终于发现norman为什么被称为＂挂王＂的原因了

显示全部楼层 · 发表于 2007-7-14 07:37:58

这两天用norman去样本去逛逛，发现norman爱“挂”的原因了，在样本区我相信很多人直接拿到压缩文件就上多引擎扫描网站去扫描，这是错误的做法，我来举两个例子
         例一：在样本区找的原贴地址如下：http://bbs.kafan.cn/viewthread.php?tid=107881&extra=page%3D1&page=1
         里面的样本下下来后上jotti去scan了一下得到如下结果

Scanner	Name der Malware
A-Squared	X
AntiVir	SPR/YFlood.A.2
ArcaVir	X
Avast	X
AVG Antivirus	X
BitDefender	X
ClamAV	X
Dr.Web	X
F-Prot Antivirus	X
F-Secure Anti-Virus	X
Fortinet	X
Kaspersky Anti-Virus	X
NOD32	X
Norman Virus Control	X
Panda Antivirus	X
Rising Antivirus	X
Sophos Antivirus	X
VirusBuster	X
VBA32	Flooder.VB.1 (paranoid heuristics)

然后我用norman的右键扫描来直接扫描压缩包后得到如下结果
===================================================================================================
NVCOD On Demand Scanner 5.80.02
NSE revision 5.91.02
nvcbin.def revision 5.90.00 of 2007/07/13 18:54:26 (807131 variants)
nvcmacro.def revision 5.90.00 of 2007/06/29 06:32:19 (20341 variants)
Total number of variants: 827472
Command line: "@C:\Users\Jason\AppData\Local\Temp\~ODCAB3.tmp"
===================================================================================================
   Time  Filename                                                    Virus name
---------------------------------------------------------------------------------------------------
- Scanning files matching: D:\virus\wl.zip
   140 ms D:\virus\wl.zip : wl.exe                                  Security Risk Suspicious_F.gen ()
   15 ms D:\virus\wl.zip
   16 ms D:\virus\wl.zip:Zone.Identifier
===================================================================================================
The scanning started: 2007/07/14 07:22:01
            ended: 2007/07/14 07:22:01
Logged on as       : Jason
on hostname       : JASON-PC
Scanning results:
Total number of files found..............................:    3
Number of files scanned..................................:    3
Number of files/directories skipped due to exclude list..:    0
Number of files that could not be opened.................:    0
Number of archive files unpacked.........................:    1
Number of archive files not unpacked.....................:    0
Number of infections.....................................:    1
Copyright (c) 1993-2005 Norman ASA.

看来jotti上报的与事实是不吻合的
我解压后把病毒文件拿到jotti去scan了一下得到如下结果

Scanner	Malware name
A-Squared	HackTool.Win32.Delf.bw
AntiVir	X
ArcaVir	X
Avast	X
AVG Antivirus	HackTool.AID
BitDefender	X
ClamAV	X
Dr.Web	X
F-Prot Antivirus	X
F-Secure Anti-Virus	X
Fortinet	X
Kaspersky Anti-Virus	X
NOD32	X
Norman Virus Control	X
Panda Antivirus	X
Rising Antivirus	Hack.Delf.fv
Sophos Antivirus	X
VirusBuster	X
VBA32	X

例2在样本区找的原贴地址如下：http://bbs.kafan.cn/viewthread.php?tid=107807&extra=page%3D1
里面的样本下下来后上jotti去scan了一下得到如下结果

Scanner	Malware name
A-Squared	Trojan-Spy.Win32.Ardamax.i
AntiVir	SPR/Ardamax.K.Gen
ArcaVir	X
Avast	X
AVG Antivirus	PSW.Generic4.VMJ
BitDefender	Trojan.Ardamax.O
ClamAV	Trojan.Spy.Ardamax-25
Dr.Web	X
F-Prot Antivirus	X
F-Secure Anti-Virus	Trojan-Spy.Win32.Ardamax.e
Fortinet	X
Kaspersky Anti-Virus	Trojan-Spy.Win32.Ardamax.e
NOD32	X
Norman Virus Control	X
Panda Antivirus	X
Rising Antivirus	X
Sophos Antivirus	X
VirusBuster	X
VBA32	Trojan-Spy.Win32.Ardamax.i

然后我用norman的右键扫描来直接扫描压缩包后得到如下结果
===================================================================================================
NVCOD On Demand Scanner 5.80.02
NSE revision 5.91.02
nvcbin.def revision 5.90.00 of 2007/07/13 18:54:26 (807131 variants)
nvcmacro.def revision 5.90.00 of 2007/06/29 06:32:19 (20341 variants)
Total number of variants: 827472
Command line: "@C:\Users\Jason\AppData\Local\Temp\~OD4B5E.tmp"
===================================================================================================
   Time  Filename                                                    Virus name
---------------------------------------------------------------------------------------------------
- Scanning files matching: D:\病毒上报\my.zip
   172 ms D:\病毒上报\my.zip : my.exe                               Security Risk Suspicious_F.gen ()
      0 ms D:\病毒上报\my.zip
   31 ms D:\病毒上报\my.zip:Zone.Identifier
===================================================================================================
The scanning started: 2007/07/14 07:30:09
            ended: 2007/07/14 07:30:09
Logged on as       : Jason
on hostname       : JASON-PC
Scanning results:
Total number of files found..............................:    3
Number of files scanned..................................:    3
Number of files/directories skipped due to exclude list..:    0
Number of files that could not be opened.................:    0
Number of archive files unpacked.........................:    1
Number of archive files not unpacked.....................:    0
Number of infections.....................................:    1
Copyright (c) 1993-2005 Norman ASA.
看来jotti上报的与事实是不吻合的
我解压后把病毒文件拿到jotti去scan了一下得到如下结果

