VCM3: Fakes - Why to get them out of DAT files
Fakes: Why to get them out of DAT files
by VirusBuster
Most traders (all?) have fake and/or false positives virus samples in their collections.
Just to refresh concepts:
A fake virus is a file created or forged on purpose to be detected by a specified antivirus. Some well known fake virus generators were coded by Vecna or Z0MBiE. Jack Liu also created fake virus samples to be identified by KAV. Some unknown person added Windows headers to DOS viruses to fool F-Prot.
A false positive is a file that was not created on purpose by anyone but that is detected by antivirus when it's not a virus. KAV for example, scans VBA source code files as the virus. Some time ago a game coded by GriYo was being scanned as a trojan when it was not.
Other category of fake could be those virus samples modified to get them not working. Example: Adding INT 20h as first instruction of a COM sample.
We can not consider as fakes corrupted or damaged viruses done by the virus coder. Also are not fakes dropped files by a virus, as INI or BAT.
Why is not a good idea to include fakes in VS2000 or any other program DAT files?
Because if they are included when you check other collector log file, if you miss from him a virus that you have as fake, the program will not request it.
So I suggest you remove fakes from DAT files to avoid not requesting good samples you have as fakes.
If you are afraid of requesting same fakes you have from other collector because they are not in the DAT file so you miss them I suggest you discard requests by CRC32. You only have to add the CRC32s of fakes to CRC32.DAT.
