SANS ISC InfoSec Handlers Diary Blog


The Good, the Bad and the Unknown Online Scanners

Published: 2011-02-07
Last Updated: 2011-02-07 03:41:48 UTC
by Pedro Bueno (Version: 1)
 
Online virus scanners are quite common services, usually offered by individual anti-virus vendors, and most major AV vendors offer one.
But sometimes you may want to check whether other AV products see anything malicious in a file, and for this reason the online multi-AV scanners exist.
Over the past few years we have seen really good examples of these services, such as Hispasec's VirusTotal and many others, which, while they should not be
used as an AV comparative test, will give a good idea of whether a file is malicious or not.
 
The good multi-AV online scanners provide a good level of information to the community, such as allowing searches based on the file hash, and
some level of feedback to the security companies.
 
However, malware writers have also found out about these services and now look for ones that do not contribute to the security
community.
 
What follows is a list compiled from what I've been observing and researching for some time.
 
I classified them as RED, YELLOW and GREEN.
 
RED means the service is/was actively being used by malware writers/cyber criminals to create/verify malware.
YELLOW means that I consider it suspicious but could not find enough info to classify it as RED.
GREEN means general-purpose AV scanner websites that contribute/share results with the AV industry.
 
virustotal.com - GREEN
filterbit.com - GREEN
virscan.org - GREEN
scanner.novirusthanks.org - GREEN
virusscan.jotti.org - GREEN
 
scanner.virus.org - YELLOW
viruschief.com - YELLOW
virus-trap.org - YELLOW
killv.com - YELLOW
 
virtest.com - RED
avcheck.ru - RED
avcheck.biz - RED
scan4you.net - RED
avhide.com - RED
nicescan.net - RED
 
Another technique used by malware writers is the use of standalone multi-scanners, where KIMS seems to be the most popular one.
 
So, from now on, when you scan a file, I would recommend using those marked as GREEN.
 
If you have good info about the ones marked as YELLOW, please share it with me and I will update this diary as needed.
 
--------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno // isc. sans. org)
Twitter: twitter.com/besecure
www.mysectools.com
 
Keywords: av malware scanner virus