avast heuristic detection: win32:wronginf-C[Susp] catching malware a lot lately!?

Discussion in 'other anti-virus software' started by avman1995, Jun 15, 2013.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Will Dyna-Gen and Evo-Gen also be utilized in the free AV, or just the paid one? Thank you.
     
  2. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Evo-Gen signatures are already in Free and I think Dyna will follow the same path.
     
  3. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    These are all part of the backend classifiers. Of course, the data provided by them is available to free and paid users :rolleyes: .
    Just tested avast! against some undetected fresh samples (about 70) and it actually let only 2 samples get into memory without any reaction (either autosandbox without detection, or autosandbox with detection, or Evo-Gen, or FileRepMalware; I'm expecting many more autosandbox detections with Dyna-Gen, though).
     
  4. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    By the way, spywar, I assume you are clicking "continue execution" instead of "close", because that's the way I test it, and even with that avast's performance is great anyway :D

    @ vlk

    By next version, do you mean v9 or the next program update? :)
     
    Last edited: Jun 18, 2013
  5. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    He probably means v9.
     
  6. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
    Really depends, but typically yes. That is,
    - if the shellcode inside the malicious PDF just downloaded the payload as a separate file, then yes
    - if the payload were directly part of the shellcode, then no, but this is quite rare (mainly because it's pretty hard for the attackers to create such a shellcode).


    The malware detection capabilities have always been the same across all our products. That is, yes, it's in both free and paid versions.

    That's only a 97.14% detection rate - not that great in my book. We need to get to a consistent 100%... and that's what we're trying to do. :)

    I meant v9... but, that may actually be closer than you think. 'Nuff said for now. :blink: ;)


    Cheers
    Vlk
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
  8. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    310
    Location:
    USA
    Thanks. How rare are threats like this, does anyone know? Do any AVs protect against these? Would avast's behavior blocker not pick it up during execution of the payload?
     
  9. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
    Avast generally protects against those as well - all I was saying is that neither Evo-Gen nor Dyna-Gen helps with that (at least not today).

    In general, we (and many other vendors) try to detect and block exploits generically. I.e. instead of detecting specific payloads, we strive to block anything and everything that tries to exploit the actual vulnerability.

    You can check out Avast's capabilities in this respect on this page:
    http://www.avast.com/en-us/exploit-protection.php

    And of course, besides these, there are thousands and thousands of detections created for specific payloads (in some cases, fully generic blocking of a vulnerability is either not technically feasible, or just plain impractical).


    Currently not, but it's one of the things that are being done for the future releases. In fact, the autosandbox module is now undergoing a major upgrade and will soon feature something called "dynamic binary translation" (http://en.wikipedia.org/wiki/Binary_translation) - a functionality that will allow us to do much deeper analyses (things like low-level introspection on instruction level) which will likely allow us to see (and detect) much more than we do. And besides that, as sort of a side effect, this will also allow us to do some magic on the Win API level (such as the one you were asking about).

    This all is still somewhat experimental (in fact, a project running for a couple of years already) but we're getting there. :)

    Hope this helps,
    Vlk
     
  10. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    Thanks Vlk for your time here!! :D

    And also many thanks for all the hard work you guys are putting in. Though I am not using avast on my own laptop right now because I wanted a change, I continue to recommend it and use it on other PCs at home, and I have a feeling I will be coming back to avast soon :cool:

    Have A Great Day! :-*
     
  11. Antimalware18

    Antimalware18 Registered Member

    Joined:
    Dec 12, 2008
    Posts:
    417
    I would very much recommend this :cool:
     
  12. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Yesterday's avast AV update contains this item:
    DynaSql:Hexname-A

    Looks like it has started....:D
     
  13. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    310
    Location:
    USA

    What is it, a SQL key for a cloud database?
     
  14. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    @ spywar In your recent packs avast is doing awesome... Since evo-gen now works in real time on access, I allowed avast to stay on during extraction, and in the end, in those 12, 13 and 50 packs, only 2 or 3 were left behind. I have submitted the undetected ones. Also, looking at the malwares.pl forum, I am seeing that evo-gen (a.k.a. what their forum users call "cloud") is doing very well. Somewhere I saw avast detection was only around 40% for their pack, and when evo-gen came it picked up the remaining ones and detection rose to about 85 to 88%. And guess what, it beat the paid and other AVs, because the pack itself was low detection: others were in the 50s, 40s and 60s, and avast was in the 80s and touching 90s because of evo-gen :argh: No doubt avast performed so well in the latest AV-C... Full kudos to evo-gen and the avast team :D

    @ siketa, nine9s I have seen those sigs before; it looks like they are SQL injection rules for the sandbox, nothing much. But besides that sig they have added something called VITCAP, which I think is something new to me. Ummm... Well, yes, it may be that it has started, because there was an extra, unseen amount of dyna in the next update. Normally there are just 1 or 2, but the next one had like 3 or 5 :doubt:
     
  15. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    Again a new test... spywar posted a 20-sample pack on MT. Avast turned on with PUP on too... extracted, evo-gen detected many this time and only 3 or 4 samples were left over because of evo-gen. This has been happening for almost 5 or 6 days, and it's even typical for big packs, apart from the 213 pack which has some disputed samples. I have tested all the small packs spywar posted since yesterday together and landed with the same result :D

    Not to mention spywar's samples are always fresh..

    P.S. The last file that was cancelled in the image is an archive of undetected samples for avast :D
     
    Last edited: Jun 28, 2013
  16. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    More DynaSql entries have been added. Apparently they are kicking up the SQL part now. Can't wait for Dyna-Gen. Combined with Evo-Gen and streaming updates every 5 minutes, it will kick some serious butt.
     
  17. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    It sure will, and not to forget... Vlk said that something even more rocking than Dyna-Gen is coming this summer. I am guessing that will be during the middle/end of this month or the start of August.
     
  18. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    I wonder what that might be. I mean, we have all seen what Auto Sandbox does with behavior analysis, so feeding it just like Evo-Gen would be a very big thing (currently they have to make Dyna detections by hand). So I really wonder what that amazing thing will be...
     
  19. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    I don't have a clue either... I am sure whatever it is, it will surely make a difference in avast's performance when it comes to prevention of malware missed by the generic VPS. :)
     
  20. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    A BUMP up.

    Noticed some got added on 26.7.2013 - 130726-1:

    www.avast.com/virus-update-history

    There were dyna sigs, along with a never-before-seen sig called: EVO_FILES

    Wonder if this is something vlk talked about? o_O
     