaries each day. We are only able to test a portion of those because of resource constraints. We generate the test list and each vendor is tested against the exact same list. Not all vendors were created equal, and some can take a large amount of time to test the same set of binaries. So, this limits us on how many we can test. Unless of course someone wants to donate more dual quad-core machines for us to use...

The specific results are those that each vendor spits out. We did our best to write a generic parser to catch each of the 'real' names that the vendors uses, but even that can never be perfect.

We treat each of the vendors equally and are not sponsored by any of them. Several have donated licenses for us to us, but we have paid for the majority of them ourselves. Any vendor that donates a license will be sent up to 10k binaries each day that they do not detect. Assuming that do not detect that many.

Each vendor is updated once an hour from the normal public repositories that any normal user would be using. So, depending on your version and options, YMWV. You can see the specifics on our command usage here:

http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.Viruses

We have tried to show the data as impartially as possible, so, if anyone has any suggestions on how to improve upon what we are showing, I am happy to take in any suggestions that you may have. I just cannot promise to try to reply to all the posts, unless someone warns me that I should..

Hopefully this helped clarify some of how we are generating the statistics that seemed to have created some confusion.


Richard

 

The problem is, people have a tendency to see numbers as an absolute, while often (as in this case) they do not mean exactly what they think they do.
Admittedly that's not really the fault of Shadowserver, but you may want to add something about the numbers explaining there is a heavy bias towards samples of a malware variant that you receive very often.

Taking todays stats as an example:
Total number of samples: 67400
Brontok.Z.1: 63334

So, ~93% of the sample set are actually one and the same malware strain. Binary-different maybe, but that's not really relevant here now is it?

Dear Forum Folks, you should know by now that you can't take such values as absolute indicators of detection rate.

@freed0: You really should add something mentioning that bias to your stats pages, it might even prevent some misunderstandings of what you guys do and keep random accusations off your backs. In very large red letters

 

well done for drweb then

 

Does that web site not like Firefox? The 0Day Summary and ReTry Summary (whatever that is) is not there. Two large blank spots.

 

works fine with Firefox for me,
perhaps an add-on is causing the problem?

 

Yes it works fine for me too. Maybe just refer to the screenies posted before.

 

I don't know what it could be. I only have 7 extensions and none of them should affect the display of the page like that. I tried on both Fx 1.5.12 and Fx 2.0.

I then tried on Opera 9.24 and I can see it there. Fx displays EVERYTHING on that website in a weird manner. I didn't realize how strange the display is of the part of the page I can see on Fx until I tried Opera there.

 

I have Fx and no problems at all.

 

Same here, Firefox and Opera work perfectly. It must a plug in or something Mele

 

or something with how Proxomitron is handling things....

Blue

 

Norman is doing great here
http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.VirusWeeklyStats

 

there are many 99% avs this week for zero day

 

Indeed
They did well