Slashdot Mirror

← Back to Domains

Domain: virustotal.com

Stories and comments across the archive that link to virustotal.com.

Comments · 5,903

  1. Re:McAfee's Virus Information Librar by PktLoss · · Score: 1 · on A Searchable Virus Database?

    I think you get all the bonus points for trying out the search engine before giving it the gold star :)

    Yeah, a VM probably would have been a good way to go, but honestly I really thought the A/V programs would catch it once it started trying to do naughty things.

    Next time (and i've got a lot of non-pc-savy friends so there will be a next time) I'm going to:
    Save the file to disk
    Upload it to Virus Total (http://www.virustotal.com/flash/index_en.html) and see if it has any clue
    If not, move the file over to an expendable (or at least non mission critical) machine (laptop, old pos, etc) and run it with a recent back up of the registry & a few other critical files so at the very least I can run a diff.
    Run the virus with my a/v packages running, and hope for the best :)

  2. We've had two new ones in the past year by Meostro · · Score: 3, Informative · on A Searchable Virus Database?

    At my company, we've had at least two virus infections before definitions were released. We worked through symptoms and used stuff like HijackThis! and Process Explorer to find out what was going on, plus a few of the PS Tools to get rid of it and Bart's PE to clean-room the system to remove persistent files. It took our virus vendor a week to come up with definitions, but a few others had them earlier and we could use their online or free versions to clean the systems.

    Generally, when we get a suspicious file, it goes to VirusTotal first. If any of the 20-or-so listed AV vendors have a definition for the virus, you can usually find some information about it (at least a name) and from there figure out how to clean it. If nobody has a definition, next stop is Norman Sandbox to figure out what the beastie does, at least from a high-level point of view. If nothing else, it will probably give you a mutex that you can create to block execution/further infection, and sometimes it even gives you a clue as to what the virus would be or if it's a variant of something else. I found that we had a new variant of W32/Sality based on its mutex, which was one version number incremented from the info available online.

    If there are no hits after that, there are some more things you can try, but they're mostly shots in the dark. Unless you can un-UPX the file and do some serious reverse-engineering on your own, you probably have to wait for a definition or post your symptoms in a newsgroup or forum and hope someone can help.

    One good thing about VirusTotal is that it submits your sample to AV vendors (if you give it permission) so they are alerted and can start to develop definitions. It's difficult to find contact info for some vendors, but McAfee, ClamAV, CA and others have places you can submit a sample, you would do well to try them all if you have non-sensitive information in an infected file.

  3. We've had two new ones in the past year by Meostro · · Score: 3, Informative · on A Searchable Virus Database?

    At my company, we've had at least two virus infections before definitions were released. We worked through symptoms and used stuff like HijackThis! and Process Explorer to find out what was going on, plus a few of the PS Tools to get rid of it and Bart's PE to clean-room the system to remove persistent files. It took our virus vendor a week to come up with definitions, but a few others had them earlier and we could use their online or free versions to clean the systems.

    Generally, when we get a suspicious file, it goes to VirusTotal first. If any of the 20-or-so listed AV vendors have a definition for the virus, you can usually find some information about it (at least a name) and from there figure out how to clean it. If nobody has a definition, next stop is Norman Sandbox to figure out what the beastie does, at least from a high-level point of view. If nothing else, it will probably give you a mutex that you can create to block execution/further infection, and sometimes it even gives you a clue as to what the virus would be or if it's a variant of something else. I found that we had a new variant of W32/Sality based on its mutex, which was one version number incremented from the info available online.

    If there are no hits after that, there are some more things you can try, but they're mostly shots in the dark. Unless you can un-UPX the file and do some serious reverse-engineering on your own, you probably have to wait for a definition or post your symptoms in a newsgroup or forum and hope someone can help.

    One good thing about VirusTotal is that it submits your sample to AV vendors (if you give it permission) so they are alerted and can start to develop definitions. It's difficult to find contact info for some vendors, but McAfee, ClamAV, CA and others have places you can submit a sample, you would do well to try them all if you have non-sensitive information in an infected file.