Jottis Dilemma Question ?

Evening All,

I saw this thread a little earlier on, and was going to respond, but as expected the poster was told of the TOS regarding HJT logs.

help! trojan infestation?

~snipped link to hjt log~ - since HJT logs are now removed here shortly after they are locked, there's no sense in posting a link to one as it would no longer be viewable - snap

I noticed a few dodgy things in there including this entry.

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - hxxp://www.popcap.com/games/popcaploader_v6.cab

Out of interest i clicked on it and my Zip App downloaded this into a Temp file

http://img169.imageshack.us/img169/8559/zippop19mm.png

I unzipped it and put it a new folder along with something else to scan at the same time, re zipped the whole folder, and uploaded to Jottis as random name cfd.zip, and back came these results, in which the other file doesn't show

http://img169.imageshack.us/img169/1459/jpopcap17qo.png

These are all the AV's that are used on Jottis

http://img169.imageshack.us/img169/2615/jav16na.png

My question then is this. If all these AV's are used on Jottis to scan an uploaded file, then apart from FP's and brand new Viruses etc, how come all the AV's don't pick up on known files that have been scanned before, and must be in their databases at Jottis, if as it states on the main page. ( Viruses uploaded here will be distributed to antivirus vendors without exception )

http://virusscan.jotti.org/

Maybe i'm missing something, or they are ?

TIA


StevieO

 

The thing to keep in mind is that just because Jotti sends companies new malware does it also mean the AV company will automatically add them.
We have seen instances where people send legitimate malware to AV companies and they add it weeks later (or never).

 

This particular dll is a false positive. The vendor complained about the file being detected by AVs so most of them removed detection. If an application downloads some data from the web (let's say updates) it shouldn't be classified as malware just because of this. I can't tell right now what it actually downloads but I remember it was found clean.

 

As far as i can remember, PopCap is an arcade games developer who created games like well known Bejeweled. But don't know what that file suppose to be...

 

I thought that those detections were already among "riskware". So why a FP?

Best regards,
Firefighter!

 

Yes, NOD32 used to detect it, but we removed detection after receiving a complaint from the vendor. Of course, a thorough analysis of the file was made to make sure it's not actually malicious nor risky.

 

Hi All,

Thanks for the responses and answers.

I didn't realise that they had asked for it's reclassification.

Marcos it's good to hear that it was properly checked out for nastyness.

The point that Firefighter makes is a valid one though, "riskware". So why a FP?

VikingStorm i find it incredible that, AV companies add it weeks later (or never).

That's kind of why i started this thread in a way, as i have noticed Very often how many discrepancies there are between vendors on Jottis. I mean not now and then, but i would say 99% of the time ! I have wondered about it before, but just overlooked it as just one of those things. Not any more though, as this time it really got me thinking !

Maybe things might improve from now on ? Hope so anyway. But i do appreciate having the service available, and also the AV companys participation in it. As it has, and continues to provide a very useful tool to be able to access, which has proved it's worth on may occasions.

StevieO

 

This has been my experience too. I regularly send suspect files to kaspersky that are detected by other scanners. I then keep a copy of all files sent and monitor them. Sometimes I get a response and they are added within a few hours (and then detected), and other times I receive no response only to find they are subsequently detected weeks or even months later. The lack of consistancy is sometimes confusing. I can only put it down to resources and them concentrating on adding the most high risk stuff first.

Ned

 

I have asked before, and have yet to receive a definitive answer to this question. Are there any set standards for what will or will not be tested, and if so who sets the standards, and if not why not?

Thanks
Wildman