why does avira always do so bad in other tests

Discussion in 'other anti-virus software' started by zfactor, Nov 3, 2007.

Thread Status:
Not open for further replies.
  1. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    Yes zfactor, this has been discussed on previous threads before.
     
  2. ChrisBUK

    ChrisBUK Registered Member

    Joined:
    Nov 15, 2007
    Posts:
    86
    Hmm, that is disappointing... I just downloaded that infected file and scanned it using AntiVir, it didn't detect anything...
    AVG Anti-Spyware and A-Squared both detected it as a trojan and promptly deleted it though.
     
  3. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    It's supposed to be detected by now. I sent a copy of the one you downloaded to Stefan and he wrote back and said it would be detected as DR/Delphi.Gen and he said he had to update the generic detector for it. He also said the file was not damaged so I don't know why when gav1577 sent it to Avira, by different methods, Avira kept saying it was damaged and they could see no nasty because of that.

    I couldn't get the file to execute on my virtual machine. Avira said that was probably because it was virtual machine aware. Last night though, I was thinking it may have partly executed because Firefox came to a gradual halt where loading had been slower and slower and then just stopped. I switched to IE and it was ok and then the same thing happened to it and then Explorer shut down. I have never had problems like that on the virtual machine before this. It's probably just a coincidence but I also had the host computer lock itself at the same time and I had carefully undone file sharing between the guest and host before I tried to execute the keygen file on the guest machine. I haven't restarted that guest machine yet and when I do, I may just choose another snapshot as if even part of that trojan is loose on the machine I don't want to go further with it. I was trying to confirm or disconfirm what gav1577 was reporting because Avira seemed to not be paying attention, but maybe they know more than they want to say (like it makes no sense that nicolae told gav1577 that Avira already detects the trojan but then I send the trojan to Stefan and he writes back that he has to update the generic detector for it to be detected)...I don't know but I feel uncomfortable about it and after my horrible experience with Kaspersky, I won't tolerate anything less than complete transparency in an AV vendor. However, I also realize that there are things a vendor may want to be vague about for good reasons.

    I posted more about my concerns regarding gav1577's file, and Avira not being able to protect itself, in the thread I started on Rising Antivirus False Positive. You might want to read that thread. It has several replies from Avira both in regard to Rising and gav1577's nasty. The quote below is from my last post in that thread. There has been no reply yet.

    "I still have one concern though. If gav1577 is correct about the keygen.exe file will the new detection of it as DR/Delphi.Gen mean that Avira will detect it before it starts to execute? Nicolae said in gav1577's thread ("Antivir being disabled by spyware") that Avira already detects it and gav1577 replied, yes, it does, but too late because Avira doesn't detect it until unpacked and executed and by that point the damage is done and on reboot the computer has all Avira registry files and program files missing. gav1577's concern was that Avira is not able to protect itself in the face of a nasty like this partly because of not being able to detect until it is unpacked and executed and partly because Avira's self protection is not that good. So, I'd like to see you, or some other Avira employee, address this in more detail. Maybe I didn't understand everything in gav1577's thread, but I thought I did and it worries me. Has anyone tried, with the copy of keyfinder.exe that I sent to Stefan, to reproduce gav1577's findings (not using a virtual machine of course)?"

    http://forum.avira.com/thread.php?threadid=29840
     
  4. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    this doesn't sound good for avira??
     
  5. Thug21

    Thug21 Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    141
    Location:
    Illinois
    Hopefully Avira will provide answers to these issues shortly. They do seem to have a very good record of listening to feedback and working to improve so let's see how this ends up.
     
    Last edited: Nov 15, 2007
  6. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    nicolae just said that Avira Classic doesn't detect it because it is spyware. That pretty much kills use of Avira Classic if it won't detect a TROJAN that kills it because it doesn't detect spyware.
     
  7. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    I assume the Premium Edition AV and the Premium Security Suite will detect it because there is an anti-spyware function with them?
     
