[Suggestion]: Not directly related with Prevx application, or... maybe it could be ;)

Discussion in 'Prevx Releases' started by m00nbl00d, Mar 1, 2011.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I was to post this in the Prevx 4.0 beta release date thread, but I have decided to put it here, just in case.

    So, my idea is as follows.

    We all know that Prevx is part of the antimalware group at VirusTotal, and that eventually Prevx will get malware samples uploaded there. But, if I still remember the VirusTotal FAQ well, only if either 1 or 2 of them flag something. Also, Prevx wouldn't get those samples straight away.

    So, my idea would be to create an on-line service where anyone could submit samples and URLs to be analysed, and obviously also collect any resulting files from the analysis of the URLs. This way, the Prevx malware research team would get the samples directly.

    A feature could also be implemented in the future 4.0 version (perhaps in some advanced features section) where users could upload the samples and the URLs to be submitted, without having to go to the on-line service.

    It would be quite a bit faster than getting samples or URLs, then opening an e-mail account, saving the samples in a zip file, sending them over to Prevx, and also sending URLs that are no longer active by the time they verify them.

    What do you folks think?

    -edit-

    It would be great if it would be possible to submit more than just one URL at a time. ;)
     
    Last edited: Mar 1, 2011
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Last edited: Mar 1, 2011
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    But my suggestion is not regarding FPs, but rather undetected malware samples from any Prevx follower/user, or simply followers who install Prevx for relatives and friends, who, to help achieve better detections, would rather send samples and submit URLs in a more friendly and faster way.

    Also, regarding URLs, as I previously mentioned, if I send an e-mail now with URLs, by the time the Prevx research team finally sees the e-mail, none of the URLs may still be up, and that means they won't collect any samples.

    An on-line service would, precisely, prevent this gap. And, as suggested, there could even be coordination between the Prevx application and the on-line service, so people can just submit via the Prevx UI.

    -edit-

    Also, be aware that not everyone has super-speedy Internet connections, nor do they have unlimited monthly traffic. By submitting URLs to an on-line service, they would be helping the Prevx malware research team to get samples, and get them while the URLs are still up. This way, they wouldn't waste their monthly traffic on downloading and uploading malware samples.
     
    Last edited: Mar 1, 2011
  4. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    The same problem could exist with using an online service as you describe. Although the time-frame may be shortened somewhat as against sending by email, by the time the Prevx researchers receive the submission (depends on frequency of checking?), the URLs may no longer exist, especially if they use fast-fluxing domains/IP addresses. This is a problem not limited to Prevx; I suspect other vendors have the same issues in this area.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Far from what I am suggesting. Obviously, I'm not suggesting a simple submit form for people to submit URLs, just like that. No! An on-line service that would SCAN the URL and SAVE/GRAB the resulting file from it.

    I submit the URL http://maliciousdomain/some_file.exe (just an example; it could be some other type of file, even something triggered by an exploit).

    The on-line service would save the file, for later analysis.
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Most malware tends to give back files based on the IP, and once the IP has downloaded a file, it will be unable to download it again, so I'm not certain this would work well for server-side polymorphic threats. Additionally, if malware authors see that some Prevx server is always downloading their files, they can just block it from downloading, so we wouldn't see the samples. This is why we generally recommend sending the file itself, as it is more accurate.

    Prevx 4 offers much more in terms of local submission of files which should help improve this but while I certainly understand the benefits of being able to submit a URL, I'm not sure that in practical use it ends up working long term.
     
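The intake service m00nbl00d sketches in post 5 (submit one or more URLs, fetch immediately, keep the resulting file for analysis), together with the one-download-per-IP behaviour PrevxHelp raises in post 6, as an added illustration that is not code from the thread or from Prevx. `SampleIntake`, `OneShotHost` and the example URLs are constructed here; the "network" is a stand-in callable so the block runs offline.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Submission:
    url: str
    submitted_at: float
    status: str = "pending"        # collected | unavailable | error
    sha256: Optional[str] = None
    size: int = 0


class SampleIntake:
    """Fetches each submitted URL at submission time (not when a researcher
    later reads the queue) and stores the returned bytes by SHA-256."""

    def __init__(self, fetcher: Callable[[str], bytes]):
        self.fetcher = fetcher          # callable(url) -> bytes; raises on failure
        self.store: Dict[str, bytes] = {}   # sha256 -> file content
        self.log: List[Submission] = []

    def submit_batch(self, urls: List[str]) -> List[Submission]:
        results = []
        for url in urls:                     # "more than one URL at a time"
            sub = Submission(url=url.strip(), submitted_at=time.time())
            try:
                data = self.fetcher(sub.url)
            except LookupError:              # host dead, or won't serve us again
                sub.status = "unavailable"
            except Exception:
                sub.status = "error"
            else:
                sub.sha256 = hashlib.sha256(data).hexdigest()
                sub.size = len(data)
                self.store.setdefault(sub.sha256, data)
                sub.status = "collected"
            self.log.append(sub)
            results.append(sub)
        return results

    def counts(self) -> Dict[str, int]:
        """Per-status totals, e.g. to measure how often URLs arrive already dead."""
        out: Dict[str, int] = {}
        for sub in self.log:
            out[sub.status] = out.get(sub.status, 0) + 1
        return out


class OneShotHost:
    """Constructed stand-in for a malware host that serves a payload to a given
    client once, then answers 'not found' (PrevxHelp's per-IP behaviour)."""

    def __init__(self, payloads: Dict[str, bytes]):
        self.payloads = dict(payloads)

    def __call__(self, url: str) -> bytes:
        if url in self.payloads:
            return self.payloads.pop(url)
        raise LookupError(url)
```

Re-submitting a URL the service has already pulled shows up as "unavailable", which is exactly the case where the service already holds the file and a per-IP host will not hand it out a second time.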