missed detection (locked thread)

  • Question

  • Submitted Files
      =============================================
      MobileXpressTray.exe [TrojanDownloader:Win32/Bambenoy.A]

    Though I do have to say it's in good company, this is something I didn't expect from OneCare.
    I found this thing in my Task Manager. It was located in my startups.
    I submitted the file to Microsoft Security Support, and on the online web site http://www.virustotal.com/ 0 of 37 say nothing's wrong with it. After 2 days, Microsoft Malware Protection Center claims it's got the Trojan above.
    Searching MS and the web, this name seems to be total fantasy, or known only to me and MMPC.
    Yes, OneCare missed it even with a direct scan; the file was compacted & encrypted. Since this thing was in my startups, and I found it in my Task Manager [it couldn't have been on my machine long located there], is there a set of files that can test OneCare for detection?
    Wednesday, April 22, 2009 3:04 PM

Answers

  • The problem with test files is that they only test the capability of detecting known malware. What was perfect detection yesterday may not be so perfect today. Since malware morphs so quickly there will always be missed detections. Unfortunately the malware writers will always be one step ahead of the antimalware industry.
    Jim - MVP Windows Live - Forum Moderator - Live One Care - Live Mesh
    Wednesday, April 22, 2009 3:48 PM
    Moderator
  • The double reply is a display issue that you can change in your forum preferences. When they updated it recently, the default view is to duplicate the post or posts that are tagged as "answer" right below the question.

    The signatures for detection and removal in OneCare are developed and maintained by the Microsoft Antimalware group (it may have another name). They do the research and testing for all of the security threats. Identifying and naming a specific signature threat is the first step. Being able to consistently detect and remove or block it is another. By the time the signatures are updated, the malware has often evolved. Also, the deployed detection/clean signatures may not be 100% effective in all cases when first deployed.

    I don't know how to get more information on a threat if a search engine hasn't yet found published information on it. I suspect that searches later today and in the next few days will return this forum thread as a result near the top of the list.

    No, there's no way for us to test *any* virus scanner's effectiveness to provide any value to us. There are companies and organizations who do this, but their methodology is often reflective of the real world and can't possibly test for unknown threats that have not been developed at the time the test was developed, so the tests are of limited use.

    -steve
    Microsoft MVP Windows Live / Windows Live OneCare & Live Mesh Forum Moderator
    • Marked as answer by cbminfo Wednesday, April 22, 2009 7:15 PM
    Wednesday, April 22, 2009 7:01 PM
    Moderator

All replies

  • To add to Jim's reply, all of the security vendors tend to use their own naming conventions for the detected malware.
    -steve
    Microsoft MVP Windows Live / Windows Live OneCare & Live Mesh Forum Moderator
    Wednesday, April 22, 2009 3:58 PM
    Moderator
  • re: JimR1 MVP and Stephen Boots MVP. It doesn't seem to be a consistent problem. I've seen the double replies with Stephen on other questions I've asked. Today it's a single reply. Instead I see double replies by JimR1.
    ------------------------------
    Things I knew: viruses are constantly evolving. I suspect Conficker will be with us for the lifetime of the web.
    Malware writers will always be ahead of the detectors.
    Every virus software has a different name for known malware.
    Things I didn't know: That I'd be one of the 1st to get one before Google even knows about it.
    -------------------------------
    Basically I was just wanting to know if there isn't some file available from a TRUSTED source that can test onecare's virus detectability ?

    I know the files exist; I don't have any on hand. All the different virus programs I've had kept erasing them. I'm not real interested in diving into where I know for fact the viruses do exist just to test OneCare. Obviously something made it under OneCare's radar.
    ----------------------------
    I was under the impression Microsoft Security Support and onecare were one and the same as much as onecare and defender are one and the same. And I also would have figured, if they have identified, and named it, it should have been included in an update.
    ----------------------------
    Also, where can I get more info on this thing? I eventually deleted the 52kb file from startup. But being labeled a trojan downloader, I would suspect there's more lying around that I haven't found yet. And Google itself is less than helpful on this one.
    The hits are next to nothing. Even the plethora of 'let me scan your machine and destroy it' posts haven't alerted to this one.
    Like I said, it's like it doesn't exist.
    Only things I've been trying to install lately are the Fontographer demos. Whatever they're called now.
    Wednesday, April 22, 2009 6:11 PM
  • I just left Dshield, you might find me on another thread here re: a Dshield client.. see ya there.
    Wednesday, April 22, 2009 7:16 PM