App Review Avast Free Antivirus vs. Ransomware (TSPC)

[Der.Reisende]

Thank you @ Leo from TPSC for this very nice review!



EDIT: Note that the test only shows Behavior Blocker (IDP) capabilities, all other protection mechanisms were turned off.

 

[hirudora56]

Well just finished watching this on youtube. Avast seems to have the signature but it works late. And if it is using Cybercapture, then it is worrisome. As far as I know, Leo has basically a low moderate connection. And if Avast is relying on cloud signatures, the ransomwares will do its job before it is blocked.

 

[ahity]

Well just finished watching this on youtube. Avast seems to have the signature but it works late. And if it is using Cybercapture, then it is worrisome. As far as I know, Leo has basically a low moderate connection. And if Avast is relying on cloud signatures, the ransomwares will do its job before it is blocked.

agree, i read and watch review video avast late blocking ransomware

 

[Der.Reisende]

Well just finished watching this on youtube. Avast seems to have the signature but it works late. And if it is using Cybercapture, then it is worrisome. As far as I know, Leo has basically a low moderate connection. And if Avast is relying on cloud signatures, the ransomwares will do its job before it is blocked.

Yes, of what I've learned from testing AVG (Avast and AVG use the same tech vice versa since v2017), even IDP (BB @ Avast) seems to rely on cloud to a certain amount. No idea whether it fully relies on cloud, but some fresher RW samples i tested "offline" busted my machine. With cloud, the IDP / BB reacts very fast and reliable to threats, even without signatures / cloud rep detection.

 

[Winter Soldier]

Standard security solutions (not default deny), have still to rely on signatures trying to detect the ransomware before the mess.
It seems that behavioral blockers, as already seen with Avira, are rather slow in detection, too late ...is useless.

If you take an Hex decompiler by inspecting the sample, the first thing probably you will notice are the main components to create an executable that would be the various coded libraries called by the system.
If the ransomware uses the Windows libraries for the encryption process (as usually it can happen) this may fool BB systems and delaying the detection.

 

[Der.Reisende]

Standard security solutions (not default deny), have still to rely on signatures trying to detect the ransomware before the mess.
It seems that behavioral blockers, as already seen with Avira, are rather slow in detection, too late ...is useless.

If you take an Hex decompiler by inspecting the sample, the first thing probably you will notice are the main components to create an executable that would be the various coded libraries called by the system.
If the ransomware uses the Windows libraries for the encryption process (as usually it can happen) this may fool BB systems and delaying the detection.

Exactly, a Plan B (external backups) is a must in any case (technical damage or software damage), and there is so much 3rd party Anti-Ransom on the market (Plan C), I would for sure put on next to my trusted AV (for real-time scenarios, not for single product tests in the HUB).
Waiting for the next BETA of RansomOff, seems pretty promising, but currently conflicts with ShadowDefender as it seems (had no warnings blinking up when I tested it against some ransomware - which was kept in a frozen state as long as RO was running).
Those products might rather look for file changes in monitored areas than for "typical" attack vectors. Many of those products feature a auto-file-backup and restore feature, which is great if it works and the backup is safe from getting encrypted, too

 

[DJ Panda]

This is why I tweaked Avast. Might not help at some points but with everything enabled it's a good layer of security.

 

[Alikhan]

CyberCapture wasn't triggered in this test so it's just a behaviour shield test since...

In order for CyberCapture to work, these 4 criteria must be met.
- CyberCapture needs to be enabled
- The file needs to be downloaded via HTTP(s) - At this moment of time no others methods trigger it. - This means if you transferred the malicious files via USB/FTP etc it wouldn't trigger.
- You have to have the Web Shield component installed "webshield to spot the download and mark it as being downloaded from a specific url"
- Participating in the Avast Community

Looking at this test, some samples were blocked by IDP, however, it was late to react resulting in some files to become encrypted. That could be an issue which I will escalate to the Avast devs.

 

[WinXPert]

Plan D. With that slow reaction, be ready to reinstall windows and restore from backups (Ok no backup, face palm)

 

[Orion]

Okay now let me chip in here shall we:

1) I am not impressed at all with the result to be honest.Let me tell you that this is not the first time avast's IDP has detected it late after it encrypted it.

2) The problem with late blocked has been reported and is under inspection by avast! team.Now lets come to the name of the review it says "Avast vs Ransomware" Now looking at this I will tell you that any regular watcher will think its avast (with all its shields) vs ransomware.

