8 ответов в этой теме

[malware1]

Hi,

 

When I have a big amount of files to be submitted, then I usually download latest version of Dr.Web CureIt and scan samples using it. I noticed that many samples undetected by CureIt are detected by Dr.Web engine at VirusTotal. Why does that happen? I receive many information about processed tickets, they sometimes said that the files are already detected and a record exists in the database. No, I don't mean tickets processed after few days (then that's normal that some file are possibly detected, the researchers could already get them from another source, not from my submission, so it was added), I mean the tickets that are processed by ticket auto resolver almost instantly, usually after few minutes. I check the suspicious files using VirusTotal, and yes, they're detected. But why CureIt doesn't detect them? Does it use another version of the engine?

Сообщение было изменено malware1: 02 Март 2014 - 17:11

[Dmitry_rus]

Does it use another version of the engine?

No, it doesn't. Try to scan again with new updated bases - CureIt updates regularly, several times a day.

[malware1]

I tried, the files still aren't detected.

[SergM]

CureIt is not updated as often as the main antivirus

[IlyaS]

Btw, malware1 do you use sigcheck to test samples on virustotal?

Spoiler

Sigcheck v2.01 - File version and signature viewer
Copyright (C) 2004-2013 Mark Russinovich
Sysinternals - www.sysinternals.com
  -u      If VirusTotal check is enabled, show files that are unknown
          by VirusTotal or have non-zero detection, otherwise show only
          unsigned files.
  -v[rn]  Query VirusTotal (www.virustotal.com) for malware based on file hash.
          Add 'r' to open reports for files with non-zero detection. Files
          reported as not previously scanned will be uploaded to VirusTotal
          unless the 'n' option is specified. Note scan results may not be
          available for five or more minutes.
  -vt     Before using VirusTotal features, you must accept
          VirusTotal terms of service.

[pig]

I check the suspicious files using VirusTotal, and yes, they're detected.

Can you report a link to VirusTotal scan result?
Also, please check suspicious files here: http://vms.drweb.com/online/?lng=en
and report link to scan result.

[malware1]

Btw, malware1 do you use sigcheck to test samples on virustotal?

Spoiler

Sigcheck v2.01 - File version and signature viewer
Copyright (C) 2004-2013 Mark Russinovich
Sysinternals - www.sysinternals.com
  -u      If VirusTotal check is enabled, show files that are unknown
          by VirusTotal or have non-zero detection, otherwise show only
          unsigned files.
  -v[rn]  Query VirusTotal (www.virustotal.com) for malware based on file hash.
          Add 'r' to open reports for files with non-zero detection. Files
          reported as not previously scanned will be uploaded to VirusTotal
          unless the 'n' option is specified. Note scan results may not be
          available for five or more minutes.
  -vt     Before using VirusTotal features, you must accept
          VirusTotal terms of service.

 

No, I don't.

 

 

 

I check the suspicious files using VirusTotal, and yes, they're detected.

Can you report a link to VirusTotal scan result?
Also, please check suspicious files here: http://vms.drweb.com/online/?lng=en
and report link to scan result.

 

Sorry, I didn't keep the VT links. But here's another file, undetected by CureIt, but detected according to VT: https://www.virustotal.com/en/file/66a5fe9c82ea872a555927f0f1c7d6fa2469311bab84d9f4aa5442c31f552508/analysis/ I sent it using FTP, the ticket wasn't processed yet, but probably will be checked soon.

It's detected by http://vms.drweb.com/online/?lng=en

[pig]

Please show CureIt scan log for this file. Delete existing log file before.

[malware1]

Here you go: http://wklej.to/yfnCk/text