App Review Avira Antivirus Pro vs WannaCry ransomware by Juan Diaz

[Xsjx]

it makes no difference, I tested Avira thoroughly and this option too, it makes no difference about the cloud


yeah, I said the same thing in my post related to Avira in Avira section. they should tell people that pro is a really better product. I know it did not defend this sample but Avira pro is a really good product when its cloud hepls it.

Ask support they say Avira pro is better

"Does avira have bb?" For that functionality you can count on pro


Btw avira blocks it tested myself 0_0 If anyone can give me some better safety
( for vm) instructions i am gonna test and record on my gaming pc.

Also wannacry - Avira Virus Lab

 

[Evjl's Rain]

Ask support they say Avira pro is better

"Does avira have bb?" For that functionality you can count on pro


Btw avira blocks it tested myself 0_0 If anyone can give me some better safety
( for vm) instructions i am gonna test and record on my gaming pc.

Also wannacry - Avira Virus Lab

I think avira blocked 1 of wannacry variants by signatures but not the latest one demonstrated by some videos we have seen
the one in the video is not the sample they detected 2 months ago

perhaps the latest variants didn't match the criteria to upload to the cloud that's why it failed even avira pro

 

[WinXPert]

Thnx for sharing this test @Arin

Well Avira clearly says on its blog
WannaCrypt0r: The ransomware that hit computers all over the world - Avira Blog
" Avira offers security of mind and for your PC

While we are still continuing to investigate the details of the WannaCrypt0r attack – after all a malware analyst’s job is never done – we can already confirm that our software successfully detects it, as variants of the ransomware have first been detected by our scans approximately two months ago."

Detecting is one thing, stopping the carnage is another.

 

[Winter Soldier]

Detecting is one thing, stopping the carnage is another.

I agree, I understand the media wave triggered by WannaCry, and as a result security vendors are conform to it, by showing various pop-ups or in their webpages, the ability to detect WCRY. And as you said, detecting is one thing, to block and kill the malware before it encrypts the files, is another thing.

Lets say that vendors statements have a relative validity, because WCRY variants are already in the wild and no AV vendors can certainly say to stop the new variants.

Or at least, if they say this, it is their full responsibility.

 

[WinXPert]

I agree, I understand the media wave triggered by WannaCry, and as a result security vendors are conform to it, by showing various pop-ups or in their webpages, the ability to detect WCRY. And as you said, detecting is one thing, to block and kill the malware before it encrypts the files, is another thing.

Lets say that vendors statements have a relative validity, because WCRY variants are already in the wild and no AV vendors can certainly say to stop the new variants.

Or at least, if they say this, it is their full responsibility.

ON one of my FB forums, I also made a test on an AV claiming they can protect you from wannacry. It failed because it's a new variant. That's the problem with sigs. Once the malware is changed, it gets pass the security. Hope they upgrade their BB more just like EAM when I tested it with File Guard off, BB caught the malware.

At least don't believe everything, specially media hype. When in doubt, test it.

 

[kamla5abi]

its a known fact that avira is one of the weakest when it comes to ransomware or zeroday threads. Tested it over and over again. But here is one guy on MalwareTips that thinks Avira is the best av in the world and beats every other av easly. Hope his mind changes in the future when he is able to get facts right. Avira has one of the best Signatures avaiable with Eset and Kaspersky but thats it. The zeroday protection is just realy weak.

@Xsjx What would you do if this happened with your PC? Do you still feel protected using Avira? I would not if I were using Avira.

no worries @Xsjx won't show up here.

I cant describe my satisfaction when wannacry bypassed Avira. My first though was Xsjx

to all:
I've only been registered on this forums for a week, and browsed before that once in a while, and i immediately thought of Xsjx too haha

the question is how Avira passed av comparative test against this?!

i haven't read that one yet i think but i noticed many don't give details about which definitions update they used, or other settings, their methods, etc..

Thnx for sharing this test @Arin

Well Avira clearly says on its blog
WannaCrypt0r: The ransomware that hit computers all over the world - Avira Blog
" Avira offers security of mind and for your PC

While we are still continuing to investigate the details of the WannaCrypt0r attack – after all a malware analyst’s job is never done – we can already confirm that our software successfully detects it, as variants of the ransomware have first been detected by our scans approximately two months ago."

