VBA32 and KAV, same bases ?

Hi,
It's not the first time I see VBA32 using the same name than KAV for a malware...
and if KAV detect some samples VBA32 don't detect (and vice-versa), I wonder if they don't share a part of their bases...
Thanks for your observations gents !

 

There are a few strange things comparing them. They both use the IDENTICAL naming conventions, and both seem to have excellent signature detections. Both are Russian companies. In some tests VBA32 seemingly can keep up with KAV on detections (using same naming conventions).

At a security convention here there was a "Rumor" that VBA32 purchased the KAV definition base early on, and spent a great deal of time stripping out the bloat from it. I have no idea if this is true or not, but there is some evidence.

 

Yes...
And VBA32 seems to be kinda clone of AVP 3.x.
And stranger to see VBA32 detecting malwares KAV don't catch (and vice-versa). Same bases, not the same, partially the same ?

 

I doubt they bought bases from them. But they could obtain samples from them (and later add them manually to their own bases).

 

No, I do not think that KAV shares samples with VBA32. There must be some other unknown reasons.

 

IBK does VBA32 reach the "magical" 85% on your samples yet? Or you not gonna tell us? If it does, will it be included in the tests of 2006?

 

No, does not reach the 85%. And I predict that it will also not reach in Feb2006, so it will be not included in the on-demand tests next year (but maybe in the retrospective tests; i have to change a bit some rules).

 

Thanks for that.
Is it mainly DOS samples it misses (or can you not say that?)

 

In my limited selection, it has mainly been Dos nasties that VBA32 misses, and a few ad-related backdoor's/Trojans.

note: Before anyone asks, as I stated before I cannot rightfully test VBA32 and produce non-biases results, due to the fact that as I weed through my small collection of about 15,000 I send them to VBA32.

HTH

 

No, it is not due the DOS samples; it is low in all categories. Do not ask for more details, I tested it only for the companies.

 

In my opinion they only use the name of malware. Here is a sample that VBA32 found but KAV not.
http://jotti1.jpg

 

They name straight viruses different.
VBA32


KAV5

 

Many thanks for the info.

 

And another example of KAV and VBA detecting something with different names.

Cheers

Jlo

Last file scanned at least one scanner reported something about: Server.exe, detected by:

Scanner Malware name
AntiVir X
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus Backdoor.Win32.Amitis.143
NOD32 X
Norman Virus Control X
UNA X
VBA32 Backdoor.Amitis.1

 

Don't you think VBA32 is too good to detect malwares as well as KAV ?
I can't imagine they don't use (partially) the same bases...
This compagny seems to be too little to perform like this.

 

One more example :
http://jotti3.jpg

 

That is strange, I ran VBA32 over 61,000 samples this month and VBA32 scores 94.6%, while Kaspersky scores 96.1% on the same subset.. But my samples are generally Win/Win32 samples, I have zero interest in DOS detections - does anyone?

I'm rather dubious of any claims VBA32 scores less than 85%, especially given its incredible performance at Jotti(and anyone can refresh to see VBA32 detecting stuff nothing else does), and my personal test experiance with VBA.

PS: on those 61,000 samples, the vast majority have identical naming conventions between VBA32 and Kaspersky. That has yet to be explained to me, but is most mysterious.

 

I agree. This is why I purged all DOS samples from my inventory - why would I care how a AV performs on DOS? Who the hell runs dos anymore anyway? VBA32 performance on DOS samples is lackluster, while i've witnessed better than KAV performance in many other aspects.

Not to mention I think VBA32 is light and reasonably bug free. Which is difficult to say for some other AVs.

 

I agree. They just can't be mostly False Positives or Crap files that Vba32 detects but the most REAL ItW stuff, especially trojan like nasties, where Vba is among the top of scanners. It just seems to be the "wrong" top 3 av:s, that are now in Jotti's according to many here at Wilders.

Best regards,
Firefighter!

 

This brings up another point - doesn't VBA32 score high for you in your samples Firefighter? Similar to what it scores for me?

 

Maybe even too high. It scored the second, very close to KAV engined av:s and with a few samples more than the third, BitDefender 8.0 Free/9.0 Std, against my 2699 randomly picked nasties collection.

Best regards,
Firefighter!

 

BUT if they are not one of the chosen AV's tested how can they obtain the missed samples? Catch 22!

 

They get them also from their sources (e.g. other AV companies) or somewhere else, like I do. The reason why companies get missed samples from me is primary not because they do not have already those samples (they usually have them already), it is just in order that they can see that the results are not invented/faked/biased. Due the conditions of the av companies, I am allowed to send missed samples only in accordance with the test conditions and if all conditions are filled.
But as I said, I am planning to include them probably in the other tests (FP and retrospective, where the results may be interesting).

 

Maybe a stupid question but anyway. If those av-vendors already have those missed samples, why do they not add them to their definions then?

Best regards,
Firefighter!

 

Overload of work? Other priorities? no interest to add them? dunno...
well, they add samples, but I heard e.g. from a company that they have a backlog of 100.000 samples still to check , and adding all those takes time (esp. if the company is small and does not have a lot of analysts etc.), so they will first give priority to single samples they get from users (or are currently 'really' ITW), then small collections they get from users, than if time remains and the samples are still undetected, they will samples coming from big collections of other vendors or testers (IMO).