ITW Viruses a Priority?

Eset boasts that NOD32 is "the only antivirus program in the world which has not missed a single "In The Wild" virus in more than five years in independent tests conducted by the prestigious antivirus industry trade journal, Virus Bulletin. ( www.virusbtn.com )"

In a related post, Ronjor noted that NOD32 had again scored 100%. I believe ITW (In The Wild) viruses are those that are, and have been, in global circulation for a while. Is this correct? And if so, would everyone agree that the ability to detect ITW viruses is the single most imporatant aspect of an AV tool? If not, why not?

 

Jup they are the 1st on priority list. ITW viruses are those that you will actually get/find out there and are not just a lab speciments.
They work hard on ITW viruses,but they also have to work on others,because in these days,chance of getting non-ITW virus is pretty high,especially if you don't know anything about these parasites and how to prevent infection in first place (still using Kazaa?)

Most of your second part of the post is correct

RejZoR
www.security-ops.tk

 

Thanks, RejZor! Why is the chance of getting a non-ITW virus high? If my understanding is correct, a non-ITW virus is one that is new? Don't most reliable AV companies update their signature files relatively quickly for new virii that are considered very high threats? And when they do, these in effect become ITW viruses, don't they? Maybe where I'm getting confused is in my understanding of what is considered an ITW virus, and wha't a non-ITW virus.

 

Very helpful, Ronjor. Thanks! Though it doesn't really explain why the chance of catching a non-ITW virus is high.

 

dear Dazed, ITW viruses are the ones which are reported by atleast two of the 78 virus experts around the world. as the name suggests these viruses are on the prowl and they are considered as the main threat. but there is another group called the ITZ or In-The-Zoo variety. these are generally lab viruses and some regional wildfire. note that if a virus doesn't get reported by atleast two of the 78 WildList reporters its not a ITW virus but still it can be a regional threat. sometimes when a virus-writer creates a virus, he/she reports it to an AV company and they add it to their detection list. its done because it makes the author's virus in the "Virus list", it makes some people happy. please don't ask me how or why. in addition to this a lot of people submit unknown samples to AV companies. then those AV companies releases updates and a new virus enters as their lab sample. sometimes a writer creates a cool virus and keeps it with him/her and some friends. these all are ITZ viruses. as you can see the ITZ viruses can have a promising career or a boring lab-life.

 

Well there are other things out there other than viruses or worms that typically are tested for in the VB or included in the Wild List. Trojans and spyware for example some of which are very much "ITW" so to speak. Depending upon the user's practices and security one can be "bitten" by things other than viruses and worms that are recognized as being ITW. (To further complicate matters many worms out now ITW can install a backdoor app which would be considered a trojan. So some worms are not just worms in their infection cababilities.)

For that reason, AV's aren't really pure AV's anymore. Which leads to the various arguments between those who want an AV to catch everything and be an all in one solution and those who prefer to use more specialized products to deal with the variety of threats.

Other than that, yes I think a good AV should at least be able to deal with recognized ITW viruses and worms and update in a timely fashion or have sufficient heuristic abilities to deal with new threats, certainly at least in the virus/worm category. No product is always perfect in this regard but some are better than others in terms of timeliness in dealing with such new threats.

As to overall detection of all sorts of malware, that's where the discussions begin and it depends on the user's preference in dealing with the other sorts of malware as I noted above as to which AV might better suit their needs/wants and their specific system. (The "best" AV in the world is of no use if for some reason it doesn't run well on one's system and creates other problems. This is a YMMV area as we've seen.)

 

Thanks, AMRX. I learned a new term. Before I got smart and purchased NOD32, I used a number of inferior products (McAffee, Norton, etc). When I've gotten viruses in the past, they have always been of the type that have been around for a while. My AV just somehow missed it (never could explain it). For the most part, I practice VERY safe computing, and even take it up another notch when I hear of a newbie virus/worm going around. So, for me I don't think it's likely I'm going to catch something new.

 

not all ITZ viruses r threats. for example some virus writers creates a virus and keeps it to himself/herself only. AV companies doesn't infect computers with theirs. a lot of virus coders keep their piece of codes in their circle but some release them. a good virus has delayed payload delivery and fast infection rate. so it happens that after an incubation period a ITZ virus leaps forward to become a ITW. sometimes by accident a ITZ virus infects a public computer and goes ITW. so my point is that non-ITZ viruses are threats alright but the level is lower than that of the ITW viruses.

