- Apr 17, 2021
Historically, Avira's APC (Protection Cloud) has only supported the analysis and detection of PE (Portable Executable) samples, which limited Avira's ability to address script-based malware. Recently, however, I noticed a new detection name, "HEUR/APC.YAV", when testing Avira against a JS script malware sample (VirusTotal). Based on the naming convention, this cloud-based detection from APC is likely designed for script-based threats; "YAV" might be Avira's category for script-based malware.
To further test this, I slightly modified the original sample, changing some variable names, and executed it again. It was still detected.
Here is the detection log from Avira:
[2023-08-13 08:46:21.816] [info] [BaseScan] [thread id: 8876] The file '\\?\C:\Users\Desktop\1.js' was unknown in the Protection Cloud. SHA256: '4d6b54a14476efc43b3c1a54f9eab507172827b32bbbf92353618*****' Flags: '{Upload needed}' Status: successful ----- Unknown script malware will be sent to APC for analysis.
[2023-08-13 08:46:21.817] [info] [Core] [thread id: 8876] [ProtectionCloud] [apcsdk] file: 1 of 1 unique hashes left to check
[2023-08-13 08:46:22.037] [info] [Core] [thread id: 5952] [ProtectionCloud] Starting upload of file'C:\Users\\Desktop\1.js'
[2023-08-13 08:46:22.971] [info] [Core] [thread id: 5952] [ProtectionCloud] Upload of file 'C:\Users\\Desktop\1.js' was successful
[2023-08-13 08:46:27.990] [info] [Core] [thread id: 8876] [ProtectionCloud] [apcsdk] file: 1 of 1 unique hashes left to check
[2023-08-13 08:46:28.205] [info] [BaseScan] [thread id: 8876] The file '\\?\C:\Users\\Desktop\1.js' has been uploaded to the Protection Cloud and analyzed. SHA256: '4d6b54a14476efc43b3c1a54f9eab507172827b****' Flags: '{Detected}{Upload done}' Status: successful ---- It took APC 7 sec to analyze the sample and return the detection.
[2023-08-13 08:46:28.205] [info] [BaseScan] [thread id: 8876] The file '\\?\C:\Users\\Desktop\1.js' was scanned with the Protection Cloud. SHA256: '4d6b54a14476efc43b3c1a54f9eab507172827b32bbbf9235*****' Flags: '{Detected}{Upload done}' Status: successful
[2023-08-13 08:46:28.205] [info] [BaseScan] [thread id: 8876] Detection by Protection Cloud: '{HEUR/APC.YAV} File: '\\?\C:\Users\\Desktop\1.js' SHA256:'4d6b54a14476efc43b3c1a54f9eab50717*****' ---- Detection name was also displayed.
From the logs, we can infer:
- A manual right-click scan of suspicious scripts doesn't trigger the APC query.
- Avira now not only queries the APC with file hashes, but it also uploads unknown files to the cloud for further analysis.
- Analysis is rapid, taking only 7-8 seconds, suggesting no dynamic analysis takes place.
- Unlike PE files, Avira allows script-based samples to run first, then uploads and analyzes them. If deemed malicious, the original file is removed, followed by a high-sensitivity quick scan for remediation.
- Unfortunately, there are no related records in the Sentry logs at this time.
To further explore APC's protection against script malware, I chose five script viruses from MB: two were VBS scripts and three were JS. Avira failed to detect all of them when scanned.
Details of each sample:
Test Sample 1 (https://www.virustotal.com/gui/f ... 3b001b5d82d9fa0a529)
- Type: JS script downloader
- Initial Results: Successfully intercepted. It was detected as TR/Dldr.Script.daa1c4 by the APC.
- Follow-up Test: After making minor modifications to the sample and executing it, an APC upload was triggered, but the threat wasn't detected. Eventually, network protection blocked a malicious website during its runtime.
Test Sample 2
- Type: JS script downloader
- Results: The threat was successfully intercepted, and the local engine detected it as HTML/ExpKit.Gen2. No APC detection was triggered.
Test Sample 3
- Type: JS script downloader
- Initial Results: Successfully intercepted without an upload trigger; APC detected it as JS/YAV.Minerva.7cd592.
- Follow-up Test: After making simple alterations to the sample and executing it, an APC upload was triggered. The subsequent detection was JS/YAV.Minerva.07d701.
Test Sample 4
- Type: VBS script downloader
- Results: APC scanning missed the threat, and there were no alert pop-ups. Based on the VT analysis, Avira was able to block the Command and Control server (C2), suggesting the script might not have run successfully on my VM.
Test Sample 5
- Type: VBS script, specifically the Houdini Trojan
- Initial Results: Upon execution, an error occurred causing the script to terminate. APC was triggered, but no threat was detected.
- Follow-up Test: After modifying the sample slightly and running it again, an APC upload was triggered. Roughly 7 seconds later, it was detected as HTML/Agent.e8dc9c, which seems quite strange.
In summary, with support for scripts, APC has significantly improved Avira's detection rate against script-based threats. However, there's still room for improvement, such as a missing integration with Sentry. Additionally, I'm curious to see if F-Secure, which utilizes the Avira engine, will benefit from this recent upgrade in APC.
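The timings and flags in the post were read off the log by hand. The script below is an added example (not part of the original post and not Avira's code) that parses log lines in the format quoted above into a per-file APC timeline (hash lookup, upload, verdict) and computes the latencies. The sample log is constructed to mirror the quoted lines: the paths, hashes and the second file are placeholders, and the format of the "analyzed" line for a file that is uploaded but not detected is an assumption, since the post only shows the detected case. All function and class names are mine.

```python
"""Reconstruct Avira Protection Cloud (APC) timelines from agent log lines.

Added example, not Avira's code. Log format follows the lines quoted in the
post; the clean-verdict line for the second file is an assumed shape.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional

# Constructed sample modelled on the post's quoted lines. Paths, hashes and the
# second file (2.js, uploaded but not detected) are placeholders, not real data.
SAMPLE_LOG = r"""
[2023-08-13 08:46:21.816] [info] [BaseScan] [thread id: 8876] The file '\\?\C:\Users\lab\Desktop\1.js' was unknown in the Protection Cloud. SHA256: 'aaaaaaaaaaaaaaaa' Flags: '{Upload needed}' Status: successful
[2023-08-13 08:46:21.817] [info] [Core] [thread id: 8876] [ProtectionCloud] [apcsdk] file: 1 of 1 unique hashes left to check
[2023-08-13 08:46:22.037] [info] [Core] [thread id: 5952] [ProtectionCloud] Starting upload of file'C:\Users\lab\Desktop\1.js'
[2023-08-13 08:46:22.971] [info] [Core] [thread id: 5952] [ProtectionCloud] Upload of file 'C:\Users\lab\Desktop\1.js' was successful
[2023-08-13 08:46:28.205] [info] [BaseScan] [thread id: 8876] The file '\\?\C:\Users\lab\Desktop\1.js' has been uploaded to the Protection Cloud and analyzed. SHA256: 'aaaaaaaaaaaaaaaa' Flags: '{Detected}{Upload done}' Status: successful
[2023-08-13 08:46:28.205] [info] [BaseScan] [thread id: 8876] The file '\\?\C:\Users\lab\Desktop\1.js' was scanned with the Protection Cloud. SHA256: 'aaaaaaaaaaaaaaaa' Flags: '{Detected}{Upload done}' Status: successful
[2023-08-13 08:46:28.205] [info] [BaseScan] [thread id: 8876] Detection by Protection Cloud: '{HEUR/APC.YAV} File: '\\?\C:\Users\lab\Desktop\1.js' SHA256:'aaaaaaaaaaaaaaaa'
[2023-08-13 08:50:00.000] [info] [BaseScan] [thread id: 8876] The file '\\?\C:\Users\lab\Desktop\2.js' was unknown in the Protection Cloud. SHA256: 'bbbbbbbbbbbbbbbb' Flags: '{Upload needed}' Status: successful
[2023-08-13 08:50:00.200] [info] [Core] [thread id: 5952] [ProtectionCloud] Starting upload of file 'C:\Users\lab\Desktop\2.js'
[2023-08-13 08:50:01.000] [info] [Core] [thread id: 5952] [ProtectionCloud] Upload of file 'C:\Users\lab\Desktop\2.js' was successful
[2023-08-13 08:50:07.500] [info] [BaseScan] [thread id: 8876] The file '\\?\C:\Users\lab\Desktop\2.js' has been uploaded to the Protection Cloud and analyzed. SHA256: 'bbbbbbbbbbbbbbbb' Flags: '{Upload done}' Status: successful
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\] \[(?P<level>\w+)\] "
    r"\[(?P<comp>\w+)\] \[thread id: (?P<tid>\d+)\] (?P<msg>.*)$")
# The upload lines sometimes lack the space before the quote ("file'C:\..."), so \s*.
PATH_RE = re.compile(r"(?:The file|Starting upload of file|Upload of file|File:)\s*'(?P<path>[^']+)'")
SHA_RE = re.compile(r"SHA256:\s*'(?P<sha>[0-9A-Fa-f*]+)'")       # '*' because the post masks hashes
FLAGS_RE = re.compile(r"Flags:\s*'(?P<flags>(?:\{[^}]*\})+)'")
DETECT_RE = re.compile(r"Detection by Protection Cloud:\s*'\{(?P<name>[^}]+)\}")
LONG_PATH_PREFIX = "\\\\?\\"   # Win32 extended-length prefix on BaseScan paths only


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def normalize_path(path: str) -> str:
    # BaseScan logs '\\?\C:\...' while the uploader logs 'C:\...'; key on one form.
    return path[len(LONG_PATH_PREFIX):] if path.startswith(LONG_PATH_PREFIX) else path


@dataclass
class ApcTimeline:
    path: str
    sha256: Optional[str] = None
    unknown_at: Optional[datetime] = None        # hash lookup returned "unknown"
    upload_started_at: Optional[datetime] = None
    upload_done_at: Optional[datetime] = None
    verdict_at: Optional[datetime] = None        # "uploaded ... and analyzed"
    flags: set = field(default_factory=set)
    detection: Optional[str] = None

    @property
    def detected(self) -> bool:
        return "Detected" in self.flags

    @staticmethod
    def _secs(start: Optional[datetime], end: Optional[datetime]) -> Optional[float]:
        return (end - start).total_seconds() if start and end else None

    @property
    def total_seconds(self) -> Optional[float]:     # unknown -> verdict
        return self._secs(self.unknown_at, self.verdict_at)

    @property
    def analysis_seconds(self) -> Optional[float]:  # upload done -> verdict
        return self._secs(self.upload_done_at, self.verdict_at)

    def verdict(self) -> str:
        if self.detected and self.detection:
            return f"detected as {self.detection}"
        if self.detected:
            return "detected (name missing from log)"
        if self.upload_done_at:
            return "uploaded, not detected"
        return "hash lookup only"


def parse_apc_log(text: str) -> Dict[str, ApcTimeline]:
    timelines: Dict[str, ApcTimeline] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        pm = PATH_RE.search(msg)
        if not pm:                      # apcsdk progress lines carry no path
            continue
        tl = timelines.setdefault(normalize_path(pm["path"]),
                                  ApcTimeline(normalize_path(pm["path"])))
        if (sm := SHA_RE.search(msg)):
            tl.sha256 = sm["sha"]
        if (fm := FLAGS_RE.search(msg)):
            tl.flags.update(re.findall(r"\{([^}]*)\}", fm["flags"]))
        if "was unknown in the Protection Cloud" in msg:
            tl.unknown_at = tl.unknown_at or ts
        elif "Starting upload of file" in msg:
            tl.upload_started_at = ts
        elif "Upload of file" in msg and "was successful" in msg:
            tl.upload_done_at = ts
        elif "uploaded to the Protection Cloud and analyzed" in msg:
            tl.verdict_at = ts
        elif (dm := DETECT_RE.search(msg)):
            tl.detection = dm["name"]
    return timelines


if __name__ == "__main__":
    for tl in parse_apc_log(SAMPLE_LOG).values():
        print(f"{tl.path}: {tl.verdict()}; total {tl.total_seconds}s, "
              f"after upload {tl.analysis_seconds}s; flags={sorted(tl.flags)}")
```

On the post's own lines the unknown-to-verdict gap comes out at about 6.4 s and the post-upload analysis at about 5.2 s, which is the "7-8 seconds" the post reads off the timestamps and the reason it concludes no sandbox run is involved. A file that shows "Upload needed" and later "Upload done" without "Detected" is the failure mode seen in the follow-up tests: the sample reached the cloud but came back clean.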