Submitting virus samples

Discussion in 'NOD32 version 2 Forum' started by Webby, Jan 1, 2006.

Thread Status:
Not open for further replies.
  1. Webby

    Webby Registered Member

    Joined:
    Jan 1, 2006
    Posts:
    93
    Hi all,

    I just read the post from ronjor about submitting virus samples and here's a quote

    What's got me is the "'meaningless' benign signatures" bit, can somebody explain that please.

    My NOD32 has the default settings and picks up virus warnings with great regularity as I crawl the web. I had between 20 & 30 one night after a mega crawling session on a project that I have joined.

    What I would like to know is should I submit them to Eset to have a look at or will I just be wasting their time? I thought maybe more samples returned would make for a stronger and more reliable AV.

    Thanks
    Webby
     
  2. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I believe you can tell if it's a heuristic or signature detection from the virus warning. I would submit the heuristic ones since the signature ones are already in the database.
     
  3. Webby

    Webby Registered Member

    Joined:
    Jan 1, 2006
    Posts:
    93
    Hi and thanks for the reply.

    I must admit I'm not too savvy on the technical stuff, that's why I have NOD32 set to default :D

    Not at all sure about any of this :) I can only tell you that most... or all? of the warnings were "Probably a variant of.........."

    Cheers Webby
     
  4. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    You should submit any "Probably variant of ....." and "Probable New Heur PE" or other such messages. If it gives you a name like Win32/TrojDownloader.BA for example, don't bother as they already had the sample as it is a signature detection.
     
  5. Webby

    Webby Registered Member

    Joined:
    Jan 1, 2006
    Posts:
    93
    Hi all,

    Ok guys thanks for helping me out with this question, I shall submit the ones that are not a 100% named.

    Cheers Webby
     
  6. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    I'm going to take a guess here, but I think what's meant is non-working viruses (viruses that fail to do any damage or have been corrupted in some way). Also, some spyware/adware installs lots of files on your computer (could be even text-files or help files); PestPatrol for example sometimes even detects the harmless files that were part of the spyware (for example the text-files), and NOD32 only sticks to detecting the "real" threats. Or it could be that certain antiviruses (or antimalware programs, rather) react to chat clients (mIRC) being installed on a system or peer-2-peer programs (LimeWire). I have not yet seen NOD32 react to any program in this category. (It does seem a bit meaningless to add detection for these types of programs as they aren't really malware.)
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Submit the variants and NewHeur_PE samples via ThreatSense only unless you are more or less positive they are false positives. In this case, they should go to samples[at]eset.com directly.
     
  8. Webby

    Webby Registered Member

    Joined:
    Jan 1, 2006
    Posts:
    93
    kjempen & Marcos

    Thanks for your input and explanation, I've set up NOD32 to submit these samples.

    Cheers Webby
     