How to convince Virus Analysts at Kaspersky labs for addition of a detection?

Discussion in 'other anti-virus software' started by xpsunny, Jan 18, 2009.

Thread Status:
Not open for further replies.
  1. xpsunny

    xpsunny Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    163
    Hi,

    How to convince Virus Analysts at Kaspersky labs about addition of detection? I have many malware samples, which have 0/39~~5/39 detection by Virustotal. Well, first of all I thought they may be false positives, so I sent it to threat experts and concluded that they are malicious. For example I have an online game installer, besides the game it also silently downloads and installs Casino.Adware, Malicious ActiveX, etc.

    So I sent the {installer+the downloaded components} to the labs..they said it's all clean!!!...lol....

    Many of the real malicious samples I send to the Kaspersky lab are considered as "clean".....how to convince KL for addition to the detection bases?
     
  2. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    convince?

    if they have checked it, and say it's clean.... that's all you will get.

    there is no convincing, zero chance. :rolleyes:
     
  3. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    Send the samples to other vendors and forward the details of said reports to Kaspersky.
     
  4. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    504
    This happened to me 3-4 times with Avira & Kaspersky. With Avira I posted on their forum telling the "incident number" & with Kaspersky send another email with more details if you are convinced it is malware.
     
  5. xpsunny

    xpsunny Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    163
    Although I forward it with the ThreatExpert detailed analysis report...it shows no effect!!!

    Take a look here for the malware sample report, "assumed" as clean by KL...

    ~Copyrighted information removed.~ - Ron~

    And take a look at this one...it's the malware I was talking about in Post#1
     
    Last edited by a moderator: Jan 18, 2009
  6. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
  7. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Happens to me and SSR as well. They don't really have time to deeply analyze everything you send them.

    I believe that sample submission should be based on reputation. If you are a known and highly regular submitter, your samples should have top priority.

    Or, I guess that you could release the malware into the wild ... because most AVs have 100% ITW detection, right?

    Oh, Kaspersky failed the last VB100 though :(
     
  8. xpsunny

    xpsunny Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    163

    Chill Man! No need to further provoke a settled down discussion...

    The malware I sent were truly malicious, but unfortunately posting the threatexpert reports (as proof) is against the forum rules...
     
    Last edited: Jan 18, 2009
  9. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    oh please, you're using threat expert to analyze a sample. :rolleyes:

    if they have actually taken the time to check your sample, and to take the time to tell you it's clean....

    what's your beef? o_O

    sure, they may have made a mistake (doubt it)

    but I'd take Kaspersky's analysts any day over a Threat Expert self-analysis.
     
  10. xpsunny

    xpsunny Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    163
    @ Baz_kasp and C.S.J

    STOP IRRITATING ME!
     
  11. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    lol I wasn't intending on irritating you,

    you sent, they analyzed, no virus.

    you ain't happy because they tell you it's not a virus? :rolleyes:

    using a free automated analysis tool does not and will never ever make you an analyst, these people do this for a living, it's their profession.

    if you're looking for sympathy, wrong place my friend. :blink:
     
  12. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Ok, I'm sorry, however the only thing the 3 installers downloaded were jpeg images. Just clean, E rated jpeg emoticons.
     
  13. xpsunny

    xpsunny Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    163
    As I PMed you before, those are only a few samples....are you SURE you tested the game installer? Just send the "casino.exe" file to VT, and then see the results...

    BTW: Why don't you post VT links here about the three files....
     
  14. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Maybe you are a bit overfocused, like C.S.J says, the Kaspersky Lab analyzers do this for a living, it's their profession. Therefore your samples are rated by them as being clean, and you never will be able to convince them of the contrary. Nobody likes FPs ;)
     
  15. icr

    icr Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    1,589
    Location:
    UK
    Happened to me once with KIS 09, the keygen of a game was flagged as keylogger :ninja:
     
  16. xpsunny

    xpsunny Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    163
    VT links are removed....lol...
     
  17. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    Please show some maturity and act like an adult even IF you aren't one.

    1) VT is not the end all answer.
    2) It is against forum policy to post complete VT results and will result in a Wilders staff snipping your post. Surely you know this by now.

    Again, if you feel that your samples are truly malicious send them to other companies for diagnosis instead of trying to rally a mob.
     
  18. xpsunny

    xpsunny Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    163
    Request to the moderators: Since I am the OP I request to delete this thread, cuz I don't care if Kaspersky does not detect them...

    The samples now have approx. 15/39 VT detection....
     
  19. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    For two reasons:

    1. Reports from Virus Total are not proof that a specific file is malware. It just says that some products detect it as malware. (A specific sample might simply match some simple or generic signatures in some or even many products. But by-hand analysis by professional virus analysts in a lab like KAV's is far more likely to be accurate to a specific file.)

    2. Because of the above and other reasons, it is against our policy to post VT logs (and has been for a long time):

    Announcements: Policy Regarding the Posting of Jotti/Virus Total Results

    Your posts with VT result links have been removed.

    This thread is going nowhere. KAV labs analysts are among the best in the world. While they may be mistaken, it is unlikely. If they are, well, so be it. You are not a virus analyst expert so you are not going to prove that any specific file is really malicious, and certainly not by posting results from scanners or automated analysis tools.

    Thread closed.
     