3) If you disable file shield you are cutting off avast! autosandbox tech too with evo--gen and filerep which are avast means of detecting malware.Avast by no means is a tradational AV:
Avast Technology

4) This does not reflect real world usage its just a test that pokes at IDP only.If you really have to test a AV against undetected Malware do it downloading a proper undetected malware from the actual source in presence of the AV in this case avast so it reflects real world and all avast shields come into play even cybercapture in this case since it will see it was downloaded from the internet.

There is really no need to take this or any test at face value its a small test of what IDP can do its not like it cannot completely block ransomwares it does done it many a times before in our malware hub tests it(IDP) blocked Wannacry before it could do any harm these are just one of those "misses".

Now from avast! team point of view,they don't necessarily feel IDP is a silver bullet it does have a lot of things in it to make it as bulletproof as possible as they don't consider it as bypass since their cloud and backend pick up on jaff and other ransomware quite,their cloud and evo-gen are really strong any tester at our malware hub will admit it.There is one another feature that is strictly coming to protect user data to get encrypted by ransom malware but I am not allowed to disclose it here.

 

[Orion]

Okay here is a answer from a avast! dev responsible for IDP:

As I said several times before, IDP is no silver bullet, you can't expect it to detect all ransomware with 100% hit rate, at the Jaff case in the video, the detection is again from cloud, the reason why it is from cloud is because the sample tested was old, so Avast cloud had already classified it, so IDP sent a cloud check query and got back that it is a malware. While File Shield does this query synchronously, e.g. it will block the malware process creation while the query result gets back from the cloud, IDP does this check asynchronously, I will not get into the details why, but this is the reason why it detects the sample "late", because Jaff is very quick and by the time the query result gets back from the cloud, it manages to encrypt some of the files on the disk and if you remember the new feature I showed you in Prague, that is exactly developed because we know that we are not able to catch 100% all ransomware, so we create a new layer for protecting your files.
also, for Jaff, we are able to catch the typical dropper for Jaff, which is the PDF -> Office -> macro downloader scenario, so the test is a bit artificial in the sense that it does not test the infection vector

 

[silversurfer]

Okay now let me chip in here shall we:

1) I am not impressed at all with the result to be honest.Let me tell you that this is not the first time avast's IDP has detected it late after it encrypted it.

2) The problem with late blocked has been reported and is under inspection by avast! team.Now lets come to the name of the review it says "Avast vs Ransomware" Now looking at this I will tell you that any regular watcher will think its avast (with all its shields) vs ransomware.

3) If you disable file shield you are cutting off avast! autosandbox tech too with evo--gen and filerep which are avast means of detecting malware.Avast by no means is a tradational AV:
Avast Technology

4) This does not reflect real world usage its just a test that pokes at IDP only.If you really have to test a AV against undetected Malware do it downloading a proper undetected malware from the actual source in presence of the AV in this case avast so it reflects real world and all avast shields come into play even cybercapture in this case since it will see it was downloaded from the internet.

There is really no need to take this or any test at face value its a small test of what IDP can do its not like it cannot completely block ransomwares it does done it many a times before in our malware hub tests it(IDP) blocked Wannacry before it could do any harm these are just one of those "misses".

Now from avast! team point of view,they don't necessarily feel IDP is a silver bullet it does have a lot of things in it to make it as bulletproof as possible as they don't consider it as bypass since their cloud and backend pick up on jaff and other ransomware quite,their cloud and evo-gen are really strong any tester at our malware hub will admit it.There is one another feature that is strictly coming to protect user data to get encrypted by ransom malware but I am not allowed to disclose it here.

It seems you want to talk like an expert but it only sounds like a opinion of avast fanboys! Malware testing in the Hub here are always unbiased

 

[mekelek]

Okay now let me chip in here shall we:

1) I am not impressed at all with the result to be honest.Let me tell you that this is not the first time avast's IDP has detected it late after it encrypted it.

2) The problem with late blocked has been reported and is under inspection by avast! team.Now lets come to the name of the review it says "Avast vs Ransomware" Now looking at this I will tell you that any regular watcher will think its avast (with all its shields) vs ransomware.

3) If you disable file shield you are cutting off avast! autosandbox tech too with evo--gen and filerep which are avast means of detecting malware.Avast by no means is a tradational AV:
Avast Technology

4) This does not reflect real world usage its just a test that pokes at IDP only.If you really have to test a AV against undetected Malware do it downloading a proper undetected malware from the actual source in presence of the AV in this case avast so it reflects real world and all avast shields come into play even cybercapture in this case since it will see it was downloaded from the internet.

There is really no need to take this or any test at face value its a small test of what IDP can do its not like it cannot completely block ransomwares it does done it many a times before in our malware hub tests it(IDP) blocked Wannacry before it could do any harm these are just one of those "misses".

