Recent On-demand Test By Emsisoft.


39 replies in this topic

#21 Eugeny Gladkih

    the Spirit of the Enlightenment

  • Dr.Web Staff
  • 5 295 posts

Posted 07 May 2009 - 21:03

the 1st tier companies like Dr.Web create the signatures themselves. others are pinching and their products cannot even cure the files (take a look at Avira). that's a very bad way. maybe those companies do not have a bad detection rate of dead bodies, but their software cannot do anything reasonable upon the infected system. that's not the AV ;-)

#22 risl

    Member

  • Posters
  • 228 posts

Posted 07 May 2009 - 21:07

Hello Eugeny,

Which do you consider more important?

The ability to detect much and try to prevent the infection, or the capability of curing the system if it's been infected?

If I understand this correctly, you cannot cure a system if you don't detect the virus. Without detection, there cannot be a cure.

#23 Dr33

    Newbie

  • Posters
  • 45 posts

Posted 07 May 2009 - 21:12

if the virus is blocked first, it is better than to cure it later

#24 Eugeny Gladkih

    the Spirit of the Enlightenment

  • Dr.Web Staff
  • 5 295 posts

Posted 07 May 2009 - 21:26

> If I understand this correctly, you cannot cure a system if you don't detect the virus. Without detection, there cannot be a cure.

yes, you're right. what will they do with the infected ntoskrnl or winlogon, yeah? ;)

#25 Eugeny Gladkih

    the Spirit of the Enlightenment

  • Dr.Web Staff
  • 5 295 posts

Posted 07 May 2009 - 21:30

> if the virus is blocked first, it is better than to cure it later

sure, I've read Sir Thomas More a little ;)

#26 userr

    Newbie

  • Members
  • 16 310 posts

Posted 07 May 2009 - 21:40

> I submit the samples through the website http://vms.drweb.com/sendnew as "suspicious files".

Correct. For better results please
- submit one file in one try
- attach http link to virustotal scan result

> I mean the detection rate is low in comparison to how many new links we found - how many of them are detected after I download the file/scan it.

What about comparison to other vendors?

> Currently I have 14 files that are undetected even though I've sent them. There are less tickets because I sent one archive containing 8 files. I'll make a specific topic for these if someone from the staff finds it useful.

There is a topic for unresolved tickets - http://forum.drweb.com/index.php?showtopic=278050 Pls post your ticket numbers there, but rescan the malware with updated drweb first, maybe it's added already.
I think a specific topic for zero-day malware scan results found by your community may be of interest. With virustotal scan links and drweb virlab tickets (if it goes undetected).

#27 Eugeny Gladkih

    the Spirit of the Enlightenment

  • Dr.Web Staff
  • 5 295 posts

Posted 07 May 2009 - 21:44

> There is a topic for unresolved tickets - http://forum.drweb.com/index.php?showtopic=278050 Pls post your ticket numbers there,

maybe it's better to open a new pinned topic right here in the English forum?

#28 userr

    Newbie

  • Members
  • 16 310 posts

Posted 07 May 2009 - 22:10

> here are some strong words from yours truly about it:
>
> The Submission system needs to be scrapped, or re-programmed to create a simple use of adding and detecting these samples that customers submit

What do you mean? Adding samples that customers submit automatically, without any testing? It's a bad idea. Of course, virlab work can be improved and must be improved, but submitted samples must be checked. Sometimes it's possible to test them automatically (ticket auto resolver), sometimes virlab has to check them by hand.

> it does not work (sometimes it does), and 90% of the samples do not get added, replied to and probably forgotten about, this is fact, and drweb should not dismiss these words

90% of the samples do not get added? With all due respect, it is utter nonsense. Do you have any proof? What do you know about the amount of virus samples drweb receives every day? How many of them are added and how many of submitted files are useless crap?

> improvements could and SHOULD!! be made, they can do it

Undoubtedly! Amen. :)

> they need to improve their adware/spyware detection.

What is especially wrong with drweb adware/spyware detection?

> maybe it's better to open a new pinned topic right here in the English forum?

No objections here. ;)

#29 userr

    Newbie

  • Members
  • 16 310 posts

Posted 07 May 2009 - 22:21

> if you modify some kind of malware and AV let it pass because it is not harmful another piece of that malware can mutate the file and you get infected so i don't think it's a valid option

If the file is not harmful (for example it's corrupted and can't start/work at all), it is NOT MALWARE! I might get infected only if I have some real malware on my comp, and this malware of course must be detected and cleaned by AV.
Maybe I didn't understand what you meant, pls put it more clearly.