    Last edited: Nov 16, 2007
  8. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    Coincidentally, I was just about to install the Avira free AV on my Son's new computer. Except for surfing the web and possibly clicking on a girly site, the computer won't see a lot of action at least while my Son is a computer newbie. After reading this long drawn out thread, I am confused as to whether I should install the Avira AV or not. Will someone tell me if Avira is OK for average use?:D
     
  9. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    The Free Classic Edition does not protect against spyware according to Avira. I would think he needs more protection.

    http://www.avira.com/en/products/personal.html
     
  10. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    In theory it should but I think Avira is thoroughly confused right now. Nicolae just posted and asked ChrisBUK to send a copy of the trojan to Avira. That is unnecessary because I sent a copy to Stefan on Nov 13 and Stefan wrote back saying it was "a type of Delphi dropper" and should be "detected as DR/Delphi.Gen". He thanked me for the sample.

    So, why isn't Avira detecting it by now and why does Avira need another copy of the same trojan? If Avira is detecting it then it has been classified as spyware instead of as a nasty trojan because I just opened my virtual machine and updated Avira classic and it still doesn't detect the file I sent Stefan. :(

    I asked Avira if anyone there had tried to reproduce gav1577's experience using the file I sent them and not using a virtual machine like I was doing. I have had NO response from Avira to my query. If I worked there, first thing I would have done upon getting a live sample of something a customer insisted kills Avira would have been to try and reproduce that. I think Avira does not really understand this whole thing.

    edit: I just submitted the file again to Jotti and Virus Total and Avira still is not detecting it. I don't think either of them use the Classic version of Avira for scanning.
     
    Last edited: Nov 16, 2007
  11. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I would get Avira PE or use the classic and install Sandboxie. Actually just install Sandboxie and Avast. Totally free.
     
  12. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    From some of my posts on the Avira forum, I think there is a language problem to some degree, and I think they have a kind of "if you don't like it tough" attitude at times. I pointed out (as did you) that the Avira firewall did not stealth all ports (based on Gibson test) and it did not then and does not now. After some fierce rebuttals by their people, they wrote a rule to allow the ports to be stealthed. The Avira firewall thus only stealths the ports if you employ the rule. It may not be a major issue to some- but it is for me. It is still not fixed. And, it does not surprise me that they have done nothing with your sample. Either they don't fully comprehend your issue, or they do and are evading it. Either way, it ain't fixed.
     
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Oh, I have gotten in quite a few cussing matches with a few there. Not anymore. Like Peter, if I ever go back to an AV, it will be Eset or KAV 8.;)
     
  14. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    This is the report from their analysis website:
     
  15. Leo2005

    Leo2005 Registered Member

    Joined:
    May 31, 2007
    Posts:
    179
    Location:
    Braunschweig (Germany)
    cause you sent it to Stefan who is responsible for the heuristic or generic detection. But the engine is not updated every day so it will take time (about a week) till it gets detected.
    by uploading it here: http://analysis.avira.com/samples/index.php
    it will be added to the vdf in a few hours.
    the heuristic address is only supposed for heuristic warnings. I know he is answering all the mails and explains or answers the questions but he is not the viruslab.
    Same for Nico in the forum. He is a supporter and not the viruslab.
    so upload the files to the address I linked above and it will be added in a few hours.
     
  16. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    honestly if kis didn't have the chkdsk errors and didn't use the tags I'd be using it now.. I like avira I really do but as I first posted I hear this type of thing A LOT on the -www... in a lot of different forums. makes me wonder how they do so well in av comp tests..
     
  17. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    Thanks for the suggestion, but as I mentioned my Son is a newbie to computers and something like sandboxie would not be an option. I'm showing him how to use e-mail right now.:D I'll install a good low maintenance AS or two along with the Avira. I already installed SpywareBlaster which just sits there. Later I'll show him how to check for updates.:p
     
  18. ChrisBUK

    ChrisBUK Registered Member

    Joined:
    Nov 15, 2007
    Posts:
    86
    Hi.

    I upgraded AntiVir Classic to the Premium free 90day trial and rescanned the file and it too didn't detect it. So it wasn't just Classic, it was both.
    Anyway, it looks like they have finally received a non-damaged file and it will be added to the definitions soon, so I look forward to rescanning the file in a few days. :)

    twl845, AntiVir does offer great protection, I think hopefully this is just a hiccup. I think it is wise to install one or two anti-spyware programs.
    I HIGHLY recommend A-Squared free version (this detected the infected file) and AVG Anti Spy-ware (this also detected it). Both are light on resources and work very well.

