03.02.2012,

Author:  Eddy Willems

The good and the bad about AV multi scanner services

Online AV multi scanners are used quite often these days. However, not every user is aware of these sites and what their possibilities and limits are. Using the public online multi scanner services can be useful, but the analysis results don't allow straightforward conclusions.

It is common for malware samples to remain undetectable for hours or even days. G Data has got comprehensive and fast detection rates for malware through our cloud technology. But still, some users might want to know more about a particular suspicious file or even analyze it themselves.
One of the easiest ways to accumulate a minimum of the desired information is provided by using online AV multi scanners. There is an interesting concept behind that: when you found a suspicious file on your pc, you can easily upload it to the service and have an immediate result as the file itself will be scanned with various up to date virus scan engines. This principle has been around for years now and gives you some immediate insight into a suspicious file. And there are indeed several of these scan service sites around. The most popular possibly is VirusTotal but you have several other ones like JottiNoVirusThanksMetascan or Virscan, to name only some of them.

How does it work?
Let’s have a look at one of the most popular services, VirusTotal. You can submit your sample on a website but you could also use an email submission feature – whatever suits your needs. Online, you can even use some hash value searching, meaning that you can search their existing database of scanned files based on a sha1, sha256 or md5 hash. This feature is handy if you don’t have an actual file but know the hash value of it.


Screenshot of a file analysis result, scanned with VirusTotal


After the regular upload, the file is scanned with the different products and their engines and the results will be available for everyone, together with links to various third party tools and websites. One very interesting feature is the link to the ThreatExpert sandbox analysis (if one already exists) as it shows what the file is actually doing.
Another great feature: all files uploaded are sent to every security software vendor participating, after the scan and analysis. Of course, this whole forwarding process takes some time and it does not imply that you cannot directly send your suspicious files to your personal AV software vendor any more. Actually, you are invited to send the files in, as this could reduce detection time! But using the free online scanner services can give you some pre-analysis results, at least.

What do the multi scanner analysis results mean?
A possible analysis result could be that you have sent in a sample which every single scanner used detects as malware. That’s the best result!
In case some products or engines are not detecting the sample as malware, the file was not rated malicious by using the signatures provided in that particular engine or product. This does not mean that the malware is not at all detected by the AV product!
These days, comprehensive AV products consist of many more anti-malware techniques than only a signature scanner. Obviously, behavior detection, heuristic methods, intrusion prevention, sandbox mechanisms, cloud technologies and other technologies, like e.g. our own G Data BankGuard technology against banking trojans, are not included in the overall result or av online multi scanners. 
Conclusion: If a malicious file is not detected as malicious in such a multi online scanner, you cannot automatically conclude, out of this analysis, that some new malware is actually not detected or stopped by your AV product. Online multi scanners do not consider all the other protection technologies!

The good: some don’t understand the system

The strange thing is, that some script kiddies or wannabee malware writers are still using the popular public online scanning services to test their newly created malware creations and to check whether they are detected or not. During a popular European hacking conference last year, even a professor from the UK showed the public that this method was very interesting to create new malware with.
But, as these tested files are actually sent to all security vendors and real computer protection is not only depending on signatures, it is almost unbelievable for us that this still occurs. 

 

The bad: underground websites and going offline
Underground members understood that uploading their malware files to such a public scanner is not the best idea for their means and they have therefore set up their own services and sites where they can upload their own new malware to. These sites are obviously not forwarding the files to the security software vendors. 
The problem: If a John Doe stumbles upon such an underground scanner website, he cannot rely upon the results presented, because the websites and services are controlled by the bad guys. It is often quite difficult to distinguish public, safe websites from the underground ones – therefore, one should be informed and, for example, stick to the sites mentioned above.


Screenshot of Kim Multiscanner optionsSometimes, malware writers are using offline multi scanner software like “Kim Multiscanner” or “antivirusmulti” to try their new malware stuff as well. “Kim Multiscanner” has continuously been improved since its first appearance in 2006. The application is built around pirated versions of the included anti-virus products. While scanning, the tester can even choose whether to include the heuristic scan technologies in addition to the signature scanning. This way, the tester might find out if the malware tested can bypass the different scanning techniques at some level. 


 

 

 

The conclusion
Behavior detection, heuristic methods, intrusion prevention, sandbox mechanisms, cloud technologies and other technologies, like our own G Data BankGuard technology, will stop a lot of new malware proactively or just right after its appearance on the Internet. Comprehensive AV products do not rely on virus signatures only. But online multi scanners do – and this is a huge difference you should know about while using the public services. The online multi scanner analyses can give you an initial idea of the file checked, but not more. You need to know how to interpret and read the results properly.

Search