App Review Avira vs a D+2 Ransomware file

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423

Avira is still only good in the signature and web protection department, a pity.

Good to see you again, it has been quiet around you and the video demonstrations :)
Judging from the ext, it's the latest variant of GandCrab, right? (Correct me please if there are newer ones).

Thank you for the share @ CS!
 

Mahesh Sudula

Level 17
Verified
Top Poster
Well-known
Sep 3, 2017
818
Yipee! Ransomware won the game
Avira shame on you..Your competitors are evolving into different technologies ..you are still inclined to precious dinosarous signatures
M/L , night vision are a joke...Sit along with sigatures till 2050
H+BEDV alone can change you:notworthy:(n)
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Hi Guys! Just wanted to give a bit of background to this test. An old colleague made me aware of a bunch of this malware masquerading as Cracks were showing up, written by a Bulgarian Group. I was in a process of writing a rather extensive report on AMD and as is typical for me I needed frequent breaks (to allow for Brilliance to rise to the top). Anyway, I followed this thing from the report to me until I made the video and wanted to share a few things:

1). From what my friend told me there were over a hundred different variants that were released. Some just differed in the file name, some had verbose code that was nopped out to give it a different SHA-256. But all essentially were the same. Point being, whenever you read that there are like 10,000 "New" malware thingies being released daily, in all probability it is really like 10 with 9990 semi-duplicates.

(Note: for the following I'm limiting myself to products that are utilized by the Home User)

2). The initial detection was by Kaspersky. Qihoo was second. Both had definitions in place within 12 hours of initial detection (infection).

3). Between Day 1 and 2 (D+24-48 hrs)- detection came in dribs and drabs. Eset and Avast/AVG were the first, followed by others.

4). On day 2 (when I did the video), both Avira and Webroot were the only Non-Chinese majors not to detect it. At this point I did and uploaded to YouTube a Webroot fail. But before I made it public I did one more test and Damned- Webroot now got it (about FxxxxxG Time). So I deleted that video and did this one, with Avira.

5). Today (day 3; D+72 hrs), Avira cloud now detects it. Microsoft also delayed detection until earlier today. I personally feel that Microsoft could be the best anti-malware product on the Planet but are forced to dumb-down their detection due to anti-trust concerns.

6). Tencent still allows this malware. Please, please do not use Tencent!

7). Regarding the Avira Heuristics (and please note that I heavily edited this video to fit the song- which I consider one of the Highpoints of Western Culture - If I had used the default heuristic setting, the malware would have encrypted almost immediately. At the max, Avira kept it at abeyance for about 3 minutes until allowing it (duhhhhh- I think it's OK). Avira heuristics suck big-time.

8). This point is of EXTREME IMPORTANCE- note my comment above about Microsoft (Windows defender). I've seen such delays in TTD (Time To Detection) all of the time. So whenever you see any "Pro" testing site give WD stellar results, you should know that the malware used in that test was OLD (reminds me of the Kaspersky anti-ransomware test posted here recently when the newest malware used was a year old!). Demand that the Pro sites use ONLY NEW MALWARE and do the tests on all of the products SIMULTANEOUSLY. Otherwise there is no actual Real-World signifigance no matter what they may say.

Rant Ends.
 
D

Deleted Member 3a5v73x

At this point I did and uploaded to YouTube a Webroot fail. But before I made it public I did one more test and Damned- Webroot now got it (about FxxxxxG Time). So I deleted that video and did this one, with Avira.
Ahhh, you could have kept snapshot with Webroot fail and look after 24 hours/x days if it could rollback system from encryption. It might have been interesting to see. I did this in late 2016 with Cerber, and it could succesfully rollback encrypted files. I was impressed back then. (y)

Sad about Avira. I am a part of their BETA builds, and honestly thinking to unsign from it, not because of this test, but because I am also tired that they can't come up with new innovations in malware detection capabilities. They could have at least made "Folder/Data protection" feature to not let ransomwre encrypt those areas like other AV vendors have introduced, but no.
 
Last edited by a moderator:

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
6). Tencent still allows this malware. Please, please do not use Tencent!

No idea whether another ransomware uses the .KRAB (GandCrab v4) extension, but this one is blocked easily. Maybe later versions will bypass TCPM BB / HIPS. Did not find encrypted files, neither in user folder nor over the system (I have seen RW targeting files in system folders before attacking personal files).
run.PNG

Taken from the hash at the end of the article, file to be found on AnyRun.

GandCrab V4 Released With the New .KRAB Extension for Encrypted Files

Note I have used custom settings, product version is 12.3.26562.901.
File system shield was turned off, to prevent the file being detected by signatures.

Realtime protection mode: Expert mode (Prompt upon detecting suspect actions)
File system protection level: High (monitor all file operations)
Action on threat detection: Choose action manually
Download Protection: Security prompt on dangerous files only

No AV is perfect.
All I want to say, it's a matter of personal preference. Q360 did not shine in the HUB lately (especially not against fileless malware, stealing precious information instead of encrypting them), and missed a RW, too, which encrypted some files until the user clicked the option to block the RW.

