
Thread: AV Vendors suck

  1. #1
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672

    AV Vendors suck

    From the latest ISC diary...

    Many readers might be familiar with Virustotal (http://www.virustotal.com). This service provides its users the ability to submit a file and have several anti-virus engines scan it. Unfortunately, several major anti-virus vendors decided this was not a good use of their product (probably because it exposes which vendors are lagging on getting updates out) and have badgered Virustotal to remove their engines. Apparently too many customers would come back to AV vendors using Virustotal results to harass them about lagging signatures.



    I'm sorry. Who the hell do these vendors think they are? This guy is providing one of the best services I have seen in a long time. Quick submittal and scan time, and you get to see who is catching what viruses. I guess the vendors couldn't handle someone pointing out that they suck.
    As of this morning the site is still up..but we'll see what happens.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Yeah.. I saw this earlier and was going to post about it after I got back from breakfast... You beat me to it.....

    I agree... They suck.... If they were any good they'd want their engines there to prove they are up to speed.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hey Guys,

    Time to name em and shame em?

    If you are not prepared to go "in the pit" then we KNOW YOUR PRODUCT IS CRAP

    Game on?

  4. #4
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    I've been slamming Symantec at work. I'm less than excited to continue using their products. Especially considering their definitions are the slowest in the pack. ugh.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  5. #5
    Junior Member
    Join Date
    Nov 2003
    Posts
    13
    I have to agree with hogfly. I've moved away from Symantec's products in favor of Panda's AV suite. Symantec was too slow to respond to outbreaks and too costly.

  6. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    I guess I really don't care if AV companies are getting their panties in a wad. For me, it is an invaluable service for some of those pieces of malware that you just can't get rid of. It's nice to have the ability to upload it somewhere and at least be able to get an idea of what a file is.

    If the AV vendors want to improve their PR, then they would work with websites like this to improve their definition database. How hard would that be?

  7. #7
    I noticed a significant slowdown in Symantec products since 2002...for the longest time I'd only use 2001 Systemworks or Internet Security, until I found AVG 6 and Kerio (version 2, not 4!).

    Funny, I just noticed that our AVG virus definitions (from the emails) at work have a date from August....

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Thanks vorlin...when I copied the url into samspade I left in a "." before it....duh!
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  9. #9
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    If you're talking about www.virustotal.com, here's what my dig pulled up:
    PS - I'm in Tampa and yes, my machine's name is booty, he he he...

    booty - /home/kellert > dig www.virustotal.com

    ; <<>> DiG 9.2.1 <<>> www.virustotal.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6464
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

    ;; QUESTION SECTION:
    ;www.virustotal.com. IN A

    ;; ANSWER SECTION:
    www.virustotal.com. 755 IN A 62.15.230.164

    ;; AUTHORITY SECTION:
    virustotal.com. 755 IN NS ns2.argo.es.
    virustotal.com. 755 IN NS adsl2.argo.es.
    virustotal.com. 755 IN NS ns-split.argo.es.
    virustotal.com. 755 IN NS ns1.argo.es.

    ;; ADDITIONAL SECTION:
    ns1.argo.es. 1863 IN A 62.37.230.2
    ns2.argo.es. 1863 IN A 62.37.230.12
    adsl2.argo.es. 1863 IN A 213.97.198.23
    ns-split.argo.es. 27063 IN A 62.37.230.221

    ;; Query time: 41 msec
    ;; SERVER: 65.32.1.65#53(65.32.1.65)
    ;; WHEN: Mon Nov 15 03:09:12 2004
    ;; MSG SIZE rcvd: 202
    Then, here's the traceroute, dying on hop 16 somewhere outside/nearby/in Madrid, Spain, but it looks to be a Spanish site anyways:

    booty - /home/kellert > traceroute www.virustotal.com
    traceroute to www.virustotal.com (62.15.230.164), 30 hops max, 38 byte packets
    1 rrcs-24-73-166-233.se.biz.rr.com (24.73.166.233) 3.038 ms 2.531 ms 2.534 ms
    2 10.125.80.1 (10.125.80.1) 8.792 ms 10.088 ms 10.045 ms
    3 atm5-0-641.tampflerl-rtr1.tampabay.rr.com (24.92.6.150) 11.956 ms 19.527 ms 12.097 ms
    4 srp8-0.tampflerl-rtr3.tampabay.rr.com (65.32.8.227) 12.066 ms 11.290 ms 12.085 ms
    5 pop1-tby-P0-1.atdn.net (66.185.136.169) 13.596 ms 11.308 ms 16.370 ms
    6 bb1-tby-P0-0.atdn.net (66.185.136.160) 11.640 ms 19.751 ms 17.290 ms
    7 bb2-atm-P7-0.atdn.net (66.185.152.245) 29.360 ms 29.459 ms 32.926 ms
    8 pop1-atm-P4-1.atdn.net (66.185.150.3) 29.208 ms 37.443 ms 32.399 ms
    9 if-8-0.har1.Atlanta3.teleglobe.net (64.86.9.1) 29.336 ms 29.333 ms 29.451 ms
    10 if-0-1.core1.Atlanta3.Teleglobe.net (64.86.8.5) 35.571 ms 30.016 ms 33.643 ms
    11 if-1-2.core2.Newark.teleglobe.net (64.86.138.149) 145.190 ms 144.725 ms 144.966 ms
    12 if-8-0.core2.London2.Teleglobe.net (66.110.8.142) 151.340 ms 152.783 ms 153.521 ms
    13 195.219.13.6 (195.219.13.6) 159.579 ms 161.151 ms 159.521 ms
    14 if-6-0.core1.Madrid.Teleglobe.net (195.219.149.78) 151.808 ms 152.845 ms 152.577 ms
    15 ix-1-0.core1.Madrid.Teleglobe.net (195.219.101.2) 157.646 ms 164.747 ms 157.086 ms

    <died after this hop>
    Just some random info...

    EDIT: oh yeah, just from what www.register.com thinks, here's the dynamic pic of the whois they had. Anyone know if I just broke a law by putting said pic on my server for the duration of this post? If so, I'll remove it, yoiks!

    www.register.com whois of www.virustotal.com
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  10. #10
    Senior Member
    Join Date
    Jan 2004
    Location
    Hawaii
    Posts
    350
    Panda AV is God. I use the ActiveScan all the time. I do have Panda AV Platinum as well, but rarely get around to using it seeing as how ActiveScan is free, easy, and updated constantly.


    A_T
    Geek isn't just a four-letter word; it's a six-figure income.
