Avast! back on track?!

Discussion in 'other anti-virus software' started by avman1995, May 22, 2014.

Thread Status:
Not open for further replies.
  1. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    Test with RejZoR's config:
    I had some fun with that config. Tested with 54 pieces of undetected malware. Avast hardened mode didn't let anything in apart from 3 files. 2 were just corrupt and didn't do much, and the 1 that got in gave me some sort of joke program, but it wasn't too bad. Pretty good.

    Then I did the test with my config. FileRep and Evo-Gen deleted most of those. I had collected some of the samples myself from users' machines. DeepScreen got rid of the Zbot trojans. I was able to run quite a few of those and they would spawn a random exe in appdata/roaming, but even that would be sandboxed and analyzed, and avast caught the daughter files, and in turn the droppers were just harmless. I was able to get a few through avast's protection. 1 of them kept crashing with an error code at startup and the other 2 ran and started using the CPU. I then started getting blank white screens at startup for like 1 minute and the system acted slow. I don't know what those files did because Malwarebytes didn't reveal much. Just some registry keys and 2 orphans from the malware folder that were running.

    I left the machine around for some time and avast FileRep picked up some of the missed ones.

    Some of the malware I ran went through, but avast was deleting the files dropped by them, so it left over a bunch of registry entries. Wasn't too pleased about those 2 nasty files being let through though.
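    The behaviour described above (a dropper spawning a randomly named executable directly under the user's AppData\Roaming folder) is one of the more reliable things a defender can hunt for in endpoint process-creation telemetry. The script below is an added example, not code from the thread or from Avast: it runs a small heuristic over a handful of constructed Sysmon-style process-creation events and flags images that sit directly under AppData\Roaming, carry a random-looking name, or were started by a parent running from a user-writable location. The field names, thresholds and sample paths are assumptions made for the illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in a Sysmon-like shape (made up for this example).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\kqzrx.exe",
     "ParentImage": r"C:\Users\alice\Downloads\invoice.exe"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Legitimate software commonly installs into a *subfolder* of Roaming, not its root.
    {"Image": r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Roaming\oy2hfs7.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\setup_1.exe"},
]

# An .exe placed directly in the root of AppData\Roaming (no vendor subfolder).
ROAMING_ROOT = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$", re.I)
# Locations an unprivileged user (and therefore a dropper) can write to.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
# Short alphanumeric stem: candidate for a generated filename.
RANDOM_NAME = re.compile(r"^[a-z0-9]{5,12}$", re.I)


def looks_random(stem: str) -> bool:
    """Crude randomness check: short alnum stem that mixes in digits or has no vowels."""
    stem = stem.lower()
    if not RANDOM_NAME.match(stem):
        return False
    has_digit = any(c.isdigit() for c in stem)
    has_vowel = any(v in stem for v in "aeiou")
    return has_digit or not has_vowel


def score_event(event: dict) -> list:
    """Return the list of reasons this process-creation event looks suspicious."""
    reasons = []
    image = event["Image"]
    parent = event["ParentImage"]
    if ROAMING_ROOT.match(image):
        reasons.append("exe directly under AppData\\Roaming root")
        if looks_random(PureWindowsPath(image).stem):
            reasons.append("random-looking filename")
    if USER_WRITABLE.match(parent):
        reasons.append("parent launched from user-writable location")
    return reasons


def flag_suspicious(events: list, min_reasons: int = 2) -> list:
    """Return (image, reasons) for every event with at least min_reasons hits."""
    flagged = []
    for event in events:
        reasons = score_event(event)
        if len(reasons) >= min_reasons:
            flagged.append((event["Image"], reasons))
    return flagged


if __name__ == "__main__":
    for image, reasons in flag_suspicious(SAMPLE_EVENTS):
        print(f"SUSPICIOUS {image}: {', '.join(reasons)}")
```

    Requiring two independent reasons before alerting keeps software that legitimately lives in its own Roaming subfolder out of the results; in practice you would tune the regexes against your own baseline of process creations before turning this into a detection rule.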
     
  2. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,972
    Giving Avast a shot on my testing rig today. From my testing FileRep is used in on-demand detection, correct? If it is, I cannot seem to get any samples to set off an alert. I will give credit that Avast does a very deep scan of the system for malware, but so far its detection rates have not blown me away on my inactive sample testing. I saw the heuristics engine in action once but nothing from any of the cloud. Still waiting for undetected samples that I submitted to be added into the database; I am very curious, with their streaming updates, how long samples take to be processed.
     
  3. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    FileRep detections come into play only when you execute the samples, just like Evo-Gen. Detection rates change every day so can't say.
     
  4. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,972
    Thanks for confirming that, it would be interesting to see if FileRep will ever be incorporated into on-demand scanning. Also, to answer my own question, in the past 5 mins some files have started being detected that were missed earlier, so it seems streaming database updates are decently fast. 6 hours-ish till detection updated.
     
  5. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    There may be more detections when files are executed; I mean FileRep is very quick in terms of picking new samples up.
     
  6. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    I don't think that will ever happen for two reasons.

    Cloud server overhead: checking millions of files from all systems for on-demand scans just isn't feasible. The other reason is that on-execution means malware writers have to test samples against avast! by actually executing them. Which creates several limitations to their testing and thus creates a lot of variables that can't be covered by malware writers when they actually release the sample. Sort of effective security through obscurity that actually works to certain levels and that just isn't bypassable.
     
  7. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    Ah, nice test bro... that confirms what I saw myself a few months ago with aggressive mode.
     
  8. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    I am still able to get a bunch of stuff past the default avast setup. DeepScreen is very erratic in terms of how it detects. Evo-Gen and FileRep are more reactive than proactive. I may still hold off until their NG hw-based sandbox comes out. Because when that is out, dyna-gen will finally be effective.
     
    Last edited: Jun 7, 2014
  9. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    So I've installed it on my machine, set hardened mode to aggressive. ;)

    "I am still able to get a bunch of stuff past the default avast setup" I think that's a bit normal since the default setup, as you said, is more proactive than reactive.

    I'll try to do some testing as well.
     
  10. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    I stopped doing testing on VMs. I am using a separate real machine exclusively for testing. A lot of malware, once run in a VM, causes BSODs and afterwards it actually didn't do any harm.

    Ransom malware... I just got past 1 of them yesterday. Today cloud got it. Stuff that is 1 day or 2 days old, FileRep and Evo-Gen are bang on it, but some of the nasty ones that are quite new get past, and after a few hours avast picks it up with Evo-Gen/FileRep.
     
  11. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    OK, yesterday I did a test with 2 malware packs. 1 with 69 files and the other with 50 files.

    I was quite amazed by the results as both were fresh packs. Avast's on-demand scanner missed like 20 from each of them. But here is the catch: I executed the files from the 69 pack and avast caught a bunch of them with the sandbox/FileRep/Evo-Gen, and it came down to 68/69.

    Same happened with the 50 pack; avast missed a few of them like .jar, .vbs but blocked all the rest.

    This was a very impressive result from avast, as when I have tested before the sandbox has not been much in action; let's see if this is consistent though. I had a rogue in one of the packs and avast signatures missed it, but FileRep blocked it!
     
  12. Malware fighter

    Malware fighter Registered Member

    Joined:
    Jan 31, 2011
    Posts:
    253
    Would you care throwing them at others, like Kaspersky, Bitdefender etc., and compare? Would be very interesting to find out the results.
     
  13. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,940
    Location:
    UK
    Please remember that this thread is about Avast! and not for malware pack results regarding other products.

    Thanks
     
  14. RealNature

    RealNature Registered Member

    Joined:
    Jun 13, 2013
    Posts:
    34
    Nice can't wait to see the results:thumb:
     
  15. malware1

    malware1 Registered Member

    Joined:
    May 26, 2014
    Posts:
    133
    All samples from this 69 pack were submitted to Avast :)
     
  16. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    Nice, thanks again for your tests.
     
  17. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    I'm doing the tests on a real system, with many fresh samples including malicious mail attachments and many other stuff...
    Getting a big amount of FileRep detections (MetaGen and normal FileRep), also Evo-Gen.
    Nothing to say about hardened mode set to aggressive that simply blocks all things that are not yet identified by cloud-based systems.
    Continuing testing...
     
  18. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    That doesn't change anything in terms of sandbox detections; I had a quite considerable amount of them. They can deploy FileRep and Evo-Gen, but I think I tested the samples pretty much right after you posted the pack.

    Spywar, are you seeing DeepScreen detections? Is there any improvement in terms of Evo-Gen and FileRep from your previous tests?
     
  19. malware1

    malware1 Registered Member

    Joined:
    May 26, 2014
    Posts:
    133
    But they received the samples much earlier than the pack was posted.
     
  20. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    But they don't add dyna rules right away to the sandbox. The rules are custom-made too often. Submitting samples may cause Evo-Gen and FileRep detections, but it doesn't change/add sandbox rules quickly. And from my experience avast takes at least 6-8 hours-ish from the time of submission to add them to the database. And I think when I first tested it the detection was around like 38/50 and 48/69 or something like that. It was similar to the detection rate before they added samples to their DB as posted on the MT forum.

    Besides, even spywar also seems to be experiencing the same results as I did in my last test. And it wasn't purely your sample pack; I added some nasties to the pack from malekal's collection.
     
  21. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    In order to get DeepScreen detections, first I need to get a sample sandboxed, right? But it seems that if hardened mode is activated, files are not processed by the sandbox? Anyway, I can confirm having got some FileRepMetagen detections on 1-hour-old samples (according to VT).
     
  22. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    True. You need to run the samples and keep hardened mode off. You said you got a huge amount of cloud and Evo-Gen. But it does seem like Avast has improved on reacting to truly 0-day samples like the ones you are talking about. You may want to test avast at complete defaults and hardened mode off.

    Interesting stuff from the past 1 week by avast. Do tell me more. Have you been able to get the system infected with something considerable?
     
  23. malware1

    malware1 Registered Member

    Joined:
    May 26, 2014
    Posts:
    133
    Malekal submits samples to Avast too.
     
  24. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    True, but with 7.4 GB of samples there is a HUGE amount that doesn't get added right away. :)
     
  25. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    +1 :)
     