Michal Trs

6 September 2010

Spring cleaning in our virus database

We would have reached 3 million detections in our virus database (VPS) this week, but ... this huge number means that when you put all the detections together, there is no difference between a sophisticated algorithmic detection and a "temporary" machine-generated detection.

When a new undetected malware sample comes to our viruslab, we have a certain handling procedure. There is some preliminary automatic analysis and grouping with other malware samples we already have. If the group contains only a few samples, no human analysis is needed: the detection is machine generated and released in the next virus database update. Grouping malware together works within a relatively small time window. Bigger groups are handled by a human analyst.

Initially, each group starts small, with just one sample. As it grows, we deploy polymorphic detections which cover hundreds to thousands of previously machine-generated detections.

Now it is time to clean up and reduce the number of unnecessary detections. The main reason for this is to decrease the size of our virus database updates sent to users around the globe. This will reduce the amount of transferred data, subsequently reducing the amount of needed energy and helping, of course, our forests. :-)
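The triage and cleanup workflow described above, as an added example in Python (not Avast's code). The sample corpus, the grouping window, the analyst threshold and the detection names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed corpus: (sample id, feature key from preliminary analysis, arrival hour).
SAMPLES = [
    ("s1", "famA", 0), ("s2", "famA", 1), ("s3", "famA", 2), ("s4", "famA", 3),
    ("s5", "famB", 0), ("s6", "famB", 9),   # s6 arrives outside s5's grouping window
    ("s7", "famC", 5),
]

HUMAN_THRESHOLD = 3   # a group this large goes to an analyst (constructed value)
WINDOW_HOURS = 6      # grouping only considers samples within one window (constructed)

def triage(samples, threshold=HUMAN_THRESHOLD, window=WINDOW_HOURS):
    """Group samples by feature key within a time window. Small groups get one
    machine-generated detection per sample; larger groups are queued for a human."""
    groups = defaultdict(list)
    for sid, key, hour in samples:
        groups[(key, hour // window)].append(sid)
    machine, human = {}, {}
    for (key, bucket), sids in groups.items():
        if len(sids) < threshold:
            for sid in sids:
                machine[f"auto:{sid}"] = {sid}      # narrow, machine-generated detection
        else:
            human[f"{key}-w{bucket}"] = set(sids)   # analyst writes a generic detection
    return machine, human

def consolidate(machine, generic):
    """Spring cleaning: drop machine-generated detections whose samples are all
    covered by a generic (polymorphic) detection. Returns (new db, removed names)."""
    covered = set().union(*generic.values()) if generic else set()
    kept = {name: s for name, s in machine.items() if not s <= covered}
    removed = sorted(set(machine) - set(kept))
    return {**generic, **kept}, removed

def detects_all(db, samples):
    """Regression check for the cleanup: every known sample must still be detected."""
    covered = set().union(*db.values()) if db else set()
    return all(sid in covered for sid, _, _ in samples)

if __name__ == "__main__":
    machine, human = triage(SAMPLES)
    # The analyst later replaces famB's two narrow detections with one generic one.
    generic = {"FamA-gen": human["famA-w0"], "FamB-gen": {"s5", "s6"}}
    db, removed = consolidate(machine, generic)
    print(f"before: {len(machine) + len(generic)} detections, after: {len(db)}")
    print("removed:", removed, "| coverage intact:", detects_all(db, SAMPLES))
```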

Threat Research, Security News