 

McAfee is definitely not an inferior AV product. IMO, it's one of the best engines in
production today, competing neck-to-neck with KAV and F-Secure. However, I can't
say the same for NAV.

Regards,
AgentX

 

thats good, you wanna know a secret? if you patch your OS well and if you use your computing resources well then your well of without an AV. well i admit it depends a lot on your computing habits. when it comes to stopping ITW viruses Norton does a good job and currently McAfee is ruling the nest. read the forum posts and keep yourself updated.

 

AMRX raises another good point. Some zoo viruses are not ITW and never have been but some AV's detect them and some AV tests test for them. And then other AV's may put them in their databases since they looked bad in such tests and their customers were upset. Such tests for me are largely database tests and not necessarily a test of protection against potential iminent threats.

I think Rodzilla has mentioned in the past that the VB tests only for zoo viruses that have previously been in the wild so it's not just testing lab rats. Those results can be interesting if one thinks an AV should at least catch zoo viruses that were known to have been in the wild.

The best one can do is to try to learn the issues as discussed here and then decide, based on one's use, what sort of product you feel most suits your needs based on your practices. No AV is perfect all the time. Which is why I regard an AV as a backup to my computing practices in case I screw up, not my main defense against malware.

But for others who aren't particularly knowledgeable and engage in high risk activities and might pick up some interesting specimen that I'd never see, I'd be inclined to recommend an AV with good overall detection, even if it includes some crud or lab rats, and an AT as well.

(If their PC and OS can take it, that is. It seems to me that the more capacities for detection [in terms of packed and archived files, etc] the more resources are used and perhaps more system intrusive the AV has to be. Which is why, for example, some people could not or would not use the KAV 4's or tweaked them so that they wouldn't unduly affect system performance. Which is also why some people looked forward to KAV 5's release to see if that aspect had been improved. And also why still others look to further improvements in NOD in the hopes that it will improve its proactive detection capabilities all around and yet retain a lighter touch on the system.)

 

sorry Ronjor, i'm not into inflicting injuries. i don't wanna talk about this but be sure that i never did or will do anything to harm other people. everything i do its just for my knowledge and with that 2bit little thing i try to help people. thats why i'm here. i won't talk about this anymore. this is not my personal forum and it was my mistake to disclose something i shouldn't have. i apologise to all.

 

I would hope "Firefighter" is one of them LOL.. But seriously, he DOES test a lot of stuff out there..

 

To everyone from Firefighter!

If ITW viruses were really the most possible infections to everyone's PC, why DrWeb, still a small av-producer, had updated it's program with 368 new VIRUS entries during the first three months this year, as u can see from the links below?

http://www.dials.ru/english/inf/news.php?id=754


There has been added totally 64 ITW viruses in the same time to the official ITW list.

http://www.wildlist.org/WildList/200403.htm

http://www.wildlist.org/WildList/200312.htm


Some weeks before I wrote that there were even less new ITW viruses, but I forgot that they also have removed 13 not anymore ITW viruses from their official ITW list.

During this three months, VB has made one new av-test against ITW viruses, where were only about the same amount of not before tested ITW viruses. Is that 64 new viruses enough to say if an av is REAL WORLD ITW and a VB 100% Award winner? In my mind not.

In the same time when DrWeb added 368 new viruses, DrWeb had added many times more trojans & backdoors to their own database (1192 or 1570, depending on how we are reading this DrWeb summary table). Those nasties were even not tested by VirusBulletin, maybe because it is only V I R U S Bulletin. But if those trojans are totally harmless, why DrWeb added 3...4 times more trojans to their database? Actually in that DrWeb summary table there are some 81 % new trojans & backdoors and the rest is that virus stuff.

Are those 304 new not ITW viruses added to DrWeb's database only "laboratory" viruses? I don't think so. In certain countries, where english is not the language we are using for, those viruses may be quite common. Be Global, Act Local, is the only way to secure your av-product worldwide! That's why ITW viruses with VB 100% Awards are only a myth.

Best regards,
Firefighter!

 

Yeah most of us know that VB100% is not the one and only to be trusted.
I have pretty close contact with Alwil guys (avast! Antivirus) and they usually try to explain us what went wrong on specific VB100% test if we ask them. In lots of FAILED cases there were minor (technical) problems or those VB100% guys didn't know how to use certain function and they gave FAILED because of it (yeah sounds stupid). But it certanly raises software quality since they check standard tests and if something goes wrong,AV developers can fix it. Also it shows certain overall software quality.

