- Jan 4, 2016
- 1,022
Good evening, how can we define the kind of signatures used by VirusTotal? I know they are the ones used when doing a command-line scan with the product, but is there a specific name?
Which kind of signatures does VirusTotal use?
- Thread starter TheMalwareMaster
- Start date
They usually evolve around checksum hash signatures and static heuristics (which includes generic detection). Apparently some vendors work with behavior analysis of some sort, and I do know that some vendors have integrated file reputation scanning also.
- Jan 4, 2016
- 1,022
Behaviour analysis really? I have never seen that on VirusTotal. Just some artificial intelligence
- Jun 3, 2014
- 1,136
Artificial intelligence works based on behavioral analysis. It checks the characteristics and behavior of the file and based on algorithms and deep learning, it classified the "danger level" of the file from 0.0 to 1.0. It is just a word marketing likes to use a lot.
Avast might have even included DeepScreen (they changed name, not sure what it is called now off the top of my head) in VT scanning, I am not 100% entirely sure on this one. Just a guess
- Feb 13, 2017
- 1,486
Yes, sometimes, analyzing a file on VirusTotal we can see some heuristic detection, but this absolutely doesn't imply that all of the heuristic and behavioral technology of a particular antivirus product was included in the on demand scanner because, of course, some technologies can not be included in an on demand scanner.
VirusTotal results do not provide a real and objective assessment of an antivirus product and, moreover, VT can just give a statistically interpreted evaluation of a suspicious file.
If we want to have an objective and interpretable report, we have to analyse this file to online malware analysis services interpreting the obtained results.
- Jan 4, 2016
- 1,022
Can we say that VirusTotal uses only those components of products which make static analysis, whithout amy dynamic one?
- Feb 13, 2017
- 1,486
If the malware is not executed, it is not possible to consider a full dynamic analysis.
- Jan 4, 2016
- 1,022
Yeah, that's a good way of defining VirusTotal technology, as static analysis
Except the sample may be executed for code emulatipn/quick behavioral identification on the backend of the server which we cannot see, like how deepscreen used to work.
Unless we contact VT or the vendors and ask we wont know for sure.
Unless we contact VT or the vendors and ask we wont know for sure.
- Jan 4, 2016
- 1,022
It is now called CyberCapture, but I don't believe it's now included in VirusTotal
- Feb 13, 2017
- 1,486
I agree, also because a full dynamic analysis of a sample for 5X antivirus would require a few hours
- Feb 13, 2017
- 1,486
From Virustotal FAQ:
"VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product."
"VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product."
Yes however if they run it they can combine an advanced memory scanner and dump the PE to disk and then rescan for packed samples.I agree, also because a full dynamic analysis of a sample for 5X antivirus would require a few hours
Similar threads
- Santiago Benavides García
- Opera
