AV-Comparatives Malware Protection Test March 2022

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Arequire

Unless something's changed since I last used it, 7-Zip absolutely removes MOTW upon extraction. The only two archivers I know that don't are Bandizip and Windows' built-in unzip utility (does it even have an official name?).

Edit: Just tested and 7-Zip does still remove MOTW.
 

Anthony Qian

> Unless something's changed since I last used it, 7-Zip absolutely removes MOTW upon extraction. The only two archivers I know that don't are Bandizip and Windows' built-in unzip utility (does it even have an official name?).
>
> Edit: Just tested and 7-Zip does still remove MOTW.

Thanks for testing. Just curious: since 7-Zip removes MOTW, why can CyberCapture still be triggered and block some threats?
 

Arequire

> Thanks for testing. Just curious: since 7-Zip removes MOTW, why can CyberCapture still be triggered and block some threats?

Couldn't tell you. Are you sure it's triggering CyberCapture and not Deep Screen (or whatever Avast calls it nowadays)? The blue alert in @Andy Ful's previous post is Deep Screen while the red alert is CyberCapture. They work differently; as far as I'm aware Deep Screen analyses the file locally on your system, while CyberCapture sends the file to Avast for analysis.

Edit: I was wrong about the blue alert being Deep Screen. See @Anthony Qian's post below.
 

Andy Ful

From Hard_Configurator Tools
> Thanks for testing. Just curious: since 7-Zip removes MOTW, why can CyberCapture still be triggered and block some threats?

The CyberCapture sandbox was not triggered:

[Attached screenshot]


CyberCapture can recognize that the file was downloaded from the Internet when the file has got MOTW. One can force CyberCapture to use the sandbox for any EXE file by adding the MOTW. This is done for example by Hard_Configurator or RunBySmartscreen.

In theory, the malware can be undetected by the CyberCapture sandbox, but this happens very rarely (for malware with strong anti-sandbox features). But, you wrote in one of your posts that you saw many such samples - this seemed strange to me. Now we know that these samples did not have MOTW, so they were not analyzed in the CyberCapture sandbox.
 

Anthony Qian

> Couldn't tell you. Are you sure it's triggering CyberCapture and not Deep Screen (or whatever Avast calls it nowadays)? The blue alert in @Andy Ful's previous post is Deep Screen while the red alert is CyberCapture. They work differently; as far as I'm aware Deep Screen analyses the file locally on your system, while CyberCapture sends the file to Avast for analysis.

According to a senior user on Avast's forum, Deep Screen has been removed and integrated into CyberCapture. (how to activate deep screen avast)

> The CyberCapture sandbox was not triggered:
>
> [Attached screenshot]
>
> CyberCapture can recognize that the file was downloaded from the Internet when the file has got MOTW. One can force CyberCapture to use the sandbox for any EXE file by adding the MOTW. This is done for example by Hard_Configurator or RunBySmartscreen.
>
> In theory, the malware can be undetected by the CyberCapture sandbox, but this happens very rarely (for malware with strong anti-sandbox features). But, you wrote in one of your posts that you saw many such samples - this seemed strange to me. Now we know that these samples did not have MOTW, so they were not analyzed in the CyberCapture sandbox.

The fact that CyberCapture missed a lot of samples was noticed by a lot of Avast testers on a Chinese malware testing forum, not just by me. 🤔

In the case of the MBR killer sample, I'm pretty sure Avast's cloud-based automatic analysis system can't properly detect this kind of threat, because I've submitted similar samples to Avast before and had to wait hours for them to add a detection. If Avast's cloud-based automatic analysis system can classify a threat, a detection will be added within minutes, as we all know.
 

Andy Ful

> ...
> In the case of the MBR killer sample, I'm pretty sure Avast's cloud-based automatic analysis system can't properly detect this kind of threat, ...

There is no perfect sandbox, so it is possible. Anyway, you can check it by yourself by uploading the sample to OneDrive (online) and downloading the sample from OneDrive to the disk. The sample will get MOTW.
You can also use the Windows built-in unpacker to unpack the Zip file downloaded directly from the Internet (the MOTW will be transferred to the unpacked executable).

> The fact that CyberCapture missed a lot of samples was noticed by a lot of Avast testers on a Chinese malware testing forum, not just by me. 🤔
> ...

The reason for that was probably using samples without MOTW. If you are a member of this forum, you can ask them about it.
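
Added example, not part of the post above or of any tool named in the thread: a Python check of which files in a folder still carry MOTW (stored by Windows in the NTFS `Zone.Identifier` alternate data stream), so a tester can confirm that samples kept the mark after download or extraction. The function names and the sample stream body are constructed for illustration.

```python
import configparser
import os
import sys

ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample of a Zone.Identifier stream body (not from the thread).
SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
          "HostUrl=https://downloads.example.test/sample.zip\r\n")


def parse_zone_identifier(text):
    """Parse the INI-style stream body; None if it is malformed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case (ZoneId, HostUrl, ...)
    try:
        cp.read_string(text.lstrip("\ufeff"))
        fields = dict(cp["ZoneTransfer"])
        zone = int(fields["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None
    return {"zone_id": zone, "zone": ZONES.get(zone, "Unknown"),
            "host_url": fields.get("HostUrl")}


def read_motw(path):
    """Parsed mark for `path`, or None if absent or malformed. Uses NTFS
    'file:stream' syntax, so marks are only visible on Windows."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def audit(folder):
    """Map every file under `folder` to its MOTW record (None = no mark)."""
    return {os.path.join(root, name): read_motw(os.path.join(root, name))
            for root, _dirs, files in os.walk(folder) for name in files}


if __name__ == "__main__":
    print("sample:", parse_zone_identifier(SAMPLE))
    for path, motw in sorted(audit(sys.argv[1] if sys.argv[1:] else ".").items()):
        print(f"{'MOTW: ' + motw['zone'] if motw else 'no MOTW':<22} {path}")
```

Running it against a folder extracted with each archiver shows directly whether the mark was carried over to the unpacked files.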
 

Anthony Qian

> There is no perfect sandbox, so it is possible. Anyway, you can check it by yourself by uploading the sample to OneDrive (online) and downloading the sample from OneDrive to the disk. The sample will get MOTW.
> You can also use the Windows built-in unpacker to unpack the Zip file downloaded directly from the Internet (the MOTW will be transferred to the unpacked executable).

I think I’ll use Bandizip instead of 7-Zip. :)
 

likeastar20

> The CyberCapture sandbox was not triggered:
>
> [Attached screenshot]
>
> CyberCapture can recognize that the file was downloaded from the Internet when the file has got MOTW. One can force CyberCapture to use the sandbox for any EXE file by adding the MOTW. This is done for example by Hard_Configurator or RunBySmartscreen.
>
> In theory, the malware can be undetected by the CyberCapture sandbox, but this happens very rarely (for malware with strong anti-sandbox features). But, you wrote in one of your posts that you saw many such samples - this seemed strange to me. Now we know that these samples did not have MOTW, so they were not analyzed in the CyberCapture sandbox.

And if an .exe does not have a MOTW, you can trick Avast by using RunBySmartscreen?
 

Trident

What other users have observed about CyberCapture is true, it is not resistant to evasion and many times reports malware as safe only for behavioural blocking to remove it after. This means that they are able to properly classify the malicious behaviour but they haven’t been able to get to it.

CyberCapture is a small supplement in the whole Avast ecosystem (last line of defence) and is neither as essential nor as well developed as business solutions that have been perfecting emulation for more than a decade. Eset LiveGuard is not any better. It has been confirmed by Marcos (Eset forum admin) that LiveGuard doesn’t simulate user activity for example. That was discussed on one of my statuses.

@Andy Ful not all vendors need the MOTW, some like Norton, Trend Micro, Check Point and McAfee use sensors to detect downloading behaviour/downloaded files. These do not depend on MOTW at all and will perform their scan flow regardless of whether it is present. Avast has decided to minimise the number of files emulated due to the substantial cost.

@Anthony Qian CyberCapture is not local at all. DeepScreen is local and attempts to perform local emulation whilst the behaviour is processed through online classifiers. CyberCapture attempts to place the malware in a more controlled environment. The logic upon the initial design was that human analysis will be performed when the automated one fails. Maybe this still is the case but human analysis will take some time.
 

Andy Ful

> @Andy Ful not all vendors need the MOTW, some like Norton, Trend Micro, Check Point and McAfee use sensors to detect downloading behaviour/downloaded files. These do not depend on MOTW at all and will perform their scan flow regardless of whether it is present. Avast has decided to minimise the number of files emulated due to the substantial cost.

I would say that most AV vendors do not rely much on MOTW. :)
Microsoft Defender is an exception, but some features (like ASR rules) do not need MOTW at all.
Smart App Control does not need MOTW to protect PE files - it is required for non-PE files like scripts, disk images, etc.
Avast uses MOTW only in CyberCapture, but Hardened Mode does not rely on MOTW.
 