Avast CyberCapture: How does it work?

Status
Not open for further replies.

Captain Awesome

Level 24
Thread author
Verified
Top Poster
Well-known
May 7, 2016
1,307
One of the new ways we are increasing protection is with a cool new proprietary technology called CyberCapture. CyberCapture dramatically raises the bar when it comes to protection against zero-second attacks.


Let me explain how it works, and take a look at the infographic below which shows the path of an unknown file.

[Infographic: the path of an unknown file through CyberCapture]

The threat landscape has significantly evolved in recent years and malware has become a lucrative business for cybercriminals. Threats are becoming more sophisticated and the life span of malware has drastically changed with the heavy use of server polymorphisms and targeted attacks. Server polymorphism is where one malware sample targets a single user before the code morphs into a new sample and attacks the next user, enabling zero-second attacks that are very difficult to prevent using traditional protection methods. Since samples constantly morph, their life spans are radically shortened, allowing cybercriminals to focus on big and quick campaigns to hit the maximum number of victims within the shortest time frame possible. CyberCapture detects morphed, yet-unknown files in real time and thus protects you from zero-second attacks.

In a nutshell, CyberCapture is a cloud-based smart file scanner. Rather than relying on the latest definition updates, CyberCapture isolates suspicious files in a safe environment and automatically establishes a two-way communication channel with the Avast Threat Labs for immediate analysis. This allows us to clear away all the false code, misdirection, and other stuff malware creators use to mask malware’s true intentions. By peeling away layers of obfuscated code in the cleanroom environment of our cloud, CyberCapture is able to fully dissect the file and observe the binary level commands inside the malware and fully understand the instructions hidden there.

CyberCapture evolved from our DeepScreen technology, which used to analyze unknown files locally, in a virtualized “sandbox” environment. DeepScreen had two major problems, though. First, it relied on the NG virtualization component, which wasn’t compatible with all systems (it required certain settings to be enabled in the system BIOS etc.). And second, it allowed the suspicious file to run in the sandbox for only a very short time (typically 10-15 seconds), dramatically reducing the precision of the decision-making algorithm. By moving the technology to the Cloud, and taking all the time needed to properly analyze the file, we are now adding an additional layer of protection that will be extremely difficult for attackers to beat.

While developing CyberCapture, we put a great deal of effort into shortening the time between malware discovery and the deployment of a detection. We moved the technology to the cloud, so that we can leverage all of our heavy weapons to analyze samples in a controlled environment. Additionally, running our powerful detection engines on our backend means the cybercriminals have to touch our cloud to test our product's abilities, which not only makes their lives harder, but also lets us see them.

Typically, the automated analysis will need up to two hours to make a reliable decision about the file. In certain cases, it will not be possible for our engines to make that decision, which is where our experienced analysts will step in to manually analyze the file. During that time, the file is still contained in the “capture” and hence cannot cause any harm. Once the analysis is complete, the user is notified about the result and the file is either quarantined or released from the capture and allowed to run.

CyberCapture is a new system and will take a bit of time to become fully tuned and productive. Because of the nature of its operations, CyberCapture continually gathers intelligence on new viruses. This means it will organically improve as it is used and, therefore, it will continue to iterate increased performance.
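To make the workflow in the post concrete, here is an added example (written for this thread, not Avast's code) that models the hold-until-verdict flow as a small decision function: known hashes are settled from a local reputation cache, an unknown file stays contained while a backend works on it, and the only way out of the capture is a definite verdict, so when the two-hour automation budget runs out the file is escalated to a human rather than released. The `FakeCloud` class, the `EVIL-MARKER` byte string, the sample file names and the reputation sets are all constructed stand-ins and say nothing about how the real backend classifies files.

```python
"""Toy model of a hold-until-verdict pipeline for unknown executables."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Tuple

# Budget for automated analysis, matching the post's "up to two hours".
MAX_ANALYSIS_MINUTES = 120


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    PENDING = "pending"  # backend has not decided yet


class Action(Enum):
    RUN = "run"                # released from the capture
    QUARANTINE = "quarantine"  # confirmed malicious
    HOLD = "hold"              # still contained, waiting for the backend
    ESCALATE = "escalate"      # automation budget spent: hand to an analyst, keep held


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample downloads (not real files).
SAMPLE_FILES = {
    "installer.exe": b"MZ\x90\x00 well-known installer",
    "dropper.exe": b"MZ\x90\x00 EVIL-MARKER packed payload",
    "newtool.exe": b"MZ\x90\x00 never seen before",
}

# Constructed local reputation cache keyed by SHA-256; only the installer is known.
KNOWN_CLEAN = {sha256_hex(SAMPLE_FILES["installer.exe"])}
KNOWN_BAD: set = set()


@dataclass
class Capture:
    name: str
    sha256: str
    minutes_waited: int
    verdict: Verdict = Verdict.PENDING


class FakeCloud:
    """Constructed stand-in for the analysis backend. It answers PENDING until
    `decide_after` minutes have passed, then classifies by a byte marker. A real
    backend would unpack and observe the sample; this only models the timing."""

    def __init__(self, decide_after: int) -> None:
        self.decide_after = decide_after

    def analyze(self, data: bytes, minutes_waited: int) -> Verdict:
        if minutes_waited < self.decide_after:
            return Verdict.PENDING
        return Verdict.MALICIOUS if b"EVIL-MARKER" in data else Verdict.CLEAN


def decide(name: str, data: bytes, cloud: FakeCloud,
           minutes_waited: int) -> Tuple[Action, Capture]:
    """Decide what to do with a downloaded file after `minutes_waited` minutes."""
    digest = sha256_hex(data)
    cap = Capture(name, digest, minutes_waited)

    # 1. Known hashes are settled locally and never enter the capture.
    if digest in KNOWN_BAD:
        cap.verdict = Verdict.MALICIOUS
        return Action.QUARANTINE, cap
    if digest in KNOWN_CLEAN:
        cap.verdict = Verdict.CLEAN
        return Action.RUN, cap

    # 2. Unknown file: it stays contained while the backend works on it.
    cap.verdict = cloud.analyze(data, minutes_waited)
    if cap.verdict is Verdict.CLEAN:
        return Action.RUN, cap
    if cap.verdict is Verdict.MALICIOUS:
        return Action.QUARANTINE, cap

    # 3. No verdict yet: the only path out of the capture is a definite verdict,
    #    so a timeout escalates to a human instead of releasing the file.
    if minutes_waited >= MAX_ANALYSIS_MINUTES:
        return Action.ESCALATE, cap
    return Action.HOLD, cap


if __name__ == "__main__":
    cloud = FakeCloud(decide_after=30)
    for minutes in (0, 30, 120):
        for name, data in SAMPLE_FILES.items():
            action, cap = decide(name, data, cloud, minutes)
            print(f"t={minutes:3d}m {name:14s} {cap.verdict.value:9s} -> {action.value}")
```

The design point worth noticing is step 3: a missing verdict is never treated as "clean". That is the property that makes a capture useful against short-lived, morphing samples, and it is also why the wait time the later replies complain about is the cost of the feature rather than a bug in it.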
 

Deleted member 2913

It takes 2 hours. So I guess it's not possible to see the effectiveness of CC in YouTube tests, etc., right?
Yeah, we can see CC blocking files for inspection, but the verdict needs time, and testers will not wait for 2 hours, I guess.

But I hope CC is not another fancy term from the Avast house like some previously, and I hope it's really effective and works, and that along the way the time needed is improved and much less, an acceptable scenario for the users.
Coz I guess CC blocks the file for inspection, but there is an option to allow the file too, right?
 
  • Like
Reactions: XhenEd and DardiM

Guest28

Looks like Avast really wants to improve here; they actually listened this time around! They have the file information after all these years to make this one strong tool.
 
  • Like
Reactions: DardiM and XhenEd

Atlas147

Level 30
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
Looks like just a normal cloud-based analysis. I think the main thing is to see the time taken between the file being uploaded and the detection being given to the user. If it takes way too long, I suspect most users would just deactivate this feature, because it would lock the exe, preventing it from running on the system until the OK is given by Avast.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
ESET, Kaspersky, Avira and even Avast do the same thing; different names, but linked to similar concepts.

It is interesting, however, that immediate analysis is so impossible, in the sense that, as usual, it is monitored by humans and not robots to avoid false results.

A good additional component, as long as the user is convinced on the basis of the alert descriptions.
 

Deleted member 2913

I think so. I think ESET's Live Grid and Kaspersky's Kaspersky Security Network work similarly to this, but of course there are major differences among them.
I think KSN is a connected cloud, i.e. anything run on the system is checked with KSN.

Don't know if ELG works the above-mentioned way too? I don't think so.

And it seems ELG is somewhat dependent on the Web module, i.e. if you disable the Web module then ELG protection locally is somewhat limited.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Deleted member 2913 said:
I think KSN is a connected cloud, i.e. anything run on the system is checked with KSN.

Don't know if ELG works the above-mentioned way too? I don't think so.

And it seems ELG is somewhat dependent on the Web module, i.e. if you disable the Web module then ELG protection locally is somewhat limited.
Like I said, how they perform unknown file analysis in the cloud is different. But still, they're all performing cloud analysis of unknown files. Thus, they are similar, but different in how they perform the analysis. :)

ESET's Live Grid Cloud Analysis:
ESET Technology Overview said:
CLOUD MALWARE PROTECTION SYSTEM
The ESET Cloud Malware Protection System is one of several technologies based on ESET’s cloud-based system, ESET LiveGrid. Unknown, potentially malicious applications and other possible threats are monitored and submitted to the ESET cloud via the ESET LiveGrid Feedback System. The samples collected are subjected to automatic sandboxing and behavioral analysis, which results in the creation of automated signatures if malicious characteristics are confirmed. ESET clients learn about these automated detections via the ESET LiveGrid Reputation System without the need to wait for the next signature database update. The mechanism’s turnaround time is typically under 20 minutes, which allows for effective detection of emerging threats even before regular signatures are delivered to users’ computers.
 

Guest28

CyberCapture for now will only stop unknown files from executing after download from the web. I guess from what I see on the forums they will eventually roll it out for everything once the cloud servers get on par with everything. As for Hardened Mode, I hope once CyberCapture becomes more advanced they can get rid of Hardened Mode and only use one technology efficiently and accurately. I'd like for them to do something similar to Norton.
 

DJ Panda

Level 30
Verified
Top Poster
Well-known
Aug 30, 2015
1,928
@ryan or they can keep CyberCapture as a separate option and people can choose which one they still want to use. Avast Hardened Mode seems to do pretty well. :)
 
  • Like
Reactions: XhenEd