Do you use sample submitting?

Discussion in 'other anti-virus software' started by EsoxLucius, Dec 5, 2006.

Thread Status:
Not open for further replies.
  1. EsoxLucius

    EsoxLucius Registered Member

    Joined:
    Oct 27, 2006
    Posts:
    125
    Location:
    Bucharest, Romania
    I'm very curious to know how often you submit samples you catch, or simply threats detected just with heuristics.
     
  2. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    I have submitted three samples to DrWeb these latest two months. One was a live undetected trojan. Two were false positives detected by DrWeb heuristic. They were all dealt with in less than two hours. I submitted the trojan late in the evening (I presume I submitted the sample to Russia? I live in Sweden.) and they had someone there who took care of it quickly :thumb:

    I do not submit too often though (I just don't attract malware :( ) maybe two or three times a year. All forwarded from friends.
     
  3. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    I submit all samples which are not detected via signatures by an AV, regardless of whether the samples are detected heuristically or not. :)

    Of course, I don't receive such samples every day :)
     
  4. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I submit samples very often (about 30-50 per month or even more). Of course sometimes I don't have time to "get" them. :D Just today I've submitted something to ESET and it was added. :thumb: Hope they'll be so fast every time. :)
     
  5. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    If I find something I think is malware I test it on virustotal/sandbox etc to see if it is really 'dangerous', then send it to those on virustotal that don't detect it. There are a few AV companies that rarely (or never!) add anything I send, so I gave up on those a long time ago and don't bother sending anything to those ones. :thumbd: But most are quick and efficient at adding the samples I send.

    Londonbeat
     
  6. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    I sent one to Dr.Web and within 12 hours got a reply saying it was a false positive, now fixed.

    :D

    I don't usually send them, as I don't tend to get much malware, but when I do, I send to whoever I'm using, and for the next 2 years, the green dr gets it.
     
  7. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Dr.Web is fast at fixing FPs but not so fast at adding samples (I find the Korean Virus Chaser analysts to be better at adding samples than Dr.Web itself).
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Well, I've submitted a FP report to Dr. Web more than a month ago and still it isn't fixed.
    Not really a complaint but ...
     
  9. EsoxLucius

    EsoxLucius Registered Member

    Joined:
    Oct 27, 2006
    Posts:
    125
    Location:
    Bucharest, Romania
    I asked this question because I saw a lot of complaints about many FPs or even real threats that weren't fixed in time or at all. I was wondering if users are doing something to help the developers.
    I know I did in the past for Eset, but I've never tracked back whether they made any change. Do you think they should answer every submission they receive? I know I would feel better if they did, but I don't think that's possible.
     
  10. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    There have been many complaints about Eset not adding submitted samples properly. I would appreciate a reply whenever I submit samples, but I realise that it may be difficult to provide individual analysis reports for thousands of files. So, basically a short message like "Hello, we have added your samples" is good enough for me.

    In this regard I appreciate the BitDefender and Virus Chaser support team as they have always replied to all my submissions. :)
     
  11. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Drweb and Prevx1* answer back and tell me what their conclusion is, quite fast too. I definitely feel better knowing that I have contributed (i.e. get feedback) and it motivates me to send samples. Knowing that they take it seriously. Otherwise it just feels like throwing things in a black hole, where's the fun in that :)

    * I forgot to mention in my earlier post that I have submitted samples to Prevx1 too.
     
  12. EsoxLucius

    EsoxLucius Registered Member

    Joined:
    Oct 27, 2006
    Posts:
    125
    Location:
    Bucharest, Romania
    I've noticed that certain companies also have an e-mail address for sample submission, not only the module from the software.
    How do you send them? I think there are better chances to get a reply when using a classic e-mail.
     
  13. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    To Drweb by mail. To Prevx1 through their module.
     
  14. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    By classic email, usually to the support teams of the various companies (exceptions: McAfee, Eset, Dr.Web). IMO it's better to simply send out a classic email to the support teams, it gets you a more satisfactory response. :)
     
  15. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I never send samples before I check them with a few multi-engine scans first. It allows you to know if it is because your AV is improperly configured or a false positive. It also allows you to know which other AVs actually detected it. It also has an auto submission to all the member companies. As such you send the samples to a large number of antivirus makers instead of just one.

    You can find those here:
    http://www.virustotal.com/en/indexf.html
    http://virusscan.jotti.org/

    Also, for those interested in finding out what the virus names may be from one AV to another, you can use the vgrep database.
    It's DOS but it works great while at client sites doing research on a nasty virus. Here is the link for it:
    http://www.virusbtn.com/resources/vgrep

    Here is an example of a successfully submitted virus sample with a positive result:
     

    Attached Files:

    Last edited: Dec 7, 2006
  16. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Question. Based on the above, where the update section for each vendor is, does that mean that F-Prot and Authentium were the first to add it to their updates?
     
  17. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?

    It only means at the time of the scan the reported database of different products did or did not assign a name or did not detect it at all. In the case of the Stration virus my own AV had to update the DAT files at least 6 times within a 14 hour period. Between updates submitting new variants would report a failed detection. While some other AVs would actually already detect it... nasty piece of work that Stration bug...
     