6

I have Avast Free antivirus on my Windows 7 PC, and yesterday I used the Bit Defender quick scan add-on, which spotted a virus. Rechecking with Avast, it didn't pick it up.

Scanning my system with ESET Online Scanner shows no virus, but when I scan it with ClamWin it does find it (but with a different name).

Why do they give different results?

Rory Alsop
illsecure

5 Answers

5

Viruses don't identify themselves as such. In fact, they often try to disguise themselves to make it difficult to detect them. Virus scanning software uses a variety of different techniques to figure out if a program looks like a known virus, but the exact methods they use and the things they look for vary from program to program. Since these virus definitions differ, sometimes a rule either won't exist or won't detect a particular edge case that another virus scanner will detect.

While some virus scanners are better than others, in general, they are simply different. Even the best virus scanner (if you could determine a best) would still miss some viruses that the worst one might pick up.

AJ Henderson
5

The simplest answer is because each anti-virus solution is coded differently. They're different pieces of software. It's expected that there should be differences, just as you'd expect differences between MS Office, OpenOffice and Star Office.

Expanding on that, some anti-virus products use virus databases, which, in layman's terms, hold information about known viruses. These are always one step behind the bad guys in that they have to know about a virus before they can add it to the db. While most anti-virus products that use this type of technology do a good job of keeping up-to-date, it's certainly possible for one AV product to miss what others find.

Other forms of anti-virus use heuristics (they analyze the behavior of software) to try to detect malware. These can detect malware that traditional AV software can miss, and they can miss malware that the other type of anti-virus can find.

David Stratton
4

Antivirus compares known hashes of viruses to the hashes of your files. When the hashes match it blows the box and tells you about it. These companies operate their own databases for known malware hashes. Therefore one company may have a hash identified that another does not.

A lot of malware is now generated on the fly by the attack site. Meaning it uses a polymorphic payload encoder to manipulate the virus code (without changing how the code operates) to make a new hash that no antivirus company has yet. Essentially every victim gets a hash that the companies don't have. Now, the companies eventually see these hashes one by one and that's why one company may have the new hash while the other does not.

k to the z
  • That means I can just check any program I get from a friend online by hash in VirusTotal. But are you sure that when any file is infected with a virus the hash will change, or could the file get infected and keep its hash? – illsecure Jan 10 '13 at 11:10
  • The point is the hashes are new every day. What you check on virus total may not be identified as malicious yet. – k to the z Jan 10 '13 at 17:13
  • But will the hash change if the file gets infected, or can it keep its original hash after being infected? – illsecure Jan 11 '13 at 08:21
  • It's on the attack site that the hash "changes". Before it's sent to your machine to infect it, the polymorphic encoder re-arranges the code until that file has a hash that isn't detected by an anti-virus company. – k to the z Jan 11 '13 at 18:23
  • I mean, if the file hash is (J3JRMND) for example and the file is infected with a W32 virus, when I check the hash again will it be the same or not? AND is there any virus that can infect the file while the file keeps its original hash? – illsecure Jan 12 '13 at 12:55
  • Technically there is a remote possibility that there could be what's called a hash collision where two inputs output the same hash, but this is so rare you could call it impossible to reproduce over and over again. Any change to a file (even adding a space) will give a completely different hash. Example: http://en.wikipedia.org/wiki/SHA-1#Examples_and_pseudocode – k to the z Jan 14 '13 at 17:22
  • @K to the z, I understand that, but "very rare" happens with me a lot: more than once I looked up a zip file hash on VirusTotal and it gave me some file different in name, type and size. Weird. They can do what they can, but will never come close to the fingerprint creation of Allah. – illsecure Jan 20 '13 at 12:26
  • *"Antivirus compares known hashes of viruses to the hashes of your files."* Citation needed. Hashes have been more or less useless for full detection rate potential since the [early 1990s when polymorphic viruses entered the scene](https://en.wikipedia.org/wiki/Polymorphic_code#Malicious_code), and even before then you'd have needed to hash portions of the executable individually and compare against the database. Sounds horribly inefficient to me, especially on systems of the day which generally had very limited processing speed. – user Apr 11 '16 at 06:24
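Added example (not code from any answer above): a tiny scanner with two signature styles, a whole-file hash and an inline byte pattern, run over a constructed, harmless byte string. It shows why two engines can disagree on the same file, and answers the thread's question directly: a single extra byte changes the file hash completely, so a hash-only signature stops matching, while a content-pattern signature still fires. The sample bytes, signature names and the "variant" generator are all constructed for illustration.

```python
import hashlib
from typing import Dict, Optional

# Constructed stand-in for a "known bad" file; it is plain bytes, not malware.
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 60 + b"payload-marker-v1" + b"\x00" * 32

def sha256_hex(data: bytes) -> str:
    """Whole-file hash, the way a hash-only signature database would key it."""
    return hashlib.sha256(data).hexdigest()

# Signature style 1: exact hash of the whole file (constructed name).
HASH_SIGNATURES: Dict[str, str] = {sha256_hex(ORIGINAL): "Test.Marker.A"}

# Signature style 2: a byte pattern that must appear somewhere in the file.
PATTERN_SIGNATURES: Dict[bytes, str] = {b"payload-marker-v1": "Test.Marker.Gen"}

def scan_by_hash(data: bytes) -> Optional[str]:
    """Matches only if every byte of the file is identical to the known sample."""
    return HASH_SIGNATURES.get(sha256_hex(data))

def scan_by_pattern(data: bytes) -> Optional[str]:
    """Matches as long as the pattern itself is left intact inside the file."""
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None

def make_variant(data: bytes, padding: int) -> bytes:
    """Constructed per-victim variant: same content, different trailing bytes.
    This mimics the effect described above (new hash, unchanged behaviour)
    without doing anything the original bytes did not already do."""
    return data + b"\x00" * padding

def compare_engines(data: bytes) -> Dict[str, Optional[str]]:
    """One file, two 'engines': the result each signature style reports."""
    return {"hash": scan_by_hash(data), "pattern": scan_by_pattern(data)}

if __name__ == "__main__":
    samples = [("original", ORIGINAL), ("variant", make_variant(ORIGINAL, 1))]
    for label, sample in samples:
        # The variant gets a brand-new hash, so the hash engine reports None
        # while the pattern engine still reports a detection.
        print(label, sha256_hex(sample)[:16], compare_engines(sample))
```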
3

Basically: Signature is not yet in their databases.

Look at VirusTotal. Some recent malware is detected only by a few engines. Later, the engines are updated by their respective companies and the detection rate rises.

dgarcia
  • That's true. From now on I'll scan my files' hashes online with VirusTotal and toss my antivirus. And if you know some sites that work like VirusTotal, it would be great to share them with us. Thanks. – illsecure Jan 10 '13 at 11:14
  • @illsecure don't do this! VirusTotal is a great tool but anti-virus tools do more than just scan executables (such as use of heuristics). See http://www.prevx.com/blog/106/Why-using-VirusTotal-for-AV-testing-is-a-bad-idea.html for more information. – Andy Smith Jan 10 '13 at 12:21
  • @AndySmith, that's a great article, thanks. "This is because many new heuristic techniques that we use can't be included inside the on-demand scanner." I think I'll rethink my AV. – illsecure Jan 10 '13 at 12:43
2

It means that the virus signature isn't in their DB yet. I recommend you look for an antivirus that has the best detection rate.

AviD
Mai