Dangermouse 5 Posted December 7, 2016
Why are threats that have already been included in old signature files being added to new signature files?

Administrators Marcos 5,406 Posted December 8, 2016
I'm sorry but I don't understand your question. Basically a signature is added just once. I can't imagine re-adding millions of signatures each time; in such a case you'd need to download > 30 MB with each update.

Dangermouse 5 Posted December 8, 2016 Author
OK, here is an example:
hxxp://www.virusradar.com/en/update/info/14565
contains a signature for Win32/Autoit.IV, but clicking on the link from the list of update 14565 shows:
Category worm
Detection created May 16, 2013
Signature database version 9534
Win32/Autoit.IV [Threat Name]
Detection created 2013-05-16
World activity peak 2016-03-05 (0.07 %)
Clicking on the link for update 9534 shows the same threat, and the same variant.
In fact, this threat is also listed in another recent signature file:
hxxp://www.virusradar.com/en/update/info/14559
Edited December 8, 2016 by Dangermouse

Administrators Marcos 5,406 Posted December 8, 2016
Detections for variants of the Autoit.IV worm were added on the following days:
16.5.2013 30.6.2013 30.7.2013 19.9.2013 5.10.2013 17.10.2013 18.10.2013 5.11.2013 25.11.2013 9.12.2013 13.1.2014 30.1.2014 26.2.2014 5.3.2014 6.3.2014 12.3.2014 20.3.2014 26.3.2014 3.4.2014 9.4.2014 26.5.2014 3.6.2014 11.6.2014 23.6.2014 24.6.2014 15.7.2014 29.7.2014 4.8.2014 29.8.2014 8.9.2014 9.9.2014 16.9.2014 30.9.2014 16.10.2014 22.10.2014 30.10.2014 6.11.2014 14.11.2014 24.11.2014 24.12.2014 7.1.2015 14.1.2015 25.2.2015 3.3.2015 6.3.2015 24.3.2015 30.3.2015 7.4.2015 24.4.2015 25.4.2015 28.4.2015 7.5.2015 8.5.2015 11.5.2015 12.5.2015 13.5.2015 19.5.2015 20.5.2015 21.5.2015 22.5.2015 23.5.2015 25.5.2015 29.5.2015 1.6.2015 2.6.2015 4.6.2015 5.6.2015 8.6.2015 10.6.2015 11.6.2015 12.6.2015 15.6.2015 17.6.2015 18.6.2015 22.6.2015 23.6.2015 24.6.2015 26.6.2015 29.6.2015 30.6.2015 2.7.2015 7.7.2015 13.7.2015 17.7.2015 27.8.2015 7.9.2015 8.9.2015 9.9.2015 6.10.2015 26.10.2015 2.11.2015 4.11.2015 9.11.2015 10.11.2015 12.11.2015 14.12.2015 15.12.2015 11.1.2016 18.1.2016 15.2.2016 24.2.2016 3.3.2016 17.3.2016 18.3.2016 21.3.2016 22.4.2016 9.5.2016 12.5.2016 14.5.2016 8.6.2016 16.6.2016 8.7.2016 23.8.2016 11.10.2016 21.10.2016 24.10.2016 22.11.2016 28.11.2016 6.12.2016 7.12.2016

Dangermouse 5 Posted December 8, 2016 Author
Thanks for the wall of text. Do I infer from it that the descriptions in the signature files don't necessarily detail all of the variants, even though the example I gave is listed as a specific variant? i.e., some of the 'variants' listed in the signature file descriptions are generic umbrella terms for minor variations?

Administrators Marcos 5,406 Posted December 8, 2016
That's correct. For instance, if there are more components of a malware or if there are very little differences between variants they may be detected under the very same name.