Another one:
run.PNGpage.PNGrun1.PNGrun1_1.PNGfiles.PNGfiles2.PNG
Triggers UAC, is active in memory for about 5 seconds, calls out. No files encrypted.


EDIT: The malware triggered both SmartScreen as well as UAC, both have been confirmed.
The URL was not intercepted by Google Webfilter or Avira Browser extension by the time of download.
No idea on F-Secure, the webfilter option in FreeDome has been shut down by the time of testing to not interfere with malware.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
...
8). This point is of EXTREME IMPORTANCE- note my comment above about Microsoft (Windows defender). I've seen such delays in TTD (Time To Detection) all of the time. So whenever you see any "Pro" testing site give WD stellar results, you should know that the malware used in that test was OLD (reminds me of the Kaspersky anti-ransomware test posted here recently when the newest malware used was a year old!). Demand that the Pro sites use ONLY NEW MALWARE and do the tests on all of the products SIMULTANEOUSLY. Otherwise there is no actual Real-World signifigance no matter what they may say.
Rant Ends.
Very interesting remark. But, your tests were usually done on Windows 7. Please, clarify how is the above remark related to the updated Windows 10.
If I correctly understood your post, then Defender detection means signature detection + dynamic detection (default Defender settings).
Regards.
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
What about Comodo Firewall In your config?

Actually running both of these samples used in this test under Cruel Comodo is kind of cool (I really should do a video about it, but I don't do videos anymore). You can see the damage that the malware is doing in the VTRoot directory (the virtualized space); it's so pathetic that it almost makes you feel bad for the malware (and CF also stopped ~500 Network Intrusions in 5 minutes). Also note one thing- in order to see how easily Containment handles the malware, I shut off the Cloud AV. If I had enabled the AV I would have just got an error message that the file could not be run, with that malware file being deleted by the AV. Needless to say there would be no fun there!

(both malware samples eventually just terminated themselves in despair).

With leads me to my complaint about CF- in previous builds a reboot would have cleared the Sandbox. Currently things like the above will hang out in VTRoot until a manual sandbox cleaning is done. In spite of innumerable private and a couple of Public requests, they still essentially told me to GFM (they hate me). Oh Well (sigh)...

Fun Fact- there was a new Worm file that was brought to my attention last week- to my total surprise Comodo was the ONLY consumer level AV that detected and deleted it. Not believing my eyes I immediately ran that worm in my Kaspersky VM and it indeed did get right past it (I almost fainted). Understand that in statistics we would call this a N=1 test (no actual significance), but perhaps the Comodo Cloud AV does not suck as much as I think.

Andy- Your answer is more complex:

1). Although I chose to do my videos under Win7 (the most popular OS), my initial testing is always under Win10. Normally this does not matter EXCEPT in the case of WD.
2). From the start I was a proponent of IMMEDIATELY switching from whatever Windows build to Win 10 because of the intrinsic increase in malware protection (I LOVED AMSI- Scriptors Beware!). Sadly many were swayed by Bullshit articles written by the ignorant that stated that MSFT was just trying to track people with Win10, so they both missed out on a superior OS and missed out on getting it for FREE. WD on Win10 is without doubt vastly superior to WD on WIN(not 10).
3). Tests like: Malware Protection Test March 2018 | AV-Comparatives
are done with WD at default with no further Bells and Whistles. 100% Detection my (firm and extremely shapely) Ass! A zero-day info stealer can cut right through WD on 10 like a knife through soft butter. Anyone putting their faith in a test like this could reasonably assume that WD provides perfect protection. This makes me angry as my only concern is that the Peeps out there live a malware free life, and believing crap like this will lead to anything but.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
...
Andy- Your answer is more complex:

1). Although I chose to do my videos under Win7 (the most popular OS), my initial testing is always under Win10. Normally this does not matter EXCEPT in the case of WD.
2). From the start I was a proponent of IMMEDIATELY switching from whatever Windows build to Win 10 because of the intrinsic increase in malware protection (I LOVED AMSI- Scriptors Beware!). Sadly many were swayed by Bullshit articles written by the ignorant that stated that MSFT was just trying to track people with Win10, so they both missed out on a superior OS and missed out on getting it for FREE. WD on Win10 is without doubt vastly superior to WD on WIN(not 10).
3). Tests like: Malware Protection Test March 2018 | AV-Comparatives
are done with WD at default with no further Bells and Whistles. 100% Detection my (firm and extremely shapely) Ass! A zero-day info stealer can cut right through WD on 10 like a knife through soft butter. Anyone putting their faith in a test like this could reasonably assume that WD provides perfect protection. This makes me angry as my only concern is that the Peeps out there live a malware free life, and believing crap like this will lead to anything but.
Thanks for clarifying. Maybe you will find the time someday to test Defender Controlled Folder Access + ASR against the ransomware on Windows 10 ver. 1803.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top