Does VirusTotal only use signature files ?

Discussion in 'other anti-virus software' started by Joeythedude, May 20, 2009.

Thread Status:
Not open for further replies.
  1. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Did a search for this but didn't find anything.


    Does VirusTotal only use companies signature files ?
    Or does it use the whole engine of the various companies , i.e hueristics as well ?
     
  2. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    398
    You can see here: http://blog.hispasec.com/virustotal/22

    "VirusTotal AV engines are commandline versions, so depending on the product, they will not behave quite like the desktop versions: for instance, in such cases when desktop solutions use techniques based on behavioral analysis and count on personal firewalls that may decrease entry points and mitigate propagation, etc."
     
  3. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Also some products are not using the latest version (either by the wish of the vendor or for some other reason....)
     
  4. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    After a little investigation I found that both NOD32 and Avira command line scanners have heuristic 's options.
    Hopefully thats how virustotal uses them.

    NOD32

    http://kb.eset.com/esetkb/index?pag...earch&viewlocale=en_US&searchid=1242916335258

    Avira



    Usage is: AVCLS [options] [path[\*.ext]] [*.ext]
    where options are:
    -? / -h ......... display the help text
    -allfiles ....... scan all files
    -dmse ........... set exit code to 101 if any macro was found
    -heuristic[:|=]1 heuristic detection rate low
    -heuristic[:|=]2 heuristic detection rate medium
    -heuristic[:|=]3 heuristic detection rate high



    J
     
  5. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    398
    But NOD32´s behavior analysis is not used by VirusTotal. At least that´s what the article from virustotal guys said. Thats what Eset says too:

    "Scanners that use sophisticated behaviour analysis, active heuristics and so on are disadvantaged by this misuse as a comparative test tool, since there is no behaviour to analyse. Generally, command-line scanners simply look at the code passively, rather than running it in a safe environment to see what it does in practice"

    http://www.eset.com/threat-center/blog/?p=150
     
    Last edited: May 21, 2009
  6. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,720
    Location:
    UK
    Also bear in mind some of the scanners are using older engines.
     
  7. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    2 things here.
    Behaviour analysis and "heuristics" are different things

    "Heuristics" , as I understand it , is a passive scan.
    The Scanner, uses its own internal logic to scan a file and see if it thinks its a virus, instead of using checking a file against a signature database.

    I don't know what "Active heuristics" is or how it would be different to my definition though.
     
  8. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    176
    Location:
    Czech Republic
    You would need each AV to run in own VM box with maximal settings to fully and deeply analyze suspicious file ...

    i already saw some such projects ...
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.