In keeping with our previous article on poor coverage from commercial AV vendors, we performed another comparison of AV systems against our IRCBot-639 Trojan, with interesting results.
Our previous test took place mid-week, when every security company and AV vendor is staffed with their first-line daytime employees.
For this test, we took the opportunity to test the reaction of AV systems to an unknown virus, one not spreading in the wild, over the space of a weekend. Because the virus was not spreading in the wild, the only way a vendor could obtain it was from another vendor, so we can observe the spread of samples from vendor to vendor and see who does (and doesn’t) cooperate with whom.
And they’re off!

The race starts when we publish our new virus (2.zip) to the submissions site at Clam.
No one recognises the file as a distinct virus; only the heuristic scanners (NOD/Norman/Panda) suspect it.
And we’re into the first bend

Within a few hours the signature is published to Clam (at 19:02 BST); Virustotal updates its signatures and recognises the file within half an hour. It’s interesting to note that ClamAV shares its samples with Kaspersky (I wonder if the opposite is true…).
And they’re into a straight, it’s neck and neck

Even with two vendors having published signatures, which have been available for several hours (ClamAV’s signatures and samples are freely downloadable and shared amongst vendors), we still have poor coverage. Maybe the night shift are watching the World Cup? Could we see a change in the morning?
We’re round the second bend, awaiting any challengers

A whole 12 hours later, and we still see no change.
And we have two new contenders!

A day later, we see third and fourth place taken by Antivir and Ewido. We can’t say we know who told whom, but as they both use Kaspersky’s naming schema, we could assume these vendors are given samples by Kaspersky (and possibly others) and adopt its names as a result.
It’s the final straight, not long to go now

Fifth place is taken by ‘TheHacker’, 32 hours after the race began on Sunday morning.
And the rest of the pack comes hurtling round the last bend

Monday morning, 60 hours into the race, Fortinet and VBA32 start their procession to the finish line.
It’s the chequered flag and game over

72 hours from release, on Monday morning, we’re left with 15 players who failed to even get off the starting line.
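To turn a weekend of scan snapshots like the ones above into per-vendor detection lags and a list of engines that never caught the sample, here is a small added script (not from the original post). The release time, engine names and snapshot contents are constructed to loosely mirror the timeline above; substitute real multi-engine scan results.

```python
from datetime import datetime, timedelta

# Constructed example data: snapshots of a multi-engine scan of one sample,
# taken at several points after release. Engine names and times are
# illustrative and do not reproduce the original post's exact results.
RELEASE = datetime(2006, 6, 10, 9, 0)   # assumed release time (Saturday morning)
ENGINES = {"NOD32", "Norman", "Panda", "ClamAV", "Kaspersky",
           "Antivir", "Ewido", "TheHacker", "Fortinet", "VBA32",
           "VendorX", "VendorY"}        # VendorX/VendorY are placeholders that never detect
SNAPSHOTS = {
    RELEASE: {"NOD32", "Norman", "Panda"},          # heuristic hits only
    RELEASE + timedelta(hours=11): {"NOD32", "Norman", "Panda", "ClamAV", "Kaspersky"},
    RELEASE + timedelta(hours=32): {"NOD32", "Norman", "Panda", "ClamAV", "Kaspersky",
                                    "Antivir", "Ewido", "TheHacker"},
    RELEASE + timedelta(hours=60): {"NOD32", "Norman", "Panda", "ClamAV", "Kaspersky",
                                    "Antivir", "Ewido", "TheHacker", "Fortinet", "VBA32"},
}

def detection_lag(snapshots, release):
    """Hours after release at which each engine first flagged the sample."""
    lag = {}
    for when in sorted(snapshots):                  # walk snapshots chronologically
        hours = (when - release).total_seconds() / 3600
        for engine in snapshots[when]:
            lag.setdefault(engine, hours)           # keep only the first sighting
    return lag

def never_detected(snapshots, engines):
    """Engines that flagged the sample in no snapshot at all."""
    flagged = set().union(*snapshots.values())
    return sorted(engines - flagged)

def leaderboard(snapshots, release):
    """(engine, hours) pairs ordered by who detected first, then by name."""
    return sorted(detection_lag(snapshots, release).items(),
                  key=lambda kv: (kv[1], kv[0]))

if __name__ == "__main__":
    for engine, hours in leaderboard(SNAPSHOTS, RELEASE):
        print(f"{engine:10s} {hours:5.1f} h")
    print("never detected:", never_detected(SNAPSHOTS, ENGINES))
```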
The moral of the story… data shared openly and efficiently benefits everyone’s security. Assuming there’s someone around to receive it…