kav misses 2 trojans that drweb finds..?

Discussion in 'other anti-virus software' started by tahoma, Nov 19, 2003.

Thread Status:
Not open for further replies.
  1. tahoma

    tahoma Registered Member

    Joined:
    May 31, 2003
    Posts:
    228
    Twice in the last 2 weeks my DrWeb has picked up trojans in files that KAV says are clean. I don't remember what the first one was called, but the one I got today DrWeb identified as Trojan.MulDrop.310. Note that both were positively identified by DrWeb and not 'probably blah blah'.

    I'm well aware of DrWeb's false positives, but the falses are usually identified as something with 'probably'.

    Anyhow, since KAV declared this file clean I decided it probably was (it usually is) and unrared it, and everything went wild and after a while the PC froze (don't know if that was related to the possible trojan). Several reboots later things were working again and the computer was clean. Not sure exactly what happened, but something kept the PC busy at bootup (DrWeb cleaning up??) and the computer locked.

    In the end things worked as usual and I did a full scan with both DrWeb and KAV and everything was clean. Nothing in the DrWeb logs either (maybe because I turned off the power when it hung?).

    Anyhow, I don't know what my point is by telling this story, but it's made me trust DrWeb more than I trust KAV... I guess.

    I've also noticed DrWeb having very frequent updates lately (like up to 6 updated definitions per day).

    I guess I just want your comments on this, if you have any.

    Thanks
     
  2. Igor K.

    Igor K. AV Expert

    Joined:
    Feb 5, 2003
    Posts:
    26
    Location:
    Moscow
    Hello, Tahoma!

    KAV releases updates for new viruses rather quickly; if you send in those new viruses (if they indeed are new and not DrWeb falses) they will be added to the next update within several hours and you will be able to check your system with KAV Scanner. It would be great if you could put them in an archive with a password and send them to support@kaspersky.com

    Sincerely,

    Igor

    KL H.Q.
    Moscow, Russia
     
  3. tahoma

    tahoma Registered Member

    Joined:
    May 31, 2003
    Posts:
    228
    Hey, thanks for the reply.

    I've spent the last hour looking online for the file I downloaded, without success. So I'm sorry I can't send it :(
     
  4. Barney

    Barney Registered Member

    Joined:
    Jun 17, 2003
    Posts:
    119
    I have found that DRWEB almost 99% of the time is accurate unless they specifically state "Probably a _____ virus". When they use the word "Probably", I do question it and double check it with KAV. But DRWEB is an EXCELLENT antivirus, the best in my opinion. If it flat out states that it has found a specific virus, I absolutely trust it and delete/cure the file. Out of curiosity, I still double check it with KAV. This whole "False Positive" assumption has really gotten out of hand. Very rarely, I do get one, but it will specifically use the word "Probably". Then and only then do I double check it.

    Barney
     
  5. tahoma

    tahoma Registered Member

    Joined:
    May 31, 2003
    Posts:
    228
    Barney, that's my exact approach too. I even like the false positives (HijackThis is one); HijackThis isn't malware, but it's capable of changing homepages, setting stuff to run at startup and modifying various system settings, so I actually agree with DrWeb that it is potential malware if used the wrong way (but HijackThis is an excellent little freebie though, don't get me wrong, it's pure goodness).

    On another note, I've identified the trojan I had as this one http://www.sophos.com/virusinfo/analyses/trojgraybirda.html (or a mutation of this one); like I said, DrWeb calls it something else (scroll upwards).
     
  6. Barney

    Barney Registered Member

    Joined:
    Jun 17, 2003
    Posts:
    119
    Very true Tahoma. False positives indicate to me that a specific program has "virus" similarities that require possible attention. I occasionally see these latest and greatest freeware programs thought to be harmless and later found to be trojan horses. DRWEB is ahead of the game and labels these as possible viruses or trojans. I find it to be a valuable asset to DRWEB.

    Barney
     
  7. tahoma

    tahoma Registered Member

    Joined:
    May 31, 2003
    Posts:
    228
    Someone ought to make a DrWeb+KAV dual scanner. I'd buy that right away.
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Barney,

    For sure double checking is the way to go; no doubt about that.

    As for false positives: "flat out positives" as you call them have been proven false positives (due to strong heuristics) on many, many occasions - we have received hundreds of emails from Dr.Web users who actually crippled their system by deleting perfectly sound files that way. On one of our test systems we have been able to verify this in the past.

    Bottom line: Dr.Web surely belongs to the top notch antivirus range, but should be handled with the utmost care, and by no means by the "average Joe" = 99% of PC users.

    regards,

    paul
     
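The double-checking discussed in the posts above (a "probably" verdict treated as a guess, a flat-out verdict still not trusted enough to delete on the spot, disagreement between engines as the trigger for sending a sample in) can be written down as a small policy. The script below is an added example for this thread, not code from Dr.Web, Kaspersky or any forum member; the report line formats, the two regular expressions, the file names and the malware names are all constructed and must be adapted to what your scanners actually print.

```python
"""Reconcile verdicts from two on-demand scanners before touching a file.

Added example for this thread, not code from Dr.Web, Kaspersky or the forum.
The report line formats, file names and malware names below are constructed;
adapt the two regular expressions to what your scanners actually print.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Words a heuristic engine uses to say "this looks like" rather than
# "this is".  Assumption: any of these marks the verdict as a guess.
HEURISTIC_MARKERS = ("probably", "possibly", "suspicious", "modification of")

# Hypothetical report formats (constructed for this example):
#   engine A:  C:\dl\x.exe - infected with Trojan.MulDrop.310
#              C:\dl\y.exe - probably BACKDOOR.Trojan
#   engine B:  C:\dl\x.exe   ok
#              C:\dl\y.exe   infected: Backdoor.Win32.Example.a
DRWEB_RE = re.compile(r"^(?P<path>.+?) - (?P<verdict>.+)$")
KAV_RE = re.compile(r"^(?P<path>.+?)\s{2,}(?P<verdict>ok|infected: .+)$")


@dataclass
class Verdict:
    engine: str
    level: str  # "clean", "heuristic" or "definite"
    name: str   # malware name as printed, empty when clean


def classify(verdict_text: str) -> tuple[str, str]:
    """Map one raw verdict string to (level, name)."""
    text = verdict_text.strip()
    low = text.lower()
    if low in ("ok", "clean"):
        return "clean", ""
    if any(marker in low for marker in HEURISTIC_MARKERS):
        return "heuristic", text
    return "definite", text


def parse_report(engine: str, lines: list[str], pattern: re.Pattern) -> dict[str, Verdict]:
    """Turn report lines into {normalised path: Verdict}; lines that do not
    match (banners, summaries, blanks) are skipped."""
    result = {}
    for line in lines:
        m = pattern.match(line.strip())
        if not m:
            continue
        level, name = classify(m.group("verdict"))
        # Windows paths are case-insensitive, so key on the lowercased path.
        result[m.group("path").lower()] = Verdict(engine, level, name)
    return result


def decide(verdicts: list[Verdict]) -> tuple[str, bool]:
    """Policy:
      - any engine reports a definite (signature) hit -> quarantine, do not delete
      - only heuristic hits                          -> keep isolated, submit sample
      - every engine says clean                      -> allow
    The second value flags disagreement between engines, which is exactly the
    case where a sample should go to the vendor that missed it.
    """
    levels = [v.level for v in verdicts]
    if "definite" in levels:
        action = "quarantine"
    elif "heuristic" in levels:
        action = "submit"
    else:
        action = "allow"
    return action, len(set(levels)) > 1


def reconcile(drweb_lines: list[str], kav_lines: list[str]) -> dict[str, tuple[str, bool, list[Verdict]]]:
    """Merge both reports per file and attach the policy decision."""
    by_path: dict[str, list[Verdict]] = defaultdict(list)
    for engine, lines, pattern in (("drweb", drweb_lines, DRWEB_RE), ("kav", kav_lines, KAV_RE)):
        for path, verdict in parse_report(engine, lines, pattern).items():
            by_path[path].append(verdict)
    return {path: (*decide(vs), vs) for path, vs in by_path.items()}


def sample_reports() -> tuple[list[str], list[str]]:
    """Constructed scanner output for four files; not real scanner logs."""
    drweb = [
        "Scanner report (constructed banner line, ignored by the parser)",
        r"C:\dl\x.exe - infected with Trojan.MulDrop.310",
        r"C:\dl\y.exe - probably BACKDOOR.Trojan",
        r"C:\dl\w.exe - probably modification of Win32.HLLW.Example",
        r"C:\dl\z.exe - ok",
    ]
    kav = [
        r"C:\dl\x.exe   ok",
        r"C:\dl\y.exe   infected: Backdoor.Win32.Example.a",
        r"C:\dl\w.exe   ok",
        r"C:\dl\z.exe   ok",
    ]
    return drweb, kav


if __name__ == "__main__":
    for path, (action, disagree, vs) in reconcile(*sample_reports()).items():
        levels = ", ".join(f"{v.engine}:{v.level}" for v in vs)
        print(f"{path}: {action:<10} disagreement={disagree}  [{levels}]")
```

The point of the policy is that no outcome deletes anything: a lone definite verdict lands the file in quarantine where a mistaken heuristic costs nothing, and every disagreement is the cue to send the archive (password-protected, as suggested above) to the vendor that missed it.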
  9. Barney

    Barney Registered Member

    Joined:
    Jun 17, 2003
    Posts:
    119
    Paul,

    If I am not mistaken, an AV with heuristics means that it has the capability to detect unknown viruses (creating false positives on occasion)? I had DRWEB a few days ago detect the Slammer worm on my system. This is already a known worm in DRWEB's signature database. Are you saying that this could still be a false positive? Doesn't the fact that this worm is already accounted for ensure the reliability of its detection by DRWEB? If not, I better get a few more backup AVs. Anybody have any input on this, please let me know.

    Thanks.

    Barney
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    It boils down to that ;)

    I take it Slammer has been detected a while after the relevant database update, during an on-demand scan, and System Restore isn't an issue here?

    In principle: yes, it could be a false positive.

    Providing you've updated the database timely and System Restore is a non-issue, the resident running scanner would have picked it up. In case an on-demand system scan did cause this alert, I would recommend submitting the file for further investigation.

    regards.

    paul
     
  11. Igor K.

    Igor K. AV Expert

    Joined:
    Feb 5, 2003
    Posts:
    26
    Location:
    Moscow
    hello, Barney!

    Also kindly bear in mind that Slammer exists only in the memory of the computer and does not make any hard copies on the hard drive. ;)

    Sincerely,

    Igor
     
  12. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    What I want to know, seriously, is: Where do you guys go, and what do you do, to come across so much malware? I download stuff constantly, and never come across anything (unless TDS-3, BOClean, PC-cillin, Norton, Panda, RAV, McAfee, BitDefender, NOD32, TrojanHunter, a2, and KAV are all wrong).

    I am NOT bragging or making light here--I seriously want to know, out of innocent curiosity.
     
  13. controler

    controler Guest

    nameless

    They get samples from people like you and me.

    I know there are a few AVs that don't scan zipped files. They feel there is no need to and then try to catch them when unzipped or executed.
    I have to shut down my firewall to make posts here and I don't think that is right either.

    con
     
  14. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I meant, where do people like the OP (tahoma) come across trojans and such? I get the impression that people download software just like I do, but somehow have worse luck.
     
  15. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    http://www.wilderssecurity.com/showthread.php?t=13706;start=msg87299#msg87299

    I had posted this a while ago and did not get any replies, but it may be of interest to bring it up again here. Maybe this SQL worm identification is an FP. No file was downloaded in my case, and as I mentioned I was only online for about an hour. Mostly browsing this forum.

    A few strange things to note are that I do not have SQL installed, I was fully patched and running a firewall (even with a couple of rules blocking the SQL worm traffic, heh), and that it was even found in the running process of my firewall.
     
  16. Barney

    Barney Registered Member

    Joined:
    Jun 17, 2003
    Posts:
    119
    Rerun2, that is very strange. I am also running DRWEB and it detected the following worm a few days ago: "WIN32.SQL.SLAMMER.376". I don't have any proof, but I suspect that it was a positive indication. DRWEB's website indicates that their unique way of detection is what allows DRWEB to pick up this virus. It was supposedly the first AV able to detect this virus in memory. Check the site out if you want more info. Later dude.

    Barney
     
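Igor's remark that Slammer never touches the disk is the key to the last few posts: the worm is a single UDP datagram aimed at the SQL Server Resolution Service on UDP/1434, so the evidence is a packet on the wire (or code in memory), not a file an on-demand file scanner can find, and a firewall rule on that port is the natural complement to an in-memory scanner. The script below is an added example for this thread, not Dr.Web's, Kaspersky's or any vendor's code. It parses raw IPv4/UDP packets and flags datagrams with the worm's widely published coarse features (376-byte payload, request type byte 0x04, the string fragments "sock" and "send" that public IDS signatures key on); the 64-byte "legitimate ping" threshold is an assumption, and all packets, including the stand-in "worm" payload, are constructed here and harmless.

```python
"""Flag Slammer-style datagrams on the wire.

Added example for this thread, not Dr.Web's, Kaspersky's or anyone's product
code.  Slammer never writes a file: it is one UDP datagram sent to the SQL
Server Resolution Service (UDP/1434), so the evidence lives in packets and in
memory.  The checks below use its widely published coarse features: a 376-byte
payload, request type byte 0x04, and the string fragments "sock" and "send".
The packets are constructed here; the "worm" payload is a harmless stand-in.
"""
import struct

SSRS_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376
SSRS_PING_TYPE = 0x04   # the request type whose handler was overflowed
SSRS_PING_MAX = 64      # assumed threshold: a legitimate ping carries only an instance name


def parse_ipv4_udp(packet: bytes):
    """Return (src, dst, sport, dport, payload) for an IPv4/UDP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 17 or len(packet) < ihl + 8:   # 17 = UDP
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
    if ulen < 8:
        return None
    return src, dst, sport, dport, packet[ihl + 8:ihl + ulen]


def looks_like_slammer(payload: bytes) -> bool:
    """Exact-size, type-byte and string-fragment match for the known worm."""
    return (len(payload) == SLAMMER_PAYLOAD_LEN
            and payload[0] == SSRS_PING_TYPE
            and b"sock" in payload
            and b"send" in payload)


def scan(packets):
    """Return (src, dst, tag) for every datagram worth alerting on."""
    alerts = []
    for pkt in packets:
        parsed = parse_ipv4_udp(pkt)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if dport != SSRS_PORT or not payload:
            continue
        if looks_like_slammer(payload):
            alerts.append((src, dst, "slammer-propagation"))
        elif payload[0] == SSRS_PING_TYPE and len(payload) > SSRS_PING_MAX:
            # Not the known worm, but the same overflow condition: treat as hostile.
            alerts.append((src, dst, "oversized-ssrs-request"))
    return alerts


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Assemble a minimal IPv4/UDP packet (checksums left zero; the parser ignores them)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp


def fake_slammer_payload() -> bytes:
    """Constructed stand-in with the worm's coarse features, not the worm itself."""
    body = b"\x04" + b"\x01" * 96 + b"sock" + b"send"
    return body + b"\x90" * (SLAMMER_PAYLOAD_LEN - len(body))


def sample_packets():
    """Constructed traffic: one worm-like datagram, one legitimate SSRS ping,
    one oversized non-worm request, one DNS query and one non-UDP packet."""
    return [
        build_ipv4_udp("10.0.0.5", "10.0.0.9", 1234, SSRS_PORT, fake_slammer_payload()),
        build_ipv4_udp("10.0.0.7", "10.0.0.9", 1235, SSRS_PORT, b"\x04MSSQLSERVER\x00"),
        build_ipv4_udp("10.0.0.8", "10.0.0.9", 1236, SSRS_PORT, b"\x04" + b"A" * 200),
        build_ipv4_udp("10.0.0.7", "10.0.0.1", 1237, 53, b"\x12\x34\x01\x00"),
        b"\x45" + b"\x00" * 8 + b"\x06" + b"\x00" * 30,   # IPv4 with protocol 6 (TCP)
    ]


if __name__ == "__main__":
    for src, dst, tag in scan(sample_packets()):
        print(f"{src} -> {dst}: {tag}")
```

The two tags matter for the questions raised above: a "slammer-propagation" hit from your own address would mean the worm is resident in memory and sending, which is the state a memory scanner should report, whereas a hit arriving from outside while you have no SQL Server installed is just the Internet background noise of 2003 and a good reason to keep that firewall rule.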
  17. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Barney,

    See my reply on the first page of this thread. A question: how did you get "infected" in the first place, following your presumption?

    regards.

    paul
     
  18. tahoma

    tahoma Registered Member

    Joined:
    May 31, 2003
    Posts:
    228
    Without admitting anything regarding my own habits, trojans/viruses can (I've heard) in general frequently be encountered on more or less illegal websites with contents like cracks and keygens for commercial software.
     