Different antivirus software give different results with same suspect files

I do manual antivirus scanning with three or four different software.  But I'm losing faith in all of them because the results are so different...even in the rare event that they spot the same suspect file, they can't seem to get the name of the virus right.  One says one thing, the other something completely different.  I often go online and try to find information on a named virus (or trojan, or whatever) and usually can't find anything but a very sketchy few words such as "yes this is a virus".  Most of the time when I google a virus name the first 10-20 entries are those web sites that try to convince you the end of the world is coming (via a virus) and you have to immediately use their web based scan.

I'm using Avast 4.7, Norton Corporate Antivirus, Solo Antivirus, AVG.  Today a rare thing happened, two of the software agreed that a certain file was a "virus".  The problem was they each had a different identification for it...Norton called it a "downloader", Avast said it's "Win32: Trojan-gen (Other)".  Avast likes to use this designation a lot.

Is there a gold standard web site or software that is highly accurate...one that I could use to double check these flaky results?  Or do I have to create a new partition and OS just to test every suspicious file because I have no faith left with these software?  What a lot of time that's going to take!

jc



Re: Different antivirus software give different results with same suspect files


| I do manual antivirus scanning with three or four different software.  But I'm losing faith in all of them because the results are so different...even in the rare event that they spot the same suspect file, they can't seem to get the name of the virus right.  One says one thing, the other something completely different.  I often go online and try to find information on a named virus (or trojan, or whatever) and usually can't find anything but a very sketchy few words such as "yes this is a virus".  Most of the time when I google a virus name the first 10-20 entries are those web sites that try to convince you the end of the world is coming (via a virus) and you have to immediately use their web based scan.
|
| I'm using Avast 4.7, Norton Corporate Antivirus, Solo Antivirus, AVG.  Today a rare thing happened, two of the software agreed that a certain file was a "virus".  The problem was they each had a different identification for it...Norton called it a "downloader", Avast said it's "Win32: Trojan-gen (Other)".  Avast likes to use this designation a lot.
|
| Is there a gold standard web site or software that is highly accurate...one that I could use to double check these flaky results?  Or do I have to create a new partition and OS just to test every suspicious file because I have no faith left with these software?  What a lot of time that's going to take!
|
| jc


Solo Antivirus is nothing but crap.  Pure worthless crap.

As for naming a given infector, it is true.  It is rare when all AV vendors identify the same infector using the same name.  This has always been a problem.  However, this is NOT a "flaky" result.  They just don't name the same infector the same.  There is no collaboration.  This doesn't mean their flagging a given file is unjustified; it only means they have assigned it differently.  Even when they might identify it with the same family name like Zlob, they may assign a different variant suffix.

This is a problem that has plagued the AV industry from the beginning.  To try to deal with this problem, MITRE was contracted by the US CERT to come up with a common naming convention for malware that was deemed to have infected numerous systems.  This is the MITRE Common Malware Enumerator (CME) list.  MITRE will assign a CME number and provide a cross-indexed listing.  For example, MITRE assigned 711 to a given downloader trojan and thus the name becomes CME-711.

"CME-711 is a Trojan Downloader that is spread as an attachment to emails with news headlines as the subject lines which downloads additional security threats,"

When this happens hopefully the AV company will append their name with !CME-711

http://cme.mitre.org/data/list.html

Unfortunately, I haven't seen MITRE keep up with the new threats so this has basically failed.

This is a problem, I am afraid to see, will last.

However systems like Virus Total are helpful in that when you submit a malware sample you can see who flags it and what they flag it as, and you can then, hopefully, use their encyclopedia/dictionaries to see what the infector is and does.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Different antivirus software give different results with same suspect files

Thanks for the referral to Virus Total, that really helps in the determination.  For example, the file I was most concerned about was tagged by 23 of 38 antivirus machines, including most of the big name ones.  That means a lot more than another file that was mildly tagged by 8 of 38, none of which was a big name, and only five of which actually put some kind of name to it (one actually called it "not a virus").

I wasn't so much concerned about the name disparity as I was by the complete lack of unanimity between antivirus programs that I'd used.  I'm also relieved to hear your opinion about Solo Antivirus, I liked it because it was so quick but there may be a reason for that.  Why is it you think it's worthless?  How about some of the unknown (to me) machines on Virus Total.  Are there some that you pay more attention to than others?

jc
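The two posts above describe the practical way to read a multi-engine scan: count how many engines flag the file, weight the ones you trust, and look past vendor-specific labels ("Win32:Trojan-gen", "Downloader", "Trojan.Zlob.D") to see whether the engines actually agree on a family. The script below is an added example written for this page; it is not code from the thread or from VirusTotal. The engine names, labels and the MAJOR_ENGINES set are constructed for illustration, and the token list used to strip platform/type noise from labels is an assumption about common vendor naming habits, not a standard.

```python
import re
from collections import Counter

# Constructed multi-engine scan results, shaped like the per-engine verdict
# list a service such as VirusTotal shows for one file. Engine names and
# labels are made up for this example and do not come from any real report.
SAMPLE_REPORT = {
    "EngineA": "Win32:Trojan-gen (Other)",
    "EngineB": "Downloader",
    "EngineC": "Trojan.Zlob.D",
    "EngineD": "Trojan-Downloader.Win32.Zlob.ab",
    "EngineE": "Win32/Zlob.gen",
    "EngineF": None,                # clean, no detection
    "EngineG": None,
    "EngineH": "not-a-virus:Tool",  # flagged, but explicitly not malware
}

# Hypothetical set of engines the analyst weights more heavily ("big names").
MAJOR_ENGINES = {"EngineA", "EngineB", "EngineC"}

# Assumed list of tokens that describe platform, type or heuristics rather
# than a malware family. Extend it as you meet new vendor conventions.
GENERIC_TOKENS = {
    "win32", "w32", "win64", "trojan", "downloader", "dropper", "gen",
    "generic", "other", "heur", "heuristic", "variant", "malware", "virus",
    "worm", "backdoor", "agent", "suspicious", "of",
}

# Separators vendors use between platform, type, family and variant parts.
SPLIT = re.compile(r"[\s.:/\-_()\[\]]+")


def _not_a_virus(low):
    return low.startswith("not-a-virus") or low.startswith("not a virus")


def is_detection(label):
    """True when the engine asserts the file is malicious."""
    if label is None:
        return False
    return not _not_a_virus(label.lower())


def family_of(label):
    """Return the family token of a vendor label, or None when the label is
    purely generic ("Win32:Trojan-gen") or a 'not a virus' style verdict."""
    if not is_detection(label):
        return None
    for tok in SPLIT.split(label.lower()):
        # one- or two-letter tokens such as "D" or "ab" are variant suffixes
        if len(tok) >= 3 and tok not in GENERIC_TOKENS:
            return tok
    return None


def summarize(report, major=MAJOR_ENGINES):
    """Collapse heterogeneous vendor verdicts into one consensus view."""
    detections = {eng: lab for eng, lab in report.items() if is_detection(lab)}
    families = Counter(f for f in map(family_of, detections.values()) if f)
    generic_only = sum(1 for lab in detections.values() if family_of(lab) is None)
    consensus, votes = families.most_common(1)[0] if families else (None, 0)
    return {
        "engines": len(report),
        "detections": len(detections),
        "ratio": len(detections) / len(report) if report else 0.0,
        "major_detections": sum(1 for eng in detections if eng in major),
        "generic_only": generic_only,
        "consensus_family": consensus,
        "consensus_votes": votes,
        "families": dict(families),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key:>18}: {value}")
```

On the constructed report this yields 5 detections out of 8 engines, 3 of them from the "major" set, two purely generic labels, and a consensus family of "zlob" carried by three differently worded vendor names. The "not-a-virus" verdict is deliberately excluded from the detection count, which is the distinction jc draws above between a file tagged by 23 of 38 and one tagged by 8 of 38 with mostly empty or dismissive labels.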






Re: Different antivirus software give different results with same suspect files


| Thanks for the referral to Virus Total, that really helps in the determination.  For example, the file I was most concerned about was tagged by 23 of 38 antivirus machines, including most of the big name ones.  That means a lot more than another file that was mildly tagged by 8 of 38, none of which was a big name, and only five of which actually put some kind of name to it (one actually called it "not a virus").
|
| I wasn't so much concerned about the name disparity as I was by the complete lack of unanimity between antivirus programs that I'd used.  I'm also relieved to hear your opinion about Solo Antivirus, I liked it because it was so quick but there may be a reason for that.  Why is it you think it's worthless?  How about some of the unknown (to me) machines on Virus Total.  Are there some that you pay more attention to than others?
|
| jc

Solo AV has been checked out -- pure crap.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Different antivirus software give different results with same suspect files



I think these antivirus software companies like to name an alleged virus with their own label. That gives the impression that they had something to do with its detection.
It's all about making money, and the more fear and confusion spread amongst pc users, the more chance there is of selling antivirus products.

I tried Trend Micro's on-line virus scan some time ago.
It picked up a couple of items which I knew about. That's fair enough.
It listed the files correctly and their locations on the disk.
It also listed another immediate danger, something about a backdoor trojan with a weird name. This time there was no file name or disk address, just a dire warning that I needed their software.

Same thing recently with BitDefender. I went to their website, tried their on-line scan. I made sure that I set the options to 'report only' - not to delete anything that was deemed suspicious.
After the scan was over the report told me that it had found and deleted an infected keygen for Acronis Disk Director Suite 10.
I had no such keygen on my disk.

And in a thread recently on this newsgroup (virus or not?) we had AVG telling a poster that had sent in a sample of code that it contained a 'new worm trojan' and they would add it to their definition table. The file was harmless.

I think a lot of these companies are worse than the viruses they purport to clean.

 


Re: Different antivirus software give different results with same suspect files

jbclem wrote:

What is with the excessively long 130-character lines?  So why did you
change the default line length in Outlook Express from 76 to 130?

Not all newsreaders have a rewrap function (when replying to reformat to
shorter line length).  Not everyone uses a newsreader that provides for
automatic linewrap, and having to scroll to the right or possibly end up
with truncated lines is a nuisance.  All following lines were truncated
at 76 characters to show you what your post might look to someone else.


There is no international organization that is assigned the
responsibility for naming viruses or their variations.  Each antivirus
vendor has their own detection and analysis lab, not just one facility
that they all pay and use together.

Using multiple partitions for separate instances of antivirus detection
will not alter that each vendor uses their own name, so you will still
be stuck with different names used by different antivirus vendors to
identify the same virus.

As for faith, that is a topic of more contentious newsgroups.  If you
trusted someone to repair your car who was called John by himself but
found out he was called Red by his coworkers because of his hair color,
used Jalopy as his moniker in newsgroups, and found out his legal name
was Ian, would you lose faith in John aka Red aka Jalopy aka Ian to
repair your car?  

"What's in a name? That which we call a rose
By any other name would smell as sweet."
(Juliet, in "Romeo and Juliet", by Shakespeare)
