Quote Originally Posted by VirusBuster View Post
Minibis could be seen as not for the masses because it was designed to analyze thousands of malware samples, but just as it can analyze 25k samples, it can analyze 1.
Correct!

Quote Originally Posted by VirusBuster View Post
Do malware researchers really need to analyze thousands of malware samples? I don't think so. They usually analyze malware samples one by one and manually, using decompilers like IDA or debuggers like OllyDbg.
It depends on what's needed. Usually a researcher initially doesn't look into the code - that's what IDA, Olly, etc. are for. First you just want to know quickly what you're dealing with. Then, if it's necessary or relevant, you might take a look at the code.
Btw., IDA is not a decompiler, though Hex-Rays sells a decompiler plugin for their disassembler/debugger IDA Pro. So, don't mix these up.

Quote Originally Posted by VirusBuster View Post
Do advanced users have 25k malware samples? I don't think so, but even if they do... do they need to analyze them? Again, I don't think so. I don't see a reason for that.
I wouldn't want to tell the advanced user who is really interested in my tool what to do.

Quote Originally Posted by VirusBuster View Post
Being realistic, mass malware analysis tools are intended for antivirus companies that need to filter the big amount of files they receive, separating harmless from potentially dangerous files. Checking everything they get one by one would be impossible nowadays.
That's just ONE scenario where mass analysis can make sense. There are way more than this. How do you think malware trends are identified? How do you think statistical data is produced for lists, e.g. the top ten Windows autostart possibilities used by malware authors? How do you think it's possible to eventually find other malware that seems to be created by the same developer, or with the same frameworks/tools? And so on - there are really a lot.

Quote Originally Posted by VirusBuster View Post
If an antivirus company must do mass malware analysis, what option will they rely on? Probably on their own solution or on a professional solution like Norman Sandbox Analyzer.
That really depends on too many influences.

Quote Originally Posted by VirusBuster View Post
So I think a good question is: Is there a "market" for public malware analyzers? It exists, but it's very, very small.
There is a market - I never said it's big.

Quote Originally Posted by VirusBuster View Post
Then who will be using public malware analyzers? Mainly advanced users, not malware researchers, because they don't need that, nor antivirus companies, because they will use either their own solution or a professional one.
Mainly CERTs - that's why I made it public. It's a common approach in the CERT community to share instrumentation.

Quote Originally Posted by VirusBuster View Post
So in my opinion the scope of the publicly available malware analysis tools (mass analyzer or not) is the advanced users.
No, see above.

Quote Originally Posted by VirusBuster View Post
I will not comment about CERTs because I don't really know if they process big amounts of samples or if they mainly work with honeypots.
I'm from a national and governmental CERT, I guess I know what our branch is doing. ;-)
And to answer your question: they do, one more, the other less; that depends on many things.

Quote Originally Posted by VirusBuster View Post
How do most of the advanced users prefer to do malware analysis? Probably using online malware analyzers like Anubis, ThreatExpert, JoeBox, etc. Why? I think because they are afraid of possible infections, so they are safe using online tools.
That's correct for the normal advanced user. But for CERTs, and from time to time for AV vendors too, there are periodically scenarios where nothing is allowed to become public - so, no Anubis and the like.

Quote Originally Posted by VirusBuster View Post
Among the advanced users that don't mind hosting a malware analyzer, what do they prefer: a Linux- or a Windows-based malware analyzer tool? Windows, of course, because they want to check if a program is trustworthy before installing it on their system. Having to do the analysis under Linux to analyze a Windows application is not practical for them.
I don't really care a lot about this, as they are not my main constituency. I just decided to also let the public (non-CERT, non-researcher) guy participate in my work.

Quote Originally Posted by VirusBuster View Post
For all the above reasons, I think malware analysis tools must be hosted under Windows. The few persons (let's be realistic, probably just 1 or 2% of computer users use them) that will use that kind of tool work with Windows.
You're still mixing up two different things: instruments for fast analysis of lots of samples, and in-depth code analysis (mainly) of Windows PE files (executables).

Cheers,
Chrisu.
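The kind of mass-analysis output Chrisu mentions above (a top-ten of autostart locations, and finding samples that share a developer or toolkit) is only possible once per-sample results are aggregated. The following is an added illustration written for this page, not code from Minibis or from either poster. It works on constructed, sandbox-style report dicts; the field names (`sha256`, `registry_writes`, `mutexes`, `imphash`) and the sample data are assumptions, standing in for the thousands of real reports a CERT or AV lab would feed in.

```python
"""Aggregate per-sample sandbox reports into mass-analysis statistics.

Added example for this thread; not part of Minibis. Report layout and
sample data are constructed for the illustration.
"""
from collections import Counter, defaultdict

# Well-known registry autostart locations (assumed list; extend as needed).
AUTOSTART_LOCATIONS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\System\CurrentControlSet\Services",
)

# Constructed reports, one dict per analyzed sample (field names assumed).
REPORTS = [
    {"sha256": "a1", "imphash": "ih-1", "mutexes": [r"Global\build7"],
     "registry_writes": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
                         r"HKCU\Software\Foo\Cfg"]},
    {"sha256": "b2", "imphash": "ih-1", "mutexes": [r"Global\build7"],
     "registry_writes": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"]},
    {"sha256": "c3", "imphash": "ih-2", "mutexes": [r"Local\zzz"],
     "registry_writes": [r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\x",
                         r"HKLM\System\CurrentControlSet\Services\evil\ImagePath"]},
    {"sha256": "d4", "imphash": "ih-3", "mutexes": [],
     "registry_writes": [r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\y"]},
    {"sha256": "e5", "imphash": "ih-4", "mutexes": [r"Global\build7"],
     "registry_writes": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\z",
                         r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\z2"]},
    {"sha256": "f6", "imphash": "ih-2", "mutexes": [],
     "registry_writes": [r"HKCU\Software\Bar"]},
]


def autostart_location(reg_path):
    """Return the autostart location a written registry path falls under,
    or None. Matching is on whole key components, so a write below
    ...\\RunOnce is not miscounted as ...\\Run (a plain prefix match would)."""
    p = reg_path.lower()
    for loc in AUTOSTART_LOCATIONS:
        low = loc.lower()
        if p == low or p.startswith(low + "\\"):
            return loc
    return None


def top_autostart(reports, n=10):
    """Top-n autostart locations by number of distinct samples using them.
    A sample writing several values under one key is counted once, so the
    statistic is 'how many samples' and not 'how many writes'."""
    counts = Counter()
    for r in reports:
        locs = {autostart_location(p) for p in r.get("registry_writes", [])}
        locs.discard(None)
        counts.update(locs)
    # Sort by count descending, then name, so output is deterministic.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def cluster_by_indicator(reports, field, min_size=2):
    """Group samples that share an indicator value (mutex name, import hash,
    ...). Only groups of at least min_size are returned; a value seen in a
    single sample says nothing about shared tooling."""
    groups = defaultdict(set)
    for r in reports:
        values = r.get(field)
        if values is None:
            continue
        if isinstance(values, str):
            values = [values]
        for v in values:
            groups[v].add(r["sha256"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


if __name__ == "__main__":
    for loc, count in top_autostart(REPORTS):
        print(f"{count:4d}  {loc}")
    for field in ("mutexes", "imphash"):
        for value, samples in cluster_by_indicator(REPORTS, field).items():
            print(f"{field}={value}: {', '.join(samples)}")
```

With real data the `REPORTS` list would be built from the analyzer's per-sample output, and the clusters would be the starting point for the manual IDA/Olly work, not a replacement for it.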