After two different people sent me suspicious links via MSN, I decided to fire up a virtual machine and visit one of them. The link led to a file, which I uploaded to virustotal.com. The results? Only 11 of the 39 virus scanners tested recognized the file!

virustotal_small

For the full results, see this PDF. At first I thought the virus must simply be too new; but the file has already been submitted to Virustotal yesterday; about 18 hours before I received the first copy. So apparently it takes very long before a new virus is recognized by most scanners, leaving me doubting the effectiveness of this software.

What makes matters even worse is that both people that tried to send me the virus were running a scanner with Instant Messaging protection; I had always assumed that modern virus scanners would check for suspicious behavior via Instant Messaging, such as repeatedly sending the same or similar-looking URL’s to your entire contact list.

So what conclusions can we draw from this?

  • Just running a virus scanner will not protect you from every possible threat ¬†(no news there)
  • Even running multiple scanners isn’t 100% safe
  • In this case, the scanner even made things worse; I called both people to ask why they had opened the file, and both had assumed their virus scanner would warn them if the file was dangerous. Had they not been running AV software, both would probably have deleted the file without opening it, or never have accepted it in the first place

I’ll resubmit the file in a couple of days, and I wonder how the results will look then!

Update 9-2: As tr0stvik noted, at the time I wrote this Virustotal failed to list the versions and update times of the tested scanners I was suffering from a lack of¬†caffeine and forgot to click the “reanalyse file now” button, so there are no update times and version numbers for the scanners in the first scan result. I resubmitted the file again today; the results are here. Currently, 17 out of 39 scanners detect the virus.

Update 11-2: The detection rate has gone up to 64% (25 out of 39 scanners); which I still find shockingly low.