WatchGuard Technologies, Inc.
WatchGuard Wire
Improve Your Security IQ

Stage your own 27-way antivirus shootout with VirusTotal

Have any doubts about the effectiveness of the antivirus solution you settled on? VirusTotal can give you a free snapshot of how your solution stacks up against others.

VirusTotal.com is a free service that will accept your submitted file and scan it with 27 different antivirus engines, all of them updated with the latest official signatures from their respective developers. You can email the suspicious file to them, and receive back a result like the following (thanks to Jim Morgan of Datalude for sharing this sample):

========= results ============ ========= =========
Complete scanning result of "Update-KB1750-x86.zip", received in
VirusTotal at 11.22.2006, 09:52:27 (CET).

Antivirus | Version | Update | Result
AntiVir | 7.2.0.44 | 11.22.2006 | TR/Drop.Stration.G
Authentium | 4.93.8 | 11.22.2006 | Possibly a new variant of W32/Tricky-Malware-based!Maximus
Avast | 4.7.892.0 | 11.20.2006 | no virus found
AVG | 386 | 11.20.2006 | no virus found
BitDefender | 7.2 | 11.22.2006 | DeepScan:Generic.Stration.93DDD392
CAT-QuickHeal | 8.00 | 11.21.2006 | no virus found
ClamAV | devel-20060426 | 11.22.2006 | Worm.Stration.PS
DrWeb | 4.33 | 11.22.2006 | Win32.HLLM.Limar
eSafe | 7.0.14.0 | 11.20.2006 | suspicious Trojan/Worm
eTrust-InoculateIT | 23.73.63 | 11.22.2006 | Win32/Stration!ZIP!Worm
eTrust-Vet | 30.3.3205 | 11.21.2006 | Win32/Stration!ZIP!generic
Ewido | 4.0 | 11.21.2006 | no virus found
Fortinet | 2.82.0.0 | 11.22.2006 | no virus found
F-Prot | 3.16f | 11.22.2006 | Possibly a new variant of W32/Tricky-Malware-based!Maximus
F-Prot4 | 4.2.1.29 | 11.22.2006 | W32/Tricky-Malware-based!Maximus
Ikarus | 0.2.65.0 | 11.22.2006 | Email-Worm.Win32.Warezov.gen
Kaspersky | 4.0.2.24 | 11.22.2006 | Email-Worm.Win32.Warezov.gj
McAfee | 4901 | 11.21.2006 | no virus found
Microsoft | 1.1804 | 11.22.2006 | no virus found
NOD32v2 | 1876 | 11.21.2006 | probably unknown NewHeur_PE virus
Norman | 5.80.02 | 11.21.2006 | no virus found
Panda | 9.0.0.4 | 11.21.2006 | no virus found
Prevx1 | V2 | 11.22.2006 | Trojan.Update-KB
Sophos | 4.11.0 | 11.16.2006 | W32/Stratio-Zip
TheHacker | 6.0.3.122 | 11.21.2006 | no virus found
UNA | 1.83 | 11.21.2006 | no virus found
VBA32 | 3.11.1 | 11.21.2006 | no virus found
VirusBuster | 4.3.15:9 | 11.22.2006 | Trojan.Opnis.Gen.28

The diversity of responses is an eye-opener. Nearly half the engines analyzed the file (an actual virus received in Morgan's email spam) and declared it virus-free. The engines that successfully spotted the virus identified it by six different names, while others labeled it generically. This little demo reinforces what we already knew: implementing layers of defenses against viruses and spyware is a Good Idea. And you just know in your knower that if you sent the same file a day later, the results would differ.

If you have a suspicious file that might or might not be malicious, a free trip to VirusTotal is probably worthwhile. And if, over several trips, you discover that your brand of antivirus consistently fails to spot problems that other software finds, it's better to find out this way than by getting infected. -- D. Scott Pinzon, CISSP, NSA-IAM
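An added example (not part of the original article, and not VirusTotal's own code): a Python sketch that parses reports in the pipe-separated layout shown above and lists the submissions where one engine reported clean while other engines flagged the file. The `min_others` threshold and the two constructed reports are assumptions for illustration.

```python
CLEAN = {"no virus found"}  # result text the sample report uses for "not flagged"

def parse_report(text):
    """Parse 'Antivirus | Version | Update | Result' rows into {engine: result}."""
    results = {}
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) == 4 and cols[0] != "Antivirus":  # skip header and free text
            results[cols[0]] = cols[3]
    return results

def flagged(results):
    """Engines whose result is anything other than a clean verdict."""
    return sorted(e for e, r in results.items() if r.lower() not in CLEAN)

def consistent_misses(engine, reports, min_others=2):
    """Reports where `engine` said clean while >= min_others other engines flagged
    the file. min_others is an assumed threshold, not one the article specifies."""
    misses = []
    for name, text in reports.items():
        res = parse_report(text)
        others = [e for e in flagged(res) if e != engine]
        if res.get(engine, "").lower() in CLEAN and len(others) >= min_others:
            misses.append(name)
    return misses

HEADER = "Antivirus | Version | Update | Result\n"
REPORTS = {
    # Rows excerpted from the report quoted in the article.
    "Update-KB1750-x86.zip": HEADER + """\
ClamAV | devel-20060426 | 11.22.2006 | Worm.Stration.PS
Kaspersky | 4.0.2.24 | 11.22.2006 | Email-Worm.Win32.Warezov.gj
McAfee | 4901 | 11.21.2006 | no virus found
Sophos | 4.11.0 | 11.16.2006 | W32/Stratio-Zip
""",
    # Constructed reports: versions, dates and detection names are invented.
    "constructed-sample-2.zip": HEADER + """\
ClamAV | 0.0 | 01.01.2007 | Constructed.Worm.A
Kaspersky | 0.0 | 01.01.2007 | Constructed.Worm.B
McAfee | 0.0 | 01.01.2007 | no virus found
Sophos | 0.0 | 01.01.2007 | no virus found
""",
    "constructed-sample-3.zip": HEADER + """\
ClamAV | 0.0 | 02.01.2007 | no virus found
Kaspersky | 0.0 | 02.01.2007 | suspicious Constructed/Generic
McAfee | 0.0 | 02.01.2007 | no virus found
Sophos | 0.0 | 02.01.2007 | no virus found
""",
}
```

Calling `consistent_misses("McAfee", REPORTS)` on this data returns the first two report names; the third is excluded because only one other engine flagged that file, which is too weak a signal to count as a miss under the assumed threshold.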

Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.