Arequire

Level 23
Content Creator
Verified
I think Avira free does not have the cloud as seen here...
With pro Cerber is nothing ;P


Still, why does the website say Free users also have Cloud?
Good to know. I also tested many malware packs from the hub in my video. I saw the pro version blocked almost everything except 1 PUP.

Perhaps the free version sucks, although it also has cloud but it's not working.


Free and Pro versions use the same cloud analysis. The problem lies in cloud scanning being hit-and-miss.
 

giants8058

Level 4
I don't understand why Avira missed those samples that giants tested. I also tested the same samples but the pro version blocked everything by cloud. Also malwareblocker's video didn't show any action of the cloud.

Something is wrong here.
In the video it either didn't need the cloud for some samples or it checked and didn't find a match and let it execute. Like Spawn's screenshot shows, it is designated with (Cloud) in the security alert.

Btw this is the pack and sample I used:
https://malwaretips.com/threads/20-3-2017-17.69781/

https://malwaretips.com/threads/js-downloader-cerber-ransomware.69762/
 

Evjl's Rain

Level 41
Content Creator
Trusted
Malware Hunter
Verified
Here is the test using the latest samples from the hub. The sample in the second link was included in my video. Not sure if it was running then.

https://malwaretips.com/threads/20-3-2017-17.69781/#post-610601

Containment: VMware Workstation 12.5.2 build-4638234
Guest/OS: Windows 7 Pro x86 SP1
Product: Avira Pro 2017, Default settings
Static: 6/17
Dynamic: 8/11
Total: 14/17
SUD: 11
Files encrypted: No
System Final Status: Infected
8427.js terminated everything after 5 seconds

20612.js triggered Avira cloud upload. Finally blocked.

48843.png.exe blocked by Avira cloud

Codice.jpg.exe blocked by cloud

gdfers.vbs triggered wscript, copied itself into temp, running for >5 minutes but nothing happened. Created an autorun entry -> rebooted -> same, nothing happened

MK847589.jse blocked by cloud

user.php.exe blocked by cloud

Case_4785_Details.js blocked by cloud

cerber.exe blocked by cloud

notice_6452842UK.js blocked by cloud

yg4peajz.exe blocked by cloud
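The results above separate samples caught before execution (cloud lookup on the file) from one that ran freely for minutes (gdfers.vbs: wscript launched, self-copy into temp, autorun entry). The following is an added example, not Avira's or any vendor's logic, showing the difference between a name-only pre-execution heuristic and post-execution behaviour rules. The event format, rule names, point values, block threshold and the trace itself are constructed for the demo and modelled on the gdfers.vbs chain reported in the test.

```python
"""Name-only file heuristic versus post-execution behaviour rules.
Added example; all rule names, scores and the event trace are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    pid: int
    kind: str      # "process_start" | "file_write" | "reg_set"
    detail: dict


# Constructed trace (not real telemetry): pid 100 mimics the gdfers.vbs
# chain from the test above, pid 200 is a benign editor used as a control.
TRACE = [
    Event(100, "process_start", {
        "image": r"C:\Windows\System32\wscript.exe",
        "cmdline": r'wscript.exe "C:\Users\u\Downloads\gdfers.vbs"'}),
    Event(100, "file_write", {"path": r"C:\Users\u\AppData\Local\Temp\gdfers.vbs"}),
    Event(100, "reg_set", {
        "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
        "value": "gdfers",
        "data": r'wscript.exe "C:\Users\u\AppData\Local\Temp\gdfers.vbs"'}),
    Event(200, "process_start", {
        "image": r"C:\Program Files\Notepad++\notepad++.exe",
        "cmdline": r'notepad++.exe "C:\Users\u\Documents\notes.txt"'}),
    Event(200, "file_write", {"path": r"C:\Users\u\Documents\notes.txt"}),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")
BLOCK_THRESHOLD = 60   # assumed: block a process at or above this score


def _base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def static_suspicion(filename):
    """What a scanner can decide from the name alone, before anything runs."""
    parts = filename.lower().split(".")
    score = 0
    if (len(parts) >= 3 and parts[-1] in {"exe", "scr", "com"}
            and parts[-2] in {"png", "jpg", "pdf", "doc", "php", "txt"}):
        score += 40   # "48843.png.exe": executable disguised by a double extension
    if "." + parts[-1] in SCRIPT_EXTS:
        score += 20   # bare script file, the usual downloader vector
    return score      # a plain "cerber.exe" scores 0: the name tells you nothing


def rule_script_host_from_user_dir(events):
    for e in events:
        if (e.kind == "process_start" and _base(e.detail["image"]) in SCRIPT_HOSTS
                and any(d in e.detail["cmdline"].lower() for d in USER_WRITABLE)):
            return 30, "script host launched on a file from a user-writable directory"
    return 0, None


def rule_self_copy_to_temp(events):
    script = None
    for e in events:
        if e.kind == "process_start":
            toks = e.detail["cmdline"].lower().replace('"', "").split()
            script = next((_base(t) for t in toks if t.endswith(SCRIPT_EXTS)), None)
    for e in events:
        if (e.kind == "file_write" and script and _base(e.detail["path"]) == script
                and "\\temp\\" in e.detail["path"].lower()):
            return 30, "script copied itself into %TEMP%"
    return 0, None


def rule_run_key_persistence(events):
    for e in events:
        if e.kind == "reg_set" and e.detail["key"].lower().endswith("\\currentversion\\run"):
            return 30, "autorun entry written under the Run key"
    return 0, None


def rule_persistence_points_at_own_drop(events):
    written = {e.detail["path"].lower() for e in events if e.kind == "file_write"}
    for e in events:
        if e.kind == "reg_set" and any(p in e.detail["data"].lower() for p in written):
            return 20, "autorun entry points at a file this process itself wrote"
    return 0, None


RULES = [rule_script_host_from_user_dir, rule_self_copy_to_temp,
         rule_run_key_persistence, rule_persistence_points_at_own_drop]


def behaviour_verdicts(trace):
    """Score each process on what it did, not on what its file looked like."""
    per_pid = defaultdict(list)
    for e in trace:
        per_pid[e.pid].append(e)
    verdicts = {}
    for pid, events in per_pid.items():
        score, reasons = 0, []
        for rule in RULES:
            pts, why = rule(events)
            score += pts
            if why:
                reasons.append(why)
        verdicts[pid] = {"score": score, "block": score >= BLOCK_THRESHOLD, "reasons": reasons}
    return verdicts


if __name__ == "__main__":
    for name in ("48843.png.exe", "gdfers.vbs", "cerber.exe"):
        print(f"static {name}: {static_suspicion(name)}")
    for pid, v in behaviour_verdicts(TRACE).items():
        print(pid, v)
```

The name heuristic flags the double-extension samples but gives cerber.exe nothing, which is exactly where the cloud lookup or a behaviour rule has to carry the decision; the behaviour rules score the wscript chain well above the block threshold while the control process stays at zero.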
 

spaceoctopus

Level 15
Content Creator
Verified
I don't understand why Avira missed those samples that giants tested. I also tested the same samples but the pro version blocked everything by cloud. Also malwareblocker's video didn't show any action of the cloud.

Something is wrong here.
Perhaps the answer to that is that there are some technologies and functions under the hood that they remove in the Free version. For marketing they may tell you that the cloud tech is the same as the Premium versions too, for example, but in fact it's a trimmed-down version. I noticed that too in some tests: Avira Free is bad. But when the Pro version is tested, it usually gives good results.

Thanks for this detailed test. Now we can clearly see the Cloud protection kicking in and doing its job. ;)
 

XhenEd

Level 27
Content Creator
Trusted
Verified
And heuristics is different from a behavior blocker. Most AVs have heuristics by default, which are built into their engine, but also offer some type of post-execution behavioral analysis, like Kaspersky, Emsisoft, Avast and Norton.
As far as Emsisoft is concerned, their BB can be called heuristics. No, Emsisoft doesn't have heuristics similar to those of Kaspersky, Avast, ESET, etc., but for the Emsisoft team, BB is just large-scale heuristics. It all really depends on how one defines heuristics. :) I need to find the thread to support what I said. :D

As for Avira, if indeed it has a trimmed version of the cloud tech, then it's just bad. You would always want the Free version to shine, so that it gives the users the incentive to buy the Pro version. But I don't really think that they have trimmed down the Free version's cloud functionality. :)


Edit: For Emsisoft, IDS, Behavior blocker, Heuristic, what is the difference?
My explanation might not be accurate, so an explanation straight from the horse's mouth is good. :D I think I misunderstood it. The post is saying about the similarities of IDS and BB, but not Heuristics and BB. So, my explanation isn't accurate after all. :D

"It is a common misconception that Emsisoft’s Behavior Blocker uses conventional heuristics. Heuristics checks files on your hard-drive for malicious routines and then classifies a file as dangerous or safe based on a calculation of probability. Emsisoft’s Behavior Blocker works on a higher level though, and directly monitors how active programs behave on your system." - Efficient protection against new malware: Emsisoft’s Behavior Blocker

Also,
That depends on what you consider a heuristic. The term is awfully broad and everyone seems to have their own definition. For a lot of people heuristics are intertwined with the ability to emulate the execution of a program and watch what it does in such an emulated environment as part of the normal file scan. We don't do any of that in our engine. For others all methods that are not aimed at detecting a specific malware or malware family, but detecting malicious files in general are considered heuristics. We do use those in our engine. However, we rarely call them out as being a "heuristic detection" anymore. I think the last detection that actually made itself known as being a heuristic detection was Heuristic.Possible.MBR.Rootkit that has since then been removed. That rule for example triggered the scan engine to read the disk's MBR using various methods (Windows API, talking to the disk directly, etc.) and comparing the results whether or not they were identical, which would indicate an application hiding the real contents of the MBR from the rest of the system. Although I am sure a lot of people with different definitions of "heuristic" than us would disagree that this rule was a heuristic to begin with.
- Old Signatures
 
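The retired Heuristic.Possible.MBR.Rootkit rule quoted above reads the MBR through more than one path and flags a disagreement, since only a hook hiding the real sector from the OS would make the views differ. The following is an added example of that cross-view technique, written for this page and not Emsisoft's code: the MBR layout (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature) is the standard one, but the two "readers" are constructed byte strings standing in for the OS API path and a direct disk path, and the boot stub bytes, partition values and reader names are assumptions so the check runs offline.

```python
"""Cross-view MBR consistency check. Added example; the views, boot stub
bytes and partition values are constructed, not read from a real disk."""
import hashlib
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"   # status, CHS first, type, CHS last, LBA first, sector count
REGIONS = {"bootcode": (0, 446), "partition_table": (446, 510), "signature": (510, 512)}


def build_mbr(bootcode, partitions):
    """Assemble a 512-byte MBR from boot code and up to four
    (status, type, lba_first, sector_count) tuples. CHS fields are filler."""
    body = bootcode.ljust(446, b"\x00")[:446]
    table = b"".join(struct.pack(ENTRY_FMT, st, b"\x00\x02\x00", ty, b"\xfe\xff\xff", lba, n)
                     for st, ty, lba, n in partitions)
    return body + table.ljust(64, b"\x00") + b"\x55\xaa"


def parse_mbr(sector):
    """Validate the signature and pull out the used partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        st, _, ty, _, lba, n = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ty:   # type 0 is an unused slot
            parts.append({"bootable": st == 0x80, "type": ty, "lba": lba, "sectors": n})
    return {"bootcode_sha256": hashlib.sha256(sector[:446]).hexdigest(), "partitions": parts}


def cross_view_check(views):
    """views maps reader name -> the 512 bytes that reader returned.
    Returns (consistent, per-view digests, list of regions that disagree)."""
    names = list(views)
    digests = {n: hashlib.sha256(views[n]).hexdigest() for n in names}
    ref = views[names[0]]
    differing = [r for r, (a, b) in REGIONS.items()
                 if any(views[n][a:b] != ref[a:b] for n in names[1:])]
    return not differing, digests, differing


# Constructed scenario: a bootkit hooking the API read path hands back the
# pristine sector while the sector actually on disk carries a patched loader.
PARTS = [(0x80, 0x07, 2048, 1_000_000)]
BOOT_CLEAN = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20   # assumed boot stub
BOOT_HOOKED = b"\xe9\x00\x02" + BOOT_CLEAN[3:]                 # near jmp patched in
CLEAN = build_mbr(BOOT_CLEAN, PARTS)
HOOKED = build_mbr(BOOT_HOOKED, PARTS)

HONEST_DISK = {"os_api": CLEAN, "direct_disk": CLEAN}
HIDING_DISK = {"os_api": CLEAN, "direct_disk": HOOKED}

if __name__ == "__main__":
    print(parse_mbr(CLEAN)["partitions"])
    for label, views in (("honest", HONEST_DISK), ("hiding", HIDING_DISK)):
        ok, digests, diff = cross_view_check(views)
        print(label, "consistent" if ok else f"MISMATCH in {diff}", digests)
```

Note that the rule fires on disagreement between readers, not on any property of the boot code itself, which is why Fabian's post says it does not match everyone's idea of a heuristic: it needs no model of what malicious boot code looks like.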

509322

Heuristics is based upon probabilities and stochastics (probabilistic trends). Fabian will tell you Emsisoft uses no heuristics anywhere in their part of the products.
 

509322

The cloud is the same in the paid and free products.

All you see here is people saying stuff when they don't know what they're talking about.

One cannot compare Avira to other products like Emsisoft and Kaspersky. Avira is limited-feature, whereas other protection softs are more fully featured. That's comparing apples to pineapples, which makes no sense.

Avira's most direct comparison is with the likes of Windows Defender and Ikarus - and that is what Avira is, a good Windows Defender replacement.
 

giants8058

Level 4
I had an extensive conversation here a couple weeks ago with Christian from Emsisoft, and I can confirm they do incorporate heuristics along with a separate Behavior Blocker module. But it's not within their engine but instead the Bitdefender engine. So yeah it has both. Threats flagged by heuristics have the heur designation within the name.
 

XhenEd

Level 27
Content Creator
Trusted
Verified
I had an extensive conversation here a couple weeks ago with Christian from Emsisoft, and I can confirm they do incorporate heuristics along with a separate Behavior Blocker module. But it's not within their engine but instead the Bitdefender engine. So yeah it has both. Threats flagged by heuristics have the heur designation within the name.
Maybe what he's saying is that the Bitdefender signatures include the B-Have signatures, the heuristic detection signatures of Bitdefender.
 

giants8058

Level 4
Maybe what he's saying is that the Bitdefender signatures include the B-Have signatures, the heuristic detection signatures of Bitdefender.
I was wondering the exact same thing so I asked him that, but he said that the heuristics analysis occurs in real time with the BD engine and not a detection that was picked up in the past and pushed out with the heur designation in the sig name.
 

509322

I had an extensive conversation here a couple weeks ago with Christian from Emsisoft, and I can confirm they do incorporate heuristics along with a separate Behavior Blocker module. But it's not within their engine but instead the Bitdefender engine. So yeah it has both. Threats flagged by heuristics have the heur designation within the name.
Bitdefender signatures are not an Emsisoft product. Yes, Bitdefender employs heuristics.

Emsisoft itself does not use heuristics in their signatures. That's what I meant.

Go over to the Emsisoft support forum and you will see Fabian's comments.
 

XhenEd

Level 27
Content Creator
Trusted
Verified
I asked him that, but he said that the heuristics analysis occurs in real time with the BD engine and not a detection that was picked up in the past and pushed out with the heur designation in the sig name.
Thanks for that info! :)

The only thing that prevents me from completely believing that, no offense to you, is the fact that Emsisoft never published anything about this yet. :)

But that maybe is true because it's Christian, the CEO. :)
 

giants8058

Level 4
Try reaching out to him yourself. He has the Emsisoft username here. I didn't know I was even talking to him until more than halfway through the conversation, when he told me. Thought it was one of their devs. I thought it was pretty cool, though, that a CEO would take the time to explain everything the way he did.
 

Azure

Level 23
Content Creator
Verified
Heuristics is based upon probabilities and stochastics (probabilistic trends). Fabian will tell you Emsisoft uses no heuristics anywhere in their products.
Perhaps not from Emsisoft's own engine; however, regarding Bitdefender's:

Question about the Bitdefender engine
"It includes everything related to on-demand file detection including file based signatures as well as heuristics."
 

giants8058

Level 4
Correct. That's why I said the BD engine does but not the Emsisoft engine. Would be nice though if they would incorporate it in their engine as well.
 

509322

Correct. That's why I said the BD engine does but not the Emsisoft engine.
The topic gets muddied because people will say "Emsisoft uses heuristics." You have to qualify what they mean by "Emsisoft uses heuristics."

Emsisoft employs Bitdefender signatures - and the Bitdefender signatures utilize heuristics - but no part of the Emsisoft products proper use heuristics. At least that is how I have understood Fabian's comments about the products over the years. Now whether or not any of that has changed over the years... I don't know. Products can change, but from what I can tell, I don't think Fabian is a fan of heuristics - among a lot of other things.