Ewido monster update

Discussion in 'other anti-trojan software' started by TopperID, May 27, 2005.

Thread Status:
Not open for further replies.
  1. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The Ewido database went from 115,000 sigs to 150,000 sigs today.

    Does anyone know what this was about?

    New categories of malware covered perhaps - or was it just 'traces'?
     
  2. chaos16

    chaos16 Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,004
    Yep, the update was much bigger than normal; it was half a MB.

    I am happy that it's gone so high.

    lololol
     
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I wish vendors would explain these kinds of jumps and what is actually in their database. I don't think it is credible to have this kind of jump without some explanation. Feels more like a sales/marketing induced jump as opposed to a real increase in security. I prefer simple and understandable so I know where I am protected and where I am not. Thus my preference for products like ProcessGuard, with which I know exactly the kind of protection I am getting.

    Ewido's new database size feels suspicious to me - as does the size of many other databases. Right now, KAV is probably the gold standard to measure by. It measures at around 131,000 in its supersecure database - which includes riskware (that is, not all entries are necessarily viruses/trojans/spyware).

    Rich
     
  4. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    I trust in ewido!!!

    They are a great company, have excellent support and work a lot to improve their products...
     
  5. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    It is wise to not be so quick to trust :rolleyes:
     
  6. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    The new signatures are mostly from a new malware collection update. No registry traces etc. :)
     
  7. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Nice to know, fish, thanks.
     
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks fish.

    Rich
     
  9. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    35,000 in one day? I'm not saying it can't be done, but I find it very hard to believe. Ewido normally achieves 100 a day or less. Then 35,000 in one day. Maths has never been my strong point, but the numbers seem a bit high. Any chance of some enlightenment?

    muf
     
  10. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    Is reading a bit of a problem? :)

    From Ewido's Golden Fish: The new signatures are mostly from a new malware collection update. No registry traces etc.

    So: a collection that was added... and that can be anything from 1 to several million.
     
  11. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    I do not mean to hijack this thread however...

    I just tried to dl ewido from their site. The exe downloads, but when it does, it is not correct.

    It looks like a batch file vs an exe. What can be causing this? Is their dl corrupted?
     
  12. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Are you using NOD? ;)
     
  13. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    I had the same problem Jaguar and had no idea what was causing it, and yes I do use NOD32. I ended up getting it from download.com, worked fine then.
     
  14. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Yes I am a registered NOD32 user. ;)
     
  15. For all those people who still wonder about the reasons for signature creation ... ;-)

    "Letters: Generic detection - a specific case

    Peter Morley
    McAfee, UK

    Published in Virus Bulletin: December 2004
    By: Peter Morley - McAfee, UK

    This subject has effectively been glossed over for some 10 years. One reason is that anti-virus researchers who could write about it have been slightly scared to do so, lest the information be of value to competition. I feel I can risk it now.

    McAfee received (from Andreas Clementi of the University of Innsbruck) a collection of some 1,350 *.HTM files. These are text files. Any of our customers can look at the contents. The files are mostly from virus/Trojan writing groups, although some are from AV experts, about virus/Trojan authors and their techniques, backgrounds and attitudes.

    Should we detect these files, for any reason other than the fact that we may be reviewed against them? I took a good look. My conclusions may surprise you.

    Some 340 of the files are ones we should certainly not detect. These include:
    An interview with Dr Alan Solomon, by virus author Dark Fiber.
    A report of the death of an Australian virus author.
    The well reported interview with Dark Avenger by AV researcher Sarah Gordon.
    Innocent (and valid!) expressions of opinion by people in the AV industry.
    However, we should detect most of the others, nearly all of which were written to educate and inform virus authors. There are three more reasons:
    IT Managers like to know if this type of material is residing on any of their machines.
    Internet companies which pass high message volumes like to know if they are being used for malware group communication.
    Detection will inconvenience the malware groups, and make them slightly less productive.
    Initially I decided to write the detections so that reviewers could use them, and to make them available for general use later if we decided to do so. The files will, of course, be detected as applications, not as viruses or Trojans.

    So, I had just over 1,000 detections to write, and they needed to be written efficiently. They had to be generic, in order to minimise the workload. I could see it was easy, because the files contained lots of very strong detection strings, many of which occurred in more than one file.

    The generic technique used was simple: where a detection string occurs in more than one file, search for it in a slightly extended area, rather than at a specific offset. Do this so that all files containing that string are detected by a single search.

    The bad news? Well, the 1,340 files came in a collection of 13,500 files of virus-associated material. I still need to look at those. No doubt, the question of whether virus or Trojan source code should be detected will raise its ugly head once more!

    Peter Morley, McAfee, UK"
     
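The "slightly extended area" search Morley describes, as an added Python example that is not part of the thread, the letter or any McAfee code: constructed sample files share one training-text phrase at different offsets, a classic fixed-offset signature covers only the file it was written from, and the generic form covers every file containing the string while still missing a file from the should-not-detect set. WINDOW, the margin and the sample text are assumptions made for the demo.

```python
from collections import Counter
from dataclasses import dataclass
WINDOW = 24  # candidate string length in bytes (constructed choice for this demo)

# Constructed sample "files", not real samples. The same lesson text sits at a
# different offset in each tutorial because the HTML preamble differs; the
# interview stands in for the files the letter says must NOT be detected.
DETECT = {
    "tut_a.htm": b"<html><body>Lesson 3: infecting the EXE header of a host program</body></html>",
    "tut_b.htm": b"<html><head><title>vx</title></head><body>Lesson 3: infecting the EXE header of a host program</body>",
    "tut_c.htm": b"<HTML>\n<BODY>\n<P>Lesson 3: infecting the EXE header of a host program</P>",
}
CLEAN = {
    "interview.htm": b"<html><body>Interview with an AV researcher about virus authors</body></html>",
}

@dataclass(frozen=True)
class Signature:
    string: bytes
    start: int  # first byte of the search area
    end: int    # one past the last byte of the search area

    def matches(self, data: bytes) -> bool:
        return self.string in data[self.start:self.end]

def windows(data: bytes) -> set:
    return {data[i:i + WINDOW] for i in range(len(data) - WINDOW + 1)}

def shared_strings(detect: dict, clean: dict) -> list:
    """Strings in more than one file to detect and in no clean file, best first."""
    counts = Counter(w for d in detect.values() for w in windows(d))
    clean_w = set().union(*(windows(d) for d in clean.values()))
    cands = [(n, w) for w, n in counts.items() if n > 1 and w not in clean_w]
    return [w for n, w in sorted(cands, key=lambda t: (-t[0], t[1]))]

def exact_signature(string: bytes, data: bytes) -> Signature:
    """Classic per-file signature: the string must sit at one fixed offset."""
    off = data.find(string)
    return Signature(string, off, off + len(string))

def generic_signature(string: bytes, detect: dict, margin: int = 8) -> Signature:
    """Morley's generic form: one search over an area extended to cover every
    offset at which the string was observed, plus a small margin either side."""
    offsets = [d.find(string) for d in detect.values() if string in d]
    return Signature(string, max(0, min(offsets) - margin),
                     max(offsets) + len(string) + margin)

def coverage(sig: Signature, files: dict) -> set:
    return {name for name, data in files.items() if sig.matches(data)}
```

Running `coverage(generic_signature(s, DETECT), DETECT)` for the top shared string `s` shows one signature covering all three tutorials, which is the workload saving the letter is after.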
  16. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    :) this could be a general question imo ..
     
  17. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    suspended post
     
    Last edited: May 29, 2005
  18. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA