Ewido monster update

The Ewido database went from 115,000 sigs to 150,000 sigs today.

Does anyone know what this was about?

New categories of malware covered perhaps - or was it just 'traces'?

 

yep the update was much bigger than normal it was half a mb

i am happy that its gone so high

lololol

 

I wish vendors would explain these kind of jumps and what is actually in their database. I don't think it is credible to have this kind of jump without some explanation. Feels more like a sales/marketing induced jump as opposed to a real increase in security. I prefer simple and understandable so I know where I am protected and where I am not. Thus my preference for products like ProcessGuard with which I know exactly the kind of protection I am getting.

Ewido's new database size feels suspicious to me - as does the size of many other databases. Right now, KAV is probably the gold standard to measure by. It measures at around 131,000 in its supersecure database - which includes riskware (that is, not all entries are necessarily viruses/trojans/spyware).

Rich

 

I trust in ewido!!!

They are a great company, have an excellent support and works a lot to improve its products...

 

It is wise to not be so quick to trust

 

The new signatures are mostly from a new malware collection update. No registry traces etc.

 

Nice to know fish, thanx.

 

Thanks fish.

Rich

 

35,000 in one day? I'm not saying it can't be done but i find it very hard to believe. Ewido achieves normally 100 a day or less. Then 35,000 in one day. Maths has never been my strong point, but the numbers seem a bit high. Any chance of some enlightenment?

muf

 

is reading a bit of a problem?

From Ewido's Golden Fish: The new signatures are mostly from a new malware collection update. No registry traces etc.

So: a collection that was added... and that can be anything from 1 to several million.

 

I do not mean to hijack this thread however...

I just tried to dl ewido from there site. The exe downloads but when it does, it is not correct.

It looks like a batch file vs a exe. What can be causing this? Is there dl corrupted?

 

Are you using NOD?

 

I had the same problem Jaguar and had no idea what was causing it, and yes I do use NOD32. I ended up getting it from download.com, worked fine then.

 

Yes I am a registered NOD32 user.

 

For all those people who still wonder about the reasons for signature creation ... ;-)

"Letters: Generic detection - a specific case

Peter Morley
McAfee , UK

Published in Virus Bulletin: December 2004
By: Peter Morley - McAfee, UK

This subject has effectively been glossed over for some 10 years. One reason is that anti-virus researchers who could write about it have been slightly scared to do so, lest the information be of value to competition. I feel I can risk it now.

McAfee received (from Andreas Clementi of the University of Innsbruck) a collection of some 1,350 *.HTM files. These are text files. Any of our customers can look at the contents. The files are mostly from virus/Trojan writing groups, although some are from AV experts, about virus/Trojan authors and their techniques, backgrounds and attitudes.

Should we detect these files, for any reason other than the fact that we may be reviewed against them? I took a good look. My conclusions may surprise you.

Some 340 of the files are ones we should certainly not detect. These include:
An interview with Dr Alan Solomon, by virus author Dark Fiber.
A report of the death of an Australian virus author.
The well reported interview with Dark Avenger by AV researcher Sarah Gordon.
Innocent (and valid!) expressions of opinion by people in the AV industry.
However, we should detect most of the others, nearly all of which were written to educate and inform virus authors. There are three more reasons:
IT Managers like to know if this type of material is residing on any of their machines.
Internet companies which pass high message volumes like to know if they are being used for malware group communication.
Detection will inconvenience the malware groups, and make them slightly less productive.
Initially I decided to write the detections so that reviewers could use them, and to make them available for general use later if we decided to do so. The files will, of course, be detected as applications, not as viruses or Trojans.

So, I had just over 1,000 detections to write, and they needed to be written efficiently. They had to be generic, in order to minimise the workload. I could see it was easy, because the files contained lots of very strong detection strings, many of which occurred in more than one file.

The generic technique used was simple: where a detection string occurs in more than one file, search for it in a slightly extended area, rather than at a specific offset. Do this so that all files containing that string are detected by a single search.

The bad news? Well, the 1,340 files came in a collection of 13,500 files of virus-associated material. I still need to look at those. No doubt, the question of whether virus or Trojan source code should be detected will raise its ugly head once more!

Peter Morley, McAfee, UK"

 

this could be a general question imo ..

 

suspended post

 

All posts dealing with the new 3.5 beta have been moved to its own thread, ewido security suite 3.5 beta.