Something weird with CAV? Why are the results inconsistent?

Well, I was downloading some malware today, and I found one file a little funny. CAV doesn't seem to be that consistent with the result when you scan this file. The MD5 and SHA1 values are the same, but the results when scanning this file have been a little inconsistent, as can be seen here:

on VT COMODO says: TrojWare.Win32.TrojanDownloader.Swizzor.Gen

on Virscan COMODO says: TrojWare.Win32.Trojan.KillAV.~BYG

Both were using DB 3264 during this scan (according to the pages)…

However, when I scan this file at home, testing everything from heuristic OFF to heuristic HIGH, I get no detection whatsoever. (I am using DB 3264 as well.)

I am thinking perhaps VirScan just uses some sort of name shortening, and perhaps I am using some sort of corrupted database? I guess this can have something to do with how VT and VirScan set the heuristic, but it's still weird that I got no detection. If someone wants to scan this file as well, I'd be happy to send it, just PM.

Hmm… Uploaded it once more…

VirScan - Multi-engine online file scanning platform. Not detected by CIS… Same DB…

DB 3264…

[attachment deleted by admin]
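The first thing to pin down in a "same file, different verdicts" case is that the three sites really scanned the same bytes, and then to compare verdicts per engine and database version rather than by raw detection name. The script below is an added example, not code from the thread or from Comodo: it hashes a constructed placeholder byte string (not the real sample), records the detection names and DB version quoted in the thread as constructed verdict records, and flags an engine/DB combination as inconsistent when it returns more than one name or misses the file on one service. The `family()` helper assumes the `TrojWare.Win32.<family>.<variant>` layout seen in the two names above; that assumption is the author's, not a documented Comodo naming rule.

```python
import hashlib
from collections import defaultdict

# Constructed placeholder bytes standing in for the sample; not real malware.
SAMPLE_BYTES = b"MZ\x90\x00constructed placeholder content, not the real file\n"

# Constructed verdict records: (service, engine, db_version, detection name or None).
# Detection names and the DB version are the ones quoted in the thread.
VERDICTS = [
    ("VirusTotal", "COMODO", "3264", "TrojWare.Win32.TrojanDownloader.Swizzor.Gen"),
    ("VirScan",    "COMODO", "3264", "TrojWare.Win32.Trojan.KillAV.~BYG"),
    ("local CIS",  "COMODO", "3264", None),
]

# Assumed prefix tokens of the vendor naming scheme (author's assumption).
PREFIX_TOKENS = {"TrojWare", "Win32"}


def file_hashes(data: bytes) -> dict:
    """Return MD5, SHA1 and SHA256 hex digests: the identities scanners key on."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def family(name: str) -> str:
    """Reduce a detection name to its family part, e.g.
    'TrojWare.Win32.TrojanDownloader.Swizzor.Gen' -> 'TrojanDownloader.Swizzor'.
    Leading type/platform tokens and the trailing variant token are dropped."""
    parts = name.split(".")
    while len(parts) > 2 and parts[0] in PREFIX_TOKENS:
        parts.pop(0)
    if len(parts) > 1:
        parts.pop()  # variant token such as 'Gen' or '~BYG'
    return ".".join(parts)


def compare_verdicts(verdicts) -> dict:
    """Group verdicts by (engine, db_version). For one file hash, the same engine
    on the same database should produce one name everywhere; anything else is
    flagged so it can be raised with the vendor."""
    groups = defaultdict(list)
    for service, engine, db, name in verdicts:
        groups[(engine, db)].append((service, name))

    report = {}
    for key, items in groups.items():
        names = sorted({n for _, n in items if n})
        missed_by = [s for s, n in items if n is None]
        report[key] = {
            "services": len(items),
            "detected": len(items) - len(missed_by),
            "missed_by": missed_by,
            "names": names,
            "families": sorted({family(n) for n in names}),
            "consistent": len(names) <= 1 and not missed_by,
        }
    return report


if __name__ == "__main__":
    print("hashes:", file_hashes(SAMPLE_BYTES))
    for (engine, db), row in compare_verdicts(VERDICTS).items():
        status = "OK" if row["consistent"] else "INCONSISTENT"
        print(f"{engine} DB {db}: {status} "
              f"detected {row['detected']}/{row['services']}, "
              f"names={row['names']}, families={row['families']}, "
              f"missed_by={row['missed_by']}")
```

Replace `SAMPLE_BYTES` with the bytes of a real file and the `VERDICTS` list with what each service reports, and confirm the hashes match what the scan pages show before reading anything into the name differences. In the thread's case the report would show two different families from one engine on one DB, plus a miss on the local install, which is exactly the set of discrepancies worth sending to the vendor.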

I will contact Umesh about this.

Hi,
As of this topic, I see the following issues mentioned:

  1. Detection difference between virscan and virustotal
  2. Non-detection of same file on virscan in two different uploads
  3. Non-detection of the file on one user's machine while the same file gets detected for another user, with the same name as detected on VirScan.

I will get back to you after investigating it.

Thanks
-umesh

http://www.rapidshare.com/
Why don't you upload it to RapidShare and PM "umesh" and give him the RapidShare link to the sample? That'll probably make it much easier to narrow the problem down :)

If Umesh asks for that I will do that… But I don't think he has to; he can download samples directly from VT, I think…

I'll just bump so I can find this later. :slight_smile:

Guys, i have the sample.
Will let you know asap as what we find.

Thanks
-umesh

Sounds good Umesh, the intention with this thread was/is to find out why the results are differing so much. :-TU

@jay2007tech thanks for the suggestion though; my previous response was written in a hurry, since my gf and I were watching a movie and she wanted me to let go of the computer… :o

Out of curiosity, if you'd like to answer, Umesh, since I am not so sure myself; I just heard this…

Can AV companies just DL any file straight from VT?

In general VT sends us samples not detected by us, so we do get samples on a daily basis. But there is a range of paid services from VT for AV vendors to download files on demand. Apart from what we get by default via mail from VT, we can download only 100 files free on demand.
Thanks to the community, we get plenty of new malware from you via CIS and do not have to get it from VT explicitly.

Btw, this sample in question was uploaded to us via CIMA, so you guys help us a lot.

Thanks
-umesh

To add further to this:
http://camas.comodo.com/cgi-bin/submit?file=3588603b4a4af5a73cb9041b60ae05a39bb27c585c340b0732fa58f786eb3d0c

is the report link for CIMA, where CIMA not only reported it as malware but also gave it a proper name. Although we already had generic detection for this sample, so it was detected by default by CIS even though we didn't have this sample. So that's the power of the generic signatures we released after the CIS 3.13 release, and also CIMA.

Thanks
-umesh

Yeah, CIMA is great…

But CAV's not as powerful, as can be seen with this slightly modified version:
VT
virscan
UD by CIS…

However CIMA still catches it with proper naming!

Anyway, I like what Comodo has done with version 3.13; at least the heuristic feels a bit cooler than before, and it seems like the scanner is doing some kind of unpacking as well… =O

Hi Guys,
An update to this issue: we have identified the problem and we will be releasing a CIS update next week.

Thanks
-umesh

Thanks Umesh, sounds good. (:KWL) Locking this topic in about an hour, unless someone has something to add.

EDIT: Topic locked. PM a mod/me if you want it reopened for whatever reason. :-TU