Detecting polymorphics!

Discussion in 'other anti-virus software' started by Firefighter, Nov 14, 2004.

Thread Status:
Not open for further replies.
  1. Firefighter

    Firefighter Registered Member

    In VirusBulletin tests many AVs were detecting almost all polymorphic samples, because those samples had been unchanged for over a year.

    In real life, a friend of mine got infected with "W32/Pate.b" (= Win32.Parite.b by KAV) while using an updated AntiVir PE, a polymorphic virus that has been ITW for over a year. VB was still testing only one sample of this virus, and in the ITW category. Why?

    http://www.virusbtn.com/old/comparatives/NetWare/2004/test_sets.html

    Maybe this is why? According to VGrep, too many AVs performed really badly in a real situation.

    Best regards,
    Firefighter!
     

    Attached Files:

    • Pate.gif (18.2 KB)
    Last edited: Nov 14, 2004
  2. bellgamin

    bellgamin Registered Member

    @FF- Interesting. Thanks!

    3X Winners:
    BitDefender {Softwin}
    Sophos
    Kaspersky
    DrWeb {Dialogue Science}
    McAfee
     
  3. Firefighter

    Firefighter Registered Member

    Actually, when you look at all 37 variants in VGrep, McAfee 37/37, KAV 36/37, the others, who cares!

    PS. Just checked these variants by using "Win32.Parite.b" as the entry in VGrep; there were 70 variants of "Win32.Parite.b" in VGrep. I haven't counted the "winners" yet.

    Best regards,
    Firefighter!
     
    Last edited: Nov 14, 2004
  4. Firefighter

    Firefighter Registered Member

    Usually in VirusBulletin polymorphic tests, 6 scanners score a full 100% detection test after test against 43 polymorphic viruses and almost 15 500 samples (excluding KAV and DrWeb clones). In alphabetical order they are DrWeb, Kaspersky, McAfee, NOD, Norton and Sophos.

    How is it then against those 70 Win32.Parite.b variants? Here they are,

    97.1 % -- 68/70 - Kaspersky

    95.7 % -- 67/70 - McAfee & Norton

    94.3 % -- 66/70 - DrWeb

    92.9 % -- 65/70 - Sophos

    74.3 % -- 52/70 - NOD

    ---------------------- because the infected PC was protected by a "free" av, here they are

    87.1 % -- 61/70 - Panda

    67.1 % -- 49/70 - F-Prot

    60.0 % -- 42/70 - Avast & AVG

    58.6 % -- 41/70 - BitDefender

    47.1 % -- 33/70 - AntiVir

    All these when this Win32.Parite.b has been ITW over a year! I just can't imagine how poor the other scanners will be in this comparison.

    Best regards,
    Firefighter!
     
    Last edited: Nov 15, 2004
  5. Hyperion

    Hyperion Registered Member

    Thanks Firefighter. After all I've read about VirusBulletin, IMHO, it's just a basic index, nothing to rely upon heavily. It's good for commercial purposes though, allowing companies to put the "100%" mark on their websites, impressing the unaware customer :D
     
  6. profhsg

    profhsg Registered Member

    Firefighter:

    Do you believe that KAV engined AVs, such as F-Secure, which I use, will show the same ability to detect polymorphic viruses as KAV itself has?

    Thanks
     
  7. Firefighter

    Firefighter Registered Member

    Basically it's the engine and signatures that matter, so I think that with F-Secure it's at least as good as Kaspersky.

    PS. Just added some "free or free offer" scanners to my list above.

    Best regards,
    Firefighter!
     
    Last edited: Nov 15, 2004
  8. Tweakie

    Tweakie Registered Member

    After taking a close look at the VGrep results, I think that the biggest problem is probably that some of these 76 samples are actually not samples of W32/Parite.b (or maybe multi-infected samples?). A lot of the samples are flagged as Parite.b by KAV whereas other AVs recognize another malware (or nothing), mostly Spybots/SDbots/Agobots* (this also happens to F-Prot and BitDefender)... There also seem to be damaged samples (look for the Pate.b.dam McAfee detections).

    For example, I doubt that the 6th sample (first on your picture) actually is a Parite.b.

    --
    *Could sometimes be explained by the fact that the file dropped by Parite is packed with UPX, and that some scanners cannot unpack it ?
     
  9. Firefighter

    Firefighter Registered Member

    I don't think that it matters so much. Even with the Sophos signature, "W32/Parite-B", there are 59 of these polyinfectors, and the situation still remains about the same. Sophos has no heuristics and false positives are very uncommon.

    Best regards,
    Firefighter!
     
  10. IBK

    IBK AV Expert

    1. VGrep is _NOT_ intended to compare the detection rate of scanners. A polymorphic comparison based on the VGrep database is really poor. It should be only used for virus naming conventions.
    2. The VGrep database contains a lot of garbage files, so results are flawed.
    3. You do not know which settings were used. Also you must note that usually command line scanners are used to make the VGrep database.

    just my 2 cents... ;)
     
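The objection Tweakie and IBK raise above (samples labelled as the family by one scanner but as an unrelated bot, or as a damaged copy, by the others) can be checked mechanically before any per-scanner percentage is computed. The following is an added example, not code from this thread or from VGrep: it takes a small multi-scanner verdict table, drops samples that any scanner marks as damaged (".dam") and samples on which fewer than a chosen number of scanners agree on the family, and then reports each scanner's raw hit count beside its count over the filtered set. All scanner names (scanner_a to scanner_e), sample ids and verdict strings are constructed for illustration and describe no real product.

```python
"""Cross-checking a multi-scanner verdict table before counting detections.

Added example, not code from the thread or from VGrep.  Every scanner name,
sample id and verdict string below is constructed for illustration; none of
it describes a real product's results.
"""
from collections import Counter

# Vendor spellings of the family under test (Parite / Pate naming, as in the
# thread), matched case-insensitively as substrings of a verdict.
FAMILY_TOKENS = ("parite", "pate")

SCANNERS = ("scanner_a", "scanner_b", "scanner_c", "scanner_d", "scanner_e")

# Constructed verdict table: sample id -> {scanner: verdict or None}.
# None means the scanner reported nothing for that file.
VERDICTS = {
    "s1": {"scanner_a": "Win32.Parite.b", "scanner_b": "W32/Pate.b",
           "scanner_c": "W32/Parite-B", "scanner_d": "Win32.Parite.2",
           "scanner_e": "Win32/Parite.B"},
    "s2": {"scanner_a": "Win32.Parite.b", "scanner_b": "W32/Pate.b",
           "scanner_c": "W32/Parite-B", "scanner_d": "Win32.Parite.2",
           "scanner_e": None},
    # Only one scanner calls this Parite; the rest see an IRC bot or nothing.
    "s3": {"scanner_a": "Win32.Parite.b", "scanner_b": "W32/Sdbot.gen",
           "scanner_c": "Troj/SDBot-X", "scanner_d": None,
           "scanner_e": "Backdoor.SdBot"},
    # One scanner flags the file as a damaged (non-viable) copy.
    "s4": {"scanner_a": "Win32.Parite.b", "scanner_b": "W32/Pate.b.dam",
           "scanner_c": None, "scanner_d": None, "scanner_e": None},
    "s5": {"scanner_a": "Win32.Parite.b", "scanner_b": "W32/Pate.b",
           "scanner_c": None, "scanner_d": "Win32.Parite.2",
           "scanner_e": "Win32/Parite.B"},
    "s6": {"scanner_a": "Win32.Parite.b", "scanner_b": "W32/Agobot.gen",
           "scanner_c": "W32/Agobot-AB", "scanner_d": "Win32.HLLW.Agobot",
           "scanner_e": None},
    "s7": {"scanner_a": "Win32.Parite.b", "scanner_b": "W32/Pate.b",
           "scanner_c": "W32/Parite-B", "scanner_d": None, "scanner_e": None},
    "s8": {"scanner_a": None, "scanner_b": "W32/Pate.b",
           "scanner_c": "W32/Parite-B", "scanner_d": "Win32.Parite.2",
           "scanner_e": "Win32/Parite.B"},
}


def mentions_family(verdict):
    """True if the verdict string names the family at all (damaged or not).
    This is what a naive name search over the table counts as a 'hit'."""
    return verdict is not None and any(t in verdict.lower() for t in FAMILY_TOKENS)


def is_damaged(verdict):
    """'.dam' suffix: a corrupted copy that cannot replicate."""
    return verdict is not None and verdict.lower().endswith(".dam")


def names_family(verdict):
    """Family verdict on a viable (non-damaged) sample."""
    return mentions_family(verdict) and not is_damaged(verdict)


def classify_sample(verdicts, min_agree):
    """'damaged' if any scanner marks the copy as damaged, 'disputed' if fewer
    than min_agree scanners name the family, otherwise 'keep'."""
    if any(is_damaged(v) for v in verdicts.values()):
        return "damaged"
    agree = sum(1 for v in verdicts.values() if names_family(v))
    return "keep" if agree >= min_agree else "disputed"


def detection_rates(table, scanners, min_agree=3):
    """Per-scanner (detected, total) over the raw table and over the
    consensus-filtered table, plus how many samples fell in each class."""
    status = {sid: classify_sample(vs, min_agree) for sid, vs in table.items()}
    kept = {sid: vs for sid, vs in table.items() if status[sid] == "keep"}

    def rates(subset, hit):
        return {s: (sum(1 for vs in subset.values() if hit(vs.get(s))), len(subset))
                for s in scanners}

    return {
        "raw": rates(table, mentions_family),
        "filtered": rates(kept, names_family),
        "classes": dict(Counter(status.values())),
    }


def pct(hit, total):
    """Percentage as used in the thread's tables (e.g. 68/70 -> 97.1)."""
    return 100.0 * hit / total if total else 0.0


if __name__ == "__main__":
    result = detection_rates(VERDICTS, SCANNERS)
    print("sample classes:", result["classes"])
    for s in SCANNERS:
        rh, rt = result["raw"][s]
        fh, ft = result["filtered"][s]
        print(f"{s}: raw {rh}/{rt} ({pct(rh, rt):.1f}%)  "
              f"filtered {fh}/{ft} ({pct(fh, ft):.1f}%)")
```

In the constructed table scanner_a has the highest raw count (7/8) only because it labels the two bot samples and the damaged copy as the family; over the five samples the scanners actually agree on, it drops to 4/5 while scanner_b reaches 5/5. The threshold (min_agree) is a judgement call: too low and disputed files stay in, too high and a family only one or two engines detect is filtered away entirely.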
  11. Paul Wilders

    Paul Wilders Administrator

    ...couldn't agree more :)
     
  12. solarpowered candle

    solarpowered candle Registered Member

  13. Paul Wilders

    Paul Wilders Administrator

    Thanks :)
     
  14. Firefighter

    Firefighter Registered Member

    Good to know that even Sophos uses garbage files to increase its detection! Or is it simply that money talks?

    PS. What worries me most after all this is that there aren't any AV-test organisations that will test real ITW polymorphic sample collections; the last thing added to VirusBulletin's testbed was 29 samples of W32/Etap, over a year ago. Very promising!

    Best regards,
    Firefighter!
     
    Last edited: Nov 16, 2004
  15. IBK

    IBK AV Expert

    In German magazines I see Marx also does polymorphic tests.

    I am planning to do polymorphic tests in probably one year; I think it is interesting to see such tests too, but using VGrep for such things is the wrong approach.
     
  16. Firefighter

    Firefighter Registered Member

  17. Technodrome

    Technodrome Security Expert

    Sophos uses a genetic approach to detect viruses heuristically. Nothing like NOD32, Norman or DrWeb.


    tECHNODROME
     
  18. Firefighter

    Firefighter Registered Member

    Have I done something wrong by publishing these VGrep tables as in post 4 of this thread? Look at the new picture of this "Win32.Parite.b" taken just now in VGrep. In my mind there are some AV vendors missing (BitDefender and NOD).

    http://www.virusbtn.com/resources/vgrep/which_products/

    Is there some good reason to drop these AVs?

    Best regards,
    Firefighter!
     
    Last edited: Nov 27, 2004
  19. bellgamin

    bellgamin Registered Member

    Per FF's latest post, all 3 freebies (Avast, AVG, AVPE) bombed out according to this very narrow indicator.
     