Advice Request Aren't Avira's processes protected?


Pearl96

Level 5
Thread author
Verified
Jan 14, 2017
203
No no need to tweak. It isn't a real virus and possibly a test for endpoint?

And yes there is a behavior blocker in Avira Pro, it's just not listed anywhere, but asking the support, it is in Pro and not in the free version ;)

You can head to (www.amtso.org) for more information
 

Pearl96

Level 5
Thread author
Verified
Jan 14, 2017
203
I agree, service is critical, not the GUI. Avira is BTW a great product. Good detection rate + low system usage. May I ask how much RAM your Avira consumes, to compare it to mine? :)
 

Attachment: Screenshot (2).png

Wave

Avira do have self-protection, please try re-installing the product and try again.

Use Process Explorer or Process Hacker, and check if you can terminate the service (if any).
Terminating the GUI doesn't matter if the service is still running.
The GUI process does matter because if it's not allowed to run then the user cannot modify any settings to enable protection if it's disabled, or respond to any potential alerts.

Process Explorer won't be able to terminate any Avira processes due to it being user-mode only, however Process Hacker will only succeed if and only if it relies on its kernel-mode driver to bypass access checks (kprocesshacker.sys - which Avast actually blacklisted now haha).

Did you run Windows Task Manager with Admin privileges?
Elevation isn't a factor since Avira use a kernel-mode driver to use ObRegisterCallbacks which is system-wide (even for the kernel code execution), the only way to bypass it when it's working is from within kernel-mode using kernel-mode only functions such as ObOpenObjectByPointer.

----
To OP: submit a help ticket to Avira support in the case of a bug, but beforehand please reinstall the product and re-check if the process protection works - make sure it's enabled within the Avira settings though.
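
The post above says elevation does not help because the filtering happens in a kernel callback registered with ObRegisterCallbacks. The following user-mode model of that filtering is an added example, not part of the thread and not Avira's code; the `handle_request` struct, the `DENIED_RIGHTS` policy and the PID values are assumptions made for illustration, while the access-right constants are the Windows SDK values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Process access rights, values as defined in the Windows SDK (winnt.h). */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
/* Assumed policy: rights the protection driver never grants on its processes. */
#define DENIED_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | \
                       PROCESS_VM_OPERATION | PROCESS_VM_WRITE)

/* Hypothetical stand-in for what a pre-operation callback sees per request. */
struct handle_request {
    uint32_t target_pid;      /* process the handle would refer to */
    uint32_t caller_pid;      /* process asking for the handle */
    bool     caller_elevated; /* admin token or not; the callback never reads it */
    uint32_t desired_access;  /* rights the caller asked for */
};

static bool in_list(uint32_t pid, const uint32_t *pids, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (pids[i] == pid) return true;
    return false;
}

/* Returns the access mask left on the handle after the callback has run. */
uint32_t pre_open_callback(const struct handle_request *req,
                           const uint32_t *protected_pids, size_t n)
{
    if (in_list(req->caller_pid, protected_pids, n))
        return req->desired_access;                  /* product's own processes */
    if (in_list(req->target_pid, protected_pids, n))
        return req->desired_access & ~DENIED_RIGHTS; /* strip dangerous rights */
    return req->desired_access;                      /* unprotected target */
}

/* TerminateProcess needs a handle that carries PROCESS_TERMINATE. */
bool can_terminate(uint32_t granted) { return (granted & PROCESS_TERMINATE) != 0; }

int main(void)
{
    const uint32_t protected_pids[] = { 4321 };      /* constructed sample PID */
    struct handle_request admin = { 4321, 900, true, PROCESS_TERMINATE };
    uint32_t granted = pre_open_callback(&admin, protected_pids, 1);
    printf("elevated caller may terminate: %d\n", can_terminate(granted));
    return 0;
}
```

The open still succeeds but the handle comes back without PROCESS_TERMINATE, which matches the symptom reported later in the thread where clicking "end process" does nothing.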
 

Pearl96

Level 5
Thread author
Verified
Jan 14, 2017
203
Avira do have self-protection, please try re-installing the product and try again.


The GUI process does matter because if it's not allowed to run then the user cannot modify any settings to enable protection if it's disabled, or respond to any potential alerts.

Process Explorer won't be able to terminate any Avira processes due to it being user-mode only, however Process Hacker will only succeed if and only if it relies on its kernel-mode driver to bypass access checks (kprocesshacker.sys - which Avast actually blacklisted now haha).


Elevation isn't a factor since Avira use a kernel-mode driver to use ObRegisterCallbacks which is system-wide (even for the kernel code execution), the only way to bypass it when it's working is from within kernel-mode using kernel-mode only functions such as ObOpenObjectByPointer.

----
To OP: submit a help ticket to Avira support in the case of a bug, but beforehand please reinstall the product and re-check if the process protection works - make sure it's enabled within the Avira settings though.

I am sure I am having an issue! As I remember Avira alerts you and pops up a notification if a virus is detected but I don't get any of these just a sound but not a notification! Have they changed such a thing in 2017 edition?
 

Wave

Have they changed such a thing in 2017 edition?
Doubt it.

Try downloading the Eicar Test (perfectly harmless test file that most vendors make a generic signature for so people can test if the protection is working properly): Download ° EICAR - European Expert Group for IT-Security - see what happens, Avira should detect it I believe.

Please try reinstalling the product and then check if the self-protection functionality is working properly. If it isn't after re-installing then contact Avira.
 

Pearl96

Level 5
Thread author
Verified
Jan 14, 2017
203
Doubt it.

Try downloading the Eicar Test (perfectly harmless test file that most vendors make a generic signature for so people can test if the protection is working properly): Download ° EICAR - European Expert Group for IT-Security - see what happens, Avira should detect it I believe.

Please try reinstalling the product and then check if the self-protection functionality is working properly. If it isn't after re-installing then contact Avira.

I have downloaded the EICAR test file and Avira successfully detected it but did not give any notifications, just a sound.
 

Pearl96

Level 5
Thread author
Verified
Jan 14, 2017
203
Yes.. So uninstall -> restart -> install -> restart -> now check if everything works. :)
Now I am 100% sure that there is an issue with Avira. I added the file cloudcar.exe manually to Avira's quarantine and it is detected in the quarantine but not when I download the file or even scan it! See the screenshots for more details.
Screenshot (3).png
cloudcar.PNG
 

Wave

Don't reinstall it.... if the GUI is disabled no warnings are given...
He said the self protection isn't working, therefore unless his system is infected with malware which is causing Avira not to work correctly, reinstalling the product is his best bet next to requesting support.

If his system is already infected, it doesn't matter if he uninstalls it, since it didn't detect anything and it's been beaten already, so it wouldn't cause any additional harm.

If he reinstalls it and the issue persists then he can contact Avira, they can perform diagnostic info and if the system is really infected which is causing the problem then OP can request assistance on this forum if he'd like.

However if he reinstalls it and the issue persists and he believes his system is infected, best use another machine since malware can steal your information such as login credentials (e.g. banking).
 

Pearl96

Level 5
Thread author
Verified
Jan 14, 2017
203
He said the self protection isn't working, therefore unless his system is infected with malware which is causing Avira not to work correctly, reinstalling the product is his best bet next to requesting support.

If his system is already infected, it doesn't matter if he uninstalls it, since it didn't detect anything and it's been beaten already, so it wouldn't cause any additional harm.

If he reinstalls it and the issue persists then he can contact Avira, they can perform diagnostic info and if the system is really infected which is causing the problem then OP can request assistance on this forum if he'd like.

However if he reinstalls it and the issue persists and he believes his system is infected, best use another machine since malware can steal your information such as login credentials (e.g. banking).

Hello! First of all my system isn't infected and it's a fresh install of Windows 10. I have reinstalled Avira and it seems the issue has been resolved! I am not able to terminate Avira's processes but the GUI. When I click end process nothing happens to all Avira's processes but the GUI one! I have one more question. Avira's cloud only works when the suspicious file is initiated? I mean isn't the scanner cloud-powered?
Thank you very much and I really appreciate your help from A to Z :)
 

Wave

When I click end process nothing happens to all Avira's processes but the GUI one!
That isn't how it used to be when I reported a vulnerability to them (which actually evolved around the GUI), I think they removed protection from the GUI so my vulnerability would no longer matter hahaha :D funny...
 

Pearl96

Level 5
Thread author
Verified
Jan 14, 2017
203
Avira's journey in my laptop has ended here :) I did not like it at all. Also its usage was increasing over time.
 

RXZ6Q

Level 4
Verified
Mar 30, 2016
169
Avira's journey in my laptop has ended here :) I did not like it at all. Also its usage was increasing over time.
Thanks for sharing your situation. What are you going to switch to? I feel like Windows Defender is PRETTY GOOD in terms of protection + usage. I would say in detection it's like -10-20% worse than top AVs, but that's still pretty good.
 

spaceoctopus

Level 16
Verified
Top Poster
Content Creator
Well-known
Jul 13, 2014
766
Avira is a very good and powerful product. In that case, there should be an issue, a bug or something like that. In General > Security you will find Product Protection, and every box should be ticked. If every box is ticked and the issue is the same, better contact their support.

antivirus-pro_extras_configuration_general_security_product-protection_en.jpg
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
I have one more question. Avira's cloud only works when the suspicious file is initiated? I mean isn't the scanner cloud-powered?
apc-infographic.png

So yes, any suspects detected due to reasons like suspicious behavior/ action sequence/ unrecognizable files... will be sent to cloud for confirmation.
However, all Avira cloud does is verify against their threat DB (possibly somewhat more advanced than their offline protection, they say that this way attackers cannot analyse how their mechanism works) to identify the file's safety flag.
I'm not sure how exactly it differs from other clouds out there. Panda uses classification method, applies analysis and flags the bad files, similar to HMP and the likes.
apc-bubbles.png

But that shouldn't be the case with EICAR test files. Its detection is de facto for most AVs.
 

Pearl96

Level 5
Thread author
Verified
Jan 14, 2017
203
So yes, any suspects detected due to reasons like suspicious behavior/ action sequence/ unrecognizable files... will be sent to cloud for confirmation.
However, all Avira cloud does is verify against their threat DB (possibly somewhat more advanced than their offline protection, they say that this way attackers cannot analyse how their mechanism works) to identify the file's safety flag.
I'm not sure how exactly it differs from other clouds out there. Panda uses classification method, applies analysis and flags the bad files, similar to HMP and the likes.

But that shouldn't be the case with EICAR test files. Its detection is de facto for most AVs.

Thank you for the clarification (Y)
 