Anti-malware vendors unite to fight cybercriminals

Discussion in 'other anti-virus software' started by TonyW, Aug 16, 2011.

Thread Status:
Not open for further replies.
  1. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    In this viewpoint posted on BetaNews, Mikko Hypponen of F-Secure suggests anti-virus vendors share their samples. It's something I always hope they do.
     
  2. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    o_O I thought that the vendors already did share their samples. :doubt:
    Not every single sample, but many of them.
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    An eye-opener for me.
    I didn't know they cooperated to that extent.
    I thought the competitor aspect was too much to overcome.
    The article seemed to imply that only the larger companies cooperate.
     
  4. Matthijs5nl

    Matthijs5nl Guest

    Despite that there are many vendors it is not that evident that it is highly competitive. The big three, Norton, McAfee and Trend Micro, own and will keep a huge market share because they have the money to be distributed on OEM machines. A lot of companies who have acknowledgment on these forums are not really that significant so that they can cause changes in the market, such as Prevx (maybe now with Webroot) and Emsisoft, or companies such as Comodo. Because of this it is not strange that the bigger vendors (so next to the big three companies such as Kaspersky, BitDefender, ESET, avast! and AVG) share samples. Moreover, most consumers don't choose a vendor based on objective test results, assuming that objective test results exist, so how important is it that you actually perform a few tenths of a percent better than competitors?
     
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Well just a quick glance at the MRG Flash Test results will tell you that MBAM and SAS don't share. We're not talking about a few tenths of a percent there.
     
  6. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    I'm not a virus expert but i did an experiment of my own
    i opened Malwaredomainlist i found a Ransome variant
    downloaded the sample and uploaded it to Virus total
    i found that only three product marked it as malicious
    kaspersky + Norton + bitdefender

    so i upload the sample to another four companies
    Dr web + clam i don't remember the other two
    then after a week i rescan the sample via Virus total
    and i got shocked the scan result was the previous three companies + the ones i submitted the sample to
    it's a very very sad result :(

    it's a publicly available sample and yet it didn't got fully detected even after a week of submission

    Malware and viruses are getting created every day
    and yet we see companies don't collaborate with each other

    so i got this idea in mind i wanted to work on it but sadly i don't know web programming

    the idea is to make a site that when we submit a sample to it
    it will send it to every anti virus company out there
    so that will make their work faster
    what do you think
    if they are not willing to collaborate with each other we will force them to do it ;)
     
  7. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    If I remember correctly VirusTotal already does that, and I think Jotti does also? Also I thought whoever runs MDL also submits them to each vendor but I am not 100% sure.
     
  8. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    They could completely share all samples and still have different detection rates.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    ^Yup. It's not like as soon as they share they get added. Definition updates have to get pushed and probably verified.
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Is that what you mean, because of what Hungry Man said?
    ("It's not like as soon as they share they get added. Definition updates have to get pushed and probably verified.")
    Maybe due to different program default settings too?
     
  11. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    The MGR flash tests are for Zero-Day malware. So, even if they share samples...
     
  12. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    i know some companys do not share, or they are exchanging such an small number, it is not usefull for other companies.
    i can not say names, but this are some well known
     
  13. m0use0ver

    m0use0ver Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    81
    Ok here is what i can conclude about 0 hour malware code detection rates

    1- Either the vendors that score well have better heuristic or detction routines(this is unlikely but might account for a small % improvement)

    or (and more to the truth of the matter)

    2- They have researchers actively scowering the web for 0 hour code instead of reacting to submitted suspect files or files gained via their support channels.

    Eitherway there is some glaringly obvious poor performances that cannot be explained away as mere coincidences.Trends over time will average out any on the day abnomalies:thumb:

    As for sharing samples between vendors...great in principal and idealogy but in truth not practical as in a system with limited resources they can only process as many samples as they have researcher hours to verify the samples.

    A team of 7 researchers pulling 12-14hour days will roast a team of 3 part timers everytime for signature output and speed of threat escalation into their databases.

    Also vendors who shut up shop at the weekend or run skeleton staff also forget the malware servers dont take weekends/holidays off o_O

    Mondays intray most be overflowing and the postman just keeps bringing more:ouch:
     
  14. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    Well I meant that each company will take a different approach and get different things from the same sample set. A well made definition will also detect other variants from the same family. Also it's not all about definitions, but other things like behaviour/heuristics, e.g. Malwarebytes blocks certain filenames from running from certain locations, regardless of a formal 'detection'.

    I mean the best I could do from 100,000 samples, would be to produce 100,000 definitions - all based on MD5. Antimalware companies have more elegant ways of going about it, e.g. grabbing bits of code that appears in multiple samples and writing detections for that :)
     
  15. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    yet it didn't got fully detected after a week o_O o_O

    :cautious:
     
  16. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    vt sends not to all companies, but to the big ones i think.
    all listed on vt getting samples.
    but to have an sample do not mean they make an detection, most vendors get so much stuff, i heard from friends, working for av companies, they get over 1 tb malware every week.
     
  17. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    i'm going to Make an email address that will automaticly Forword
    an inbox mail to Virus companies mails

    it's plain and simple

    also i will make it Private and secret so no one get to abuse it :p

    just kidding
     
Loading...
Thread Status:
Not open for further replies.