#30 risl

    Member

  • Posters
  • 228 posts

Posted 07 May 2009 - 23:04

> > I submit the samples through the website http://vms.drweb.com/sendnew as "suspicious files".
>
> Correct. For better results please
> - submit one file in one try
> - attach http link to virustotal scan result
>
> > I mean the detection rate is low in comparison to how many new links we found - how many of them are detected after I download the file/scan it.
>
> What about comparison to other vendors?

I did post some jotti.org links but I'm not so interested in other vendors that I would scan every file in virustotal and make statistics. Avira, Kaspersky, Avast and Nod32 are usually the "top performers" in almost every test. Scoring consistently over 95%.

What concerns me most is that almost none of these files are detected heuristically. I haven't seen "Probably", ".origin", ".Packed", ".based", ".generic" or other similar detection in a long time.

But like I already mentioned, I might just be "unlucky" for trying to download ~20 viruses with getting only 1-2 detections.

Yesterday I sent 2 files, which both were resolved by the automatic system as Trojan.PWS.Panda.114. Today I sent 2 new files but haven't received the results yet.

These are still unresolved but tickets have been made: http://risl.codename.fi/drweb/viruses.JPG

#31 sr

    Newbie

  • Posters
  • 28 posts

Posted 08 May 2009 - 16:12

> > There is a topic for unresolved tickets - http://forum.drweb.com/index.php?showtopic=278050 Pls post your ticket numbers there,
>
> maybe it's better to open a new pinned topic right here in the English forum?

it will be good to start with basic things - add in ftp://ftp.drweb.com directory samples for uploading, you may take inspiration from ftp://ftp.nod.sk. Sending many samples will be very simple.
ESET NOD32 Antivirus

#32 C.S.J

    Member

  • Posters
  • 199 posts

Posted 09 May 2009 - 15:10

> > here are some strong words from yours truly about it:
> >
> > The Submission system needs to be scrapped, or re-programmed to create a simple use of adding and detecting these samples that customers submit
>
> What do you mean? Adding samples that customers submit automatically, without any testing? It's a bad idea. Of course, virlab work can be improved and must be improved, but submitted samples must be checked. Sometimes it's possible to test them automatically (ticket auto resolver), sometimes virlab has to check them by hand.
>
> > it does not work (sometimes it does), and 90% of the samples do not get added, replied to and probably forgotten about, this is fact, and drweb should not dismiss these words
>
> 90% of the samples do not get added? With all due respect, it is utter nonsense. Do you have any proof? What do you know about the amount of virus samples drweb receives every day? How many of them are added and how many of submitted files are useless crap?
>
> > improvements could and SHOULD!! be made, they can do it
>
> Undoubtedly! Amen. :)
>
> > they need to improve their adware/spyware detection.
>
> What is especially wrong with drweb adware/spyware detection?
>
> > maybe it's better to open a new pinned topic right here in the English forum?
>
> No objections here. ;)

Of course, the samples need to be checked. I think you misunderstood my post userr, i meant the automatic ticket resolver could be improved to get more samples processed automatically.

as for the 90% of samples do not get added, this is not utter nonsense, maybe not for you, but for some of us, this is a fact, in fact in a lot of cases, i still receive replies on submitted viruses from 12 months ago, the system does not work.

sure, it may work sometimes, as it works sometimes even with me on this side of the globe, but it's not reliable

i really question the fact that most likely Russian samples, or samples from Russian users get a higher priority OR... they just ain't doing enough to add these samples.

all AVs need to improve their adware/spyware detection, sure.. it's not poor, but it's average and should be improved. This is not just a Drweb problem, ALL Anti-Virus companies just don't have the type of detection for these threats as a stand-alone spyware company.

so while some of my comments may remain useless to you, they are hard truths, maybe not what everyone sees, but it does exist and Drweb need to recognise.

the potential with this anti-virus is NOT being addressed, Drweb is a company slowly moving along with the times, treading water and not really fulfilling what it COULD achieve.

this was the case, and still is the case and i fear will ALWAYS be the case for the future.

if the tools are there, use them!

however, it's not all doom and gloom, there are many positives as my past threads or people who read my words would see, hence why i still use the software.

#33 userr

    Newbie

  • Members
  • 16 310 posts

Posted 10 May 2009 - 15:59

> Of course, the samples need to be checked. I think you misunderstood my post userr, i meant the automatic ticket resolver could be improved to get more samples processed automatically.

Quite agree. :)

> as for the 90% of samples do not get added, this is not utter nonsense, maybe not for you, but for some of us, this is a fact, in fact in a lot of cases, i still receive replies on submitted viruses from 12 months ago, the system does not work.

