Does VirusTotal only use signature files ?

Discussion in 'other anti-virus software' started by Joeythedude, May 20, 2009.

Thread Status:
Not open for further replies.
  1. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
Did a search for this but didn't find anything.

    Does VirusTotal only use the companies' signature files?
    Or does it use the whole engine of the various companies, i.e. heuristics as well?
     
  2. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    399
    You can see here: http://blog.hispasec.com/virustotal/22

    "VirusTotal AV engines are commandline versions, so depending on the product, they will not behave quite like the desktop versions: for instance, in such cases when desktop solutions use techniques based on behavioral analysis and count on personal firewalls that may decrease entry points and mitigate propagation, etc."
     
  3. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
Also, some products are not using the latest version (either by the wish of the vendor or for some other reason....)
     
  4. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
After a little investigation I found that both NOD32 and Avira command line scanners have heuristic options.
    Hopefully that's how VirusTotal uses them.

    NOD32

    http://kb.eset.com/esetkb/index?pag...earch&viewlocale=en_US&searchid=1242916335258

Avira

    Usage is: AVCLS [options] [path[\*.ext]] [*.ext]
    where options are:
    -? / -h ......... display the help text
    -allfiles ....... scan all files
    -dmse ........... set exit code to 101 if any macro was found
    -heuristic[:|=]1 heuristic detection rate low
    -heuristic[:|=]2 heuristic detection rate medium
    -heuristic[:|=]3 heuristic detection rate high

    J
     
  5. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    399
But NOD32's behavior analysis is not used by VirusTotal. At least that's what the article from the VirusTotal guys said. That's what Eset says too:

    "Scanners that use sophisticated behaviour analysis, active heuristics and so on are disadvantaged by this misuse as a comparative test tool, since there is no behaviour to analyse. Generally, command-line scanners simply look at the code passively, rather than running it in a safe environment to see what it does in practice"

    http://www.eset.com/threat-center/blog/?p=150
     
    Last edited: May 21, 2009
  6. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Also bear in mind some of the scanners are using older engines.
     
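The two remarks above (engines differ in version and signature age) are easiest to see by reading the per-engine fields of a VirusTotal report rather than just the detection count. The following is an added example, not code from this thread or from VirusTotal. The report it parses is constructed by hand in the shape of VirusTotal's current v3 file-report JSON (`data.attributes.last_analysis_results` and `last_analysis_stats`); the engine names, versions, dates and results in it are made up, and the list of "heuristic-looking" result prefixes is an assumption based on common vendor naming, not an official mapping.

```python
"""Summarise a VirusTotal-style file report engine by engine.

Added example. SAMPLE_REPORT is a constructed document in the shape of
VirusTotal's v3 file report; nothing in it is a real scan result.
"""
import json
from datetime import date, datetime

# Constructed sample (assumption: v3-style layout). Engine names, versions,
# update dates and results are invented for illustration.
SAMPLE_REPORT = json.dumps({
    "data": {
        "type": "file",
        "id": "0" * 64,  # placeholder SHA-256, not a real sample
        "attributes": {
            "last_analysis_stats": {"malicious": 2, "suspicious": 1, "undetected": 2},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "engine_name": "EngineA",
                            "engine_version": "7.0.1", "engine_update": "20090521",
                            "method": "blacklist", "result": "TR/Dropper.Gen"},
                "EngineB": {"category": "malicious", "engine_name": "EngineB",
                            "engine_version": "3.1", "engine_update": "20090520",
                            "method": "blacklist", "result": "HEUR/Malware"},
                "EngineC": {"category": "suspicious", "engine_name": "EngineC",
                            "engine_version": "2.9", "engine_update": "20090401",
                            "method": "blacklist", "result": "Suspicious.Packed"},
                "EngineD": {"category": "undetected", "engine_name": "EngineD",
                            "engine_version": "5.2", "engine_update": "20090515",
                            "method": "blacklist", "result": None},
                "EngineE": {"category": "undetected", "engine_name": "EngineE",
                            "engine_version": "1.0", "engine_update": "20081201",
                            "method": "blacklist", "result": None},
            },
        },
    }
})

# Assumption: result names starting with these prefixes came from a generic /
# heuristic rule rather than an exact signature. Vendors differ; adjust to taste.
HEURISTIC_PREFIXES = ("HEUR", "SUSPICIOUS", "GEN:")


def load_results(report_json):
    """Return the per-engine result dict from a v3-style report."""
    report = json.loads(report_json)
    return report["data"]["attributes"]["last_analysis_results"]


def detection_ratio(results):
    """(engines that flagged the file, engines that returned a verdict)."""
    detected = sum(1 for r in results.values()
                   if r["category"] in ("malicious", "suspicious"))
    return detected, len(results)


def stale_engines(results, as_of, max_age_days):
    """Engines whose signature update is older than max_age_days on as_of.

    engine_update is a YYYYMMDD string in the v3 layout (assumption).
    """
    stale = []
    for name, r in results.items():
        updated = datetime.strptime(r["engine_update"], "%Y%m%d").date()
        if (as_of - updated).days > max_age_days:
            stale.append(name)
    return sorted(stale)


def heuristic_named_hits(results):
    """Engines whose detection name looks like a generic/heuristic verdict."""
    hits = []
    for name, r in results.items():
        verdict = r.get("result") or ""
        if verdict.upper().startswith(HEURISTIC_PREFIXES):
            hits.append(name)
    return sorted(hits)


def summarise(report_json, as_of, max_age_days=7):
    """One-shot summary used by the usage call below."""
    results = load_results(report_json)
    detected, total = detection_ratio(results)
    return {
        "ratio": f"{detected}/{total}",
        "stale": stale_engines(results, as_of, max_age_days),
        "heuristic_named": heuristic_named_hits(results),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_REPORT, date(2009, 5, 21)))
```

Reading a real report the same way (the v3 endpoint is `GET /api/v3/files/{sha256}` with an `x-apikey` header) tells you which "hits" came from a generic rule and which engines were scanning with week-old or older signatures, which is the context a raw "3/5" score lacks.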
  7. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
2 things here.
    Behaviour analysis and "heuristics" are different things.

    "Heuristics", as I understand it, is a passive scan.
    The scanner uses its own internal logic to scan a file and see if it thinks it's a virus, instead of checking a file against a signature database.

    I don't know what "active heuristics" is or how it would be different to my definition though.
     
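The distinction drawn in the post above, signature lookup versus a passive heuristic pass over the bytes, can be shown in a few lines. This is an added example, not code from the thread or from any vendor's engine: a toy signature scanner and a toy static heuristic scanner run over three constructed byte strings. The signature, the "suspicious" string list and the entropy threshold are all assumptions chosen for illustration; a real engine's heuristics are far richer, but the point is the same: both passes only read the file, neither executes it, so anything that needs observed behaviour cannot fire here.

```python
"""Signature match vs. passive (static) heuristics on the same bytes.

Added example. The signature, the strings and the samples are constructed
for illustration and do not correspond to any real malware family.
"""
import math
from collections import Counter

# Assumption: a byte pattern an analyst extracted from a known sample.
SIGNATURES = {"Demo.Dropper": b"\xde\xad\xbe\xef\x00\x01\x02"}

# Assumption: strings a static heuristic might treat as suspicious.
SUSPICIOUS_STRINGS = (b"cmd.exe /c", b"WScript.Shell", b"URLDownloadToFile", b"UPX0")

# Entropy above this suggests packed/encrypted content (assumed threshold).
ENTROPY_THRESHOLD = 7.2

# Constructed samples (labelled, not real files).
KNOWN = b"MZ\x90\x00" + b"\x00" * 16 + SIGNATURES["Demo.Dropper"] + b"cmd.exe /c"
VARIANT = (b"MZ\x90\x00" + b"\x00" * 16
           + b"\xde\xad\xbe\xef\x00\x01\x03"  # one byte changed: signature misses
           + b"cmd.exe /c")
PACKED = bytes(range(256)) * 8  # uniform bytes: entropy exactly 8.0 bits
BENIGN = b"Hello, world. Plain text report.\n" * 4


def signature_scan(data, signatures=SIGNATURES):
    """Exact byte-pattern lookup: returns names of matching signatures."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def shannon_entropy(data):
    """Bits of entropy per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def heuristic_scan(data, entropy_threshold=ENTROPY_THRESHOLD):
    """Passive heuristics: reasons the bytes look suspicious, without running them."""
    findings = []
    ent = shannon_entropy(data)
    if ent >= entropy_threshold:
        findings.append(f"high-entropy:{ent:.2f}")
    for s in SUSPICIOUS_STRINGS:
        if s in data:
            findings.append("string:" + s.decode("ascii"))
    return findings


def scan(data):
    """Both passes side by side. Note there is no 'behaviour' key:
    nothing here executes the sample, so runtime behaviour is unobservable."""
    return {"signatures": signature_scan(data), "heuristics": heuristic_scan(data)}


if __name__ == "__main__":
    for label, sample in (("known", KNOWN), ("variant", VARIANT),
                          ("packed", PACKED), ("benign", BENIGN)):
        print(label, scan(sample))
```

The one-byte change in `VARIANT` defeats the signature but not the string heuristic, while `PACKED` trips only the entropy check; that gap between the two passes is what the heuristic level switches on the command-line scanners quoted earlier control.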
  8. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    177
    Location:
    Czech Republic
You would need each AV to run in its own VM box with maximal settings to fully and deeply analyze a suspicious file ...

    I already saw some such projects ...
     