App Review Avira Free Antivirus vs WannaCry ransomware by Juan Diaz

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
2 suspicious patterns detected and quarantined (after the encrypted copies were generated).
Still, the RW was able to delete the original files left out during the creation of encrypted copies. That clearly indicates the slow detecting and/or inadequate blocking of the malicious process(es) by Avira free, be it cloud or local.

My only concern in the security setup was that the 'Use file extensions list' (that's mostly custom) was selected instead of 'Use Smart Extensions' (or All Files). I do not remember if the extensions have to be specified in this AV. I may be wrong, but probably using Smart Extensions list (like the default settings of many AVs) could have helped detect the malicious process, earlier, instead of just depending on the detection of the encrypted files in some monitored folders.
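The behaviour discussed in the post above (an encrypted copy is written, then the original is deleted by the same process) can be expressed as a per-process heuristic. This is an added example, not part of the thread and not Avira's detection logic; the events, paths, PIDs, the `.enc` suffix and the threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed file-activity events (time_s, pid, operation, path); not taken from the video.
EVENTS = [
    (0.0, 4312, "create", r"C:\Users\a\Docs\q1.xlsx.enc"),
    (0.1, 4312, "delete", r"C:\Users\a\Docs\q1.xlsx"),
    (0.2, 988,  "create", r"C:\Users\a\Docs\notes.txt.bak"),  # benign backup, original kept
    (0.3, 4312, "create", r"C:\Users\a\Docs\plan.docx.enc"),
    (0.4, 4312, "delete", r"C:\Users\a\Docs\plan.docx"),
    (0.5, 4312, "create", r"C:\Users\a\Pics\cat.jpg.enc"),
    (0.6, 4312, "delete", r"C:\Users\a\Pics\cat.jpg"),
    (0.7, 4312, "create", r"C:\Users\a\Pics\dog.jpg.enc"),
    (0.8, 4312, "delete", r"C:\Users\a\Pics\dog.jpg"),
]


def detect_copy_then_delete(events, threshold=3):
    """Return (pid, alert_time, originals_lost) for the first process that writes
    'name.ext.<suffix>' and then deletes 'name.ext' `threshold` times, else None."""
    pending = defaultdict(set)   # pid -> originals for which a suffixed copy exists
    lost = defaultdict(list)     # pid -> originals deleted after their copy appeared
    for ts, pid, op, path in sorted(events):
        key = path.lower()       # Windows paths are case-insensitive
        if op == "create":
            stem, dot, _suffix = key.rpartition(".")
            # The stem still carries an extension: looks like original + appended suffix.
            if dot and "." in stem.rsplit("\\", 1)[-1]:
                pending[pid].add(stem)
        elif op == "delete" and key in pending[pid]:
            pending[pid].discard(key)
            lost[pid].append(path)
            if len(lost[pid]) >= threshold:
                # Everything in lost[pid] was already gone when the alert fired.
                return pid, ts, list(lost[pid])
    return None


if __name__ == "__main__":
    for t in (1, 3, 5):
        print(t, detect_copy_then_delete(EVENTS, threshold=t))
```

The returned list is the set of originals already deleted when the alert fires, so a lower threshold means fewer lost files at the cost of more false positives from tools that legitimately replace files.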
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
I thought Avira detected wannacry since 2 months. Or is that a 0 day modified version?
There are some variants, for example the kill-switch call has been eliminated by modifying the hex of the executable and bypassing the concerned calls: probably these versions were not made by the original author, because by analyzing the code, it is clear that it was not done by a compiler.
Indeed, subsequently to the control of the kill switch, the flow of code execution proceeds to create a service called "mssecsvc2.0" (displayed with the symbolic name "Microsoft Security Center (2.0) Service"), starting it and pulling out the ransomware component and performing it.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Perhaps the main process created many processes, a few of which were blocked, but the main process was not blocked, so it could still infect.
I don't know if the pro version can block it or not, but the cloud in the free version didn't upload the file for cloud analysis this time.

Some people on Wilders are still saying free and pro are identical and smashing other users for having no clue, but they can't point out the difference between the 2 other than giving some unhelpful Avira descriptions, no real test.
 

brod56

Level 15
Verified
Top Poster
Well-known
Feb 13, 2017
737
2 suspicious patterns detected and quarantined (after the encrypted copies were generated).
Still, the RW was able to delete the original files left out during the creation of encrypted copies. That clearly indicates the slow detecting and/or inadequate blocking of the malicious process(es) by Avira free, be it cloud or local.

My only concern in the security setup was that the 'Use file extensions list' (that's mostly custom) was selected instead of 'Use Smart Extensions' (or All Files). I do not remember if the extensions have to be specified in this AV. I may be wrong, but probably using Smart Extensions list (like the default settings of many AVs) could have helped detect the malicious process, earlier, instead of just depending on the detection of the encrypted files in some monitored folders.

I agree. If Avira could speed up the detection process/cloud submission probably this system wouldn't be infected.
 

Atlas147

Level 30
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
Avira has a blog post stating that they have detected WannaCry 2 months before the outbreak happened. This is probably a new variant; maybe you should send it to VirusTotal to check the detection ratio on it. Hopefully other vendors have already reacted to it faster than Avira.

Also you should SUD this to Avira and other vendors that don't detect this variant ASAP to prevent others from getting infected as well.
 

Game Of Thrones

Level 5
Verified
Well-known
Jun 5, 2014
220
It is hard to stop ransomware post execution.

This is where Comodo, Bitdefender and Kaspersky separate themselves.

Still like Avira, they do good work.

But currently I prefer my Windows Defender, Smart Screen block, app install limitation setup.
Machine learning is the new toy in the industry; any vendor that implements it correctly will have a good edge on the others. Avira somehow uses it, but the implementation is not good. What surprised me was that machine learning is working with real-time protection in Symantec Endpoint Protection (there are different approaches in machine learning). So many samples get detected before execution by Auto-Protect. That's what I call implementation.
 

MWTHelper

From Avira
Verified
Developer
Oct 27, 2016
24
Hello,
I saw this thread and also had a short conversation with @Game Of Thrones about this matter.

What I can say as summary is that we use several detection methods for the wannacry family, so they should be detected in the vast majority. There could be indeed a new variant of this virus that wasn't detected at the time of video creation, but this is impossible to tell if we don't have the file, or at least its hash in order to investigate.
 

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
Hello,
I saw this thread and also had a short conversation with @Game Of Thrones about this matter.

What I can say as summary is that we use several detection methods for the wannacry family, so they should be detected in the vast majority. There could be indeed a new variant of this virus that wasn't detected at the time of video creation, but this is impossible to tell if we don't have the file, or at least its hash in order to investigate.
Do Avira have any plans to integrate stronger zero day protection?
 

MWTHelper

From Avira
Verified
Developer
Oct 27, 2016
24
Do Avira have any plans to integrate stronger zero day protection?
Sure. The Antivirus modules are continuously improved as a rolling release. This means that new and improved features are distributed as product updates on availability.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Sure. The Antivirus modules are continuously improved as a rolling release. This means that new and improved features are distributed as product updates on availability.
Hello, could you please explain the differences between Avira Free and Avira Pro besides web guard?
Is there any difference in protection features? Why did Avira upload more malware to APC than Avira Free in my tests?
Thank you
 