Ah, now you are talking about yourself, not about 90% of the whole amount of samples coming to Drweb virlab, this is much more correct. Let's consider it in detail.
How many files have you sent?
How many of them were real in-the-wild malware, found by you (and other real people, your friends, colleagues, etc.) on real comps and web links? Not some obscure "virus collections" of unknown origin?
The "send virus" page says: Please, include only one file per submission. Also it says In the comments field you can enter any additional information about a suspicious file. The more details you provide, the sooner we’ll be able to process your submission. Virustotal links are ideal for this field.
Did you (and do you) follow these rules?
And how many of them haven't got added? How have you checked it? Maybe there wasn't a reply from virlab (it's bad, I agree), but the sample got added.

"some of us" - who are they? ;) They are very welcome here.
As I said, Drweb virlab functioning can and must be improved. But please, be more accurate with digits.

> all AVs need to improve their adware/spyware detection, sure.. it's not poor, but it's average and should be improved. This is not just a Drweb problem, ALL Anti-Virus companies just don't have the type of detection for these threats as a stand-alone spyware company.

Just the contrary, "universal" AVs and Drweb among them pay great attention to adware/spyware detection now. The time for stand-alone spyware companies has gone, they are no more effective than good "classic" AVs. I hope we will not talk about such nonsense as "detecting" cookies and other garbage.

#34 C.S.J

    Member

  • Posters
  • 199 posts

Posted 10 May 2009 - 17:30

> > Of course, the samples need to be checked. I think you misunderstood my post userr, i meant the automatic ticket resolver could be improved to get more samples processed automatically.
>
> Quite agree. :)
>
> > as for the 90% of samples do not get added, this is not utter nonsense, maybe not for you, but for some of us, this is a fact, in fact in a lot of cases, i still receive replies on submitted viruses from 12 months ago, the system does not work.
>
> Ah, now you are talking about yourself, not about 90% of the whole amount of samples coming to Drweb virlab, this is much more correct. Let's consider it in detail.
> How many files have you sent?
> How many of them were real in-the-wild malware, found by you (and other real people, your friends, colleagues, etc.) on real comps and web links? Not some obscure "virus collections" of unknown origin?
> The "send virus" page says: Please, include only one file per submission. Also it says In the comments field you can enter any additional information about a suspicious file. The more details you provide, the sooner we’ll be able to process your submission. Virustotal links are ideal for this field.
> Did you (and do you) follow these rules?
> And how many of them haven't got added? How have you checked it? Maybe there wasn't a reply from virlab (it's bad, I agree), but the sample got added.
>
> "some of us" - who are they? ;) They are very welcome here.
> As I said, Drweb virlab functioning can and must be improved. But please, be more accurate with digits.
>
> > all AVs need to improve their adware/spyware detection, sure.. it's not poor, but it's average and should be improved. This is not just a Drweb problem, ALL Anti-Virus companies just don't have the type of detection for these threats as a stand-alone spyware company.
>
> Just the contrary, "universal" AVs and Drweb among them pay great attention to adware/spyware detection now. The time for stand-alone spyware companies has gone, they are no more effective than good "classic" AVs. I hope we will not talk about such nonsense as "detecting" cookies and other garbage.

yes, i mean my own experience.

i'd say about 1 or 2 out of 10 get added for me in the past but the correct submission channels.

in all honesty, i get more luck by contacting the staff and getting my samples added.

but of course, for the majority of the drweb customers, they cannot do this.

i test all my samples on my own machines, usually in a controlled environment so i can visually see if they are real undetected samples.

#35 userr

    Newbie

  • Members
  • 16 310 posts

Posted 10 May 2009 - 21:37

> yes, i mean my own experience.
> i'd say about 1 or 2 out of 10 get added for me in the past but the correct submission channels.
> i test all my samples on my own machines, usually in a controlled environment so i can visually see if they are real undetected samples.

So, they were all real in-the-wild malware, found by you (and other real people). They have been sent one file per submission, not 10-100 Mb bunches of some files of unknown origin. And every sample has been tested on your machines, and you've seen its real malicious behavior? Maybe. But I think we have a slight exaggeration here, haven't we? :)
Ticket numbers and Virustotal links are very convincing. ;)
BUT
I totally agree with you on the main point - Drweb virlab functioning can and must be improved. I know how it feels when you send your "lovely" malware and it goes to nowhere.

