App Review Another Avast Behavior Blocker vs Ransomware Test

@cruelsister

The whitelist feature of Avast (hardened mode) is (currently) related to the FILE (execution) SHIELD (because you execute a file), so don't bother to enable hardened mode when the execution filter of the file shield is disabled. The placement of this feature in the GUI as a general option is misleading, but it might have rung a bell that your samples passed the whitelist feature.;)

On second thought: your test showed that the behavior blocker scored 100% detection. It might well be that, by disabling the file (execution) shield, Avast will not stop further execution of that sample (or of executables spawned by that binary).:unsure:

Regards, Kees
That is a good point. The test proves that probably Avast Behavior Shield does not work correctly without File Shield. Proving something more requires not disabling the File Shield, but using the old signatures instead. Anyway, Behavior Shield failed to detect Petya Green ransomware, I think.
I was just trying to recreate the test of the Avast BB that was posted last week and which gave a false impression (the hardened Mode was active because I would have been criticized for not using it).

Although I actually think that Avast has made great strides in the past 9 months and is currently quite a good product (sad that it recently refuses to play nice with CF!), my primary concern is that Avast users are not misled by not well-designed tests. Any of the ransomware that bypassed the Avast BB in this test can be easily morphed to a true zero day, and running into one of these even with File Shield active will result in Unnumbered Tears.
 
The behaviour shield is linked with the File Shield in some aspects. I can't go into much detail but I'll give an example. Most of the time zero day malware is already classified in the cloud (old malware is also classified in the cloud). Now here comes the important bit: malware is executed and IDP (behaviour shield) checks the cloud and gets a result that the file is classified as malicious, but IDP does this check "asynchronously". This means that the behaviour shield would not block the malware immediately, since the File Shield, which does the check "synchronously", would have already removed the threat before IDP got involved. File Shield does this query synchronously, e.g. it will block the malware process creation immediately while the query result gets back from the cloud. This is why sometimes some files get encrypted by ransomware before IDP reacts. This happens a lot with Petya-based samples if File Shield is disabled.

I'm not saying that the behaviour shield is a silver bullet since nothing is 100% but it would be nice to see a video with the File Shield enabled.

The file shield is also linked to whitelisting in hardened mode. Hardened mode also only targets exe files.
So, even with the old local signatures and active File Shield, the test will be invalid, because in the cloud the signatures are new.
If I have correctly understood Alikhan, the test is invalid by design, because of the way the Behavior Shield interacts with the cloud. It would be correct only for true 0-day malware (not detected by the cloud). One thing is interesting in the test. The users should know that disabling File Shield automatically disables hardened mode. This is a bug, that the user can tick the hardened mode, and it does not work.
Edit1.
It would be interesting to test Avast Behavior Shield with disabled Internet connection.
Edit2.
... and enabled File Shield + old signatures.
Can you even test a behavior blocker in "isolation"? Selectively disabling one component or another even though they're enabled out of the box and judiciously choosing your malware can be construed as more self-serving, right? Naturally, this is hindsight following that Malware Geek production. Thanks for this more unbiased presentation.
The test would be better if the sample bypassed both the File Shield and Behaviour Shield with cloud enabled. Without the cloud, the behavior shield would not do as well (I would say awful) due to the fact that old detections are moved to the cloud, plus there is no file shield to check synchronously. The behavior shield does do analysis but is often slow to react; that's why, when files are analyzed by the behaviour shield, they are moved to the cloud so the file shield can block them. Personally, I'm not a fan of hardened mode and it makes CyberCapture useless.
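The race described in the File Shield / IDP post above (a synchronous execution gate that waits for the cloud verdict versus a behaviour monitor that only gets the same verdict after the process is already running) and the offline case raised in this post, as a toy simulation added to this thread. It is not Avast code and reflects no Avast internals: the verdict table, the 3-tick cloud latency, the 8-file local heuristic threshold and the sample names are all constructed assumptions.

```python
"""
Toy model of an execution gate that waits for a cloud verdict (File Shield
style, synchronous) versus a behaviour monitor that asks the cloud after the
process is already running (Behavior Shield / IDP style, asynchronous).
Everything here is constructed for illustration: the verdict table, the
latency in "ticks", the heuristic threshold and the sample names are
assumptions, not Avast internals.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed cloud reputation table. A "true zero day" (a re-packed sample the
# cloud has never seen) is simply absent from it.
CLOUD_VERDICTS = {
    "petya-like-known": "malicious",
    "notepad": "clean",
}


@dataclass(frozen=True)
class Sample:
    name: str
    malicious: bool            # ground truth, used only to drive the simulation
    files_to_encrypt: int = 20


@dataclass(frozen=True)
class Outcome:
    blocked_at_launch: bool        # stopped before a single instruction ran
    killed_at_tick: Optional[int]  # tick at which the monitor killed it, if any
    files_encrypted: int


def cloud_lookup(name: str, online: bool) -> Optional[str]:
    """Verdict for a sample name (stand-in for a hash), or None when unknown or offline."""
    return CLOUD_VERDICTS.get(name) if online else None


def simulate(sample: Sample, *, file_shield_on: bool, cloud_online: bool,
             cloud_latency: int = 3, heuristic_threshold: int = 8) -> Outcome:
    """Run one launch of `sample` under a given shield configuration.

    Synchronous gate: with File Shield on, process creation is held until the
    cloud answers; a "malicious" answer means nothing ever runs.
    Asynchronous monitor: otherwise the process starts at once and encrypts one
    file per tick. The same cloud answer only arrives after `cloud_latency`
    ticks, and a purely local heuristic fires after `heuristic_threshold`
    encryptions (both numbers are assumptions).
    """
    verdict = cloud_lookup(sample.name, cloud_online)
    if file_shield_on and verdict == "malicious":
        return Outcome(True, None, 0)
    if not sample.malicious:
        return Outcome(False, None, 0)          # benign process just runs

    for tick in range(1, sample.files_to_encrypt + 1):
        # tick t: file t is encrypted, then the monitor gets to look
        cloud_says_kill = verdict == "malicious" and tick >= cloud_latency
        heuristic_fires = tick >= heuristic_threshold
        if cloud_says_kill or heuristic_fires:
            return Outcome(False, tick, tick)
    return Outcome(False, None, sample.files_to_encrypt)  # nothing caught it


def scenario_table(sample: Sample) -> dict:
    """Files lost under the four configurations the thread argues about."""
    return {
        "file_shield+cloud": simulate(sample, file_shield_on=True, cloud_online=True).files_encrypted,
        "behavior_only+cloud": simulate(sample, file_shield_on=False, cloud_online=True).files_encrypted,
        "file_shield+offline": simulate(sample, file_shield_on=True, cloud_online=False).files_encrypted,
        "behavior_only+offline": simulate(sample, file_shield_on=False, cloud_online=False).files_encrypted,
    }


# Constructed samples: one the cloud knows, one re-packed so the cloud does not, one benign.
KNOWN_RANSOMWARE = Sample("petya-like-known", malicious=True)
ZERO_DAY = Sample("petya-like-repacked", malicious=True)
BENIGN = Sample("notepad", malicious=False)

if __name__ == "__main__":
    for s in (KNOWN_RANSOMWARE, ZERO_DAY, BENIGN):
        print(s.name, scenario_table(s))
```

Reading the table: for the cloud-known sample the synchronous gate loses nothing, the asynchronous monitor alone loses as many files as the cloud round trip takes, and with the cloud unreachable both configurations fall back to the local heuristic and lose the same amount. For the re-packed sample the cloud has never seen, File Shield on or off makes no difference at all, which is the "true zero day" case the thread says a fair test should use.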
I meant: It would be interesting to test Avast Behavior Shield with disabled Internet connection and enabled File Shield (forgot about the bold fragment).:)
Edit
Plus old signatures.
A Crueler test of the Avast Behavior Blocker vs Ransomware.

Here are two screenshots of what IE and Edge are doing with my computer these days.
Attachments: ScreenHunter_91 Oct. 15 10.24.jpg, ScreenHunter_92 Oct. 15 10.24.jpg
I have Windows 10 Pro + Edge. No problems with this video (I tried both Edge and IE). So it is not an Edge/IE problem on default settings.
I was just trying to recreate the test of the Avast BB that was posted last week and which gave a false impression (the hardened Mode was active because I would have been criticized for not using it).
So, this means that in that other test the file shield was indeed disabled? If that's the case and Avast BB still worked, then that means that the Avast behavior blocker doesn't need the File Shield.

Could someone link the other test?