F-secure using Norman sigs as well as KAV?

Discussion in 'other anti-virus software' started by jlo, Feb 20, 2007.

Thread Status:
Not open for further replies.
  1. jlo

    jlo Registered Member

    Joined: Nov 29, 2004 | Posts: 475 | Location: UK

    Hi All,

    I have noticed this a few times when submitting stuff on VirusTotal that F-Secure seem to be using Norman signatures as well as KAV, although in this screenshot it could be Norman heuristics, which I know some of the technology is carried over into F-Secure, although I have seen it with signatures as well?

    Cheers

    Jlo


    F-Secure 6.70.13030.0 02.20.2007 W32/NetworkWorm.MT
    Ikarus T3.1.0.31 02.20.2007 BehavesLikeWin32.AV-Killer
    Kaspersky 4.0.2.24 02.20.2007 no virus found
    McAfee 4967 02.20.2007 no virus found
    Microsoft 1.2204 02.20.2007 no virus found
    NOD32v2 2072 02.20.2007 probably unknown NewHeur_PE virus
    Norman 5.80.02 02.20.2007 W32/NetworkWorm.MT
    Panda 9.0.0.4 02.20.2007 Suspicious file
     
  2. trjam

    trjam Registered Member

    Joined: Aug 18, 2006 | Posts: 9,057 | Location: North Carolina

    I know they use the Norman firewall, which is right now a problem for me. If it were not for my updating issues I would say they can't be touched as the best suite out there. But I don't see how that integrates into AV detection.
     
  3. IBK

    IBK AV Expert

    Joined: Dec 22, 2003 | Posts: 1,819 | Location: Innsbruck (Austria)

    It is the Pegasus (Norman) AV scan engine in F-Secure.
     
  4. jlo

    jlo Registered Member

    Joined: Nov 29, 2004 | Posts: 475 | Location: UK

    Thanks for the clarification IBK.

    Kind Regards

    Jlo
     
  5. Tweakie

    Tweakie Registered Member

    Joined: Feb 28, 2004 | Posts: 90 | Location: E.U.

    - W32/Malware, W32/NetworkWorm, W32/Dialer, W32/FileInfector, W32/Backdoor and W32/Downloader (and probably others) are heuristic detections performed by the sandbox, based on "wide" behavioral patterns.

    - [whatever].dropper is a signature detection performed on a file that has been created inside the sandbox by the scanned sample.

    - [whatever].Gen can be either generic detections of the regular scanning engine or generic detections of variants of widespread families (e.g. spybot.gen) performed through the Sandbox. For me, it is not clear whether the latter are based on the actual behavior (i.e. how it alters the sandbox) of the malware, if the sandbox is mainly used as a "generic unpacker" (unlikely), or if it is something else.

    - There are now new kinds of detections, named W32/[sandboxdetectionname].PostFix, that appear in the list of newly added signatures. The detection you mentioned belongs to this category. Apparently, they are produced by the sandbox. I wonder if this means that they decided to automate the use of spybot.gen-like signatures to less widespread families. And we'll have to wait until the next AV-Comparatives retrospective test to know if it brings any significant improvement...
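
The naming categories described in the post above, applied to the scan lines quoted in the first post, as an added example that is not part of the original thread. The function names and category labels are assumptions made for illustration; the categories follow the poster's description, not a vendor-documented scheme.

```python
import re
from collections import defaultdict

# Sandbox heuristic names listed in the post (which says "probably others").
SANDBOX_FAMILIES = {"Malware", "NetworkWorm", "Dialer", "FileInfector",
                    "Backdoor", "Downloader"}

# Scan lines copied from the first post: engine, version, update date, verdict.
SAMPLE = """\
F-Secure 6.70.13030.0 02.20.2007 W32/NetworkWorm.MT
Ikarus T3.1.0.31 02.20.2007 BehavesLikeWin32.AV-Killer
Kaspersky 4.0.2.24 02.20.2007 no virus found
McAfee 4967 02.20.2007 no virus found
Microsoft 1.2204 02.20.2007 no virus found
NOD32v2 2072 02.20.2007 probably unknown NewHeur_PE virus
Norman 5.80.02 02.20.2007 W32/NetworkWorm.MT
Panda 9.0.0.4 02.20.2007 Suspicious file
"""
LINE_RE = re.compile(r"(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)")
NAME_RE = re.compile(r"(?:(\w+)/)?([^.]+)(?:\.(.+))?")  # platform/family.suffix

def parse_results(text):
    """Map each engine to its verdict string."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            results[m.group(1)] = m.group(4).strip()
    return results

def shared_detections(results):
    """Identical detection names reported by more than one engine,
    a hint (not proof) that the products share a scan engine."""
    by_name = defaultdict(list)
    for engine, verdict in results.items():
        if verdict.lower() != "no virus found":
            by_name[verdict].append(engine)
    return {n: sorted(e) for n, e in by_name.items() if len(e) > 1}

def classify(name):
    """Label a detection name using the categories from the post."""
    m = NAME_RE.fullmatch(name)
    if not m:
        return "other"
    _, family, suffix = m.groups()
    if suffix and suffix.lower() == "dropper":
        return "dropper signature"      # file created inside the sandbox
    if suffix and suffix.lower() == "gen":
        return "generic"                # regular engine or sandbox
    if family in SANDBOX_FAMILIES:      # W32/[sandboxdetectionname][.PostFix]
        return "sandbox postfix" if suffix else "sandbox heuristic"
    return "other"
```
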
     
  6. TonyW

    TonyW Registered Member

    Joined: Oct 12, 2005 | Posts: 2,635 | Location: UK

    Their firewall is a bit of a strange one as discussed here.
     