User Feedback AVG Ultimate

Software
AVG Ultimate
Installation
5.00 star(s)
Installation Feedback
Installation is simple, one-click install via Live (Online) installer.
It takes roughly 2 minutes with the package download and the product is installed with the latest database.

Prior to the AVG/Avast setup, it is recommended that you run a removal tool for other antivirus packages installed in the past.
List of removal tools can be found here:
https://malwaretips.com/threads/removal-tools-for-common-antivirus-packages.105323/
Interface (UI)
5.00 star(s)
Interface Feedback
See below
Usability
5.00 star(s)
Usability Feedback
See below
Performance and System Impact
5.00 star(s)
Performance and System Impact Feedback
See below
Protection
5.00 star(s)
Protection Feedback
See below
Real-time file system protection
5.00 star(s)
Internet Surf protection
5.00 star(s)
Proactive Intrusion protection
5.00 star(s)
Network protection
5.00 star(s)
Pros
  1. Lots of great features
  2. Low impact on system resources
  3. Lightning fast scans
  4. Highly configurable
  5. Easy to use
  6. Ransomware protection
  7. Effective malicious URL blocking
  8. Virus signatures are updated very often
  9. Excellent scores in independent tests
  10. Great value
  11. Effective malware removal
  12. Well designed, clear interface
  13. Multiple layers of protection
Cons
  1. Includes links to paid-for components
  2. Nags about purchasing other version
Software installed on computer
More than 30 days
Computer specs
See configuration for details
Recommended for
  1. All types of users
Overall Rating
5.00 star(s)
Disclaimer
  1. Any views or opinions expressed are that of the member giving the information and may be subjective.
    This software may behave differently on your device.

    We encourage you to compare these opinions with others and take informed decisions on what security products to use.
    Before buying a product you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

McMcbrad

Level 23
Oct 16, 2020
1,252
McMcbrad,
Could you test AVG against scripting attacks? In my tests (trojan downloaders), AVG did not block almost anything (far worse than Norton). The files could be downloaded and run without problems. So, there is probably no additional script control in AVG.:unsure:
It blocks them by behaviour if they are obfuscated. If they are not, it considers the scripts user-made and either blocks C&C server or IDP blocks secondary payload by behaviour. The script and the server will then be reported and blacklisted.
 

tipo

Level 6
Jul 26, 2012
286
@McMcbrad
do you consider the free version of avg as being enough in terms of protection, covering all sorts of malware types? file shield, web shield, ransomware shield, behaviour shield - are these shields enough to secure a novice user's (let's say my mom 🤷‍♂️🤦‍♂️) laptop? is it a hassle free, install and forget antivirus? (i know we're talking about the ultimate version here, sorry for the off topic)
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,727
It blocks them by behaviour if they are obfuscated. If they are not, it considers the scripts user-made and either blocks C&C server or IDP blocks secondary payload by behaviour. The script and the server will then be reported and blacklisted.
I can confirm that. I obfuscated the below script:
WScript.Echo "Hello world"
WScript.Quit


After obfuscation, it has been immediately detected as malware VBS:Agent-BDV[Trj]. :)
Not especially complex, but can be very efficient in the home environment.
 

McMcbrad

Level 23
Oct 16, 2020
1,252
@McMcbrad
do you consider the free version of avg as being enough in terms of protection, covering all sorts of malware types? file shield, web shield, ransomware shield, behaviour shield - are these shields enough to secure a novice user's (let's say my mom 🤷‍♂️🤦‍♂️) laptop? is it a hassle free, install and forget antivirus? (i know we're talking about the ultimate version here, sorry for the off topic)
You don’t need to be sorry, as your topic is at the right place. Yes, the free version offers enough protection, especially if you increase heuristics sensitivity to max (as I do). It shows *some* alerts from time to time, but these are not so annoying and most people can live with them.
These shields will be more than enough to secure a user like your mum and also, the AVG browser extension (if installed) blocks trackers and displays user ratings on sites, similar to WOT. This boosts web-protection slightly.

@Andy Ful yes, or if not detected by that, they trigger IDP.Fileless.25 or something of this sort after execution. The behaviour shield is very well trained against these. Sometimes they trigger IDP.Generic. They will shortly after be added to definitions via streaming update and detected as Trojan Generic (don’t remember the exact formatting of the detection). Attackers will never leave their scripts in plain text, as it makes heuristic analyses too easy. So closing that door will prevent most of the attacks, if not all. Blocking C&C servers contributes as attacker might host 100 updated scripts on a single server and all of them will be blocked. Blocking the script itself will block many new C&C servers where attacker might host it or its secondary payload.
A behavioural profile of the script can then be created to block what other attackers might attempt to do.
All other malware that somehow connects to the C&C server will be prevented from working properly and will be quickly identified.

It also seems to intercept calls from a legit app to a script interpreter when code is passed as an argument. E.g. CMD -> PowerShell.exe -e <base64 malicious code>.

The more you over-complicate a solution, the more variable and fuzzy result it will produce for you. The proof is in Kaspersky Application Control and Norton Insight. They are expensive to execute and maintain, but they revolve around one very simple concept, where user should work only with trusted code and are both very effective.
Avast’s simple way of dealing with scripts is more than enough in a home environment.

Avast seems to extract a lot of intelligence from one single threat quickly and that helps a lot.
 

oldschool

Level 59
Verified
Mar 29, 2018
4,833
@tipo you may minimize AVG ads/annoyances by blocking AVGUI.exe outbound connection in Windows Firewall. Configure AVG @ High Sensitivity + Hardened Mode for your mom and it's set-and-forget protection.

Or use Windows Defender + ConfigureDefender @ High setting. Easy, no hassle.
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,727
@Andy Ful
...
The more you over-complicate a solution, the more variable and fuzzy result it will produce for you. The proof is in Kaspersky Application Control and Norton Insight. They are expensive to execute and maintain, but they revolve around one very simple concept, where user should work only with trusted code and are both very effective.
Avast’s simple way of dealing with scripts is more than enough in a home environment.
I like it as a solution in the home environment. In fact, I was curious for a long time if any AV would adopt it for protection. Of course, it will not be sufficient in the targeted attacks.
 

McMcbrad

Level 23
Oct 16, 2020
1,252
I like it as a solution in the home environment. In fact, I was curious for a long time if any AV would adopt it for protection. Of course, it will not be sufficient in the targeted attacks.
The fileless Tesla I discovered is part of a targeted attack. PowerPoint presentation named “Wired Payment” with malicious Macro downloads an obfuscated JS script. The script in turn downloads another JS script, which downloads 2 PS scripts, ensuring their persistence (scheduled task and startup entry). The final payload is injected into msbuild.exe and cvtres.exe and is a version of Agent Tesla.
AVG first blocked the PowerPoint presentation from executing the macro. After downloading the JS script manually, it was deleted. After browsing the host I found the 2 PowerShell scripts and executed them. Password Protection Shield blocked Agent Tesla from stealing my credentials and IDP kicked in, suspending cvtres and msbuild. Connection to the C&C (second server, not the host) prior to removal was blocked by Web Shield. Minutes later, all 3 scripts (Scheduled Tasks Creator + PS Tesla) were blocked and the host was blacklisted. Sensitive data access could be prevented by ransomware shield, if initiated. Password Protection shield is a knock-off of this component, protecting browser repositories instead of user-selected folders.

Of course targeted attacks will be carried out against businesses and I am not sure what other protection Avast offers there, but I’m pretty sure it excels. :)
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,727
I can use a Base64 encoded script (trojan downloader) and it is allowed by AVG.
$base64="here is encoded script"
$a = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($base64))
iex $a

So one can possibly use obfuscated PowerShell script, encode it via Base64 and use the above script to bypass AVG.
 

McMcbrad

Level 23
Oct 16, 2020
1,252
I can use a Base64 encoded script (trojan downloader) and it is allowed by AVG.
$base64="here is encoded script"
$a = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($base64))
iex $a

So one can use obfuscated PowerShell script, encode it via Base64 and use the above script to bypass AVG.
To execute this script the attacker will need to bypass execution policy, so they will call PowerShell from another app (most likely a *.bat file, CMD -> PowerShell) or Word/Excel. The attack chain will be suspended. Even if it’s not, the final payload delivered via this method will look very suspicious to IDP and will be removed. I’ve tested it.
The only way to bypass it will be to deliver final payload directly to the memory and without too much suspicious behaviour (without accessing credentials, etc.). Then again, it will require quite a lot of testing of what wouldn’t trigger a behavioural detection.
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,727
To execute this script the attacker will need to bypass execution policy, so they will call PowerShell from another app (most likely a *.bat file, CMD -> PowerShell) or Word/Excel. The attack chain will be suspended. Even if it’s not, the final payload delivered via this method will look very suspicious to IDP and will be removed. I’ve tested it.
Probably not if the script will inject the code filelessly. By allowing the scripting code, there are many ways to skirt around the heuristics, web shield, and behavior-based protection. So, AVG will have a hard time with fileless attacks. Of course, many such attacks will be detected and blocked, but many new ones will not.

The script execution policy can be easily bypassed in many ways. The simplest is via shortcut.
 

McMcbrad

Level 23
Oct 16, 2020
1,252
Probably not if the script will inject the code filelessly. By allowing the scripting code, there are many ways to skirt around the heuristics, web shield, and behavior-based protection. So, AVG will have a hard time with fileless attacks. Of course, many such attacks will be detected and blocked, but many new ones will not.

The script execution policy can be easily bypassed in many ways. The simplest is via shortcut.
In the event that you are patient 0 and everything has failed, ransomware shield and Password Protection shield can prevent exfiltration to some extent. They can also prevent encryption (if the purpose of the attack is to plant ransomware). So the overall harm will be reduced.
Ransomware Shield doesn’t have too many whitelisted apps in normal mode and in strict mode user will be prompted regardless of the app. Injecting in a trusted process won’t help.

It will not be like King Kaspersky protection, but it’s still sufficient to a home user and beats other big names. Additional IoCs will also be available if the threat has to be persistent so the attack will be easier to spot.

All technologies against scripts can be bypassed via unpatched AMSI vulnerability. Since script scanning is mostly done via AMSI, once you get around that, very little can be done afterwards if the final code is injected in another process space. However, this is all very complex and not worth applying in a home user environment.
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,727
Unfortunately, Base64 encoding/decoding is commonly used by several kinds of malware. There is another possibility that can help in a business environment. One can restrict PowerShell to Constrained Language Mode. This will prevent most of the advanced PowerShell methods, including Base64 encoding/decoding. It can be applied via Windows built-in SRP, AppLocker, and Application Control. (y)
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,727
There is an interesting AVG feature that can block an executable by other protection features like:
  1. Ransomware protection,
  2. Webcam Protection,
  3. Sensitive Data Shield,
  4. Password Protection.
I tried to block scripting engines in this way. It may be helpful in some cases, but it did not block the scripts used by me (also Base64 encoded).
Using the Blocked & Allowed apps settings screen in ... | AVG Support
 

McMcbrad

Level 23
Oct 16, 2020
1,252
Unfortunately, Base64 encoding/decoding is commonly used by several kinds of malware. There is another possibility that can help. One can restrict PowerShell to Constrained Language Mode. This will prevent most of the advanced scripting methods, including Base64 encoding/decoding. It is applied in Windows built-in SRP, AppLocker, and Application Control. (y)
I freshly downloaded and installed AVG for a test.
I grabbed a few base-64 encoded strings and pasted them in PowerShell.
One of them triggered that:
[screenshot]


Another one triggered that:
[screenshot]


Third one triggered these 2 reactions:
[two screenshots]


4th one:
[screenshot]


The code starts with POwersheLL -w hidden -ENCOD
I suspected initially that -w hidden might be the trigger, so I removed it, but the same detection occurs.
Not sure what distinguishes this in-the-wild malware from custom-based one.

Of course, blocking constrained language completely would be even more secure, but it doesn't look like Avast is inefficient.
I tried pasting this same code in scheduled task and shortcut, but the outcome is the same. Scheduled task gets deleted after detection.

[four screenshots]


I decoded and cleared one of the code samples as much as I could. It might be the additional obfuscation that triggers detection, as I have tried obfuscated loaders with BITS and other methods and it blocks them. Obfuscation is the only thing they have in common.
[screenshot]
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,727
I freshly downloaded and installed AVG for a test.
I grabbed a few base-64 encoded strings and pasted them in PowerShell.
One of them triggered that:
[screenshot]

Another one triggered that:
[screenshot]

Third one triggered these 2 reactions:
[two screenshots]

4th one:
[screenshot]

The code starts with POwersheLL -w hidden -ENCOD
I suspected initially that -w hidden might be the trigger, so I removed it, but the same detection occurs.
Not sure what distinguishes this in-the-wild malware from custom-based one.

Of course, blocking constrained language completely would be even more secure, but it doesn't look like Avast is inefficient.
I tried pasting this same code in scheduled task and shortcut, but the outcome is the same. Scheduled task gets deleted after detection.

[four screenshots]
In your case, 2 samples are blocked by the Web Shield (blacklisted URL detected). Others are blocked by detecting the command line (probably POwersheLL -w hidden -ENCOD is detected).
Try something like the below (in shortcut):

Code:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'c:\RunRemote\VBSObfuscator\encoded.ps1'"

I do not use ENCOD in the command line, but in the script like in my previous post:
User Feedback - AVG Ultimate | MalwareTips Community
I use the shortcut and script (2 files).
 
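The command-line inspection that the post above attributes to AVG (flagging the PowerShell launch line rather than the script file), written up as an added Python example that is not AVG's or Avast's code: it matches the case-mangled interpreter name, recognises prefix-abbreviated switches such as -w hidden and -ENCOD, decodes the Base64/UTF-16LE payload and checks the decoded text for the FromBase64String/iex pattern used earlier in the thread. The sample command lines are constructed, and splitting on whitespace (ignoring quoting) is a simplification.

```python
import base64
import binascii
import re

# Indicators matched against the *decoded* text: the two calls from the thread's
# own snippet (FromBase64String, iex) plus the common DownloadString downloader call.
INDICATORS = ("frombase64string", "iex", "invoke-expression", "downloadstring")
# powershell / pwsh at the end of a path, case-insensitive so "POwersheLL" matches.
PS_NAME = re.compile(r"(^|[\\/])(powershell|pwsh)(\.exe)?$", re.I)

# Constructed sample command lines (not taken from the thread or from real malware).
PAYLOAD_TEXT = "$a=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)); iex $a"
ENCODED = base64.b64encode(PAYLOAD_TEXT.encode("utf-16le")).decode("ascii")
SAMPLE_CMDLINES = [
    f"POwersheLL -w hidden -ENCOD {ENCODED}",             # the shape discussed above
    "powershell.exe -NoProfile -Command Get-Process",      # benign, plain command
    f"cmd.exe /c powershell -nop -w hidden -e {ENCODED}",  # launched through cmd.exe
    "notepad.exe C:\\notes.txt",                           # not PowerShell at all
]


def _is_prefix_switch(token, full):
    """PowerShell accepts any prefix of a switch name, so -w, -enc and -ENCOD all count."""
    stem = token[1:].lower() if token.startswith("-") else ""
    return bool(stem) and full.startswith(stem)


def decode_encoded_command(blob):
    """-EncodedCommand is Base64 over UTF-16LE text; return the text, or None if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage_cmdline(cmdline):
    """Inspect one process command line (split on whitespace; quoting is not handled)."""
    tokens = cmdline.split()
    result = {"powershell": False, "hidden": False, "encoded": False,
              "decoded": None, "indicators": []}
    hits = [i for i, t in enumerate(tokens) if PS_NAME.search(t)]
    if not hits:                      # interpreter may sit after "cmd.exe /c"
        return result
    result["powershell"] = True
    args = tokens[hits[0] + 1:]
    for j, tok in enumerate(args):
        nxt = args[j + 1] if j + 1 < len(args) else ""
        if _is_prefix_switch(tok, "windowstyle") and nxt.lower().startswith("hid"):
            result["hidden"] = True
        if tok.lower() == "-ec" or _is_prefix_switch(tok, "encodedcommand"):
            result["encoded"] = True
            result["decoded"] = decode_encoded_command(nxt)
    if result["decoded"]:
        low = result["decoded"].lower()
        result["indicators"] = [s for s in INDICATORS if s in low]
    return result
```

Run triage_cmdline over each entry of SAMPLE_CMDLINES to see which lines are flagged and what the decoded payload looks like; a real deployment would feed it process-creation events and handle quoted arguments properly.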

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,727
It is also easy to use an innocent unobfuscated script (PowerShell or Windows Script Host) to run another script that uses obfuscated code encoded via Base64. This can be done from an infected pendrive or via a packed email attachment (password protected). Anyway, in my tests, most AVs could be bypassed because they use only anti-script protection against very popular methods and there are many possibilities open to attackers.

In the home environment, the AVG protection is very promising and anti-scripting protection is above average.
 

McMcbrad

Level 23
Oct 16, 2020
1,252
It is also easy to use an innocent unobfuscated script (PowerShell or Windows Script Host) to run another script that uses obfuscated code encoded via Base64. This can be done from an infected pendrive or via a packed email attachment (password protected). Anyway, in my tests, most AVs could be bypassed because they use only anti-script protection against very popular methods and there are many possibilities open to attackers.
It's good that attackers haven't yet discovered these methods :D
You are one step ahead of them. They only know the -encod method and have been using it for ages. Maybe that's the reason companies haven't gone beyond that.
 