"our software successfully detects it"....but doesn't stop files from being encrypted, d'oh!
"variants of the ransomware have first been detected by our scans approximately two months ago" notice again how they don't say anything about stopping it, only "detected" by it

 

[darko999]

Well, I think not only Avira but many other traditional AV vendors would fail with recent / new variants of WannaCry. It is a known fact that signature detection is not enough to battle top notch malware. This said, why blame it all on Avira?. People have free will to install whatever AV they want.

 

[kamla5abi]

Thank you for your recommendations!

I'm now examining Comodo website.
is CF only av I need? CIS is confusing me.

CFW (Comodo FireWall) already includes cloud based AV detection/BB/HIPS
CIS = CFW + Comodo AV (Offline AV detection/On Demand Scan)
so CFW setup properly is all you need
CAV is not that great and the opinion that CAV isn't that great is all over these forums, if you search for it you will see many people with same conclusion.
I can't say for sure but I'm 99% sure @cruelsister also said CAV is useless (meaning CIS also useless, since theres nothing more than CAV+CFW), so CFW is all you need.
If cruelsister says CFW is all you need, CAV is unnecessary, i would go with that she seems quite expert in all things malware/ransomware/etc (as you can see from her posts and videos), and since it is her config that everyone loves and is proven to protect against malware/ransomware, i would trust her

with cruelsister's config, and assuming you set it up properly according to her config, you don't need any other AV. the only thing another AV will do is use it's definition/signature based detection to remove malware right away, otherwise if it does somehow get opened it'll be run automatically inside CFW sandbox, meaning it cant do any damage. Only way malware will get past CFW sandbox (i think) is if it's using forged/stolen security certificate to make it on the trusted list

CF only or CIS which is CF with av in it

see above

agree. I found avira pro is a very strong product but avira free is not good
avira's cloud is very good but the product seems not upload all files for cloud analysis, to reduce server workload
I suspect avira cloud is similar to zemana, which has multiple engines licensed by metadefender

i also read this somewhere, not every suspicious file gets uploaded to avira cloud for analysis to reduce cloud workload
the reasoning was something like "not every file needs to be uploaded to be declared safe/unsafe, there is criteria in place that determines if the file gets uploaded or not" but couldn't find any information about the "criteria" that decides which file to upload and which file not to upload

I tried to explain in wilders security forum that there is indeed a difference between free and pro version, despite what Avira says, but some Avira's funboys immediately started to attack me saying that's not true

I found this forum (MalwareTips) through wilders security forums, so for that i am thankful to wilders forums....but thats about it
I didn't see ANY negative things about avira there, no "bad" reviews, etc... so to me that stuck out as weird to me then eventually i found this forum and found out why

At first i didnt wanted to reply, but for me after suspicous file has been found cloud comes in action and kills it..
Also why didnt he show cloud settings ?

that was one problem i found with avira pro... I'll explain.
1) Yes, avira cloud does decent job. Yes, avira definitions are awesome.
2)The problem: when malware isnt detected by avira definitions, it already gets past avira's first/biggest line of defense.

Next, avira cloud supposed to check file, right? Problem: IF avira cloud is too slow at responding, malware gets past avira cloud too sometimes...
You would think that avira cloud would check malware file out, before allowing malware to run, to determine if its allowed or not allowed.
but i've seen avira cloud be too slow to respond, and by then malware is already done some damage...

And i'm not even sure what would happen if malware got on your computer via USB or bluetooth file transfer etc, but if you are offline...meaning you are not connected to internet...does avira cloud have any way of protecting you then? i think not... ??

ouch, anyone got some Aloe Vera?

hahaha i see what you did there A[loe]Vira lol

Well, I think not only Avira but many other traditional AV vendors would fail with recent / new variants of WannaCry. It is a known fact that signature detection is not enough to battle top notch malware. This said, why blame it all on Avira?. People have free will to install whatever AV they want.

yes i agree with you, many other AV that ONLY rely on definition/signature detection probably will fail to protect.
that's why to protect against ransomware, malware behavior etc protection is needed

 

[kamla5abi]

i will repost my reply in another thread about bitdefender total security ransomware protection module behavior that i saw, regarding just regular picture editing software NOT any malware... (this is the key point to what i am saying in my post below)

I know this thread is about avira pro vs wannacry ransomware, but my point is that bitdefender total security blocked a legit picture software from renaming/deleting a picture file saying it was ransomware like behavior....

this video for avira pro shows it detected ransomware behavior AFTER encryption already started.

