2006-03 AV-test from Jotti's 6 x 100 snapshots

Discussion in 'other anti-virus software' started by Firefighter, Mar 17, 2006.

Thread Status:
Not open for further replies.
  1. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I can again confirm what Happy Bytes, Marcos and others are saying. Lots of files are installers, broken files etc. An AV which detects an incomplete file could just be using something at the top of the file to detect. A tester does NOT know unless they take the extreme time to analyse the sample completely x 100,000 = long time :D

    Michael may I have that Upack file please ;)
     
  2. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Let's hope at least that these snapshots taken from my last test were as a result of some kind of heuristics.

    Best regards,
    Firefighter!
     

    Attached file: Heur.gif (118.1 KB)
  3. Happy Bytes

    Happy Bytes Guest

    As far as I remember it was "WinUpack 0.31 beta" lemme check the MD5 of it...
    MD5 is: 9fd5d0445992ed686d31558f4438448c

    Kaspersky fixed this f/p ( I'm not surprised, because I know that Roel was reading this thread :D ) ClamAV, Fortinet, VBA32 and ArcaVir are still detecting it. As for ArcaVir it's another case - it was in the first instance detected via signature - they removed it - and now it is detected via heuristics.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    You are referring to ThreatSense and Advanced heuristics. I meant standard heuristics which can detect another big bunch of nasties without the appropriate signature.
     
  5. Sandish

    Sandish Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    51
    It's really funny to read such comments, as if NOD32 is god's gift to the AV industry. Come on, not every signature in your database is based on a strict scientific approach, not failsafe and sometimes it's really ridiculous how you and other vendors try to identify malware. Matching a packer is one thing, matching plain text files as a usually binary based trojan is another. And I refuse to give a public example - feel free to pm me.
     
  6. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    That's why I wrote in my report.

    "...there have to be AT LEAST TWO detections to minimize those False Alarms!" so, there was not that, "...to stop those False Alarms!" :rolleyes:

    I believe of course that your example was only one among those many others, which were real infected ones.

    Best regards,
    Firefighter!
     
    Last edited: Mar 27, 2006
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Nope, popcaploader is another suchlike example. Should we search for more? :)
     
  8. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    If you wish, but check out the % (or is it better to use ‰ ?) of False Alarms too picked from Jotti's snapshots detected by AT LEAST TWO scanners as well, so that we all can get a bit more information from Jotti's.

    Best regards,
    Firefighter!
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,918
    Location:
    Texas
    Off topic post removed. Let's avoid these types of posts on Wilders forums.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    False positives may comprise a very small portion out of all samples tested, but how many of them were undetected installers and the threats were actually detected during installation? I for one found about 1000 installers in a week and this is not a small number compared to those 6x100 whose scan result screenshots you captured. Hence I'm saying the results must be taken with a lump of salt.
     
  11. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Thanks for that. If that 1k is about the total amount of installers scanned in Jotti's per week, I'd say that in my 6x100 snapshot sample collection there were about 3...8 % installers. This estimate was taken from those hours spent to finish that 6x100 snapshot collection. Here you can see what kind of snapshots I mean.

    Best regards,
    Firefighter!

    PS. Just checked from the snapshot sample names, where were some of these words, "setup", "install" and "installer", and I got 5.3 % of them from those 6x100 snapshots.
     

    Attached file: JS2.gif (121.3 KB)
    Last edited: Mar 28, 2006
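The "at least two detections" rule and the installer-name estimate used in the posts above, as an added example that is not part of the thread: the engine names, sample names and verdicts below are constructed for illustration, not results from Jotti's or from the 6 x 100 test.

```python
from collections import defaultdict

# Constructed multi-scanner snapshot: sample name -> engines that flagged it.
# Engines and samples are made up for this example; no real verdicts are implied.
SNAPSHOT = {
    "trojan_dropper.exe":  {"DrWeb", "Kaspersky", "NOD32", "BitDefender"},
    "winupack031beta.exe": {"ClamAV"},        # lone hit on a packer: review as possible f/p
    "setup_game_demo.exe": set(),             # installer: payload not scanned until unpacked
    "crack_installer.exe": {"AntiVir", "Fortinet"},
    "notes_plain.txt":     {"VBA32"},         # lone hit on a plain text file
    "backdoor_x.scr":      {"DrWeb", "NOD32", "Kaspersky"},
}
INSTALLER_WORDS = ("setup", "install", "installer")   # the thread's name-based filter


def consensus_samples(snapshot, min_hits=2):
    """Samples flagged by at least `min_hits` engines (the 'AT LEAST TWO' rule)."""
    return {name for name, engines in snapshot.items() if len(engines) >= min_hits}


def lone_detections(snapshot):
    """Engine -> samples only that engine flagged: the false-positive candidates to review."""
    lone = defaultdict(list)
    for name, engines in sorted(snapshot.items()):
        if len(engines) == 1:
            lone[next(iter(engines))].append(name)
    return dict(lone)


def per_engine_rate(snapshot, min_hits=2):
    """Engine -> (hits, total) counted only over the consensus samples."""
    agreed = consensus_samples(snapshot, min_hits)
    engines = set().union(*snapshot.values())
    return {e: (sum(1 for s in agreed if e in snapshot[s]), len(agreed))
            for e in sorted(engines)}


def installer_share(snapshot):
    """Percent of sample names containing an installer keyword."""
    hits = sum(1 for n in snapshot if any(w in n.lower() for w in INSTALLER_WORDS))
    return 100.0 * hits / len(snapshot)


if __name__ == "__main__":
    print("consensus:", sorted(consensus_samples(SNAPSHOT)))
    print("lone hits:", lone_detections(SNAPSHOT))
    for engine, (hits, total) in per_engine_rate(SNAPSHOT).items():
        print(f"{engine:12s} {hits}/{total} of consensus samples")
    print(f"installer-named samples: {installer_share(SNAPSHOT):.1f} %")
```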
  12. minceypw

    minceypw Registered Member

    Joined:
    Sep 25, 2005
    Posts:
    22
    Hi Marcos

    Has Jotti's now set up NOD32 correctly?
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Nope, many samples are not shown as detected though they actually are. From the service provider I got a reply that it's due to memory exhaustion caused by AV scanners that scan files before NOD32. Sometimes submitting an undetected file again will show it as detected.
     
  14. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    And he can't fix this problem somehow?
    All other AVs from NOD32 to the end of the scanners are affected I guess... :(
    I have a suggestion...one month NOD32, VBA32, Norman to be the first scanners, and one month the first: AntiVir, Avast, BD...etc . :D :D
     
  15. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    In my mind that test was only a test about Jotti's. I have found several samples detected by DrWeb 4.33.2 but not with DrWeb in Jotti's albeit DrWeb was the best in my Jotti's 6 x 100 comparison.

    Best regards,
    Firefighter!
     
    Last edited: May 13, 2006