    It will be very interesting when the virus definitions have this trojan added, to see if AntiVir manages to stop the trojan before it actually kills AntiVir - maybe somebody is willing to try this on a test machine or something? :p
     
  19. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    An overlooked program is WinPatrol Plus which will keep the vast majority of malware from ever getting on your hard drive to begin with. Since nothing works 100% of the time (and I use the Avira Suite), WinPatrol Plus will not let these malware programs execute unless you give them permission. I think it works much better than all of the anti-spyware programs, and I have used and tested them all.
     
  20. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I have not had good luck with the online uploading. I will not use that again. I get stupid answers back like we already detect this when I sent an FP and labeled as such. I will not use that submission or from quarantine. Both are less than adequate. I know Stefan is responsible only for the heuristic warnings. I send to him though because (1) he has a much better understanding of English than the virus lab people and (2) he answers questions. But number 1 is the main reason I will not waste my time any more with sending to virus lab.

    Besides, in the case of this trojan, gav1577 had already sent it several times via the link you gave and email and each time the reply was that the file was damaged. So, I did not want to use the online link only to hear back that the file was damaged and why send to the lab via email to be told the file was damaged? I knew my copy was live, as gav1577 knew his was, so it seemed to me best to send to Stefan. With Stefan, I could explain the background of this whole incident and give him links to the threads at Avira forum and here and I knew he would understand because he is very proficient in English. (I wish that I could speak German and I greatly admire those who speak more than one language proficiently).
     
  21. SteveS335

    SteveS335 Registered Member

    Joined:
    Jan 16, 2007
    Posts:
    43
    Mele,

    Macstorm has successfully sent the sample in undamaged. Did you miss his post?

    Let's see what transpires from that.

    BTW it would be interesting to see which method he used to submit it.

    Steve
     
  22. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii

    Yes, I read that. But I sent it on Tuesday to Stefan undamaged. If this can be detected only by an engine upgrade which is what Stefan said then it doesn't matter how it was sent. I made a mistake in not thinking about how long it might take for an engine upgrade. I should not have been impatient for it to be detected quickly since it involves an engine upgrade. I apologize for that.

    This is sort of moot anyhow. Avira now has at least two copies of the nasty undamaged. So, we just have to wait for an engine upgrade. Maybe I should have tried online submission but gav1577 had trouble with that and I have felt frustrated in the past when sending FP's that way as Avira would just write "yes, we already detect this". Then there is no way to further communicate with the lab. Your email goes to a black hole if you reply.
     
  23. Thug21

    Thug21 Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    141
    Location:
    Illinois
    Mele, did you try to send the sample to virus@avira.com?
    That method is listed on http://analysis.avira.com/samples/index.php but you have to scroll down a bit. I think it should be easier to spot.

    As for the regular "submission form," it really does need a sort of comment area and a way to reply to the findings (as you said).
     
    Last edited: Nov 16, 2007
  24. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    No, I had forgotten about that address until yesterday, I think it was, when someone mentioned it at Avira forum. I think I used that once for FP's and was scolded. So, I forgot about it because I usually send FP's like the Rising AV one. I sent it to Stefan too because I know from experience that if I had sent it to the lab via the upload page they would have emailed me back and said "yes, we detect it" and I could not reply. They ignore FP in the designation. Of course, Avira likes to detect a whole bunch of stuff that NO other AV detects and Avira refuses to not detect a lot of it and the reasons, which I have gotten from Stefan and the forum (because there is way to talk to the lab), I don't understand. Avira seems to want to moralize and I don't think that is really the place of an antivirus vendor.

    Why do FP's have to be uploaded ONLY? Why can't they be sent by email or from quarantine? Avira has some odd rules about submissions and the ONLY submission, I think, that gets a response is the web one and then you can't reply. I think submissions should be via quarantine or by email with reply to both and forget the web page unless you can reply. When this unsatisfactory situation is brought up in their forums they ignore the posts and lock the threads.
     
  25. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    You crack me up Mele (no insult intended, honest) with the issues you've had with Avira, a lesser person would have dumped them long ago. I wonder what it is about AntiVir that you like so much. I think Avira is a pain in the butt, but I keep on coming back to it too!
     