Avira

Discussion in 'other anti-virus software' started by JerryM, Apr 16, 2013.

  1. hamlet

    hamlet Registered Member

    Joined:
    May 10, 2005
    Posts:
    229
    Hi. Quick question ... I have been reading the ESET ver 9 thread because I use that software on another machine of mine. There is some discussion of the detection of the AMTSO cloudcar.exe file in that thread. I notice that my Avira Antivirus Pro with default settings does not detect the cloudcar file at http://www.amtso.org/feature-settings-check-cloud-lookups/. Is this something that should be detected? I do get detections on the other links at AMTSO such as eicar, etc.
     
  2. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    yep, it gets detected by APC if you try to execute it. it's a test file and won't harm anything.

    you should see a detection akin to:
    The file 'E:\Downloads\cloudcar.exe'
    contained a virus or unwanted program 'TR/CloudCAR-Testfile (Cloud)' [trojan]

    additionally, my report looked like this:

    Begin scan in 'E:\Downloads\cloudcar.exe'
    AUC login request succeed.
    Successful Cloud SDK initialization and license check.
    The file 'E:\Downloads\cloudcar.exe' was scanned with the Protection Cloud. SHA256 = 3559378C933CDD434AF2083F7535460843D2462033DE74EC7C70DBE5F70124F5
    AUC reports URL: http://amtso.security-features-check.com/cloudcar.exe as 'Malware'.
    E:\Downloads\cloudcar.exe (SHA-256: 3559378c933cdd434af2083f7535460843d2462033de74ec7c70dbe5f70124f5)
    [DETECTION] Is the TR/CloudCAR-Testfile (Cloud) Trojan

    Beginning disinfection:
    E:\Downloads\cloudcar.exe (SHA-256: 3559378c933cdd434af2083f7535460843d2462033de74ec7c70dbe5f70124f5)
    [DETECTION] Is the TR/CloudCAR-Testfile (Cloud) Trojan
    [NOTE] The file was moved to the quarantine directory under the name '52f6885e.qua'!
     
  3. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,005
    http://www.amtso.org/feature-settings-check-cloud-lookups/

     
  4. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,005
    My Avira Pro failed in Phishing test too:
     
  5. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    That's boilerplate stuff from AMTSO - I'd only consider it a failure if there's zero detection, and obviously the cloud lookup is functioning or it wouldn't convict the file as malicious. Avira rarely ever queries APC on access. You can verify it by looking at the event logs, as it appears Avira will log each time it sends a hash to APC.

    The only component of their "tests" that I've seen every product I've tried actually pass is detection of EICAR. Most fail on Phishing.
     
    Last edited: Jan 24, 2016
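
One way to do the log check mentioned above, as an added example that is not part of any post in this thread and is not Avira tooling: it parses a scan report in the format quoted earlier in the thread and reports whether a Protection Cloud lookup was logged and whether the hashes agree. The regular expressions and the `summarize` helper are assumptions built only from the wording of that one report.

```python
import re

# Report text copied from the post earlier in this thread.
REPORT = r"""Begin scan in 'E:\Downloads\cloudcar.exe'
AUC login request succeed.
Successful Cloud SDK initialization and license check.
The file 'E:\Downloads\cloudcar.exe' was scanned with the Protection Cloud. SHA256 = 3559378C933CDD434AF2083F7535460843D2462033DE74EC7C70DBE5F70124F5
AUC reports URL: http://amtso.security-features-check.com/cloudcar.exe as 'Malware'.
E:\Downloads\cloudcar.exe (SHA-256: 3559378c933cdd434af2083f7535460843d2462033de74ec7c70dbe5f70124f5)
[DETECTION] Is the TR/CloudCAR-Testfile (Cloud) Trojan
[NOTE] The file was moved to the quarantine directory under the name '52f6885e.qua'!
"""

# Patterns assumed from the wording of the report above.
CLOUD_RE = re.compile(r"The file '(?P<path>[^']+)' was scanned with the "
                      r"Protection Cloud\. SHA256 = (?P<sha>[0-9A-Fa-f]{64})")
VERDICT_RE = re.compile(r"AUC reports URL: (?P<url>\S+) as '(?P<verdict>[^']+)'")
FILE_RE = re.compile(r"^(?P<path>.+) \(SHA-256: (?P<sha>[0-9A-Fa-f]{64})\)$")
DETECT_RE = re.compile(r"\[DETECTION\] Is the (?P<name>.+) (?P<kind>\w+)$")
QUAR_RE = re.compile(r"\[NOTE\] The file was moved to the quarantine "
                     r"directory under the name '(?P<qua>[^']+)'")

def summarize(report):
    """Collect cloud lookups, verdicts, detections and quarantine names."""
    out = {"cloud_hashes": {}, "verdicts": {}, "detections": set(),
           "quarantined": [], "hash_mismatch": []}
    for raw in report.splitlines():
        line = raw.strip()  # forum copies of the report are often indented
        if m := CLOUD_RE.search(line):
            out["cloud_hashes"][m["path"]] = m["sha"].lower()
        elif m := VERDICT_RE.search(line):
            out["verdicts"][m["url"]] = m["verdict"]
        elif m := FILE_RE.match(line):
            # The report prints the hash in two cases; compare case-insensitively.
            sent = out["cloud_hashes"].get(m["path"])
            if sent is not None and sent != m["sha"].lower():
                out["hash_mismatch"].append(m["path"])
        elif m := DETECT_RE.search(line):
            out["detections"].add((m["name"], m["kind"]))
        elif m := QUAR_RE.search(line):
            out["quarantined"].append(m["qua"])
    out["cloud_lookup_seen"] = bool(out["cloud_hashes"])
    return out

if __name__ == "__main__":
    print(summarize(REPORT))
```
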
  6. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,005
    Avira always queries APC on access (suspicious Executable / unrecognized file).
    also:
    Avira Whitepaper | Avira Protection Cloud (APC)
    http://www.avira.com/files/for-business/Whitepaper_ProtectionCloud_EN.pdf

     
    Last edited: Jan 24, 2016
  7. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    That doesn't define what the product classifies as "suspicious", and also doesn't explicitly say that they scan or fingerprint every file on access. If they did, I'd assume it would have convicted the file when it was written to disk, and not only when I executed it.
     
  8. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,005
    Read the PDF (Avira Whitepaper | Avira Protection Cloud)........
     
  9. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    I've read it before, but I'll quote directly from it since this seems to not be going anywhere:

    "In mere split seconds after the unknown (not suspicious, simply unrecognized) file is accessed, a “fingerprint” of this unidentified file is instantly uploaded to the Avira Protection Cloud. Once received, the file’s fingerprint is compared to the millions and millions of safe and unsafe file definitions already stored in the Avira Protection Cloud. If the file corresponds to a previously recognized file that is known to be safe, the process is approved, the user accesses the file and life goes on as normal."

    According to their own wording, it only explicitly calls out new and unrecognized files. The endpoint likely employs an algorithm to determine whether a file is new or unrecognized (part of which seems to be based on the origin of the file, if the product logs are to be believed) and upon doing something with a new or unrecognized file, it queries APC as to whether it's been encountered and returns a result (Yes, it's fine; Yes, it's bad; No, I haven't seen it before, please send it).

    @Cmhelper are you able to shed any light on this? I'm genuinely curious about it
     
    Last edited: Jan 24, 2016
  10. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,005
    I agree........
     
  11. LocoSec

    LocoSec Registered Member

    Joined:
    Oct 17, 2014
    Posts:
    106
    Location:
    Germany
    I asked Stefan to jump in... He's an expert ;-)
     
  12. Cmhelper

    Cmhelper Registered Member

    Joined:
    May 6, 2014
    Posts:
    155
    Location:
    Tettnang
    Imagine what would happen when every fingerprint of every loaded file has to be sent to the APC in realtime... impossible. And if there is no internet access?

    Therefore the decision of the realtime protection goes through several instances. It checks whether there is a detection already available from local sources. If not, the process decides upon many (behaviour) rules whether the fingerprint of a file needs to be sent to APC for a decision.

    Does this answer your question?
     
  13. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    Yup, that's how it seemed to me based on it only reaching out to APC when I executed the test file vs providing immediate cloud detection when it was written to disk or accessed without execution. Thanks for the confirmation!
     
  14. Cmhelper

    Cmhelper Registered Member

    Joined:
    May 6, 2014
    Posts:
    155
    Location:
    Tettnang
    You are welcome :)
     
  15. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,005
    Last edited: Jan 28, 2016
  16. garrett76

    garrett76 Registered Member

    Joined:
    Mar 18, 2014
    Posts:
    221
    Is Avira browser safety extension not compatible with Firefox 44? Can't install on my system.
     
  17. LocoSec

    LocoSec Registered Member

    Joined:
    Oct 17, 2014
    Posts:
    106
    Location:
    Germany
    What kind of error do you receive?
     
  18. garrett76

    garrett76 Registered Member

    Joined:
    Mar 18, 2014
    Posts:
    221
    It says something like (translated from Italian): "impossible to install the extension because it does not match the extension expected by Firefox". The same on two different machines. I tried to install it from here -www.avira.com/it/avira-browser-safety-
     
  19. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,005
  20. LocoSec

    LocoSec Registered Member

    Joined:
    Oct 17, 2014
    Posts:
    106
    Location:
    Germany
  21. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,005
  22. Tarantula

    Tarantula Guest

  23. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,005
    I totally agree with you.
    I was against the ask crapware, and I'm against the useless launcher too.

    I'm using the Avira Pro, there is no launcher in Pro ..... but not for long, afaik they are planning to implement the launcher in paid versions too.....
     
  24. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    It'll be their own death. That Launcher nonsense is so stupid I'm not going to ever touch AVIRA for as long as they are using that junk. Even if it has 100% detection, it's so annoying I can't stand it.
     
  25. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,360
    +1 :thumb:
     