VBA32

Discussion in 'other anti-virus software' started by shek, Mar 31, 2005.

Thread Status:
Not open for further replies.
  1. quexx88

    quexx88 Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    235
    Location:
    Radnor, Pennsylvania
    This is definitely one to keep an eye on :)
     
  2. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    I gave the latest version of VBA32 a try yesterday. The collection tested was about 1 month old malware and mostly consisted of Win32 malware like bots and worms.

    First, the scanning speed (win32 console version) was very slow, much slower than for example Bitdefender. Second, the detection rate was not impressive. In fact, it was rather close to A², Ewido detected twice as many samples. The VBA32 detection rate was not even close to 20% of the ones of KAV, Bitdefender, McAfee, Symantec, NOD32, Panda, Trend Micro - or even Dr.Web.
    One thing I noticed is that lots of runtime packers were falsely "detected" as suspicious Win32.Virus (heuristic) - but I can understand why those files were tagged. Those cryptors really look "bad" for heuristics, I had those problems too when I optimized our heuristics. :)

    It seems using a Bayes filter to detect malware is not a good approach, but let's see how VBA32 improves.
     
  3. waters

    waters Registered Member

    Joined:
    Nov 8, 2004
    Posts:
    958
    How do the heuristics of AntiVir compare with these?
     
  4. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Or even Dr Web?
     
  5. Siarheika

    Siarheika AV Expert

    Joined:
    Apr 9, 2005
    Posts:
    24
    Did you benchmark it on malware collections or on ordinary files? Malware collections usually contain a lot of packed/crypted files which are quite different from what ordinary users have. Also when the program is about to report virus infection, additional cpu cycles are used for some additional checks which skews the performance statistics.

    That's weird. Are you sure you updated virus databases properly? What was the number of virus definitions loaded?

    I'm glad that you understand the problem :) It is just a heuristics method based on analyzing the event flow from the CPU emulator. Usually such complaints are about a direct scan for API addresses in the kernel export table instead of using the program's own import table (for at least the GetModuleHandle/GetProcAddress functions) like all the "normal" programs do. That trick was widely used by win32 viruses a few years ago. Unfortunately many executable packers use this trick too, so in order to suppress this heuristics message we need to add detection for these packers to the database. I would be grateful if you provided these packed samples to fix all these heuristics alarms. Anyway I agree that at least the heuristics message is misleading in this case. And this heuristics method is not very useful now as the number of executable packers grows and the number of new real viruses using this method has become almost nonexistent (virus makers switch to high level languages and don't need to use such tricks anymore). Probably this heuristics flag will be disabled in the future.

    Not every detection system capable of learning is a Bayes filter. The analogy with spam filters was just to give a better understanding of the general idea, not a technical description. You just can't use the same "universal" algorithm for detection of spam in mail messages, malware in executable files or child pornography in multimedia formats, for example ;)
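Added example (not from this thread, and not VBA32's code): the heuristic described above fires when a program never imports GetModuleHandle/GetProcAddress and instead locates kernel32 exports itself at run time. VBA32 observes that dynamically through its CPU emulator; the Python below applies the static half of the same idea, parsing a PE import table (PE32 and PE32+, imports by name and by ordinal) and reporting which kernel32 resolver APIs the file declares. The `build_pe` helper, the section layout, and both sample binaries (`NORMAL`, `STUB`) are constructed for this example, and `RESOLVERS` is the example's own list, not VBA32's. Python 3.8+ is assumed. An empty result is only a triage flag: as the thread notes, packed executables with minimal import tables trip it as readily as a virus does.

```python
import struct

IMPORT_DIR = 1                               # index of the import table in the data directories
SECTION_RVA, SECTION_RAW = 0x1000, 0x200     # layout of the constructed file, chosen for this example
# kernel32 exports a conventional program imports so it can resolve other APIs at run time;
# a stub that walks kernel32's export table itself needs none of them in its import table.
RESOLVERS = {"getprocaddress", "getmodulehandlea", "getmodulehandlew", "loadlibrarya", "loadlibraryw"}

def build_pe(imports):
    """Constructed PE32 file with one section whose import table names {dll: [func, ...]}."""
    desc_size = (len(imports) + 1) * 20      # one 20-byte descriptor per DLL plus a terminator
    tail, descs = bytearray(), bytearray()

    def add(blob):                           # append bytes to the section body, return their RVA
        rva = SECTION_RVA + desc_size + len(tail)
        tail.extend(blob)
        return rva

    for dll, funcs in imports.items():
        names = [add(struct.pack("<H", 0) + f.encode() + b"\0") for f in funcs]   # hint + name
        thunks = b"".join(struct.pack("<I", r) for r in names) + b"\0\0\0\0"
        int_rva, iat_rva = add(thunks), add(thunks)                # import name table, then IAT
        descs += struct.pack("<IIIII", int_rva, 0, 0, add(dll.encode() + b"\0"), iat_rva)
    section = bytes(descs + bytes(20)) + bytes(tail)               # zero descriptor ends the list

    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)              # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    dirs = bytearray(128)
    struct.pack_into("<II", dirs, 8 * IMPORT_DIR, SECTION_RVA, desc_size)
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16) + bytes(dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(section), SECTION_RVA,
                       len(section), SECTION_RAW, 0, 0, 0, 0, 0xC0000040)
    return (dos + coff + opt + sect).ljust(SECTION_RAW, b"\0") + section

def _offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not mapped by any section")

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data):
    """Return {dll (lower-case): [function name or '#ordinal', ...]} for a PE32 or PE32+ file."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                       # PE32: data directories at +96, 32-bit thunks
        dir_off, thunk_fmt = opt + 96, "<I"
    elif magic == 0x20B:                     # PE32+: data directories at +112, 64-bit thunks
        dir_off, thunk_fmt = opt + 112, "<Q"
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    import_rva, = struct.unpack_from("<I", data, dir_off + 8 * IMPORT_DIR)
    sections = []
    for i in range(nsec):                    # (VirtualAddress, size, PointerToRawData)
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), raw))
    imports = {}
    if import_rva == 0:                      # no import directory at all
        return imports
    off, thunk_size = _offset(sections, import_rva), struct.calcsize(thunk_fmt)
    ordinal_flag = 1 << (8 * thunk_size - 1)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:
            break
        dll = _cstr(data, _offset(sections, name_rva)).lower()
        thunk, funcs = _offset(sections, oft or ft), []   # prefer the INT, fall back to the IAT
        while (entry := struct.unpack_from(thunk_fmt, data, thunk)[0]) != 0:
            if entry & ordinal_flag:
                funcs.append(f"#{entry & 0xFFFF}")
            else:                            # skip the 2-byte hint in front of the name
                funcs.append(_cstr(data, _offset(sections, entry & 0x7FFFFFFF) + 2))
            thunk += thunk_size
        imports.setdefault(dll, []).extend(funcs)
        off += 20
    return imports

def api_resolution_imports(data):
    """Sorted kernel32 resolver APIs the file imports by name. An empty list on a binary that
    plainly needs more APIs than it declares is the static hint behind the emulator heuristic."""
    return sorted(f for f in parse_imports(data).get("kernel32.dll", []) if f.lower() in RESOLVERS)

# Constructed samples: a conventional program, and a packer-style stub that imports almost
# nothing because its unpacking code will locate the APIs it needs some other way.
NORMAL = build_pe({"KERNEL32.dll": ["GetModuleHandleA", "GetProcAddress", "ExitProcess"],
                   "USER32.dll": ["MessageBoxA"]})
STUB = build_pe({"KERNEL32.dll": ["ExitProcess"]})

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL), ("stub", STUB)):
        print(label, parse_imports(sample), "resolvers:", api_resolution_imports(sample))
```

Run it directly to see both samples parsed; `NORMAL` reports GetModuleHandleA and GetProcAddress, `STUB` reports nothing. On real files the empty case is exactly where the static view stops being informative, which is why a scanner falls back to watching what the code actually does under emulation, and why a packer signature in the database is the cleaner fix for the false alarms discussed in the thread.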
     
  6. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    I was thinking the same thing, especially considering Dr.Web is one of the best, if not the best IMO.
     
  7. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    It was a pure malware collection. Of course, the scan is much slower here, as there is CPU emulation, unpacking etc. involved. But compared to other scanners, it was still very slow.
    BTW, that's what I don't understand about the Virus Bulletin performance test. They test on infected files - but a normal user (which I am not ;-) ) is not interested in the performance of scanning malware collections but clean files, which is the standard environment.

    Yes, it was correctly updated, it says 61K signatures were loaded.
    Parameters of the scan were /af+ /rw+ /ch+ /ha=2 /mr- /bt- /as- /ok /ar /lng=en

    Yeah, scanning around KERNEL32.DLL became the standard anti-emulation trick these days; a lot of protectors do it. We were starting to wonder if we can ship KERNEL32.DLL with our product just to load it into the code emulation. ;-)
    I cannot send the samples, but I can look up the runtime packer on those files and send the packer if I have it in my collection.


    Sorry, that was badly worded by me. Of course, Dr. Web is an excellent product, I like it a lot. A lot more than many of the "major" scanners around. But I wouldn't consider it the "best". There is no such thing as "the best" malware scanner. Every scan engine has its flaws and strengths. :)
     
  8. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
    Siarheika - I have just finished running a scan on my samples and cannot reproduce the issue as stated before.
    This time the scan completed a test of 53k files in 37 minutes 48 seconds. Some may say this is slow, but please keep in mind I have the on-demand settings maxed out in all areas to try to cause the program to "leak" memory as before. With no luck, I might add. So, I believe it was fixed. I used the same sample set as before with all the garbage/goats/etc. still in it and it performed well; RAM usage was an average of 25MB/14MB virtual.
    A little higher after the scan than on a fresh reboot.

    //EDIT//
    For further information, VBA32ldr.exe on a fresh boot is 12,396k Physical and 9,816 Virtual.
     
    Last edited: May 6, 2005
  9. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    The beta from the VBA32 ftp (dated 28.4.2005) scored much better, in fact a lot better.

    Heuristic.Win32Virus false positives were mostly on DBPE and Krypton packed executables.
     
  10. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Oh no! Please say it isn't so. :oops:
     
  11. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    How did this beta compare with the other AV's you quoted previously?
     
  12. Siarheika

    Siarheika AV Expert

    Joined:
    Apr 9, 2005
    Posts:
    24
    The number of virus definitions seems to be correct. Anyway, the console scanner always needs to be updated using 'update.bat'. We do not repackage the distributions on every virus database update, so the ftp can contain rather old snapshots (for example, the current release version of the console scanner for Windows on our ftp server contains more than a month old virus definitions). If it is not immediately updated after unpacking and used for tests, the results would be rather poor.

    Also, adding the /ml command line switch can improve the detection rate (scan for viruses in MIME and mail bases). Otherwise the samples in EML files are not detected.

    The latest beta version has an additional heuristics level /ha=3 (it should detect a lot more malware using heuristics, but the risk of encountering false alarms is much higher).

    In everything but heuristics, release and beta are pretty much similar and should detect almost the same number of malware samples (the beta has a bit better executable packer support, but it should not make a big difference).

    Thanks, that should be enough to investigate this issue.
     
  13. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    KAV, Bitdefender, McAfee were ahead all the time. It usually had better detection rates than Symantec, Panda, Trend, Avast, AVG, AntiVir, Sophos, Norman, with NOD32 being close ahead. It also depends on whether the vendor has already "processed" the specific collection (remember the person wondering that Bitdefender added 2000 signatures in a few days?)

    So I would say it's close behind NOD32 (with AH & generic unpacking enabled) - also speed-wise (on malware), but it still needs optimizing.
     
  14. kkkkkkkkkkk

    kkkkkkkkkkk Guest

    A lot of good posts!

    Can you do the same test now, Stefan? It would be interesting to see how it performs after 6-7 months :)
     