Scanner	Malware name
A-Squared	X
AntiVir	TR/Spy.Delf.EQ.2
ArcaVir	X
Avast	Win32:Delf-BUH
AVG Antivirus	PSW.Delf.2.U
BitDefender	BehavesLike:Win32.ExplorerHijack
ClamAV	Trojan.Small-69
Dr.Web	Trojan.Flower
F-Prot Antivirus	unknown virus
F-Secure Anti-Virus	Trojan-Spy.Win32.Delf.eq
Fortinet	W32/Delf.EQ!tr
Kaspersky Anti-Virus	Trojan-Spy.Win32.Delf.eq
NOD32	probably unknown NewHeur_PE
Norman Virus Control	Suspicious_F.gen
Panda Antivirus	Generic
Rising Antivirus	X
Sophos Antivirus	Mal/Basine-A
VirusBuster	Packed/FSG
VBA32	X

例三在样本区找的原贴地址如下：http://bbs.kafan.cn/viewthread.php?tid=107119&extra=page%3D2&page=1
里面的样本下下来后上jotti去scan了一下得到如下结果

Scanner	Name der Malware
A-Squared	Trojan-PSW.Win32.Magania.gs
AntiVir	TR/Keylog.24576
ArcaVir	X
Avast	Win32:Trojan-gen. {Other}
AVG Antivirus	Perflogger.AP
BitDefender	Generic.Perfloger.B172C380
ClamAV	Trojan.Perflog
Dr.Web	Trojan.Peflog.156
F-Prot Antivirus	X
F-Secure Anti-Virus	not-a-virus:Monitor.Win32.Perflogger.ca (6, 2, 604)
Fortinet	X
Kaspersky Anti-Virus	not-a-virus:Monitor.Win32.Perflogger.ca
NOD32	Win32/Spy.PerfKey
Norman Virus Control	W32/Banker.YZI
Panda Antivirus	X
Rising Antivirus	Trojan.Perflog.fc
Sophos Antivirus	X
VirusBuster	Trojan.DL.ILoveHonk.A
VBA32	Trojan.Peflog.156

然后我用norman的右键扫描来直接扫描压缩包后得到如下结果
===================================================================================================
NVCOD On Demand Scanner 5.80.02
NSE revision 5.91.02
nvcbin.def revision 5.90.00 of 2007/07/13 18:54:26 (807131 variants)
nvcmacro.def revision 5.90.00 of 2007/06/29 06:32:19 (20341 variants)
Total number of variants: 827472
Command line: "@C:\Users\Jason\AppData\Local\Temp\~OD96D1.tmp"
===================================================================================================
   Time  Filename                                                    Virus name
---------------------------------------------------------------------------------------------------
- Scanning files matching: D:\病毒上报\Setup.rar
      0 ms D:\病毒上报\Setup.rar
      0 ms D:\病毒上报\Setup.rar:Zone.Identifier
===================================================================================================
The scanning started: 2007/07/14 08:31:36
            ended: 2007/07/14 08:31:36
Logged on as       : Jason
on hostname       : JASON-PC
Scanning results:
Total number of files found..............................:    2
Number of files scanned..................................:    2
Number of files/directories skipped due to exclude list..:    0
Number of files that could not be opened.................:    0
Number of archive files unpacked.........................:    0
Number of archive files not unpacked.....................:    0
Number of infections.....................................:    0
Copyright (c) 1993-2005 Norman ASA.
看来这次jottiMS错了
but
我解压后
========================================================
Norman Message [2007/07/14 08:31:55]
--------------------------------------------------------
Application: NVC Cats Claw
Node address: 192.168.0.5
--------------------------------------------------------
ALARM:
Virus infected:
Virus name: 'W32/Malware.AARA'
Login information: User 'Jason' on host 'JASON-PC'.
File infected: d:/病毒上报/setup.exe
Virus repaired:
Virus name: 'W32/Malware.AARA'
这说明norman扫rae格式的压缩包是不会报的　而在jotti上扫描压缩包却会报
而解压后不管是扫描还是监控都会报的
但我发现jotti上报的名字和Norman报的名字不一样
　　　　　例四　在样本区找的原贴地址如下：http://bbs.kafan.cn/viewthread.php?tid=107562&extra=page%3D2
　　　　　里面的样本下下来后上jotti去scan了一下得到如下结果
　　　　　

