Detecting polymorphics!

Discussion in 'other anti-virus software' started by Firefighter, Nov 14, 2004.

Thread Status:
Not open for further replies.
  1. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    In VirusBulletin tests, many AVs were detecting almost all polymorphic samples, because the samples were unchanged for over a year.

    In real life, a friend of mine got infected with "W32/Pate.b" (= Win32.Parite.b by KAV) while using an updated AntiVir PE, a polymorphic virus that has been ITW for over a year. VB was still testing only one sample of this virus, and in the ITW category. Why?

    http://www.virusbtn.com/old/comparatives/NetWare/2004/test_sets.html

    Maybe this is why? According to VGrep, too many AVs performed really badly in a real situation.

    Best regards,
    Firefighter!
     

    Attached Files:

    • Pate.gif (18.2 KB)
    Last edited: Nov 14, 2004
  2. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    @FF- Interesting. Thanks!

    3X Winners:
    BitDefender {Softwin}
    Sophos
    Kaspersky
    DrWeb {Dialogue Science}
    McAfee
     
  3. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Actually, when you look at all 37 variants in VGrep: McAfee 37/37, KAV 36/37; the others, who cares!

    PS. Just checked these variants by using "Win32.Parite.b" as the entry in VGrep; there were 70 variants of "Win32.Parite.b" in VGrep. I haven't counted the "winners" yet.

    Best regards,
    Firefighter!
     
    Last edited: Nov 14, 2004
  4. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Usually in VirusBulletin polymorphic tests, 6 scanners score a full 100% detection test after test against 43 polymorphic viruses and almost 15,500 samples (excluding KAV and DrWeb clones). In alphabetical order they are DrWeb, Kaspersky, McAfee, NOD, Norton and Sophos.

    How is it then against those 70 Win32.Parite.b variants? Here they are:

    97.1 % -- 68/70 - Kaspersky

    95.7 % -- 67/70 - McAfee & Norton

    94.3 % -- 66/70 - DrWeb

    92.9 % -- 65/70 - Sophos

    74.3 % -- 52/70 - NOD

    ---------------------- Because the infected PC was protected by a "free" AV, here they are:

    87.1 % -- 61/70 - Panda

    67.1 % -- 49/70 - F-Prot

    60.0 % -- 42/70 - Avast & AVG

    58.6 % -- 41/70 - BitDefender

    47.1 % -- 33/70 - AntiVir

    All this while Win32.Parite.b has been ITW for over a year! I just can't imagine how poor the other scanners will be in this comparison.

    Best regards,
    Firefighter!
     

    Last edited: Nov 15, 2004
  5. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    Thanks Firefighter. After all I've read about VirusBulletin, IMHO it's just a basic index, nothing to rely upon heavily. It's good for commercial purposes though, allowing companies to put the "100%" mark on their websites, impressing the unaware customer :D
     
  6. profhsg

    profhsg Registered Member

    Joined:
    May 18, 2004
    Posts:
    145
    Firefighter:

    Do you believe that KAV-engined AVs, such as F-Secure, which I use, will show the same ability to detect polymorphic viruses as KAV itself has?

    Thanks
     
  7. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Basically it's the engine and signatures that matter, so I think that with F-Secure it's at least as good as Kaspersky.

    PS. Just added some "free or free offer" scanners to my list above.

    Best regards,
    Firefighter!
     
    Last edited: Nov 15, 2004
  8. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    After taking a close look at the VGrep results, I think that the biggest problem is probably that some of these 76 samples are actually not samples of W32/Parite.b (or maybe are multi-infected samples?). A lot of the samples are flagged as Parite.b by KAV whereas other AVs recognize another malware (or nothing), mostly Spybots/SDbots/Agobots* (this also happens to FProt and BitDefender)... There also seem to be damaged samples (look for the Pate.b.dam McAfee detections).

    For example, I doubt that the 6th sample (1st on your picture) actually is a Parite.b.

    --
    *Could sometimes be explained by the fact that the file dropped by Parite is packed with UPX, and that some scanners cannot unpack it?
     
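    The sample-validation step that Tweakie's post points at, as an added example that is not part of this thread and is not Virus Bulletin's VGrep code: a VGrep-style cross-reference table is a sample-by-scanner grid of detection names, and before reading detection rates off it one can drop rows where the index scanner's "Parite.b" verdict is outvoted by the other scanners (SDbot/Agobot names, or a ".dam" damaged-file name). The table, the scanner set, the detection strings and the family aliases below are constructed for the demo, not real VGrep data; the consensus rule (target family must outvote all other verdicts among scanners that detected anything, misses do not vote) is an assumption chosen for illustration.

```python
"""Consensus filtering of a VGrep-style cross-reference table.

Added example; the table below is CONSTRUCTED toy data, not real VGrep
output. Each row is one sample, each value the name a scanner reported,
None meaning no detection.
"""
import re
from collections import Counter

# Constructed table: sample id -> {scanner: reported name or None}.
# The index scanner ("KAV") names every row Parite.b, as a VGrep query
# on that name would; the other columns disagree on some rows.
VGREP_ROWS = {
    "s1": {"KAV": "Win32.Parite.b", "McAfee": "W32/Pate.b", "Sophos": "W32/Parite-B",
           "F-Prot": "W32/Parite.B", "AntiVir": "W32/Parite.B"},
    "s2": {"KAV": "Win32.Parite.b", "McAfee": "W32/Pate.b", "Sophos": "W32/Parite-B",
           "F-Prot": None, "AntiVir": None},
    "s3": {"KAV": "Win32.Parite.b", "McAfee": "W32/Pate.b", "Sophos": "W32/Parite-B",
           "F-Prot": "W32/Parite.B", "AntiVir": None},
    # Rows where the other scanners see a different family (misattributed).
    "s4": {"KAV": "Win32.Parite.b", "McAfee": "W32/Sdbot.worm", "Sophos": "W32/Sdbot-A",
           "F-Prot": "W32/Sdbot.gen", "AntiVir": "Worm/SdBot.1"},
    "s5": {"KAV": "Win32.Parite.b", "McAfee": "W32/Gaobot.worm.gen", "Sophos": "W32/Agobot-EO",
           "F-Prot": "W32/Agobot.gen", "AntiVir": None},
    # Damaged sample: only a ".dam" name from one scanner.
    "s6": {"KAV": "Win32.Parite.b", "McAfee": "W32/Pate.b.dam", "Sophos": None,
           "F-Prot": None, "AntiVir": None},
    "s7": {"KAV": "Win32.Parite.b", "McAfee": "W32/Pate.b", "Sophos": "W32/Parite-B",
           "F-Prot": None, "AntiVir": "W32/Parite.B"},
}

# Vendor family spellings folded to one key (assumed aliases for the demo).
ALIASES = {"pate": "parite", "gaobot": "agobot"}
PREFIX = re.compile(r"^(?:w32|win32|worm|virus|trojan)[/.:]")


def family_of(name):
    """Map a vendor detection name to a family key: 'damaged' for .dam
    names, None when the scanner reported nothing."""
    if not name:
        return None
    n = name.lower()
    if ".dam" in n:
        return "damaged"
    n = PREFIX.sub("", n)          # strip platform prefix such as W32/ or Win32.
    m = re.match(r"[a-z]+", n)     # first alphabetic run is the family
    fam = m.group(0) if m else n
    return ALIASES.get(fam, fam)


def consensus_keep(rows, family="parite"):
    """Keep a sample only if, among scanners that detected *something*,
    the target family outvotes every other verdict combined. Misses do
    not vote, so a hard-to-detect polymorphic sample is not thrown out
    merely because few scanners catch it."""
    kept = set()
    for sid, verdicts in rows.items():
        votes = Counter(family_of(v) for v in verdicts.values())
        votes.pop(None, None)
        target = votes.get(family, 0)
        others = sum(votes.values()) - target
        if target > others:
            kept.add(sid)
    return kept


def detection_rates(rows, family="parite"):
    """Per scanner: naive rate (any detection name, all rows) versus the
    rate of correct family identification on the consensus-validated rows."""
    kept = consensus_keep(rows, family)
    scanners = sorted({s for v in rows.values() for s in v})
    out = {}
    for s in scanners:
        naive_hits = sum(1 for v in rows.values() if v.get(s))
        filt_hits = sum(1 for sid in kept if family_of(rows[sid].get(s)) == family)
        out[s] = {"naive": (naive_hits, len(rows)), "filtered": (filt_hits, len(kept))}
    return out


if __name__ == "__main__":
    for s, r in detection_rates(VGREP_ROWS).items():
        nh, nt = r["naive"]
        fh, ft = r["filtered"]
        print(f"{s:8s} naive {nh}/{nt} = {100 * nh / nt:5.1f}%   "
              f"validated {fh}/{ft} = {100 * fh / ft:5.1f}%")
```

    On the constructed rows the two counts diverge in the way the post describes: a scanner that names the SDbot or Agobot rows gets credit under the naive "detected something" count, while the validated count only credits a Parite-family name on rows the other scanners agree are Parite. Two caveats: the alias map and the platform-prefix regex have to be maintained per vendor naming scheme, and a multi-infected file (Parite host carrying a bot) legitimately gets different names from different scanners, so a majority vote can still discard a real Parite sample.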
  9. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    I don't think that it matters so much. Even with the Sophos signature, "W32/Parite-B", there are 59 of these polyinfectors, and the situation still remains about the same. Sophos has no heuristics and false positives are very uncommon.

    Best regards,
    Firefighter!
     

  10. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    1. VGrep is _NOT_ intended to compare the detection rate of scanners. A polymorphic comparison based on the VGrep database is really poor. It should be only used for virus naming conventions.
    2. The VGrep database contains a lot of garbage files, so results are flawed.
    3. You do not know which settings were used. Also you must note that usually command line scanners are used to make the VGrep database.

    just my 2 cents... ;)
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    ...couldn't agree more :)
     
  12. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Thanks :)
     
  14. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Good to know that even Sophos uses garbage files to increase its detection! Or is it simply that money talks?

    PS. What worries me most after all this is that there aren't any AV-test organisations that will test real ItW polymorphic sample collections; the last thing added to VirusBulletin's testbed was 29 samples of W32/Etap, over a year ago. Very promising!

    Best regards,
    Firefighter!
     
    Last edited: Nov 16, 2004
  15. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    In German magazines I see that Marx also does polymorphic tests.

    I am planning to do polymorphic tests in probably one year; I think it is interesting to see such tests too, but using VGrep for such things is the wrong approach.
     
  16. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
  17. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Sophos uses a genetic approach to detect viruses heuristically. Nothing like NOD32, Norman or DrWeb.


    tECHNODROME
     
  18. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Have I done something wrong by publishing these VGrep tables, as in post 4 of this thread? Look at the new picture of this "Win32.Parite.b" taken just now in VGrep. To my mind there are some AV vendors missing (BitDefender and NOD).

    http://www.virusbtn.com/resources/vgrep/which_products/

    Is there some good reason to drop these AVs?

    Best regards,
    Firefighter!
     

    Last edited: Nov 27, 2004
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Per FF's latest post, all 3 freebies (Avast, AVG, AVPE) bombed out according to this very narrow indicator.
     