integear 2008-9-20 00:41
ESET disagrees with using VT results to compare how good antivirus products are
It's late, so I won't translate much:
[quote]VirusTotal is not a Comparative Analysis Tool!
Most of us have been in Estonia for the past few days for a couple of conferences. You may hear more about that later, when Normal Service is resumed. One thing I wanted to remark on now, though (partly because it relates directly to some presentations I’ve been doing) is a spike in the use of VirusTotal as a tool for comparing detection performance. This is a topic we (and the guys at VirusTotal/Hispasec themselves, who are a really good bunch) are rather sensitive about.
I’ll probably come back to this in the near future, but the gist of the problem is this. VirusTotal is a tool many people find very useful as a shortcut to checking a possibly malicious file, [b]but it isn’t a detection test[/b]. Most importantly, it submits the files you submit to a battery of command-line scanners. This gives you a good chance of identifying a known malicious program, but the fact that a scanner doesn’t identify a file as malware does not mean it isn’t malicious, obviously. [b]However, if a file is identified as malicious by one group of scanners but not another, it doesn’t necessarily mean that the second group is less competent at detection[/b], either. Scanners that use sophisticated behaviour analysis, active heuristics and so on are disadvantaged by this misuse as a comparative test tool, since there is no behaviour to analyse. Generally, command-line scanners simply look at the code passively, rather than running it in a safe environment to see what it does in practice, so products that are heavily dependent on signature detection may seem to do better than products with advanced heuristics. In the real world, however, where on-access scanning is the first line of defence for most people, the advantage tends to swing the other way.
You might want to check out what Hispasec/VirusTotal have to say themselves at [url]http://blog.hispasec.com/virustotal/22[/url]. Alas, I’m sure I’ll be back to this topic sooner rather than later, and in appreciably more detail.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Reposted from: [url]http://www.eset.com/threat-center/blog/?p=150[/url][/quote]
ary1231 2008-9-20 09:05
VT results can serve as a reference
That doesn't say whether an antivirus is good or bad
Maybe ESET's results were too poor
and it's lashing out in embarrassment......:fr}
integear 2008-9-20 11:33
[quote]Originally posted by [i]ary1231[/i] at 2008-9-20 09:05 [url=http://www.avpclub.ddns.info/discuz/redirect.php?goto=findpost&pid=110655&ptid=13603][img]http://www.avpclub.ddns.info/discuz/images/common/back.gif[/img][/url]
VT results can serve as a reference
That doesn't say whether an antivirus is good or bad
Maybe ESET's results were too poor
and it's lashing out in embarrassment......:fr} [/quote]
There are still plenty of vendors that do worse than ESET. The main point is that the threat types and the periods in which they circulate differ, so the comparison has little value:fdqyt: .
If it were something like the earlier packer test, then of course it would have comparative value:) .
天氣預報 2008-9-20 12:34
VirusTotal is not a Comparative Analysis Tool!
Most of us have been in Estonia for the past few days for a couple of conferences. You may hear more about that later, when normal service is resumed. One thing I wanted to remark on now, though (partly because it relates directly to some presentations I have been doing), is a spike in the use of VirusTotal as a tool for comparing detection performance. This is a topic we (and the people at VirusTotal/Hispasec themselves, who are a really good bunch) are rather sensitive about.
I'll probably come back to this in the near future, but the gist of the problem is this. VirusTotal is a tool that many people find very useful as a shortcut for checking a possibly malicious file, but it is not a detection test. Most importantly, it submits the files you upload to a battery of command-line scanners. This gives you a good chance of identifying a known malicious program, but the fact that a scanner does not recognise a file as malware obviously does not mean it is not malicious. However, if a file is identified as malicious by one group of scanners but not by another, that does not necessarily mean the second group is less competent at detection either. Scanners that use sophisticated behaviour analysis, active heuristics and so on are disadvantaged by this misuse as a comparative test tool, because there is no behaviour to analyse. Generally, command-line scanners simply look at the code passively rather than running it in a safe environment to see what it does in practice, so products that depend heavily on signature detection may seem to do better than products with advanced heuristics. In the real world, however, where on-access scanning is the first line of defence for most people, the advantage tends to swing the other way.
You might want to check what Hispasec/VirusTotal have to say themselves at [url]http://blog.hispasec.com/virustotal/22[/url]. Alas, I am sure I will be back on this topic sooner rather than later, and in appreciably more detail.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
andy 2008-9-20 14:01
command-line scanners simply look at the code passively, rather than running it in a safe environment to see what it does in practice, so products that are heavily dependent on signature detection may seem to do better than products with advanced heuristics.
So what about On-Demand scanning? And what about AVC?:o
Don 2008-9-20 16:29
[quote]Originally posted by [i]ary1231[/i] at 2008-9-20 09:05 [url=http://www.avpclub.ddns.info/discuz/redirect.php?goto=findpost&pid=110655&ptid=13603][img]http://www.avpclub.ddns.info/discuz/images/common/back.gif[/img][/url]
VT results can serve as a reference
That doesn't say whether an antivirus is good or bad
Maybe ESET's results were too poor
and it's lashing out in embarrassment......:fr} [/quote]
I don't know why you would think that. A large proportion of the "undetected threats" ESET receives are false positives, corrupted files, or files with incomplete code. VirusTotal can really only serve as a reference; using it to rank antivirus products is frankly foolish. VirusTotal cannot analyse whether the sample you upload is actually a threat, and if it really is a threat, whether it is corrupted or its code is incomplete.
[[i] This post was last edited by Don on 2008-9-20 16:30 [/i]]
megakotaro 2008-9-20 16:34
Some antivirus vendors add corrupted files to their virus databases, probably as a last-resort means of boosting their detection rate.
But that is definitely not a good approach, just as the poster above said.
黑衣~魂 2008-9-20 18:54
VT is just something for ordinary people to use as a reference for multi-engine scan results.
But nowadays many people drag it into all sorts of arguments; VT itself is probably quite innocent in all this....
People who cannot analyse samples will naturally refer to VT's multiple engines; if you can analyse samples, why would you need VT's scan results at all....
Once a tool is released, it comes down to how you use it and your attitude. Never mind VT, the same goes for antivirus software.
VT has its uses; it depends on how people regard and use it.
[[i] This post was last edited by 黑衣~魂 on 2008-9-20 18:55 [/i]]