Alternate to Web mail submission of malicious samples?

Discussion in 'ESET NOD32 Antivirus' started by harsha_mic, Mar 27, 2009.

Thread Status:
Not open for further replies.
  1. harsha_mic (Registered Member; joined Mar 11, 2009; 791 posts; India)

    Hello All,

    I usually send many samples to samples@eset.com. But they very rarely get added to the database, and then only after a long time :(

    So, I would like to know: is there any alternate way of submitting malicious samples other than web mail? Or is it possible to give them to an ESET moderator, so he can directly pass them to the ESET Labs/dev team? Here is a screenshot of the way I send the samples via web mail.

    Thanks,
    Harsha.
     


  2. funkydude (Registered Member; joined Apr 5, 2004; 6,852 posts)

    I personally send them several files daily. I would contact Marcos via PM and see where your emails are landing.
     
  3. harsha_mic (Registered Member)

    Thanks, funkydude, for your immediate and kind reply.
    If you need any more details, I can give them to you (like the e-mail ID from which I am sending) via PM.

    Just one question: are the defs being added for the samples which you sent?
    What about any alternate submission method? Is there any?

    Thanks,
    Harsha.
     
  4. harsha_mic (Registered Member)

    Great! All the samples have been added to the database. I got around 7 mails for different samples saying "Thanks" :D
    At last, these definitions have been added, after 5 days...
    Is there any other way of submitting samples other than web mail?

    -Harsha
     
  5. funkydude (Registered Member)

    As far as I know, nope. At least not a better one anyway. But I usually get a response on the same day, or none at all and it's just added. What I usually do is zip them up twice: one passworded, one non-passworded. Quarantine the non-passworded one and send the passworded one. Then you can scan the entire zip after restoring it from quarantine and see what's been added. Some viruses are prioritized over others, so don't be disappointed if not all were added; they are probably in the queue for a later update.

    I also separate my emails into virus families: FakeAV, ZBot, PDF, etc and "unknown" for everything else. This helps prioritize and manage by importance, since ESET dedicates different analysts to different threats.
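The two-archive workflow in the post above (bucket samples by family, keep a plain copy in quarantine, mail a password-protected copy, then rescan the plain copy after the next update to see what got added) as a script. This is an added example, not code from the original thread or from ESET: the family names, file names, the `infected` archive password and the placeholder sample bytes are all assumptions or constructed data, and the "scan result" is simulated as a list of hashes because no AV engine is invoked here.

```python
"""Triage samples for e-mail submission to an AV lab and track which ones get added.

Added example, not part of the original thread. Layout assumed: <sample_dir>/<family>/<file>,
with families such as FakeAV, ZBot, PDF and 'unknown' for everything else.
"""
import hashlib
import json
import shutil
import subprocess
import tempfile
import zipfile
from pathlib import Path

# Conventional password for sample submissions (assumption). It only stops mail gateways
# and the desktop AV from stripping the attachment; ZipCrypto is not a confidentiality control.
ARCHIVE_PASSWORD = "infected"


def sha256_file(path):
    """Streamed SHA-256 so large droppers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(sample_dir):
    """One record per sample, grouped by the family directory it was filed under."""
    entries = []
    for family_dir in sorted(p for p in Path(sample_dir).iterdir() if p.is_dir()):
        for f in sorted(p for p in family_dir.iterdir() if p.is_file()):
            entries.append({"family": family_dir.name, "name": f.name,
                            "size": f.stat().st_size, "sha256": sha256_file(f)})
    return entries


def write_plain_zip(sample_dir, entries, out_path):
    """The un-passworded copy: quarantine it locally and rescan it after each update."""
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for e in entries:
            zf.write(Path(sample_dir, e["family"], e["name"]),
                     arcname=f"{e['family']}/{e['name']}")
        zf.writestr("manifest.json", json.dumps(entries, indent=2))
    return out_path


def write_encrypted_zip(sample_dir, out_path, password=ARCHIVE_PASSWORD):
    """The copy to mail. Python's zipfile cannot write encrypted archives, so this shells
    out to Info-ZIP's `zip -P`; returns None if that binary is absent or fails."""
    if shutil.which("zip") is None:
        return None
    try:
        subprocess.run(["zip", "-qr", "-P", password, str(Path(out_path).resolve()), "."],
                       cwd=sample_dir, check=True)
    except subprocess.CalledProcessError:
        return None
    return out_path


def check_coverage(entries, flagged_sha256):
    """After the next definition update: rescan the quarantined plain zip, collect the
    hashes the scanner flagged, and split the manifest into added vs still pending."""
    flagged = {h.lower() for h in flagged_sha256}
    added = [f"{e['family']}/{e['name']}" for e in entries if e["sha256"] in flagged]
    pending = [f"{e['family']}/{e['name']}" for e in entries if e["sha256"] not in flagged]
    return added, pending


def demo():
    """Constructed placeholder files (plain text, not malware) exercise the flow offline."""
    fake_samples = {  # hypothetical sample set, bucketed the way the post suggests
        "FakeAV/av2009_setup.exe": b"constructed placeholder 1",
        "ZBot/invoice.exe": b"constructed placeholder 2",
        "unknown/dropper.dll": b"constructed placeholder 3",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "samples")
        for rel, data in fake_samples.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        entries = build_manifest(root)
        plain = write_plain_zip(root, entries, Path(tmp, "samples_plain.zip"))
        write_encrypted_zip(root, Path(tmp, "samples_infected.zip"))
        # simulate the post-update rescan flagging only the two named families
        flagged = [e["sha256"] for e in entries if e["family"] != "unknown"]
        added, pending = check_coverage(entries, flagged)
        with zipfile.ZipFile(plain) as zf:
            names = sorted(zf.namelist())
    return {"entries": len(entries), "added": added, "pending": pending, "zip_names": names}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping the manifest inside the quarantined archive is what makes the later diff possible: the hashes are recorded before the files ever leave the sandbox, so a sample that is still "pending" after an update can be resent with its original family tag rather than rediscovered.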
     
  6. harsha_mic (Registered Member)

    Thanks for the information, funkydude.
    I just sent 8 samples (each file made into a password archive) to Labs with VirusTotal and CIMA results, and I'll check when they get added to the database.

    From next time onwards, I'll send all the samples in a single password archive. I guess it might be better...

    -Harsha.
     
  7. Marcos (ESET Staff Account; joined Nov 22, 2002; 14,374 posts)

    How did you manage to infect your computer with such stuff? Some of the files are blocked by the web scanner.
     
  8. funkydude (Registered Member)

    Disable AV, download file, scan file, send file.

    I don't think he's infecting his PC; he's probably doing it as a hobby like me.
     
  9. harsha_mic (Registered Member)

    As funkydude said, it's a kind of hobby, to fight against viruses and help the antivirus company. I'm not at all infecting my machine.

    Marcos, almost all the samples which I sent to Labs are missed by the web scanner and every other module NOD32 has. So, do I need to mention in my e-mail that these samples are missed by the web scanner, so that the dev team will try to tweak the web scanner to catch these at the first line of defense?
    One more thing: I download various malicious samples while every module of NOD32 is enabled. I even check by double-clicking the file, through Sandboxie only, to know whether it will get caught by NOD32 at runtime or not (but unfortunately none are caught), so that it will not infect my system permanently.

    Precautions I take while playing with these samples:
    1. I'll run these samples only under Sandboxie.
    2. I have CIS 3.8, so these samples can be isolated at any point of time. Believe me, it really does an excellent job (D+).
    3. I'll test these samples at CIMA/ThreatFire, to compare whether these files/registry entries are present in my system or not. As I use Sandboxie, I never get these bastards copied into my system :) :)

    Marcos, one more question: what to do if I have a file which cannot be unpacked by NOD32? Where to send this file? Please let me know about the procedure.

    Thanks (for such a small post),
    Harsha
     
    Last edited: Mar 28, 2009
  10. funkydude (Registered Member)

    Send it to the same place; sometimes they use a customized version of a packer. Another tip: don't expect a reply on the weekend, it is very rare (happened only twice to me).
     