avast heuristic detection: win32:wronginf-C[Susp] catching malware a lot lately!?

Discussion in 'other anti-virus software' started by true indian, Jun 15, 2013.

Thread Status:
Not open for further replies.
  1. true indian

    true indian Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    755
    Location:
    india
    Is it just me, or has the heuristic detection of WrongInf in Avast been picking up a lot of samples with this detection since I switched to CIS? I have been testing Avast in a VM, and over the last month this seems too coincidental: I am coming across a lot of WrongInf detections.

    This time it picked up on fakeAV:~VT results removed per forum Policy~
     
    Last edited by a moderator: Jun 15, 2013
  2. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    Yes, also seeing it a lot on VT. ;)
     
  3. true indian

    true indian Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    755
    Location:
    india
    Well, at least now I know I am not alone, thanks spywar ;)
     
  4. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    265
    Location:
    USA
    Are they false positives or is Avast detecting more real threats?

    If more real threats, is this Evo-Gen getting better?
     
  5. Antimalware18

    Antimalware18 Registered Member

    Joined:
    Dec 12, 2008
    Posts:
    417
    Keep getting better and better:thumb:
     
  6. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    No they are threats but it may also generate FPs.
     
  7. true indian

    true indian Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    755
    Location:
    india
    +1 I confirm evo-gen improved a lot over last few months :D
     
  8. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    Thanks guys. Good to hear that you have noticed.

    There have been some very good improvements, especially on the backend/cloud side, rolled out recently (and more are coming in the Summer).

    Also, we have now fully optimized the streaming update mechanism so that it's pushing out updates really every 4-6 minutes or so (including new Evo-Gen's).

    Thanks
    Vlk
     
  9. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    Any news about Dyna-Gen signatures?
     
  10. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    Many thanks, will try it out very soon, and btw I'm still submitting some fresh undetected samples to you :D .
    I noticed a lot of new Dyna: signs over the last VPS updates, that sounds great. But I don't think that Dyna Gen is already working, probably some tests going on before launching it.
     
  11. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    No, Dyna-Gen is still not out. But it's coming as well.

    Needless to say, some of the new stuff we're now rolling out (and planning to further roll out this Summer) is probably going to rock even more than Dyna-Gen. We will see.... stay tuned!:)
     
  12. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    265
    Location:
    USA
    What is the difference between Evo-Gen and Dyna-Gen? Would you briefly explain each, please?
     
    Last edited: Jun 16, 2013
  13. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
  14. true indian

    true indian Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    755
    Location:
    india
    One word: superb!!

    This is tremendous improvement already :D

    Eager for more :)
     
  15. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    265
    Location:
    USA
  16. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    The "Dyna:" signatures are used by the AutoSandbox during analysis of a suspicious file to determine whether it is malware or not. While those "Dyna:" signatures are currently released by human analysts (see the VDF history page), soon the process will be done automatically thanks to automated "Dyna:" generators.
     
  17. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    265
    Location:
    USA
    Thanks. Now I understand the basics of Dyna-Gen. What about Evo-Gen? Is Evo-Gen the process to develop these signatures then Dyna-Gen the procedure to distribute the signatures? Or are Dyna-Gen and Evo-Gen totally different processes?
     
  18. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    So as not to give you any wrong information, it would be safer if Vlk could answer your question, but I'm quite sure that what I said above about Dyna Gen is true.
     
  19. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    Evo-Gen and Dyna-Gen definitions are similar in the following ways:

    • Both are generated automatically (on our GPU-powered server farms)
    • Both use some advanced / proprietary 'machine learning' secret sauce ("big data" algorithms, namely in the area of 'predictive analytics')
    • Both have very good characteristics in terms of false positive rates and in the area of fighting of FPs in general
    • Both are relevant only for executable binary files (i.e. no PDFs, no Javascript etc.)
    • Both can be sent out via our streaming updates technology, i.e. all Avast users receive them in the order of minutes after they are created

    The principal difference between the two, though, is that:

    • Evo-Gen is based on a static snapshot of the analyzed file. That is, we take a specially crafted "digest" of each file, and do all further processing / analyses solely on it. The file in question doesn't have to be executed for us to collect the digest.
    • Dyna-Gen is based on an execution trace. For this, we use the Avast Autosandboxing technology. That is, if we see any suspicious file, we let it run for a while in the sandbox (where it cannot do any harm) and during that, we generate a verbose 'execution trace' (this tech is going to be vastly extended/improved in the next Avast version, by the way). All the further processing / analyses are then done solely on this trace.

    In other words, Evo-Gen is great for files that can somehow be clustered by what they look like from the outside. Dyna-Gen is great for clustering based on the actual behavior of the file when executed.

    Cheers
    Vlk
     
    Last edited: Jun 17, 2013
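    To make the static-digest versus execution-trace distinction above concrete, here is an added toy example (mine, not Avast's code, and not their actual algorithms): it scores two constructed samples against a known sample once by static features and once by call pairs from a sandbox trace. The feature names, API sequences and sample names are all constructed for illustration.

```python
# Added illustration, not Avast's code: a toy contrast between clustering a
# sample by a static digest (how the file looks from the outside) and by an
# execution trace (what it does when run). Every sample below is constructed.
from typing import Dict, FrozenSet, List

# Constructed static digests: coarse per-file features such as section names,
# imported APIs and an entropy bucket. Feature names are illustrative only.
STATIC_DIGEST: Dict[str, FrozenSet[str]] = {
    "known_fakeav":     frozenset({"sec:.text", "sec:.rdata", "imp:MessageBoxW",
                                   "imp:CreateProcessW", "imp:RegSetValueExW", "entropy:low"}),
    # Same payload, repacked: the outside view changes completely.
    "repacked_variant": frozenset({"sec:UPX0", "sec:UPX1", "imp:LoadLibraryA",
                                   "imp:GetProcAddress", "entropy:high"}),
    # Clean installer that happens to share the same imports and layout.
    "benign_installer": frozenset({"sec:.text", "sec:.rdata", "imp:MessageBoxW",
                                   "imp:CreateProcessW", "imp:RegSetValueExW", "entropy:low"}),
}

# Constructed execution traces: the ordered API calls seen in a sandbox run.
EXEC_TRACE: Dict[str, List[str]] = {
    "known_fakeav":     ["RegSetValueExW:Run", "CreateProcessW", "MessageBoxW",
                         "InternetOpenW", "HttpSendRequestW"],
    "repacked_variant": ["VirtualAlloc", "RegSetValueExW:Run", "CreateProcessW",
                         "MessageBoxW", "InternetOpenW", "HttpSendRequestW"],
    "benign_installer": ["MessageBoxW", "CreateDirectoryW", "CopyFileW",
                         "RegSetValueExW:Uninstall", "MessageBoxW"],
}


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Set overlap in [0, 1]; 1.0 means identical feature sets."""
    return len(a & b) / len(a | b) if a | b else 0.0


def trace_bigrams(trace: List[str]) -> FrozenSet[str]:
    """Turn an ordered call trace into a set of consecutive call-pair features."""
    return frozenset(f"{prev}>{nxt}" for prev, nxt in zip(trace, trace[1:]))


def similarity_to(reference: str, sample: str) -> Dict[str, float]:
    """Static-digest and trace-based similarity of `sample` to `reference`."""
    return {
        "static": jaccard(STATIC_DIGEST[reference], STATIC_DIGEST[sample]),
        "dynamic": jaccard(trace_bigrams(EXEC_TRACE[reference]),
                           trace_bigrams(EXEC_TRACE[sample])),
    }
```

    The repacked variant scores 0.0 statically but 0.8 on the trace, while the benign installer scores 1.0 statically and 0.0 on the trace, which is why a behavior-based view helps both with packed variants and with avoiding false positives on look-alike clean files.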
  20. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Vlk, I only have one concern about Auto Sandbox though. How does the trace work for stuff that requires partial user input?

    Example:

    Most malware runs the payload as soon as you click the EXE.
    But what about the files where the user has to click a button (let's say "Install") after clicking the EXE?

    Can Auto Sandbox process that on its own, or does the user have to click that button while the app is running in Auto Sandbox? Time in it is very limited and I often don't even bother to manipulate the app further than executing it...
     
  21. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    We could not expect any better explanations, thanks :thumb:
     
  22. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    552
    Agreed. Thanks for the info.
     
  23. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    265
    Location:
    USA
    Thank you very much. So both are new detection traces on new threats with Evo-Gen being closer to static-signature based detection, and Dyna-Gen being closer to behavior detection.

    A question please, would malware attached to or inside PDF files etc. be detected, or would stuff like that get through? Do other layers of Avast catch those?
     
  24. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    PDFs usually use exploits to execute a payload, which is usually binary data and will as such be detected at some point by one module for sure.
     
  25. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Very good work Avast, some very exciting things coming. Not that it matters, but I am very impressed. Vlk, good work to you and all at Avast.:thumb:
     