The Good, the Bad and the Unknown Online Scanners

Published: 2011-02-07
Last Updated: 2011-02-07 03:41:48 UTC
by Pedro Bueno (Version: 1)
Online virus scanners are quite common services, usually offered by individual anti-virus vendors, and most major AV vendors offer one.
But sometimes you may want to check whether other AV engines see anything malicious in a file, and for this reason online multi-AV scanners exist.
Over the past few years we have seen really good examples of these services, such as Hispasec's VirusTotal and many others, which, while they should not be
used as an AV comparative test, will give a good idea of whether a file is malicious or not.
The good multi-AV online scanners provide a good level of information to the community, such as allowing searches based on the file hash, and
some level of feedback to the security companies.
However, the malware writers also found out about them and are now looking for such services that are not willing to contribute to the security
What follows below is a compiled list that I've been observing and researching for some time.
I classified them as RED, YELLOW and GREEN.
RED means the service is or was actively being used by malware writers/cyber criminals to create/verify malware.
YELLOW means that I consider it suspicious but could not find enough info to classify it as RED.
GREEN means general-purpose AV scanner websites that contribute/share results with the AV industry.
- GREEN - GREEN - GREEN - GREEN - GREEN - YELLOW - YELLOW - YELLOW - YELLOW - RED - RED - RED - RED - RED - RED
Another technique used by the malware writers is the use of standalone multi-scanners, of which KIMS seems to be the most popular.
So, from now on, before you scan your file, I would recommend those marked as GREEN.
If you have good info about the ones marked as YELLOW, please share it with me and I will update this diary as needed.
Handler on Duty: Pedro Bueno ( pbueno // isc. sans. org)
Keywords: av malware scanner virus
Unfortunately, bad guys are always using the NoVirusThanks service to test their creations, for one reason: they still offer the option "Do not distribute the sample"...