Does VirusTotal only use signature files ?

Discussion in 'other anti-virus software' started by Joeythedude, May 20, 2009.

Thread Status:
Not open for further replies.
  1. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Did a search for this but didn't find anything.


    Does VirusTotal only use companies' signature files?
    Or does it use the whole engine of the various companies, i.e. heuristics as well?
     
  2. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    398
    You can see here: http://blog.hispasec.com/virustotal/22

    "VirusTotal AV engines are commandline versions, so depending on the product, they will not behave quite like the desktop versions: for instance, in such cases when desktop solutions use techniques based on behavioral analysis and count on personal firewalls that may decrease entry points and mitigate propagation, etc."
     
  3. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Also some products are not using the latest version (either by the wish of the vendor or for some other reason....)
     
  4. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    After a little investigation I found that both NOD32 and Avira command line scanners have heuristic options.
    Hopefully that's how VirusTotal uses them.

    NOD32

    http://kb.eset.com/esetkb/index?pag...earch&viewlocale=en_US&searchid=1242916335258

    Avira

    Usage is: AVCLS [options] [path[\*.ext]] [*.ext]
    where options are:
    -? / -h ......... display the help text
    -allfiles ....... scan all files
    -dmse ........... set exit code to 101 if any macro was found
    -heuristic[:|=]1 heuristic detection rate low
    -heuristic[:|=]2 heuristic detection rate medium
    -heuristic[:|=]3 heuristic detection rate high

    J
     
  5. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    398
    But NOD32's behavior analysis is not used by VirusTotal. At least that's what the article from the VirusTotal guys said. That's what Eset says too:

    "Scanners that use sophisticated behaviour analysis, active heuristics and so on are disadvantaged by this misuse as a comparative test tool, since there is no behaviour to analyse. Generally, command-line scanners simply look at the code passively, rather than running it in a safe environment to see what it does in practice"

    http://www.eset.com/threat-center/blog/?p=150
     
    Last edited: May 21, 2009
  6. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    Also bear in mind some of the scanners are using older engines.
     
  7. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    2 things here.
    Behaviour analysis and "heuristics" are different things.

    "Heuristics", as I understand it, is a passive scan.
    The scanner uses its own internal logic to scan a file and see if it thinks it's a virus, instead of checking a file against a signature database.

    I don't know what "active heuristics" is or how it would be different to my definition though.
     
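The distinction drawn in the post above (signature lookup versus a passive heuristic that reasons about the file's bytes without running it), together with the low/medium/high detection-rate levels from the Avira command-line usage quoted earlier in the thread, as a small added example. This is illustration code written for this page, not code from VirusTotal, Avira or Eset: the samples are constructed in the script (no real malware), the "signature database" is a hash table built from one of those samples, the two static indicators (entropy and a few Windows API name strings) and the per-level score thresholds are assumptions chosen for the example, not any vendor's actual rules.

```python
import hashlib
import math
import random
from collections import Counter
from typing import Optional

# --- Constructed samples (built here for the example; not real malware) ---
_rng = random.Random(2009)  # fixed seed so the samples are reproducible
_RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))

# A "known bad" file: PE-like MZ header, two Windows API names often seen in
# downloaders, then a high-entropy body standing in for packed code.
KNOWN_BAD = b"MZ" + b"\x90" * 64 + b"URLDownloadToFileA\x00WinExec\x00" + _RANDOM_BLOB
# The same file with a single byte flipped: enough to defeat a hash signature.
VARIANT = KNOWN_BAD[:100] + bytes([KNOWN_BAD[100] ^ 0xFF]) + KNOWN_BAD[101:]
# A harmless text file, and a plain random blob (think encrypted archive) whose
# only "suspicious" property is its entropy.
BENIGN = b"Hello, this is a plain text file.\n" * 100
PACKED_ONLY = _RANDOM_BLOB

# Signature database: exact SHA-256 of files the "vendor" has already seen.
SIG_DB = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Constructed.Downloader.A"}


def signature_scan(data: bytes, sig_db: dict) -> Optional[str]:
    """Signature matching: look the file's hash up in the database.
    Any byte-level change to the file gives a different hash and a miss."""
    return sig_db.get(hashlib.sha256(data).hexdigest())


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Strings whose presence raises the suspicion score. A real engine has far
# more (and smarter) rules; these three are assumed for the example.
SUSPICIOUS_STRINGS = (b"URLDownloadToFileA", b"WinExec", b"CreateRemoteThread")

# Minimum score needed to flag a file, keyed by detection level 1..3, in the
# spirit of the Avira -heuristic low/medium/high options. The numbers are an
# assumption of this example: a higher level flags more, including more
# false positives (see PACKED_ONLY below).
THRESHOLDS = {1: 3, 2: 2, 3: 1}


def heuristic_scan(data: bytes, level: int = 2):
    """Passive heuristic: inspect the bytes without executing anything and
    add up a score from static indicators. Returns (flagged, score, reasons)."""
    score, reasons = 0, []
    entropy = shannon_entropy(data)
    if entropy > 7.0:  # packed or encrypted content
        score += 2
        reasons.append(f"high entropy {entropy:.2f}")
    for needle in SUSPICIOUS_STRINGS:
        if needle in data:
            score += 1
            reasons.append(f"contains {needle.decode()}")
    return score >= THRESHOLDS[level], score, reasons


def scan(data: bytes, level: int = 2, sig_db: dict = SIG_DB) -> dict:
    """Run both stages the way a static command-line scanner would."""
    sig_hit = signature_scan(data, sig_db)
    flagged, score, reasons = heuristic_scan(data, level)
    return {"signature": sig_hit, "heuristic": flagged, "score": score, "reasons": reasons}


if __name__ == "__main__":
    for name, sample in [("known_bad", KNOWN_BAD), ("variant", VARIANT),
                         ("benign", BENIGN), ("packed_only", PACKED_ONLY)]:
        for level in (1, 3):
            print(f"{name:12s} level {level}: {scan(sample, level)}")
```

Running it shows the trade-off the thread is circling: the one-byte variant slips past the signature lookup but keeps the same heuristic score as the original, while the random blob is clean at level 1 and flagged at level 3 on entropy alone. None of this involves executing the sample, which is the "passive" part; a behaviour-analysis component would need the file actually run in a sandbox, which is exactly what a command-line scanner invoked on a file does not do.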
  8. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    176
    Location:
    Czech Republic
    You would need each AV to run in its own VM box with maximal settings to fully and deeply analyze a suspicious file ...

    I already saw some such projects ...
     