Maybe avira cloud was too slow to respond ?? or cloud didn't even receive the file... or some other reason why avira pro failed ??

i have been using BD TS for the past little while, heres what i've noticed.
I have turned on the "ransomware protection" module inside BD (turned off by default) and enabled "protection at boot" and AutoPilot turned On.
then the usual folders are all automatically added by default to protection (c:\users\<username>\desktop, documents, music, pictures, videos, Onedrive) and you can add others too (like downloads, etc).

Next:
I downloaded and installed an image processing software to try it, and loaded it up. Chose an image inside my pictures folder and started playing around with stuff. The entire time, it was fine and let me make changes to image, even save a copy of it, etc. But then i clicked something in the picture software that would rename the current file to append a few letters to the end of the file name. So it would change "Picture 012.jpg" to "Picture 012.jpg.xxx" (where xxx represents appended file extension, whatever letters the program was trying to append to the end of it, i dont remember what exactly it was...) From looking at it, i think the picture software was trying to add those letters to the end temporarily to mark it as a different type of file, i am not sure why, maybe the picture software does that while the image is still being worked on when you enable that option of the software

Anyways, BD TS actually alerted me to that and blocked it automatically saying ransomware type behavior was detected. If the BD TS alert didn't pop up, i would have no idea the extension was being changed/appended by the picture software. So in this case, BD TS let me edit/save/copy picture file no problem. But when the software tried to change the file extension, it detected that behavior and alerted me (+ blocked it automatically).

My point is that ransomware seems to function similarly, where it appends something to the filename extension (or processes it, which ends up appending the file extension) and then deletes the original, leaving you stuck with the encrypted file only. So if that picture software was ransomware, it would have blocked that from happening i think right ?

so in this case, even though it wasn't ransomware or anything "bad" that changed the file name, it was picture software, it still stopped that from happening saying ransomware protection...
Then i could manually allow that action if the program that made the action was safe.

[MRG] ETERNALBLUE vs Internet Security Suites and nextgen protections

 

[garlictaker]

CFW (Comodo FireWall) already includes cloud based AV detection/BB/HIPS
CIS = CFW + Comodo AV (Offline AV detection/On Demand Scan)
so CFW setup properly is all you need
CAV is not that great and the opinion that CAV isn't that great is all over these forums, if you search for it you will see many people with same conclusion.
I can't say for sure but I'm 99% sure @cruelsister also said CAV is useless (meaning CIS also useless, since theres nothing more than CAV+CFW), so CFW is all you need.
If cruelsister says CFW is all you need, CAV is unnecessary, i would go with that she seems quite expert in all things malware/ransomware/etc (as you can see from her posts and videos), and since it is her config that everyone loves and is proven to protect against malware/ransomware, i would trust her

with cruelsister's config, and assuming you set it up properly according to her config, you don't need any other AV. the only thing another AV will do is use it's definition/signature based detection to remove malware right away, otherwise if it does somehow get opened it'll be run automatically inside CFW sandbox, meaning it cant do any damage. Only way malware will get past CFW sandbox (i think) is if it's using forged/stolen security certificate to make it on the trusted list

Thank you for detailed explaination.
I'm currently using CIS with cruelsister's config. (yes, I had examined comodo configs for a while, as I was new to it )
I know CAV isn't good enough compared to other AVs, and I know there's no AV needed if I set it up properly.

But I just wanted to keep things simple.
only CFW would turn on WD automatically, which I hate so much bcuz it slows my rig down too much.
so I had chosen CIS to keep WD away. (I don't want to bother to turn it off forcibly neither.)

btw, CAV is not that bad IMO. I found it's more responsive and more lighter than WD.
I'm very happy now with comodo. alright