Submitting a sample to Virustotal (usually) means that it will trickle
down to the various AV vendors for detection
Depending on your organizations needs, you
might have to struggle with
not only internal clients but also the
dreaded external clients.
External clients are tricky as in most cases you are
not able to control them at all or you most likely don’t know which kind of AV
protection they have (if they have any that is)
Enters Virustotal, which enables you to
spread knowledge and hopefully detection to “all” AV vendors at least that is
the idea.
I was told that samples sent to VT would not
propagate to the vendors if less then two vendors
detected the sample, this was a couple of years ago mind you.
So armed with the knowledge that you need
some kind of "basic detection" to be able to get the attention of the AV
vendors (I will leave out Flame which everyone jumped on ;)).
The solutions for this, has been to utilize the
in-house AV vendors to “kick start” the detection.
Most companies big and small have at least
one subscription/contract with an AV vendor, many have several different vendors
(client/server, mail, proxy etc). These are companies that are present (most
likely) on Virustotal. But VT is not the place to start if you need
detection fast!
If you need detection in a timely fashion,
you should use the SLA you pay for from your
AV vendor(s).
This is how I usually do:
You begin with having “your” AV vendor(s)
create detection for your sample and then you push it to Virustotal for the rest
to pick up.
I also usually make direct submits to different
AV vendors, using the different methods they offer on their websites as they
seems to have different priorities for the different channels the receive
samples from and VT seems not always to be prioritized..
So to be successful in you detection
campaign, start off with the
services you pay for then continue with the
free to get better coverage.
I double checked my VT fact just a couple of
days ago and the current
situation is that you need at least one
vendor to detect the sample for it to “spread”, but there are differences between
vendors and vendors.
Lesser know ones would not trigger the bigger players to react (this is my own interpretation of what I was told) and even then it's finally up to the
Lesser know ones would not trigger the bigger players to react (this is my own interpretation of what I was told) and even then it's finally up to the
receiving AV company to decide if they would
like to react on the sample or not.
If you have another recipe for success,
please let me know. I’m always interested in how others are doing their “AV
submit optimizing”
/Micke