 

Just give Cat/Quickheal some time.. It may surprise us all..

http://www.virusbtn.com/vb100/archives/products.xml?quickheal.xml

 

To Paul Wilders from Firefighter!

Is it that's why when only I am making LOCAL deciosions by choosing those sites where I want to visit? Those decisions are truly LOCAL, not GLOBAL, as we all do LOCAL decisions in our habits.

Because I don't have a clue in regard to the subject, I can still read. According to The WildList Organization International:

http://www.wildlist.org/WildList/RTWL.htm

"The list (ITW-list) should not be considered a list of "the most common viruses", however, since no specific provision is made for a commonness factor.

This data indicates only "which" viruses are In-the-Wild, but viruses reported by many (or most) participants are obviously widespread."


The WildList Organization International is recognizing that these viruses in their ITW list are not even the most common viruses. Actually these are viruses picked from 78 professionals own ITW lists. What more to add? Only those professionals have classified which viruses will be found all around the world in the near future! They have not decided which kind of sites he or she is visiting and so what kind of viruses there are hiding.

My main message was only that, what ever you do in the web, every step you take, you are making LOCAL decisions, those sites you visit are mainly LOCAL, there is no universal defined safe web-world, only more or less safe places where you can't suspect all possible risks waiting for you. You just need not to download anything, but still there is a possibility to get infected.

Secondly, when I don't have a clue in regard to testing overall, I'm just happy to announce that in the beginning of April, when I started my testing, it took some two weeks when "the King of ITW scanners" had added over ten infections to their database. But just now, when I have picked more new infections from the web, the same scanner had added the same amount of new findings to their database only 5 days after my last test. This all happened even though I didn't submit any sample to any av-producer. Obviously I am closing the REAL ITW virus WORLD!

Best regards,
Firefighter!

 

Read this last remark by "QSection"...

https://www.wilderssecurity.com/showthread.php?p=187687#post187687

Typical Nod32 users reaction... "Oh, it's a worm, don't blame NOD32 for that!"...

Is there something I or anyone can blame NOD32 for?

Let me put it to you this way...

1. My AV must be able to detect ITW, that is a given.. How it did 4 years ago doesn't matter... AV Software changes.... Recent performance is my priority (say, the past two years,,,)... BUT..

It must also detect most of the new malware, because that is all prevalent today, too, and who is to say what won't be ITW tommorow...the way things are going...

Yes, I agree with layered defense.. BUT I would rather have two or more products on my computer doing a crisscross of the same detection than have one product detcting strictly worms, another strictly viruses, another strictly trojans...etc...

removed

 

To everyone from Firefighter!

Once again, when I tried to show some facts about ITW viruses published by The WildList Organization International, the result will be that I do not understand nothing. Is it my fault that those some 21 new viruses in the official ITW list per month looks like a drop in the sea against those more than 500 new entries DrWeb has per month? Or is it because several av-vendors are continuously using that VB 100% Award as a main advertising factor? Yes, my fault again!

What ever I wrote, the answer will be the same against my facts. When I have told about the tests of my own, the answer will be that of course they are rubbish.

I have also some 162 "clean" file collection picked from the same sources as my infected samples. That collection was proved as clean by AntiVir 6.25, Avast 4.1 Home, AVG 6.0, BitDefender 7.2 Free, DrWeb 4.31b, KAV 5.0, NOD32 with AH, Panda Platinum 7.05.07 and RAV online scan. Few days ago, I scanned my "clean" collection with McAfee 7.03. It suddenly found about ten infected archives where was two viruses and the rest were trojans, today Panda found an archive as infected with a macro virus, W97M/Wmvg.B, some weeks ago Panda found nothing. Just now ClamWin 0.35 found a new macro virus from that "clean" collection, W97M.Furio.A. Obviously my collections aren't so rubbish at all, although I have never sent a single file to any av-vendor. NOD32 with AH is capable to detect from my "infected" collection more and more new infections week after week, why?

PS. OK, that W97M.Furio.A may be a false positive with ClamWin 0.35, because that was first detected 2002, and BDF 7.2, KAV and Panda found nothing, just checked.

Best regards,
Firefighter!