avast heuristic detection: win32:wronginf-C[Susp] catching malware a lot lately!?

Is this just me or the heuristic detection of wronginf in avast has been picking up lot of samples with this detection since I switched to CIS,I have been testin avast in VM and over last month this seems to coincidental I am coming across a lot wrongInf detection.

This time it picked up on fakeAV:~VT results removed per forum Policy~

 

Yes, also seeing it a lot on VT.

 

Well,atleast now I know I am not alone,thanks spywar

 

Are they false positives or is Avast detecting more real threats?

If more real threats, is this Evo-Gen getting better?

 

Keep getting better and better

 

No they are threats but it may also generate FPs.

 

+1 I confirm evo-gen improved a lot over last few months

 

Thanks guys. Good to hear that you have noticed.

There have been some very good improvements, especially on the backend/cloud side, rolled out recently (and more are coming in the Summer).

Also, we have now fully optimized the streaming update mechanism so that it's pushing out updates really every 4-6 minutes or so (including new Evo-Gen's).

Thanks
Vlk

 

Any news about Dyna-Gen signatures?

 

Many thanks, will try it out very soon, and btw I'm still submitting some fresh undetected samples to you .
I noticed a lot of new Dyna: signs over the last VPS updates, that sounds great. But I don't think that Dyna Gen is already working, probably some tests going on before launching it.

 

No, Dyna-Gen is still not out. But it's coming as well.

Needless to say, some of the new stuff we're now rolling out (and planning to further roll out this Summer) is probably going to rock even more than Dyna-Gen. We will see.... stay tuned!

 

WHat is difference in Evo-Gen and Dyna-Gen - would you briefly explain each please?

 

It's a bit long to explain.

Dyna Gen : http://forum.avast.com/index.php?topic=115421.msg897964#msg897964

Evo Gen : https://blog.avast.com/2012/12/03/new-toy-research-lab/

 

One word: superb!!

This is tremendous improvement already

Eager for more

 

Thanks. I have read both before. I understand the overall procedure. What I do not understand is the difference between the two - they seem the same thing to me.

 

The "Dyna:" signatures are used by the AutoSandbox during analysis of suspicious file to determine if it is malware or not. While those "Dyna:" signatures are released by human analysts (see on VDF history page) soon the process will be done automatically thanks to automated "Dyna:" generators.

 

Thanks. Now I understand the basics of Dyna-Gen. What about Evo-Gen? Is Evo-Gen the process to develop these signatures then Dyna-Gen the procedure to distribute the signatures? Or are Dyna-Gen and Evo-Gen totally different processes?

 

To not give you any wrong informations, it would be safer if Vlk could tell us the reply to your Q but I'm quite sure that what I did say above about Dyna Gen is true.

 

Evo-Gen and Dyna-Gen definitions are similar in the following ways:

• Both are generated automatically (on our GPU-powered server farms)
  
• Both use some advanced / proprietary 'machine learning' secret sauce ("big data" algorithms, namely in the area of 'predictive analytics')
  
• Both have very good characteristics in terms of false positive rates and in the area of fighting of FPs in general
  
• Both are relevant only for executable binary files (i.e. no PDFs, no Javascript etc.)
  
• Both can be sent out via our streaming updates technology, i.e. all Avast users receive them in the order of minutes after they are created

The principal difference between the two, though, is that :

• Evo-Gen is based on a static snapshot of the analyzed file. That is, we take a specially crafted "digest" of each file, and do all further processing / analyses solely on it. The file in question doesn't have to be executed for us to collect the digest.
  
• Dyna-Gen is based on an execution trace. For this, we use the Avast Autosandboxing technology. That is, if we see any suspicious file, we let it run for a while in the sandbox (where it cannot do any harm) and during that, we generate a verbose 'execution trace' (this tech is going to be vastly extended/improved in the next Avast version, by the way). All the further processing / analyses are then done solely on this trace.

In other words, Evo-Gen is great for files that can be somehow clustered by what they look from outside. Dyna-Gen is great for clustering based on actual behavior of the file when executed.

Cheers
Vlk

 

Vlk, i only have one concern about Auto Sandbox though. How does the trace work for stuff that requires partial user input.

Example:

Most malware runs the payload as soon as you click the EXE.
But what about the files where user has to click a button (lets say "Install") after EXE clicking?

Can Auto Sandbox process that on its own or does user have to click that button while app is running in Auto Sandbox? Time in it is very limited and i often don't even bother to manipulate the app further than executing it...

 

We could not expect any better explanations, thanks

 

Agreed. Thanks for the info.

 

Thank you very much. So both are new detection traces on new threats with Evo-Gen being closer to static-signature based detection, and Dyna-Gen being closer to behavior detection.

A question please, would malware attached to or inside PDF files etc. be detected, or would stuff like that get through? Do other layers of Avast catch those?

 

PDF's usually use exploits to execute payload, which is usually binary data and will as such be detected at some point by onr module for sure.

 

very good work Avast, some very exciting things coming. Not that it matters but, I am very impressed. VLK good work to you and all at Avast.