#36 C.S.J

    Member

  • Posters
  • 199 posts

Posted 11 May 2009 - 00:18

> > yes, i mean my own experience.
> > i'd say about 1 or 2 out of 10 get added for me in the past but the correct submission channels.
> > i test all my samples on my own machines, usually in a controlled environment so i can visually see if they are real undetected samples.
>
> So, they were all real in-the-wild malware, found by you (and other real people). They have been sent one file per submission, not 10-100 Mb bunches of some files of unknown origin. And every sample has been tested on your machines, and you've seen its real malicious behavior? Maybe. But I think we have a slight exaggeration here, haven't we? :)
> Ticket numbers and Virustotal links are very convincing. ;)
> BUT
> I totally agree with you on the main point - Drweb virlab functioning can and must be improved. I know how it feels when you send your "lovely" malware and it goes to nowhere.

lol userr, you obviously don't know me, :)

1. I never use VirusTotal
2. I 'Always' send 1 file per email
3. all samples submitted are either checked by myself in terms of what i can actually see myself, and using some automated tools that i have as well, and/or sent as suspicious when i have my doubts.

as for in-the-wild viruses, they may not be on the list of in-the-wild viruses, but as far as i'm aware..... if i'm seeing it, it's in-the-wild to me.

I don't send in as many as i have done in the past, for reasons that i have a really busy life lately, but even when i did, the 'majority' of the samples would not even be checked (as far as i'm aware)

if the automatic ticket resolver was improved, more samples could be processed.

I really don't like (and don't appreciate) me taking time out of my life to help, when it gets overlooked and forgotten about.

sure, makes me sound selfish or maybe even arrogant, but this is why i don't work in the anti-virus industry :)

i see this as incompetence personally, something that would never happen in my own line of work :P

Drweb need to improve on all fronts, we shall see if they can,

so far.... i see crossroads. :)

but, i still hope Drweb will listen.

to me, the things i mention seem common sense to me, so i find it a little hard to understand why they don't listen, or maybe they do and don't agree.

... i just don't know. :)

#37 risl

    Member

  • Posters
  • 228 posts

Posted 11 May 2009 - 18:19

It is just too much "work" to download many viruses -> upload them one by one -> see if they get processed or not -> then complain about/list ticket numbers if not.

It would be a lot easier and much more effective if the active "forum people" would get a private FTP to upload these files directly. Perhaps some hash-checker there to prevent us from uploading duplicate samples.

How about creating a "special" group of active Dr.Web supporters and let them enjoy getting their samples processed quickly.

#38 C.S.J

    Member

  • Posters
  • 199 posts

Posted 11 May 2009 - 21:59

> It is just too much "work" to download many viruses -> upload them one by one -> see if they get processed or not -> then complain about/list ticket numbers if not.
>
> It would be a lot easier and much more effective if the active "forum people" would get a private FTP to upload these files directly. Perhaps some hash-checker there to prevent us from uploading duplicate samples.
>
> How about creating a "special" group of active Dr.Web supporters and let them enjoy getting their samples processed quickly.

i don't think this would happen for just drweb customers, but priority should still be made for customers' samples.

but maybe they could open an ftp for everyone, where once the file is submitted, it's hidden from public view so no viruses can be downloaded at request from the server.

it would be an easier way to submit massive amounts of samples, and i'm sure not only drweb customers would submit them.

if it's easy to submit, as an ftp submit should be, i'm sure people of all antiviruses would be glad to submit them.

you never know, they might do it.

but they would need to improve their auto ticket resolver, i think improving this would help everything a lot.

Faster and less resources, & would make life much easier for the drweb staff, using less resources and funds, and also help the customers with the added detection it would bring.

personally, i think Dr.Web just need a good old fashioned kick up the backside.

#39 HHH

    Massive Poster

  • Posters
  • 2 714 posts

Posted 11 May 2009 - 22:31

> It would be a lot easier and much more effective if the active "forum people" would get a private FTP to upload these files directly. Perhaps some hash-checker there to prevent us from uploading duplicate samples.

There is no sense in such FTP while DW cannot add even files sent via http/e-mail.

You will be able to upload 1000 malwares per-time but almost none of them will be added :(

#40 C.S.J

    Member

  • Posters
  • 199 posts

Posted 11 May 2009 - 22:39

> > It would be a lot easier and much more effective if the active "forum people" would get a private FTP to upload these files directly. Perhaps some hash-checker there to prevent us from uploading duplicate samples.
>
> There is no sense in such FTP while DW cannot add even files sent via http/e-mail.
>
> You will be able to upload 1000 malwares per-time but almost none of them will be added :(

yep very true, however......

if they improved their auto ticket resolver, a great bunch of them could be detected.

