New Update Avira expands its APC to support script malware

Anthony Qian

Level 9
Thread author
Apr 17, 2021
Historically, Avira's APC (Protection Cloud) has only supported the analysis and detection of PE (Portable Executable) samples. This limited Avira's capability in addressing threats from script-based malware. However, recently, I've noticed a new detection name, "HEUR/APC.YAV" when testing Avira against a JS script malware (VirusTotal). Based on its naming convention, this cloud-based detection from APC is likely designed for script-based threats, as "YAV" might be Avira's categorization for script-based malware.

To further test this, I slightly modified the original sample, changing some variable names, and executed it again. It was still detected.

Here is the detection log from Avira:

[2023-08-13 08:46:21.816] [info] [BaseScan] [thread id: 8876] The file '\\?\C:\Users\Desktop\1.js' was unknown in the Protection Cloud. SHA256: '4d6b54a14476efc43b3c1a54f9eab507172827b32bbbf92353618*****' Flags: '{Upload needed}' Status: successful ----- Unknown script malware will be sent to APC for analysis.
[2023-08-13 08:46:21.817] [info] [Core] [thread id: 8876] [ProtectionCloud] [apcsdk] file: 1 of 1 unique hashes left to check
[2023-08-13 08:46:22.037] [info] [Core] [thread id: 5952] [ProtectionCloud] Starting upload of file'C:\Users\\Desktop\1.js'
[2023-08-13 08:46:22.971] [info] [Core] [thread id: 5952] [ProtectionCloud] Upload of file 'C:\Users\\Desktop\1.js' was successful
[2023-08-13 08:46:27.990] [info] [Core] [thread id: 8876] [ProtectionCloud] [apcsdk] file: 1 of 1 unique hashes left to check
[2023-08-13 08:46:28.205] [info] [BaseScan] [thread id: 8876] The file '\\?\C:\Users\\Desktop\1.js' has been uploaded to the Protection Cloud and analyzed. SHA256: '4d6b54a14476efc43b3c1a54f9eab507172827b****' Flags: '{Detected}{Upload done}' Status: successful ---- It took APC 7 sec to analyze the sample and return the detection.
[2023-08-13 08:46:28.205] [info] [BaseScan] [thread id: 8876] The file '\\?\C:\Users\\Desktop\1.js' was scanned with the Protection Cloud. SHA256: '4d6b54a14476efc43b3c1a54f9eab507172827b32bbbf9235*****' Flags: '{Detected}{Upload done}' Status: successful
[2023-08-13 08:46:28.205] [info] [BaseScan] [thread id: 8876] Detection by Protection Cloud: '{HEUR/APC.YAV} File: '\\?\C:\Users\\Desktop\1.js' SHA256:'4d6b54a14476efc43b3c1a54f9eab50717*****' ---- Detection name was also displayed.

From the logs, we can infer:
  1. A manual right-click scan of suspicious scripts doesn't trigger the APC query.
  2. Avira now not only queries the APC with file hashes, but it also uploads unknown files to the cloud for further analysis.
  3. Analysis is rapid, taking only 7-8 seconds, suggesting no dynamic analysis takes place.
  4. Unlike PE files, Avira allows script-based samples to run first, then uploads and analyzes them. If deemed malicious, the original file is removed, followed by a high-sensitivity quick scan for remediation.
  5. Unfortunately, there are no related records in the Sentry logs at this time.
The exact capabilities of APC in detecting script-based threats, supported script types (e.g., weather .bat or .ps1 are supported), require more sample tests for validation. It's a bit disappointing that there's no integration with Sentry (Avira's BB) yet. Still, APC's extension to script-based threats indicates Avira's increased attention to fileless attacks.

To further explore APC's protection against script malware, I chose five script viruses from MB: two were VBS scripts, and three were JS. Avira failed to detect all when scanned.

Details of each sample:

Test Sample 1( ... 3b001b5d82d9fa0a529)
  • Type: JS script downloader
  • Initial Results: Successfully intercepted. It was detected as TR/Dldr.Script.daa1c4 by the APC.
  • Follow-up Test: After making minor modifications to the sample and executing it, an APC upload was triggered, but the threat wasn't detected. Eventually, network protection blocked a malicious website during its runtime.
Test Sample 2 ( ... b96fb276afb49014e25)
  • Type: JS script downloader
  • Results: The threat was successfully intercepted, and the local engine detected it as HTML/ExpKit.Gen2. No APC detection was triggered.
Test Sample 3 ( ... 89d76d28db668a4a9b7)
  • Type: JS script downloader
  • Initial Results: Successfully intercepted without an upload trigger; APC detected it as JS/YAV.Minerva.7cd592.
  • Follow-up Test: After making simple alterations to the sample and executing it, an APC upload was triggered. The subsequent detection was JS/YAV.Minerva.07d701.
Test Sample 4 ( ... 88d68a5c4836cd145be)
  • Type: VBS script downloader
  • Results: APC scanning missed the threat, and there were no alert pop-ups. Based on the VT analysis, Avira was able to block the Command and Control server (C2), suggesting the script might not have run successfully on my VM.
Test Sample 5 ( ... cc3fa4dfcadd02889e5)
  • Type: VBS script, specifically the Houdini Trojan
  • Initial Results: Upon execution, an error occurred causing the script to terminate. APC was triggered, but no threat was detected.
  • Follow-up Test: After modifying the sample slightly and running it again, an APC upload was triggered. Roughly 7 seconds later, it was detected as HTML/Agent.e8dc9c, which seems quite strange.

In summary, with support for scripts, APC has significantly improved Avira's detection rate against script-based threats. However, there's still room for improvement, such as a missing integration with Sentry. Additionally, I'm curious to see if F-Secure, which utilizes the Avira engine, will benefit from this recent upgrade in APC.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.