Jotti's Dilemma Question?

Discussion in 'other anti-virus software' started by StevieO, Nov 22, 2005.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Guest

    Evening All,

    I saw this thread a little earlier on, and was going to respond, but as expected the poster was told of the TOS regarding HJT logs.

    help! trojan infestation?

    ~snipped link to hjt log~ - since HJT logs are now removed here shortly after they are locked, there's no sense in posting a link to one as it would no longer be viewable - snap

    I noticed a few dodgy things in there including this entry.

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - hxxp://www.popcap.com/games/popcaploader_v6.cab

    Out of interest I clicked on it, and my Zip app downloaded this into a temp file:

    http://img169.imageshack.us/img169/8559/zippop19mm.png

    I unzipped it and put it in a new folder along with something else to scan at the same time, re-zipped the whole folder, and uploaded it to Jotti's under the random name cfd.zip. Back came these results, in which the other file doesn't show:

    http://img169.imageshack.us/img169/1459/jpopcap17qo.png

    These are all the AVs that are used on Jotti's:

    http://img169.imageshack.us/img169/2615/jav16na.png

    My question then is this. If all these AVs are used on Jotti's to scan an uploaded file, then apart from FPs and brand new viruses etc., how come all the AVs don't pick up on known files that have been scanned before, and must be in their databases at Jotti's, if, as it states on the main page, "Viruses uploaded here will be distributed to antivirus vendors without exception"?

    http://virusscan.jotti.org/

    Maybe I'm missing something, or they are?

    TIA


    StevieO
     
    Last edited by a moderator: Nov 26, 2005
  2. VikingStorm

    VikingStorm Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    387
    The thing to keep in mind is that just because Jotti sends companies new malware doesn't mean the AV company will automatically add it.
    We have seen instances where people send legitimate malware to AV companies and they add it weeks later (or never).
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    This particular DLL is a false positive. The vendor complained about the file being detected by AVs, so most of them removed detection. If an application downloads some data from the web (let's say updates), it shouldn't be classified as malware just because of this. I can't tell right now what it actually downloads, but I remember it was found clean.
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    As far as I can remember, PopCap is an arcade games developer who created well-known games like Bejeweled. But I don't know what that file is supposed to be...
     
  5. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    I thought that those detections were already among "riskware". So why a FP?

    Best regards,
    Firefighter!
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    Yes, NOD32 used to detect it, but we removed detection after receiving a complaint from the vendor. Of course, a thorough analysis of the file was made to make sure it's not actually malicious nor risky.
     
  7. StevieO

    StevieO Guest

    Hi All,

    Thanks for the responses and answers.

    I didn't realise that they had asked for its reclassification.

    Marcos, it's good to hear that it was properly checked out for nastiness.

    The point that Firefighter makes is a valid one though, "riskware". So why a FP?

    VikingStorm, I find it incredible that AV companies add it weeks later (or never).

    That's kind of why I started this thread in a way, as I have noticed very often how many discrepancies there are between vendors on Jotti's. I mean not now and then, but I would say 99% of the time! I have wondered about it before, but just overlooked it as one of those things. Not any more though, as this time it really got me thinking!

    Maybe things might improve from now on? Hope so anyway. But I do appreciate having the service available, and also the AV companies' participation in it, as it has provided, and continues to provide, a very useful tool to be able to access, which has proved its worth on many occasions.

    StevieO
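The vendor discrepancies discussed in this thread are what a defender reads off a multi-engine report every day. As an added example (not code from the thread or from Jotti), here is a small scorer that separates broad consensus from a single-engine hit or a riskware-only name; engine names, verdict strings and thresholds are constructed.

```python
# Added example, not from the thread: score a multi-engine scan report the way a
# defender reads a Jotti-style result. Engine names and verdicts are constructed.
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample modelled on the thread's case: a downloader component that a
# couple of engines still flag while most have dropped detection after vendor review.
SAMPLE_REPORT: Dict[str, Optional[str]] = {
    "EngineA": None,
    "EngineB": "not-a-virus:Downloader.PopCapLoader",  # riskware-style naming
    "EngineC": None,
    "EngineD": "Trojan.Downloader.Generic",
    "EngineE": None,
    "EngineF": None,
    "EngineG": None,
}

# Substrings vendors commonly use for "not malware, but policy-relevant" names.
RISKWARE_MARKERS = ("not-a-virus", "riskware", "pua", "adware", "joke", "hacktool")


@dataclass
class Verdict:
    detections: int
    engines: int
    ratio: float
    riskware_only: bool
    label: str


def classify(report: Dict[str, Optional[str]],
             consensus: float = 0.5, noise: int = 2) -> Verdict:
    """None means the engine reported the file clean. Riskware-style names count
    as detections but are tracked separately: a file that only trips such
    signatures is a policy question, not a malware verdict."""
    hits = {e: n for e, n in report.items() if n}
    ratio = len(hits) / len(report) if report else 0.0
    riskware_only = bool(hits) and all(
        any(m in n.lower() for m in RISKWARE_MARKERS) for n in hits.values())
    if not hits:
        label = "clean"
    elif ratio >= consensus:
        label = "consensus-malicious"
    elif riskware_only:
        label = "riskware-only"
    elif len(hits) <= noise:
        label = "low-agreement"  # candidate false positive: verify before acting
    else:
        label = "disputed"
    return Verdict(len(hits), len(report), round(ratio, 3), riskware_only, label)
```

Run `classify(SAMPLE_REPORT)` to see the thread's case land as "low-agreement" (2 of 7 engines), which is the bucket to double-check against vendor feedback rather than treat as a confirmed detection.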
     
  8. Ned Slider

    Ned Slider Registered Member

    Joined:
    Mar 24, 2005
    Posts:
    169
    This has been my experience too. I regularly send suspect files to Kaspersky that are detected by other scanners. I then keep a copy of all files sent and monitor them. Sometimes I get a response and they are added within a few hours (and then detected), and other times I receive no response, only to find they are subsequently detected weeks or even months later. The lack of consistency is sometimes confusing. I can only put it down to resources and them concentrating on adding the most high-risk stuff first.

    Ned
     
  9. wildman

    wildman Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    2,179
    Location:
    Home on the range.
    o_O I have asked before, and have yet to receive a definitive answer to this question. Are there any set standards for what will or will not be tested, and if so who sets the standards, and if not why not?

    Thanks
    Wildman
    o_O :doubt:
     