Is this a new virus, or are virus scanners just slow to catch it?
After two different people sent me suspicious links via MSN, I decided to fire up a virtual machine and visit one of them. The link led to a file, which I uploaded to virustotal.com. The results? Only 11 of the 39 virus scanners tested recognized the file!
For the full results, see this PDF. At first I thought the virus must simply be too new, but the file had already been submitted to Virustotal yesterday, about 18 hours before I received the first copy. So apparently it takes very long before a new virus is recognized by most scanners, leaving me doubting the effectiveness of this software.
What makes matters even worse is that both people who tried to send me the virus were running a scanner with Instant Messaging protection; I had always assumed that modern virus scanners would check for suspicious behavior via Instant Messaging, such as repeatedly sending the same or similar-looking URLs to your entire contact list.
So what conclusions can we draw from this?
- Just running a virus scanner will not protect you from every possible threat (no news there)
- Even running multiple scanners isn’t 100% safe
- In this case, the scanner even made things worse; I called both people to ask why they had opened the file, and both had assumed their virus scanner would warn them if the file was dangerous. Had they not been running AV software, both would probably have deleted the file without opening it, or never have accepted it in the first place
I’ll resubmit the file in a couple of days, and I wonder how the results will look then!
Update 9-2: As tr0stvik noted, at the time I wrote this ~~Virustotal failed to list the versions and update times of the tested scanners~~ I was suffering from a lack of caffeine and forgot to click the “reanalyse file now” button, so there are no update times and version numbers for the scanners in the first scan result. I resubmitted the file again today; the results are here. Currently, 17 out of 39 scanners detect the virus.
Update 11-2: The detection rate has gone up to 64% (25 out of 39 scanners), which I still find shockingly low.


February 9th, 2009 at 8:31 am
Hmm, in the result pdf, why isn’t there any date and scanner versions showing? Something wrong with Virus-total when you uploaded the file, or something wrong with your browser?
February 12th, 2009 at 6:49 am
“Update 9-2: As tr0stvik noted, at the time I wrote this Virustotal failed to list the versions and update times of the tested scanners. I resubmitted the file again today; the results are here. Currently, 17 out of 39 scanners detect the virus.”
Try to research before you say something. In certain cases (when the file has been previously scanned by the email interface), that info is not shown.
February 12th, 2009 at 4:24 pm
@jcanto: Sorry, completely missed that! I updated the post, thanks for the reply and for providing this great service!