Where do Antivirus vendors get daily signatures?

Discussion in 'other anti-virus software' started by rOadToIS, Dec 30, 2008.

Thread Status:
Not open for further replies.
  1. rOadToIS

    rOadToIS Registered Member

    Joined:
    Dec 16, 2008
    Posts:
    168
    Where do they get them?
    Do they have some sort of group of people specializing in searching wild malware samples?
     
  2. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    lol I've never asked,

    Honeypots and submits probably.

    Then analysts analyze, definitions and curing techniques created.

    I could be completely wrong, just a guess really, it's not something I've really thought about. :D

    I know drweb have had quite a few from me over the years :)
     
  3. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Yeah, that is an interesting question; never really thought about it myself either. Would be interesting to hear a rep from one of the AV companies respond to this.
     
  4. tiagozt

    tiagozt Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    331
    I know that F-Secure gets from me too... :p
     
  5. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Hi,

    as far as I know they first write a signature, then they compile a few matching malware files and in the end they forget how to remove this mess completely. ;)

    Cheers
     
  6. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    I think the major antivirus vendors have automated bots that scour the web for malicious files. With the amount of malware out there in the wild, it's hard to imagine having people search for them manually.
     
  7. rOadToIS

    rOadToIS Registered Member

    Joined:
    Dec 16, 2008
    Posts:
    168
    Is there anyone who can clarify this? o_O
     
  8. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    I know Webroot uses an automated system to collect malware.

    http://www.webroot.com/En_US/about-phileas.html

    Seeing that the major antivirus vendors are bigger companies with more resources, I would think they would invest in a state of the art system that automates malware collection.
     
  9. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    AntiVirus vendors compile their signatures from a variety of sources.

    Take Symantec Security Response, the team ... SSR.

    They have global honeypot sensors; for Symantec it's called "DeepSight" ... it monitors global network activities for zero-day vulnerabilities ... tracks exploits ... and warns end customers ...

    http://www.networkworld.com/best/2006/022706security-management.html
    https://tms.symantec.com/Default.aspx

    According to Wikipedia, a "honeypot" is a trap set to "detect, deflect, or in some manner counteract attempts at unauthorized use of information system". It is a network of purposely vulnerable computers that seeeeeem to have useful data on them ... so hackers are tempted to break into them. The hackers and their actions are monitored .... it's like watching someone try to break into a bank ...

    SSR also takes user submission ... from me ... often times:

    https://submit.symantec.com/websubmit/retail.cgi

    And SSR also collaborates with other labs ... yes it's true.
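    TechOutsider's description of a honeypot above (a deliberately exposed system that looks attractive, with every interaction recorded) as a small added example in Python. This is illustrative code written for this page, not DeepSight nor any vendor's sensor; the SMTP-style lure banner, the loopback address and the `probe` client that stands in for a scanner are all constructed so the script runs stand-alone and offline.

```python
"""Low-interaction TCP honeypot (added example, not any vendor's code).

It listens on a port, presents a fake service banner, records whatever the
connecting client sends, and hashes the captured bytes so duplicates can be
deduplicated before a sample is submitted for analysis.
"""
import hashlib
import socket
import threading
import time

# Constructed lure banner: looks like a mail server, so automated scanners
# that probe for open relays will talk to it.
FAKE_BANNER = b"220 mail.example.internal ESMTP ready\r\n"


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0, banner=FAKE_BANNER, max_bytes=4096):
        self.banner = banner
        self.max_bytes = max_bytes          # cap what one client can make us buffer
        self.events = []                    # one dict per connection
        self._lock = threading.Lock()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))       # port=0: let the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)          # so the accept loop can notice stop()
        self.port = self._sock.getsockname()[1]
        self._running = False
        self._thread = None

    def _handle(self, conn, peer):
        """Serve one client: send the lure, then record everything it sends."""
        with conn:
            conn.settimeout(1.0)
            conn.sendall(self.banner)
            data = b""
            try:
                while len(data) < self.max_bytes:
                    chunk = conn.recv(1024)
                    if not chunk:           # client closed the connection
                        break
                    data += chunk
            except socket.timeout:
                pass                        # client went quiet; keep what we have
        event = {
            "time": time.time(),
            "peer": peer[0],
            "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "payload": data,
        }
        with self._lock:
            self.events.append(event)

    def _serve(self):
        while self._running:
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def start(self):
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def stop(self):
        self._running = False
        self._thread.join()
        self._sock.close()


def probe(port, payload, host="127.0.0.1"):
    """Stand-in for a scanner: connect, read the banner, send some bytes, hang up."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


def run_demo():
    """Start a honeypot on loopback, hit it once, return (banner seen, events logged)."""
    hp = Honeypot()
    hp.start()
    try:
        banner = probe(hp.port, b"EHLO scanner\r\nAUTH LOGIN\r\n")  # constructed probe
        for _ in range(50):                 # wait briefly for the handler thread
            if hp.events:
                break
            time.sleep(0.05)
    finally:
        hp.stop()
    return banner, hp.events


if __name__ == "__main__":
    seen_banner, logged = run_demo()
    for ev in logged:
        print(ev["peer"], ev["bytes"], "bytes", ev["sha256"][:16], ev["payload"])
```

The point of the hash in each event is the deduplication step that every collection system needs: thousands of sensors see the same worm payload, and only the first copy of a given SHA-256 is worth an analyst's time. A real sensor would bind to a public address, keep interaction this shallow (it never executes anything the client sends), and be used for nothing else.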
     
  10. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Honeypots, submissions, other AVs, VT etc
    Detecting and creating signatures is often automated (I think?)
     
  11. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.

    Detection of the virus, I am sure, is to a degree automated, along with submissions and honeypots. I seriously doubt that the writing of signatures is automated. The script would have to be de-compiled, examined and its effect and interaction with the OS studied prior to the writing of the detection and removal code.

    If only it were that easy. :doubt:
     
  12. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
    Not only antivirus vendors; we ain't an antivirus vendor but currently have a bigger automatic malware and attack collecting system than most vendors. This because malware and attacks are the weapons of future warfare (terrorism).
     
  13. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    yes...and one gets the feeling certain AVs have a VirusTotal scanner as their virus lab....aka sample comes in, if it is detected by another AV, add the detection with said AV's detection name :rolleyes:
     
  14. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    Who is "we"? :D
     
  15. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    I had often wondered why vba32 had the same name detections as Kaspersky on Jotti, haven't checked there in a while though
     
  16. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
    One of the bigger armies on this planet. :D
     
  17. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    pcsecuritylabs
     
  18. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
    No no, only replied to some posts of him, we ain't associated with PC Security Labs in any way.
     
    Last edited: Dec 31, 2008
  19. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    So who is "we" o_O
     
  20. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
    See post #16 comrade.
     
  21. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    actually, dawg was right, sample processing is largely automated... you don't need to know much about the effects of the malware or how it interacts with the OS in order to generate signatures for detection... all you need is to know what the sample looks like...

    there are exceptional cases, of course, but the head of kaspersky's virus lab was once quoted as saying the average sample takes only 5 minutes to process - i seriously doubt that has a lot of human interaction in it...

    it's removal routines that would probably be the most complicated to automate, but since av's generally don't do a great job of cleaning up the effects of the malware and rather just delete the malware for the most part, i suspect automating that part of things isn't high on their to-do list...
     
  22. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Yep. 5 minutes. SSR has an automated system; if it doesn't determine the file to be malicious, it is stored for human analysis. If it is determined to be malicious/suspicious, then signatures are updated immediately and SSR e-mails the person who sent the sample with a link to the updated defs.

    And look at ThreatExpert; their automated analysis only takes ~6 to 7 minutes.

    Here is a letter from SSR ...

    "This message is an automatically generated reply. This system is designed to analyze and process virus submissions into the Symantec Security Response and cannot accept correspondence or inquiries.
    Please contact your Technical Support representative if more detailed
    information about your submission is required. Do not reply to this
    message.

    Below is a status update on your virus submission:

    Date: December 27, 2008

    Dear ______ ______,

    We have analyzed your submission. The following is a report of our
    findings for each file you have submitted:

    filename: malware.exe
    machine: Machine
    result: This file is detected as W32.Spybot.Worm. http://www.symantec.com/avcenter/venc/data/w32.spybot.worm.html

    Customer notes:
    backdoor.rbot~~Tech0


    Developer notes:
    malware.exe is a non-repairable threat. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest available definitions.



    Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created RapidRelease definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest RapidRelease definitions.
    Downloading and Installing RapidRelease Definition Instructions:
    1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as: http://securityresponse.symantec.com/
    2. Click this link to the ftp site: ftp://ftp.symantec.com/public/engli...virus/rapidrelease/symrapidreleasedefsi32.exe. If it does not go to the site (this could take a minute or so if you have a slow connection), copy and paste the address into the address bar of your Web browser and then press Enter.
    3. When a download dialog box appears, save the file to the Windows desktop.
    4. Double-click the downloaded file and follow the prompts.

    Virus definition detail:

    Sequence Number: 89705
    Defs Version: 101227e
    Extended Version: 12/27/2008 rev.5

    Should you have any questions about your submission, please contact
    your regional technical support from the Symantec website and give them
    the tracking number in the subject of this message."
    ------------------------------------------------------------------------------------
    As for removal, Norton was the only product to receive "++" from AV-test.org in both rootkit detection and removal ... removal seems easy on paper ... the automated analysis tracks the file's actions and all the AV has to do is remove the infected files. However, removal is not always the best option; complete removal can result in serious corruption.
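    What kwismer and TechOutsider describe in the two posts above (generating a detection from what the sample looks like rather than from what it does, then either updating the definitions or parking the file for a human) as an added Python example. This is illustrative code written for this page, not Symantec's, Kaspersky's or any vendor's pipeline; the family name W32.Example.Worm, the shared byte stub, the three variants and the "clean" corpus are all constructed so the script runs offline.

```python
"""Automated sample processing: signature extraction plus the detect-or-queue
decision (added example, not any vendor's code).

Signature extraction here is deliberately naive: the longest byte string that
every sample of a family shares and that no file in a clean corpus contains.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed "decryptor stub" that three variants of one family share; each
# variant pads it with different junk, as a polymorphic packer would.
STUB = bytes.fromhex("558bec83ec40e8000000005b81eb0f104000")
FAMILY_SAMPLES = {
    "W32.Example.Worm": [                                   # constructed family
        b"MZ\x90\x00" + b"\x11" * 20 + STUB + b"\xaa" * 30,
        b"MZ\x90\x00" + b"\x22" * 12 + STUB + b"\xbb" * 41,
        b"MZ\x90\x00" + b"\x33" * 33 + STUB + b"\xcc" * 7,
    ],
}
CLEAN_CORPUS = [                                           # constructed goodware
    b"MZ\x90\x00" + b"\x00" * 40 + b"This program cannot be run in DOS mode.",
    b"\x7fELF" + bytes(range(64)),
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_signature(samples, clean, min_len=8):
    """Longest substring common to all samples that hits no clean file, else None.

    The clean-corpus check is what stops the extractor from picking the 'MZ'
    header that every Windows executable shares (a guaranteed false positive).
    """
    base = min(samples, key=len)
    for length in range(len(base), min_len - 1, -1):       # longest first
        for i in range(len(base) - length + 1):
            cand = base[i:i + length]
            if all(cand in s for s in samples) and not any(cand in c for c in clean):
                return cand
    return None


@dataclass
class DefinitionSet:
    version: int = 0
    hashes: dict = field(default_factory=dict)     # sha256 -> family name
    patterns: dict = field(default_factory=dict)   # family name -> byte pattern
    analyst_queue: list = field(default_factory=list)

    def add_family(self, name, samples, clean):
        sig = extract_signature(samples, clean)
        if sig is None:
            raise ValueError(f"no clean-safe common pattern for {name}; needs an analyst")
        self.patterns[name] = sig
        for s in samples:
            self.hashes[sha256(s)] = name
        self.version += 1
        return sig

    def scan(self, data):
        """Return (family, method) or (None, None). Exact hash first, then patterns."""
        h = sha256(data)
        if h in self.hashes:
            return self.hashes[h], "hash"
        for name, pat in self.patterns.items():
            if pat in data:
                return name, "pattern"
        return None, None


def process_submission(defs, filename, data):
    """The automated reply: detected -> report and publish; unknown -> human queue."""
    name, how = defs.scan(data)
    if name:
        if how == "pattern":
            # New variant caught generically: pin its hash and cut a new defs release.
            defs.hashes[sha256(data)] = name
            defs.version += 1
        return {"filename": filename, "result": f"detected as {name}",
                "method": how, "defs_version": defs.version}
    defs.analyst_queue.append((filename, sha256(data)))
    return {"filename": filename, "result": "undetected; stored for human analysis",
            "method": None, "defs_version": defs.version}


def build_defs():
    defs = DefinitionSet()
    for name, samples in FAMILY_SAMPLES.items():
        defs.add_family(name, samples, CLEAN_CORPUS)
    return defs


if __name__ == "__main__":
    defs = build_defs()
    variant4 = b"MZ\x90\x00" + b"\x44" * 5 + STUB + b"\xdd" * 9   # unseen variant
    for fname, blob in [("v4.exe", variant4), ("notepad.exe", CLEAN_CORPUS[0])]:
        print(process_submission(defs, fname, blob))
```

Note that nothing in this pipeline needs to know what the worm does, which is kwismer's point: the 5-minute turnaround is possible because the decision is a byte-pattern match. The failure mode is also visible: if the only bytes a family shares also occur in clean software, `extract_signature` returns nothing and the family has to go to an analyst, and a vendor that skips the clean-corpus check ships a false positive.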
     
  23. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Trend Micro has a similar system in place actually, and I must admit it works very well ;)
     
  24. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Have you got the link for the Trend Micro virus submission or is it via their product?

    Cheers

    Jlo
     
  25. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D