Why large virusbase?

Discussion in 'other anti-virus software' started by Firefighter, Apr 30, 2003.

Thread Status:
Not open for further replies.
  1. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    I (my kids!) have got a virus to my PC from KaZaa network. Now you all can enjoy to it! I used BitDefender 6.5 Pro some weeks ago when I was infected by a worm (Win32.P2P.Tanked.B = BitDefender virus name after my feedback), in the F-Secure virus list it was (Trojan.W32/sdDrop.c) or somenthing like that. I did that mistake when my "StarDownloader 1.42" virus checker was BitDefender and not for example F-Secure 5.41, which was my Backup in that time.

    Now is the time to the main point. The virus was not in the Wild list. I checked the virus 3 days after that I recognized that infection, wich was some a week old, with other av:s when I had time to it. Only Panda Online scanner and of course KAV online scanner were capable to detect it.

    Those programs that missed the virus in my checks were PC-cillin 2003, NOD32, McAfee on line scanner, DrWeb on line scanner, RAV 8.6. 104. So there isn't such a myth as "in the Wild viruses", only it is truth that some viruses are more common than the others. Even WormGuard, TrojanHunter, Trojan Remover and PC DoorGuard missed that worm, so that's about the so called layered defence!

    After that my case I decided to improve BitDefender's virusbase with all my virus detections afterwards with all my detected viruses I ever met, because BitDefender is the only AV that is still capable to scan all those files from your PC.

    After that I classified DrWeb and NOD32 more or less "hype" in total defense category, because they have so small virusbase! o_O

    PS. The virus was in "exe" extension when I checked that with those other AV:s and AT:s! o_O

    "The truth is out there, but it hurts"

    Best Regards,
    Firefighter! o_O
     
  2. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    We should clarify first some expressions:

    a virus is a program that spreads while infecting other programs
    a worm is a program that spreads through networks (as email or via shares for example)
    a trojan is a program that does not spread. Also a it is defined as a program that does something different from what you aspect the program to do.

    So in you description you mixed up the three words which stands for three different malware types.

    As it looks like to me you either not catched a virus or a worm but a trojan. As the F-Secure states a "dropper" for zombie bot (which is a program that allows to hackers to attack other computers)

    This is true because it is a trojan. The wildlist covers only viruses or worms.

    The difficulty with the malware you downloaded is that it is just a "dropper". The only change to detect such "droppers" is that the av companies got this special file to create a signature. Heuristic detection does not apply in this cases.

    The truth is that this is not a real problem as long as the user sticks to the general rule not to use executable files out of unthrustworthy sources. The danger of getting infected while using software out of warez sites or filesharing tool is extremly high. Especially filesharing tools are a 'good source' for hackers to spread trojans and other malware. The spead of distribution is so fast that there is hardly a change for av programs to catch up with this.

    So the best approach in getting protection from such threats is not to count on a software but on the pure and simple rule not to use software out of unreliable sources.

    Bullshit. All other products can deal with such malware easily (as long they get a chance to grap a signature).

    Neither DrWeb or NOD32 have a small database. I don't know how you come to such conclusions.

    wizard
     
  3. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Wizard from Firefighter!

    After all those clarifyings, I still trust most of in Kaspersky av-enginge, because it is the only one that can detect most of those "nasties"!

    Those anti-trojans and anti-worms were the best I could use with my understandings, TDS-3 is in my mind to security specialists! :rolleyes:

    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter! :rolleyes:
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    TDS does already detect all 3 common variants of TankEd

    DDoS.RAT.TankEd 1.1
    DDoS.RAT.TankEd 1.3
    DDoS.RAT.TankEd 1.4

    Otherwise known as Worm.P2P.TankEd.11 , 13 , 14 (Kaspersky)

    An entirely different worm, is Worm.P2P.SDDrop.c (same name for Kaspersky). This is a DDoS.RAT.SDBot dropper and worm in one..
     
  5. Firefighter, could I suggest to you that you try GAV?

    Gladiator AntiVirus...

    I don't know if you ever did or not.

    But since you have Kaspersky, you're okay..
    I just purchased AVK Pro, with Kaspersky engine.. Did you ever try that one..?

    You have a good, strong point,. though. Okay, per Wizard's argument, if TankEd is a trojan, why doesn't TrojanHunter cover it? Oh, it's a "dropper".. So, now, it's optional whether TankEd is a trojan or not...Viruslist.com calls it a worm...

    Ah, I'd love to use TDS.. It would not work right with my WinXp... Maybe Ver 4...

    Oh, well....LOL..

    I'd be interested to hear from Michael of GAV. I have a strong when it comes to Kazaa, GAV has it covered...
     
  6. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    ...because it is always better to use unfinished software that never has been officially reviewed/tested for protection... :D

    wizard
     
  7. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    !! Please not again!! ;) :D
     
  8. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Please please please DON`T mess up with viruses ! And please teach youngsters not to do too ......there is no AV thingy to protect your valuable data ...it doesn´t exist....There are about 250 new viruses on every month.....

    best wishes and happy spring - Ari
     
  9. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    And I forgot to specify : Please do not mess up with email attachments either, and avoid suspecious sites too, avoid troubles.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.