9 Replies Latest reply on Sep 25, 2010 3:39 AM by Mal09

    Poor response time by Avert Labs on new malware samples

      Hi all,


      Since about the beginning of this year, we have had complaints about the poor response time of Avert Labs on new malware samples that we submit. It is very rare that we get a response within a few days. We check new suspicious samples with www.virustotal.com before we submit them in the customer support portal ( https://mysupport.mcafee.com/Eservice/SubmitMalwareSample.aspx ). The samples we submit are usually not detected by Artemis.


      I would be interested in what you guys experience with Avert Labs response times. Do you get a quick response within a (couple of) day(s)?

      How do you deal with this problem? ("Artemis very high" doesn't seem to be the solution).


      Regards

      F. Nold


      -----------------------------------

      epo 4.5, VSE 8.7P3, SAE 3P2

        • 1. Re: Poor response time by Avert Labs on new malware samples

          We've been submitting quite a few lately and typically response time is within a day. I submitted samples yesterday around noon and within 10 hours had an Extra.dat to detect them.


          Scott

          • 2. Re: Poor response time by Avert Labs on new malware samples
            PhilR

            But how long does it take for those extra.dat detections to be rolled into the daily DAT files?


            Message was edited by: PhilR on 05/08/10 05:42:40 CDT
            • 3. Re: Poor response time by Avert Labs on new malware samples
              eobiont

              We had malware yesterday that was coming in as lsass.exe in the user profile. I submitted it to virustotal.com and the virus was detected by > 80% of AV vendors - but not McAfee.


              I submitted a sample to McAfee and it still doesn't detect it today in either Artemis or the actual DAT.

              • 4. Re: Poor response time by Avert Labs on new malware samples

                Usually we submit new samples or false positives via the web interface mysupport.mcafee.com.

                We complained about the slow response time at McAfee and got the advice to call the support hotline directly after submitting a new case and ask the support agent to escalate the new case asap. It looks like there is a problem that new malware samples submitted via the Support portal are not directly forwarded to Avert Labs. Strange, but maybe this helps.



                @HerronScott: I have no idea how long it takes for those extra.dat detections to be rolled into the daily DAT files. That has been another problem for us, but there is an Extra.dat merge tool available which helps to merge those dats (we always pasted those dat files together, even if it was not supported by McAfee. Most of the time this did the job ;-) ).

                regards

                • 5. Re: Poor response time by Avert Labs on new malware samples

                  @F. Nold: Good to see that we are not the only ones who suffer from this issue. Today I sent in a new malware sample (a variant of Zbot/Bredo), and I am still waiting for any kind of feedback. We are checking new samples too with virustotal.com, and concerning the aforementioned sample McAfee did not catch it, not even with Artemis activated. This has happened several times in the last few weeks.


                  Much worse is the fact that the sample was detected by ClamAV, an open source virus scanner!


                  I would highly appreciate a quicker response from McAfee, because I don't want to spend my time uploading the samples several times to virustotal.com just to check whether it is detected now by VSE.


                  Cheers,

                  Markus

                  • 6. Re: Poor response time by Avert Labs on new malware samples

                    That's odd.


                    One time I did send a sample up and the next day they sent me an extra.dat to detect and remove the infections. However, during the night before I got the extra.dat, a new Artemis signature was released and ended up cleaning all the machines anyway. If anything, I find them a bit slower in the ability to detect malware than other vendors, but generally still pretty good.


                    Frostbitte

                    • 7. Re: Poor response time by Avert Labs on new malware samples

                      My experience has been mixed. I have received some extra.dats in response to samples I have submitted, and some things I submitted were inconclusive. Generally within a day or two I have had a response one way or the other.


                      Just an FYI. I have had better success by submitting the actual problem executable instead of related .dlls or .ini files that may be in the same directory. I still have to do some manual cleanup myself, such as removing an entry from HKLM\Software\Microsoft\Windows\CurrentVersion\Run to prevent the automatic execution of files on startup.
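The manual cleanup step in the post above (inspecting the Run key and removing the entry that relaunches the sample) is easy to get wrong by hand, and the same pass is where you collect the hash you need for a VirusTotal lookup or a sample submission. The script below is an added example, not code from this thread or from McAfee. It assumes PowerShell 4 or later (for Get-FileHash) and an account that can read both HKLM and HKCU; it enumerates the Run/RunOnce values, resolves each command line to its executable, hashes the file, and flags entries whose target lives in a user-profile or temp directory (the lsass.exe-in-the-user-profile pattern mentioned earlier in the thread). The removal line is left commented out so nothing is changed until an entry has actually been confirmed as malicious.

```powershell
# Added example (not from the thread): audit the Run/RunOnce autorun keys,
# hash each target binary, and flag entries that point into user-writable paths.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a legitimate persistence entry should rarely point into.
$userWritableRoots = @($env:USERPROFILE, $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC)

function Resolve-AutorunTarget {
    param([string]$Command)
    # Extract the executable path from a command line such as
    #   "C:\Users\x\AppData\Roaming\lsass.exe" /silent
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($expanded -match '^\s*(\S+\.exe)')   { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-AutorunReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd    = [string]$item.GetValue($name)
            $target = Resolve-AutorunTarget $cmd
            $hash   = $null
            if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
                $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
            }
            $inUserSpace = $false
            foreach ($root in $userWritableRoots) {
                if ($root -and $target -and
                    $target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inUserSpace = $true
                }
            }
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $cmd
                Target     = $target
                Exists     = [bool]$hash
                SHA256     = $hash
                Suspicious = $inUserSpace -or (-not $hash)   # missing file is also worth a look
            }
        }
    }
}

# Review the report first; the SHA256 column is what you look up on VirusTotal
# or attach to a sample submission.
Get-AutorunReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Only after an entry is confirmed malicious, remove that single value
# (the manual step the post describes). Replace the placeholder name first.
# Remove-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name '<value name>'
```

Run it in an elevated session so the HKLM keys are readable; entries flagged Suspicious are candidates for a closer look, not automatic verdicts, since some legitimate updaters also live under AppData.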

                      • 8. Re: Poor response time by Avert Labs on new malware samples
                        gboucher

                        I just stumbled on this discussion and I find it very interesting! On our side we are still waiting for an email, an extra.dat, etc. for something like 23 SRs "Work in progress". The oldest one is from 5/18/2010 11:10:31 PM! Ehhh, is this the new way to do business for McAfee? I work for a public school and often speak with IT techs from many other schools, and more and more of them decide to change vendor! Please McAfee! Do something, anything, to convince me to stay with you, because our contract is coming to an end soon. And I'm very tired of having to submit all of my collection of viruses on VirusTotal to see if you can now catch them!

                        • 9. Re: Poor response time by Avert Labs on new malware samples

                          I find McAfee Labs to be hit'n'miss with samples.


                          I've submitted false positives, and some samples (Platinum support account, so supposedly I get priority) and have had extra.dats in a few hours. I've also submitted samples that I never get a response to, and samples that take ages for a response. I've even been told that malware isn't malware even though I know it is, and this is backed up by other AV companies detecting the file.


                          I realise what McAfee Labs face in their daily work, but I suspect that there are many inexperienced malware analysts being employed (and no, I'm not talking about the *stars* I used to deal with 2+ years ago), and the increase in samples being seen has caused a lot of issues with the whole process.


                          Webimmune was great when it was first implemented, but doesn't seem to be relevant these days (and I get told *not* to submit samples there as a corporate customer). It also never had a feature for submitting suspected false positives, nor has it been updated for Artemis detections. The same seems to happen with emailed samples - why can't the email submission system handle Artemis detections and escalate appropriately?