Hi, everyone! It's been almost three days since AVG/Avast customer support indicated that a sample I uploaded is indeed a malware, but it's still not being detected by their products. Looks like a major hole in AVG/Avast protection to me... Ordinary users are not supposed to be hunting for malware, and to be doing their job for them. There's no other explanation for this ridiculous situation, unless someone on the inside in AVG/Avast doesn't want this particular malware to be detected. 'Cause this one is detected virtually by every other security vendor, except by AVG/Avast. Makes me wonder if it's because this malware was actually originated by someone from AVG/Avast VirusTotal They are saying "it is already being detected by Avast apps", but it is a lie...
AVG/Avast could be lying....
- Thread starter Pilot777
- Start date
- Jan 8, 2011
- 22,361
There must a logical explanation for this, Easter.
Are you able to verify that VirusTotal has the latest updates for the Avast engine?
Are you able to verify that VirusTotal has the latest updates for the Avast engine?
- Oct 16, 2022
- 110
Perhaps they are right and it is indeed marked as malicious by Avast/AVG but not updated in the VirusTotal database yet. In line with the VirusTotal report, the hash goes undetected by F-Secure even though it uses the signatures of Bitdefender, and Bitdefender does detect it
- Mar 16, 2019
- 3,633
F-Secure uses Avira.
Virustotal detection and in-product detections are not always the same.
Anyway, I just checked, it's not detected by Avast. It seems the file is corrupt. It won't run, so maybe that's why it's not detected.
- Apr 13, 2013
- 3,142
GrandCrab is still extensively distributed to customers (RAAS) with many of them malformed as SeriousHoax correctly points out. Of those that recently been in the Wild, AVAST has no problems detecting those that do actually work but will blow off those that won't run.
So although the VT results may rightly make an AVAST user concerned it is in this case of no consequence.
So although the VT results may rightly make an AVAST user concerned it is in this case of no consequence.
This. It's Easter. AVAST is European and owned by Norton which is American. Big time of the year in the Christian world. Bigger than XMAS.
- Feb 7, 2023
- 1,714
@Pilot777 hello and belated welcome to MalwareTips.
As @cruelsister and @SeriousHoax previously pointed out, this is ransomware-as-a-service (RAAS) and the sample is malformed for one reason or another, perhaps someone’s had a little play with it.
As a security vendor Avast does not participate in malware creation and distribution (it is a criminal offence as well). In fact, Avast has released decryptors throughout the years for various ransomware families/strains.
I believe the Avast parser may be unable to read the file properly or due to the sample being damaged, they may have refused to add detection, as a properly-working sample may already be covered by other detections and protection methods. It my have been miscommunication between the support agent and the analyst. For more information, it would be best to reply to this email and ask Avast.
It has been discussed by @struppigel who works at GData on another thread that not everything that gives off a malicious vibe gets added to definitions. They are not a recycle bin, they are operated in accordance with strict policies that different vendors have implemented. For example Symantec would refuse to add artefacts by themselves not malicious (for example a driver that has been used as part of BYOVD attack or a PDF that contains links to malicious sites). Avira would add a detection for everything in definitions.
Avast would certainly add a detection for something that’s truly malicious and has been sent to them, regardless whether it’s a working day or festive.
As @cruelsister and @SeriousHoax previously pointed out, this is ransomware-as-a-service (RAAS) and the sample is malformed for one reason or another, perhaps someone’s had a little play with it.
As a security vendor Avast does not participate in malware creation and distribution (it is a criminal offence as well). In fact, Avast has released decryptors throughout the years for various ransomware families/strains.
I believe the Avast parser may be unable to read the file properly or due to the sample being damaged, they may have refused to add detection, as a properly-working sample may already be covered by other detections and protection methods. It my have been miscommunication between the support agent and the analyst. For more information, it would be best to reply to this email and ask Avast.
It has been discussed by @struppigel who works at GData on another thread that not everything that gives off a malicious vibe gets added to definitions. They are not a recycle bin, they are operated in accordance with strict policies that different vendors have implemented. For example Symantec would refuse to add artefacts by themselves not malicious (for example a driver that has been used as part of BYOVD attack or a PDF that contains links to malicious sites). Avira would add a detection for everything in definitions.
Avast would certainly add a detection for something that’s truly malicious and has been sent to them, regardless whether it’s a working day or festive.
