Avira logic in detecting malicious files

Status
Not open for further replies.

Game Of Thrones

Level 5
Thread author
Verified
Well-known
Jun 5, 2014
220
Hi everyone, I have done research on many AV companies, but today I saw something that I want to ask about to see if anyone has the answer. I'm using Avira Pro.
Avira is not detecting a file extracted from a 7z compressed archive (a 19MB malicious exe file) on sight; it detects it only after execution (or a right-click scan), even though it has the detection offline, so there is no need for the cloud. But I tested it with the EICAR test file, and it detects that right after extraction from the 7z compressed form.
I searched this behavior but found nothing about how Avira works and what the logic of this is.
Edit1: The Avira cloud is out of the question here since the signature is in the offline database too. But even if it were in the cloud, in Pro products the cloud works in real time, not just on execution.
 
Last edited:

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
In static mode it is very difficult for Avira, but generally for a common AV, to check back the source code of a compiled program (scripts maintain the source code). Also, having the source code, an AV is not able to fully understand it.
Of course, AVs can scan the code through signatures (pattern, checksum, etc.), behavioral info (IAT, syscalls, I/O behaviour, etc.) and runtime checks.

In dynamic mode, when you run the malware, it usually creates one or more processes.
The process has a Security Identifier (SID) that constitutes the access token, which can directly ensure special privileges.
When a process tries to access an object, the access token is used to check if the process has rights which are unconditional on the object; otherwise the Windows kernel scans the ACL.
Then an AV also checks (but not only this) these executions and, according to its algorithms, can decide whether to flag the sample or not.
 

Game Of Thrones

Level 5
Thread author
Verified
Well-known
Jun 5, 2014
220
In static mode it is very difficult for Avira, but generally for a common AV, to check back the source code of a compiled program (scripts maintain the source code). Also, having the source code, an AV is not able to fully understand it.
Of course, AVs can scan the code through signatures (pattern, checksum, etc.), behavioral info (IAT, syscalls, I/O behaviour, etc.) and runtime checks...

Thanks for your help and clarification, but as I said, the file is in the offline database and a right-click scan knows it immediately. Since a right-click scan is static detection (I need clarification about this since there is no documentation), which should be the same as real-time signature detection, I think the logic you describe is not related to this.
I think it might have something to do with the size of the file (19MB is big for a malware file); maybe Avira is not scanning big exe files, which I doubt.
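The size hypothesis raised above (an on-access scanner that skips executables over a size threshold, while an on-demand right-click scan has no such cap) can be modelled with a small toy scanner. This is an added example, not Avira's code or any description of how Avira actually works; the "signature database" holds the SHA-256 of a constructed, inert sample written at run time, the cap value and sample size are made-up figures, and `max_scan_bytes` is a hypothetical setting name. The point it demonstrates is the gap such a policy opens and why the hashing itself does not need a cap: reading in chunks keeps memory bounded whatever the file size.

```python
"""Added example: a toy hash-based scanner with an optional file-size cap.

Everything here is constructed. The "signature database" contains the
SHA-256 of a sample file generated below, not any real malware hash, and
max_scan_bytes is a hypothetical policy setting, not an Avira option.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB chunks so a large file is never loaded whole


def sha256_of_file(path):
    """Hash a file incrementally; memory use is bounded by CHUNK regardless of file size."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class Scanner:
    """Hash-based detector. max_scan_bytes=None means no size limit (on-demand scan)."""

    def __init__(self, signatures, max_scan_bytes=None):
        self.signatures = set(signatures)
        self.max_scan_bytes = max_scan_bytes

    def scan(self, path):
        size = os.path.getsize(path)
        if self.max_scan_bytes is not None and size > self.max_scan_bytes:
            # The weak policy: the file is never hashed, so a known signature is missed
            # until something without the cap (execution hook, right-click scan) looks at it.
            return "skipped_too_large"
        return "detected" if sha256_of_file(path) in self.signatures else "clean"


def make_sample(directory, size_bytes):
    """Write a constructed, inert file of the requested size and return its path."""
    path = os.path.join(directory, "sample.exe")
    filler = b"CONSTRUCTED-INERT-SAMPLE-" * 1024  # 25 KiB of text, nothing executable
    with open(path, "wb") as f:
        remaining = size_bytes
        while remaining > 0:
            block = filler[:remaining]
            f.write(block)
            remaining -= len(block)
    return path


def compare_policies(sample_size, on_access_cap):
    """Scan one sample under a capped on-access policy and an uncapped on-demand policy."""
    with tempfile.TemporaryDirectory() as d:
        path = make_sample(d, sample_size)
        signatures = {sha256_of_file(path)}  # constructed: enrol this sample as "known bad"
        on_access = Scanner(signatures, max_scan_bytes=on_access_cap)
        on_demand = Scanner(signatures)  # right-click scan: no cap
        return {"on_access": on_access.scan(path), "on_demand": on_demand.scan(path)}


if __name__ == "__main__":
    # Constructed figures: a 3 MiB sample against a 1 MiB on-access cap.
    print(compare_policies(3 * 1024 * 1024, 1 * 1024 * 1024))
    # Same policies, sample under the cap: both paths detect it.
    print(compare_policies(512 * 1024, 1 * 1024 * 1024))
```

The check a practitioner would take from this is to compare the two code paths on the same file rather than trusting one of them: if the on-access result and the on-demand result disagree only above some file size, a size policy is the likely cause.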
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
If the default settings of real-time protection aren't changed/brought down, Avira Pro not detecting files after extraction but detecting them, before execution, by a custom scan of the extracted files (if this is exactly what you said) is either incomprehensible or it's the cloud that is used for processing any of the unknown extracted files (that's the function of the cloud).
I'm not sure about the latter, since on reading the Avira Manual, which states how all of their functions work, they mention the use of the Cloud only for running programs, services and start-up entries and not for static scans (except for a quick system scan).
 
Last edited:

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
I'm no longer familiar with what's in Avira, but does it have a setting like scanning archives only when the file size is less than X megabytes?
Apparently he's asking about detection after extracting files from compressed form, not about scanning zip/7z/rar files.
So this shouldn't be applicable.

I think the problem needs to be demonstrated @Game Of Thrones, for comprehension or correction.
 

Game Of Thrones

Level 5
Thread author
Verified
Well-known
Jun 5, 2014
220
If the default settings of real-time protection aren't changed/brought down, Avira Pro not detecting files after extraction but detecting them, before execution, by a custom scan of the extracted files (if this is exactly what you said) is either incomprehensible or it's the cloud that is used for processing any of the unknown extracted files.
I'm not sure about the latter, since on reading the Avira Manual, which states how all of their functions work, they mention the use of the Cloud only for running programs, services and start-up entries and not for static scans (except for a system scan).
Thanks to you and everyone who's participating in this thread. Well, in the Pro version the cloud is indeed assisting real-time protection; I should test more, like testing it with some malware packs. But since it's on one of my main machines (the others are on Trend Micro), it's risky. The file is old and it's a fake Flash Player installer (it's a Trojan, not a PUP).
 

Game Of Thrones

Level 5
Thread author
Verified
Well-known
Jun 5, 2014
220
OK, I tested with the latest samples in the Malware Hub. Indeed it detects the malware right after extracting them; I think the problem is with the size of the sample, maybe Avira is not scanning large exe files for performance reasons. Another important point is that there is a clear difference in detection between the Pro version and the Free version. I tested the 16 samples (the latest) right after they came out in a virtual machine with Avira Pro, and one of the nice users here tested them with Free and posted the results; in my testing the Pro version detected all the samples (except the JS files, the URL is dead). I think Avira should tell users that there is a clear difference in detection between Pro and Free; the Pro is IMO right on par with Trend Micro and Kaspersky.
 

Last edited:
  • Like
Reactions: spaceoctopus

Xsjx

Level 13
Verified
Feb 21, 2017
613
OK, I tested with the latest samples in the Malware Hub. Indeed it detects the malware right after extracting them; I think the problem is with the size of the sample, maybe Avira is not scanning large exe files for performance reasons. Another important point is that there is a clear difference in detection between the Pro version and the Free version. I tested the 16 samples (the latest) right after they came out in a virtual machine with Avira Pro, and one of the nice users here tested them with Free and posted the results; in my testing the Pro version detected all the samples (except the JS files, the URL is dead). I think Avira should tell users that there is a clear difference in detection between Pro and Free; the Pro is IMO right on par with Trend Micro and Kaspersky.
The people still don't believe it: "Avira Pro is Avira Free with Web Shield".

I said it a long time ago, but people still seem to dislike my posts about it ;)
 
  • Like
Reactions: Game Of Thrones

Game Of Thrones

Level 5
Thread author
Verified
Well-known
Jun 5, 2014
220
The people still don't believe it: "Avira Pro is Avira Free with Web Shield".

I said it a long time ago, but people still seem to dislike my posts about it ;)
Well, to be honest, I was one of them too, since there is no documentation about this. But after I saw this by accident (I was just testing it for myself, but then I saw the results of our friend here with the Free version), I saw that the Pro version cloud is really powerful IMO, and this incident made me trust Avira again. There were times, a long time ago, when Avira was number one in real-world detection, and everyone in my country was installing it for everyday use or when they had malware in their systems. I have a license for Avira and I'm going to test it on my main laptop (other systems are on Trend); I hope the good old days are back. (The detection of the Pro version sometimes really shocks me ☺️)
 

Xsjx

Level 13
Verified
Feb 21, 2017
613
Well, to be honest, I was one of them too, since there is no documentation about this. But after I saw this by accident (I was just testing it for myself, but then I saw the results of our friend here with the Free version), I saw that the Pro version cloud is really powerful IMO, and this incident made me trust Avira again. There were times, a long time ago, when Avira was number one in real-world detection, and everyone in my country was installing it for everyday use or when they had malware in their systems. I have a license for Avira and I'm going to test it on my main laptop (other systems are on Trend); I hope the good old days are back. (The detection of the Pro version sometimes really shocks me ☺️)
:) The good old times areee back!

Hopefully more people see it soon, and hopefully someone gets to test it in the Malware Hub :)
 
  • Like
Reactions: Game Of Thrones

Game Of Thrones

Level 5
Thread author
Verified
Well-known
Jun 5, 2014
220
:) The good old times are back!

Hopefully, more people see it soon and hopefully, someone gets to test it in malware hub :)
Well, to be honest, I test Emsisoft, Avira and Trend Micro and even VIPRE!! in my virtual machines right after our malware hunters post the samples.
I just do not have the time or the mood to send the results; so far Avira Pro and Trend Micro are my favorites.
 
  • Like
Reactions: Xsjx