Friday, November 6, 2009

VirusTotal is smoking da krak!

If you are reading this post, you have probably heard of and most likely even used VirusTotal http://www.virustotal.com/ the online scanning website that will scan a submitted sample using a host of security vendors' scanners. Over the last few years, VirusTotal has emerged as the defacto go-to site if you want to compare the effectiveness of various products. Sounds reasonable, right ? Wrong!!


VirusTotal is about the worst place to test the effectiveness of any security scanner. There are couple of good reasons for this:

1) vendors give VirusTotal crippled versions of the scanners they use in their real product. You will always run into many cases where a file is not detected by VT but it is detected by your product. This problem tends to affect Norton more than other vendors.


Here is a VT scan for a file:




A minute later I scanned the same file with my copy or NIS2010, and voila.. a detection





2) The second problem is that virusTotal uses just one of the scanners a typical security product has nowadays. Security products have a plethora of engines, intrusion prevention engines, HIPS, NIPS, FIPS (ok I made that one up), Behavioral Engines, sandbox etc. and none of these engines are tested by VirusTotal.

So when choosing an AV product be wise, don't decide based on results from VirusTotal

1 comment:

Mike said...

You should change the title of your post on VT. The way the title reads and your post reads makes is sounds like it's VT's fault for people misinterpreting the detection statistics. IMHO they provide a good free service.