Ziff Davis Enterprise
Monday, April 09, 2007 10:59 AM/EST

Virus-SubTotal?

In a recent blog post, McAfee's Avert Labs denigrated the value of VirusTotal and similar sites. They sort of have a point. They claim that some script-based malware is encoded and obscured until rendered in (for example) Internet Explorer. (It is at this point that McAfee's ScriptScan product kicks in and makes sure nothing untoward is going on.)

There probably is a practical value to scanning at this stage when the obfuscation has been lifted, but in theory they should be able to figure at least some of this out in advance.
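An added illustration, not code from McAfee, VirusTotal or the original post: a static pass that decodes literal-only script encodings before matching, set beside a sample whose decoding key exists only at render time, which only a render-time scanner would see decoded. The marker string, sample scripts and function names are constructed for this example.

```javascript
// Added example. SIGNATURE is a constructed, harmless marker standing in for an AV pattern.
const SIGNATURE = "EXAMPLE-MALWARE-MARKER";

// File-only scanning: match the script exactly as submitted.
function scanRaw(text) {
  return text.includes(SIGNATURE);
}

// Statically decode literal-only encodings, without executing anything:
// runs of %xx escapes and String.fromCharCode(n, n, ...) with numeric arguments.
function decodeLiterals(text) {
  const found = [];
  for (const m of text.matchAll(/(?:%[0-9a-fA-F]{2}){4,}/g)) {
    try { found.push(decodeURIComponent(m[0])); } catch { /* invalid UTF-8: skip */ }
  }
  for (const m of text.matchAll(/fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)/g)) {
    found.push(String.fromCharCode(...m[1].split(",").map(Number)));
  }
  return found;
}

// Scan the raw text, then each decoded layer, up to maxDepth layers deep.
function scanDeobfuscated(text, maxDepth = 5) {
  let layer = [text];
  for (let depth = 0; depth <= maxDepth && layer.length > 0; depth++) {
    if (layer.some(scanRaw)) return { hit: true, depth };
    layer = layer.flatMap(decodeLiterals);
  }
  return { hit: false, depth: null };
}

// Constructed samples (not real malware): the marker wrapped in 1 and 2 literal layers,
// and one whose decoding key exists only once the page is rendered.
const pct = s => [...s].map(c => "%" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const codes = s => [...s].map(c => c.charCodeAt(0)).join(",");
const inner = `document.write("${SIGNATURE}")`;
const oneLayer = `eval(unescape("${pct(inner)}"))`;
const twoLayers = `eval(String.fromCharCode(${codes(oneLayer)}))`;
const xored = [...inner].map(c => c.charCodeAt(0) ^ 5).join(",");
const runtimeKeyed = `var k=document.title.length,d=[${xored}];/* d[i]^k decoded at render time */`;

for (const [name, s] of Object.entries({ inner, oneLayer, twoLayers, runtimeKeyed })) {
  console.log(name, "raw:", scanRaw(s), "static decode:", JSON.stringify(scanDeobfuscated(s)));
}
```

The two literal-layer samples are missed by the raw match and caught after static decoding; the runtime-keyed sample is missed by both, which is the case the render-time argument rests on.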

I also now have to wonder about the possibility of a "heuristic" VirusTotal that would actually run submitted malware in dynamically-generated VMs. Perhaps something like that is possible with some security products and a heck of a lot more hardware than VirusTotal uses right now.


Comments (1)

Each technology has a correct way of being used. VirusTotal is not the site for sending javascript-obfuscated exploits to see if they're detected by AVs. As you mention, it makes more sense to use it for what that exploit ends up downloading to that site.
