Parsh

Level 24
Trusted
Malware Hunter
Verified
2 suspicious patterns detected and quarantined (after the encrypted copies were generated).
Still, the RW was able to delete the original files left out during the creation of the encrypted copies. That clearly indicates slow detection and/or inadequate blocking of the malicious process(es) by Avira Free, be it cloud or local.

My only concern in the security setup was that 'Use file extensions list' (which is mostly custom) was selected instead of 'Use Smart Extensions' (or All Files). I do not remember if the extensions have to be specified in this AV. I may be wrong, but probably using the Smart Extensions list (like the default settings of many AVs) could have helped detect the malicious process earlier, instead of just depending on the detection of the encrypted files in some monitored folders.
 

Winter Soldier

Level 25
I thought Avira had been detecting WannaCry for 2 months. Or is that a 0-day modified version?
There are some variants; for example, the kill-switch call has been eliminated by modifying the hex of the executable and bypassing the calls concerned. Probably these versions were not made by the original author, because by analyzing the code it is clear that it was not done by a compiler.
Indeed, after the kill-switch check, the flow of code execution proceeds to create a service called "mssecsvc2.0" (displayed with the symbolic name "Microsoft Security Center (2.0) Service"), start it, and pull out the ransomware component and execute it.
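The execution flow described in the post above (kill-switch check, then installing and starting a service named "mssecsvc2.0") leaves a trace that defenders can hunt for: the Service Control Manager records every service installation as Event ID 7045 in the Windows System log. The following Python is an added example written for this page, not code from the thread or from Avira. It parses constructed, flattened 7045 records and flags installs by the service name and display name quoted in the post, plus one general heuristic that goes beyond the specific case (a Microsoft-branded display name whose binary runs from outside C:\Windows). The one-line log format, the image paths and the TRUSTED_IMAGE_PREFIXES list are assumptions made for the example.

```python
import re
from typing import Dict, List

# Indicators quoted in the post above (service name and display name created
# after the kill-switch check). Lower-cased for case-insensitive matching.
KNOWN_BAD_SERVICE_NAMES = {"mssecsvc2.0"}
KNOWN_BAD_DISPLAY_NAMES = {"microsoft security center (2.0) service"}

# Directories from which legitimately Microsoft-branded services are expected
# to run. This is an assumption for the heuristic below, not a claim from the thread.
TRUSTED_IMAGE_PREFIXES = ("c:\\windows\\",)

# Constructed sample: Event ID 7045 ("A service was installed in the system")
# records from the Windows System log, flattened to one event per line. The
# image paths are placeholders, not indicators taken from a real sample.
SAMPLE_LOG = (
    '2017-05-13T09:12:01Z EventID=7045 ServiceName="Spooler" '
    'DisplayName="Print Spooler" ImagePath="C:\\Windows\\System32\\spoolsv.exe"\n'
    '2017-05-13T09:15:44Z EventID=7045 ServiceName="mssecsvc2.0" '
    'DisplayName="Microsoft Security Center (2.0) Service" '
    'ImagePath="C:\\Users\\victim\\AppData\\Local\\Temp\\dropper.exe -m security"\n'
    '2017-05-13T09:16:02Z EventID=7036 ServiceName="mssecsvc2.0" State="running"\n'
    '2017-05-13T09:20:10Z EventID=7045 ServiceName="UpdateHelper" '
    'DisplayName="Microsoft Update Helper" ImagePath="C:\\ProgramData\\upd\\helper.exe"\n'
)

HEADER_RE = re.compile(r'^(?P<ts>\S+)\s+EventID=(?P<id>\d+)')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened event line into a dict of its fields."""
    m = HEADER_RE.match(line)
    if not m:
        return {}
    event = {"Timestamp": m.group("ts"), "EventID": m.group("id")}
    event.update(dict(FIELD_RE.findall(line)))
    return event


def image_binary(image_path: str) -> str:
    """Strip service arguments so only the executable path is compared."""
    path = image_path.strip()
    if path.startswith('"'):
        return path[1:].split('"', 1)[0]
    # Cut at the first argument (" -m security" in the constructed sample).
    return path.split(" -", 1)[0].split(" /", 1)[0]


def check_service_install(event: Dict[str, str]) -> List[str]:
    """Return the reasons a 7045 event matches the behaviour described above."""
    if event.get("EventID") != "7045":
        return []
    reasons = []
    name = event.get("ServiceName", "").lower()
    display = event.get("DisplayName", "").lower()
    binary = image_binary(event.get("ImagePath", "")).lower()
    if name in KNOWN_BAD_SERVICE_NAMES:
        reasons.append("known WannaCry service name")
    if display in KNOWN_BAD_DISPLAY_NAMES:
        reasons.append("known WannaCry display name")
    # Heuristic generalisation: a Microsoft-branded display name whose binary
    # lives outside the Windows directory deserves a look regardless of family.
    if "microsoft" in display and not binary.startswith(TRUSTED_IMAGE_PREFIXES):
        reasons.append("Microsoft-branded display name outside trusted path")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Run the check over every line and collect the flagged service installs."""
    findings = []
    for line in text.splitlines():
        event = parse_event(line)
        reasons = check_service_install(event)
        if reasons:
            findings.append({
                "timestamp": event["Timestamp"],
                "service": event["ServiceName"],
                "image": event.get("ImagePath", ""),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["timestamp"], f["service"], "->", "; ".join(f["reasons"]))
```

Run against the constructed sample, the script flags the mssecsvc2.0 install on all three rules and the UpdateHelper install on the path heuristic only, while the legitimate Spooler entry and the 7036 state-change event pass through. Feeding it real exports would mean replacing the flattening with whatever your log pipeline emits; the matching logic does not depend on the line format.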
 

Evjl's Rain

Level 40
Content Creator
Trusted
Malware Hunter
Verified
Perhaps the main process created many processes, a few of which were blocked, but the main process itself was not blocked, so it could still infect.
I don't know if the Pro version can block it or not, but the cloud in the free version didn't upload the file for cloud analysis this time.

Some people on Wilders are still saying Free and Pro are identical and smashing other users, saying they have no clue, but they can't point out the difference between the two other than giving some unhelpful Avira descriptions, with no real test.
 

brod56

Level 15
Verified
2 suspicious patterns detected and quarantined (after the encrypted copies were generated).
Still, the RW was able to delete the original files left out during the creation of the encrypted copies. That clearly indicates slow detection and/or inadequate blocking of the malicious process(es) by Avira Free, be it cloud or local.

My only concern in the security setup was that 'Use file extensions list' (which is mostly custom) was selected instead of 'Use Smart Extensions' (or All Files). I do not remember if the extensions have to be specified in this AV. I may be wrong, but probably using the Smart Extensions list (like the default settings of many AVs) could have helped detect the malicious process earlier, instead of just depending on the detection of the encrypted files in some monitored folders.
I agree. If Avira could speed up the detection process/cloud submission, this system probably wouldn't have been infected.
 

Atlas147

Level 30
Content Creator
Verified
Avira has a blog post stating that they detected WannaCry 2 months before the outbreak happened. This is probably a new variant; maybe you should send it to VirusTotal to check the detection ratio on it. Hopefully other vendors have already reacted to it faster than Avira.

Also, you should SUD this to Avira and the other vendors that don't detect this variant ASAP, to prevent others from getting infected as well.
 

Game Of Thrones

Level 5
Verified
It is hard to stop ransomware post execution.

This is where Comodo, Bitdefender and Kaspersky separate themselves.

Still, like Avira, they do good work.

But currently I prefer my Windows Defender, SmartScreen block, and app-install limitation setup.
Machine learning is the new toy in the industry; any vendor that implements it correctly will have a good edge on the others. Avira somehow uses it, but the implementation is not good. What surprised me was that machine learning is working with real-time protection in Symantec Endpoint Protection (there are different approaches in machine learning). So many samples get detected before execution by Auto-Protect. That's what I call implementation.
 

MWTHelper

From Avira
Developer
Verified
Hello,
I saw this thread and also had a short conversation with @Game Of Thrones about this matter.

What I can say as a summary is that we use several detection methods for the WannaCry family, so they should be detected in the vast majority of cases. There could indeed be a new variant of this virus that wasn't detected at the time of video creation, but it is impossible to tell if we don't have the file, or at least its hash, in order to investigate.
 

ZeroDay

Level 27
Verified
Hello,
I saw this thread and also had a short conversation with @Game Of Thrones about this matter.

What I can say as a summary is that we use several detection methods for the WannaCry family, so they should be detected in the vast majority of cases. There could indeed be a new variant of this virus that wasn't detected at the time of video creation, but it is impossible to tell if we don't have the file, or at least its hash, in order to investigate.
Does Avira have any plans to integrate stronger zero-day protection?
 

MWTHelper

From Avira
Developer
Verified
Does Avira have any plans to integrate stronger zero-day protection?
Sure. The antivirus modules are continuously improved as a rolling release. This means that new and improved features are distributed as product updates on availability.
 

Evjl's Rain

Level 40
Content Creator
Trusted
Malware Hunter
Verified
Sure. The antivirus modules are continuously improved as a rolling release. This means that new and improved features are distributed as product updates on availability.
Hello, could you please explain the differences between Avira Free and Avira Pro besides Web Guard?
Is there any difference in protection features? Why did Avira upload more malware to APC than Avira Free in my tests?
Thank you.
 