Now from avast! team point of view,they don't necessarily feel IDP is a silver bullet it does have a lot of things in it to make it as bulletproof as possible as they don't consider it as bypass since their cloud and backend pick up on jaff and other ransomware quite,their cloud and evo-gen are really strong any tester at our malware hub will admit it.There is one another feature that is strictly coming to protect user data to get encrypted by ransom malware but I am not allowed to disclose it here.

yet for example disabling everything in Kaspersky products except the System watcher yields the same result as having everything on.(when testing ransomware)
you can blame it on disabling features but at the end of the day, if a module is meant to be targeted to a certain malicious thing like ransomware, and it fails hard, then you might want to just admit that said module needs improvement and not blame it on other things.

why do people talk about security suite like their favorite football team..

 

[Orion]

Sorry but I just spoke my mind and I think everyone can do the same here.

How can I be a Fanboy when I myself am dissatisfied with the result here? I am also someone who has critized avast in previous threads(Please check my previous posts here) and on wilders too previously.Fanboy is someone who defends the product everytime I was just stating some facts and response from devs and you can search the malware hub for wannacry and IDP did stop it.

IDP is no silver bullet as Avast team already said.You are comparing 2 completely different products and argueably one being industry leader(Kaspersky).

You can call me a Fanboy (MT is known for this) or a critic I don't care for either label.I have and will be a critic of testing AV's and potential flaws in a product or a test will be pointed out(Go ask umbra) and if the devs have said something I can only quote it.Its upto you to read it.

It's simply a test that pokes at IDP only.I can go out shooting at YouTube tests and their flaws which some of you will not like.

I am also someone who has been in squat circle of AV and malware since my childhood.

Please check my posts on here before doing so.

 

[Game Of Thrones]

well, every product is different, some modules are connected together some are not in the diffrent product. I'm sorry if my sentences make any of our friends uncomfortable but I think many forums are toward Kaspersky and others( even samples). in this specific test it is not a good test. as I said av's are different and their modules are sometimes connected together so we can not compare any av in this matter directly. for example, trend micro can not be tested by its modules and real-time is controlling everything, eset is hard to test, and many others, when we don't know how a product works we can not test it and say it's a bad product. sometimes av's loose to malware this is real world. please stop making this forum comfortable for a specific av and make it look like a god.

 

[Orion]

I would agree with the above.Its not just a product.Please stop making YouTube testing look like God.All the conclusions based on the product on such tests over here seem rather to be taken at face value despite the prior notice.

Some testers are just more technically accurate in this area than others however it's still interesting to watch and it gives YouTube a new look it should never be taken at face value.

This testing is done out of curiousty and there are flaws to it that I can point out also some testers have no knowledge of how a product works.Take it with a grain of salt.

 

[Game Of Thrones]

It seems you want to talk like an expert but it only sounds like a opinion of avast fanboys! Malware testing in the Hub here are always unbiased

well, many of his sentences were correct man, like real world testing. youtube av testing is one of the worst things that happened in youtube, I'm not talking about some people who just test for fun and test just some modules or behavior. when you have the audience from everywhere then you have more responsibility.YouTubers testings are not good for example they do not test the products at the same time with the same pack, they always use different packs and url and then compare the av's!!

 

[Orion]

I think some of the members over here have rather been ignorant to see the obvious points of any test and its results.I am surprised to see more than one person wanting to make this test "real world 100% accuracy" type thing by discrediting my statements.They should go back to my previous post where I pointed out Avast for all the negatives in this forum before tagging me a Fanboy.

I am just a critic of testing and someone who loves pointing out abvious flaws and sometimes what I think can be fixed or what the devs thought in this case.

I am not against any kind of testing.Youtube tests is just not as accurate(some testers are much better) and this test is only for IDP and I have already posted what the devs said there is a feature coming to fix the delay in response from cloud to IDP.

 

[amico81]

I don't understand the problems from Avast...they have 400 million users, so a big network for detection and earning money. And they are just on 3. or 4. place versus other av companies.

 

[Orion]

I don't understand the problems from Avast...they have 400 million users, so a big network for detection and earning money. And they are just on 3. or 4. place versus other av companies.

I can show you X Antivirus component bypassed by X sample

Again this test is only demonstrating IDP not the entire product.This statement makes no sense with what IDP does.Its been acknowledged by devs that there is a sync issue which is done on purpose and to compensate it a new feature to protect user data is coming.The files tested are already detected by file shield which was disabled during the test.

Avast,Avira and some products have come a long way since 2009 and its a ever evolving process there will never be a #1 Antivirus which detects 99% of everything out there.

Everything made by humans has flaws.I rest my case.