Last edited:
- Mar 13, 2021
- 416
That is true, biblically speaking. But in reality, Christmas is much bigger.
My boy F-Secure is also lacking according to VT. Avast, AVG, Avira, and F-Secure are the only four vendors of any consequence that don’t detect this file. Do you think Avira decided not to add definitions due to the sample being corrupt? And regardless of what Avira does, I would hope F-Secure adds its own sig, since they say they don’t just rely on Avira but also have their own engines.
Virgo, DeepGuard, and Hydra, where you at? Gotta pick up the slack when Capricorn is sleeping.
- Feb 7, 2023
- 1,714
In the beginning of the file this is what they’ve placed:
Should be:
This is what renders the sample unable to execute and before scanning a file, an AV must use parsers to discover the true file type. The invalid headers may confuse some parsers and because of that, the scan engine may be unable to handle the file properly.
Most likely somebody just wanted to pass a quick static analysis to see if the sample is detected and they damaged the file.
Last edited:
- Feb 7, 2023
- 1,714
Btw just for testing purposes, in Avast Resident Shield settings, there is an option called “Test Whole Files”. Can somebody enable that and scan the file? Also, maybe disable scanning by file type and select scan all files by extension. Let’s see if the scanner is failing to calculate the offset or something of this sort.
I don’t have access to the real file, I just saw the preview on Joe Sandbox from my phone.
I don’t have access to the real file, I just saw the preview on Joe Sandbox from my phone.
Last edited:
Interested in this as well. When I used Avast many many moons ago, I always made these adjustments so everything was scanned. That + letting Avast re-scan the same files, even if there were no changes. Some AVs don’t scan a file a second time after the first scan unless they detect a “change” in it.
For a paranoic like me, that was just asking for trouble. I never underestimate malware authors from finding an ingenious way to trick an AV into thinking a file hasn’t been changed, when it has. And so the AV fails to stop the infection even if they had the right sigs.
- Feb 7, 2023
- 1,714
With SHA256 I don’t think it’s possible, more likely a file will get cached and after a signature is added (if the cache is not purged on definitions update) it may not be scanned for some time or until a system restart.
They don’t reveal too much information on how the cache is managed (for obvious reasons) but I would assume they cache files that are trusted and don’t cache unknown files so they could be rescanned again and again with streaming updates.
Even on files that are added to persistent cache, these will have digital signature. Avast can revoke the digital signature at any time using their Win32/BadSig detection and this will remove the file.
- Mar 19, 2022
- 650
Welcome.
I had this situation with AVG recently:
Wanting to test AVG for threat detection - I downloaded some malware samples.
After extracting, AVG was silent detecting nothing.
After analyzing the files on VT - AVG and Avast should detect these files as a threat.
Databases like the AVG program itself up to date.
Could it be that these files are corrupted ? That is why they are not detected ?
I had this situation with AVG recently:
Wanting to test AVG for threat detection - I downloaded some malware samples.
After extracting, AVG was silent detecting nothing.
After analyzing the files on VT - AVG and Avast should detect these files as a threat.
Databases like the AVG program itself up to date.
Could it be that these files are corrupted ? That is why they are not detected ?
- Feb 7, 2023
- 1,714
VirusTotal is a tool used mainly for analysts and for reference. Detections on VirusTotal might differ from detections in any actual product that’s deployed on wide scale. Without having the samples it’s hard to tell but I would assume there was some factor of non-maliciousness. Did you try executing them? What were they? If they were installers, did you have scanning of compressed files enabled?
- Feb 7, 2023
- 1,714
Try to enable scanning of archives, scanning for PUP and tools, testing of whole files and scan by extension, not by content type. You can change all these settings for contextual scan and then right click on these files, and scan them.AVG is set to maximum
I have these files on disk still but I haven't run them
- Mar 19, 2022
- 650
- Feb 7, 2023
- 1,714
All 3 samples are 10-year-old+. One of them surely is a false positive, it is a Chinese game, signed with a valid signature (not revoked). The other 2 are infostealers/keyloggers, but because they’ve long been decommissioned, they are not a threat to confidentiality, integrity or availability of information. Hence, they’ve been removed from definitions. They are not detected on VT either.
I'm happy to report that the issue has been resolved. Well done, AVG/Avast!
Similar threads