Scanner	Name der Malware
A-Squared	Trojan.Win32.Agent.ho
AntiVir	TR/Drop.Agent.abw
ArcaVir	Trojan.Agent.Ho
Avast	Win32:Trojan-gen. {Delphi}
AVG Antivirus	X
BitDefender	Trojan.Dropper.Agent.ABW
ClamAV	X
Dr.Web	Trojan.Favadd
F-Prot Antivirus	security risk or a "backdoor" program
F-Secure Anti-Virus	Trojan-Dropper.Win32.Agent.abw
Fortinet	W32/Agent.ABW!tr
Kaspersky Anti-Virus	Trojan-Dropper.Win32.Agent.abw
NOD32	Win32/TrojanDropper.Agent.ABW
Norman Virus Control	Agent.YDJ
Panda Antivirus	Trj/Downloader.MDW
Rising Antivirus	X
Sophos Antivirus	Troj/Agent-EXJ
VirusBuster	X
VBA32	Trojan-Dropper.Win32.Agent.abw

然后我用norman的右键扫描来直接扫描压缩包后得到如下结果
===================================================================================================
NVCOD On Demand Scanner 5.80.02
NSE revision 5.91.02
nvcbin.def revision 5.90.00 of 2007/07/13 18:54:26 (807131 variants)
nvcmacro.def revision 5.90.00 of 2007/06/29 06:32:19 (20341 variants)
Total number of variants: 827472
Command line: "@C:\Users\Jason\AppData\Local\Temp\~OD9E28.tmp"
===================================================================================================
   Time  Filename                                                    Virus name
---------------------------------------------------------------------------------------------------
- Scanning files matching: D:\病毒上报\Ignore.rar
      0 ms D:\病毒上报\Ignore.rar
   16 ms D:\病毒上报\Ignore.rar:Zone.Identifier
===================================================================================================
The scanning started: 2007/07/14 08:46:50
            ended: 2007/07/14 08:46:50
Logged on as       : Jason
on hostname       : JASON-PC
Scanning results:
Total number of files found..............................:    2
Number of files scanned..................................:    2
Number of files/directories skipped due to exclude list..:    0
Number of files that could not be opened.................:    0
Number of archive files unpacked.........................:    0
Number of archive files not unpacked.....................:    0
Number of infections.....................................:    0
Copyright (c) 1993-2005 Norman ASA.
关闭监控　解压后进行扫描
扫描出了３个
看来又是Norman不扫描rar格式的压缩包的原因
总结：如果直接拿压缩包上多引擎网站扫描Norman有些是不会直接报的
而在PC里 zip格式的压缩包用norman直接扫描是会报的而rar压缩包用norman直接扫描是不会报的而解压后不管是扫描还是监控都会报的
如果解压后用病毒文件上多引擎扫描那么结果绝大部分会和用压缩包上多引擎网站扫描的结果是不一样的
有时拿病毒文件上多引擎网站扫描也不会报的而用norman扫描病毒文件是会报的
因此有些人说norman是挂王这是毫无根据的

欢迎大家对此进行评论如有错误我会及时更改
最后付四个样本

[ 本帖最后由 woai_jolin 于 2007-7-14 08:57 编辑 ]

显示全部楼层 · 发表于 2007-7-14 09:29:16

因為norman 不支持 rar 掃瞄

你得發email 去叫 norman 加 rar 掃瞄吧

显示全部楼层 · 发表于 2007-7-14 09:33:49

norman有点不适合中国人的使用习惯

显示全部楼层 · 发表于 2007-7-14 09:36:06

没用过norman
但中国用RAR的还是不少的

显示全部楼层 · 发表于 2007-7-14 09:43:00

norman现在有80多w的病毒库

显示全部楼层 · 发表于 2007-7-14 09:48:28

原来是这样,哈...就算是ZIP模式扫描也不见得强多少....

显示全部楼层 · 发表于 2007-7-14 09:50:31

原帖由 tracydk 于 2007-7-14 09:48 发表
原来是这样,哈...就算是ZIP模式扫描也不见得强多少....

那就不一定咯
今天去绅博的可疑档案区
norman报了n个
下了rar格式的解压用norman scan你就知道norman有好强咯

显示全部楼层 · 发表于 2007-7-14 09:56:59

原帖由 woai_jolin 于 2007-7-14 09:50 发表

那就不一定咯
今天去绅博的可疑档案区
norman报了n个
下了rar格式的解压用norman scan你就知道norman有好强咯

偶看重的是要么查毒率如:红伞要么防毒能力强如:微点
还有就是对上报的处理态度...AVAST之流就算了....

NORMAN不知道有什么特点没???
偶还有BETA的KEY,....说的偶想装来用下

显示全部楼层 · 发表于 2007-7-14 09:59:26

还有就是NOMRAN的真实水平很多人不知道的...因为太多人没用过...偶就喜欢中国人用的少的杀软,不过要有一定的实力,如AVG就算了.....

显示全部楼层 · 发表于 2007-7-14 10:01:31

有人说norman是资源大户
这是错误的说法
说实话norman的资源占用超小
还有norman拥有无与伦比的sandbox以及80多w的病毒库

[版主公告] 终于发现norman为什么被称为＂挂王＂的原因了

本帖子中包含更多资源

评分

回复 #8 tracydk 的帖子