App Review Avast Free 3rd Beta Test(MalwareDoctor)

[MDTechVideos]

As always comments and feedback are welcomed.

 

[spywar]

Something I don't understand ....
1. At 10:10 you start running samples undetected by avast.
2. Some of them really looks safe but it does not matter now ...
3. You say "Not hearing anything from avast!" Why ? Are these samples bad or safe ? If they were safe it's normal to not hear anything from a AV program ...
I know it takes time to test I also test avast v8 but only with malware samples (very fresh) and I just wanted to let you know that too many safe samples are inside the Virus sign samples.

spywar.

 

[Plexx]

Something I don't understand ....
1. At 10:10 you start running samples undetected by avast.
2. You say "Not hearing anything from avast!" Why ? Are these samples bad or safe ? If they were safe it's normal to not hear anything from a AV program ...

What he means:
1st sample ran goes straight into memory but no alert was displayed. avast!
From my understanding, something would have alerted but then again if memory serves me right, default settings for most shields are set to automatic decisions which has always been my problem with avast (auto sandbox and behavior shield).

Anyhow, the very first file is a rather suspicious. Comodo flags it as Unknown.

If it was a safe file of such type, the analyses would be different.

What troubles me the most here is not so much how it performed but how it detected MBAM as a rootkit...

If only avast! had the option to submit instead of ignore or delete (drop down box).

Other than that, I really hope the free version will not have the extra spaces filled in by modules not available in the free version.

I understand a clean UI but listing options that do not exist in the free version but push you to buy is not something I endorse.

Thanks for the test MD.

@MD: Could you upload (if you still have the samples) the very first sample you run to VT? I am curious to see the report.

 

[MDTechVideos]

Something I don't understand ....
1. At 10:10 you start running samples undetected by avast.
2. Some of them really looks safe but it does not matter now ...
3. You say "Not hearing anything from avast!" Why ? Are these samples bad or safe ? If they were safe it's normal to not hear anything from a AV program ...
I know it takes time to test I also test avast v8 but only with malware samples (very fresh) and I just wanted to let you know that too many safe samples are inside the Virus sign samples.

spywar.

What do you mean "it does not matter now"? It took Avast a few additional moments to jump on the execution of that particular piece of malware.

It is assumed all of the executables in the pack of malware are malicious, but in that pack can be expected many Potentially Unwanted Programs(PUP's) and Adware-bundled toolbar's, which is most of what slipped by Avast. As to the reason why I was using virussign samples: it was the most convenient place for me to find them considering the latest samples from MT were about 2 weeks old.

The single most important thing that needs to be acknowledged is that I tested a BETA product. This was more of a demonstration of how the product will react/perform/look than an actual test to determine the protection offered by an antivirus/antimalware solution. So while the malware used is still important, it is not as significant when testing a beta.

@Bioz: I am looking for it. When I find it I will send it over the pm.

 

[spywar]

Sorry but there is some better places to find fresh malware samples and also you did not enable PUP detections (which is normal it's not by default so no problem) so be sure that avast! actually detects more samples from this pack.
And if autosandbox dynamic analysis cannot find the file to be a malware it's normal : It's a PUP it does not behave like malware that's it.
Thanks for testing anyway.

 

[spywar]

Something I don't understand ....
1. At 10:10 you start running samples undetected by avast.
2. You say "Not hearing anything from avast!" Why ? Are these samples bad or safe ? If they were safe it's normal to not hear anything from a AV program ...

What he means:
1st sample ran goes straight into memory but no alert was displayed. avast!
From my understanding, something would have alerted but then again if memory serves me right, default settings for most shields are set to automatic decisions which has always been my problem with avast (auto sandbox and behavior shield).

Anyhow, the very first file is a rather suspicious. Comodo flags it as Unknown.

If it was a safe file of such type, the analyses would be different.

What troubles me the most here is not so much how it performed but how it detected MBAM as a rootkit...

If only avast! had the option to submit instead of ignore or delete (drop down box).

Other than that, I really hope the free version will not have the extra spaces filled in by modules not available in the free version.

I understand a clean UI but listing options that do not exist in the free version but push you to buy is not something I endorse.

Thanks for the test MD.

@MD: Could you upload (if you still have the samples) the very first sample you run to VT? I am curious to see the report.

"Comodo flags it as unknown", if you rely on Comodo's whitelist to see what's suspicious and what's not there is a problem man MANY MANY MANY files are unknown to Comodo even safe they whitelist a small fraction of files not digitally signed (forum user's submission) so you cannot say that.

 

[MDTechVideos]

Sorry but there is some better places to find fresh malware samples and also you did not enable PUP detections (which is normal it's not by default so no problem) so be sure that avast! actually detects more samples from this pack.
And if autosandbox dynamic analysis cannot find the file to be a malware it's normal : It's a PUP it does not behave like malware that's it.
Thanks for testing anyway.

PUP's can behave like malware. PUP's usually download without the users consent, a common trait in malware. More often than not PUP's are bundled with Adware, dialers and other forms of malicious software that can and will do harm to a computer. Also please enlighten me where you find zero-day samples that are free to use.

 

[Plexx]

"Comodo flags it as unknown", if you rely on Comodo's whitelist to see what's suspicious and what's not there is a problem man MANY MANY MANY files are unknown to Comodo even safe they whitelist a small fraction of files not digitally signed (forum user's submission) so you cannot say that.

Ok I will quote myself again:

Anyhow, the very first file is a rather suspicious. Comodo flags it as Unknown.

At no stage I am saying Comodo is the go to reference guide nor the file is safe or not. Suspicious is the keyword here.
However let's all bear in mind that the only comparison in a way on this particular test was avast and Comodo.

That is why I asked for the sample to have it checked in VT as it seems to be a toolbar bundled piece of software.

Next time, read everything before jumping to conclusions.

Also please enlighten me where you find zero-day samples that are free to use.

There is a way which requires manual hunt and then manual check. Unless you have too much time to burn, you can forget about it.

There is a site but is always down for me to download the latest 50 (back when I was testing solutions). Safegroup also opted for a different policy where only they can allow or deny the possibility to have access to their files (back then).

VirusSign would be the closest one can use should there be not too much time to prep.

 

[MDTechVideos]

Just ran the sample through VT(glad I still had the pack saved on my host machine).

https://www.virustotal.com/en/file/bfd5cd537e7121efce01695e50fb8f18551ec948b386aa138ed4f9117fdfc520/analysis/

File name: HomePage22find.exe
Detection ratio: 17 / 45
Analysis date: 2013-02-18 10:38:49 UTC ( 7 hours, 25 minutes ago )