Advice Request How good is Avira vs Ransomware?

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.

Xsjx

Level 13
Thread author
Verified
Feb 21, 2017
613
Unless Avira has a signature for the ransomware it's not a good choice at all. You could combine Abira with VoodooShield, or Comodo firewall or any other app that's solid against zero day malware.
But avira claims they have Heuristics zero day:
with Avira blocks 1 million+ ransomware attempts every month, averting damages of over 600€ per attack. We accomplish this via our unique heuristic technology, which stops ransomware before it can do you any harm.
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
Many ransomware circumvent AV detection using process hollowing technique by running a legitimate Windows process, but in suspended mode. At that point, it empties the memory in use by the same process and injects the payload.
In this way, the malware is executed under legitimate process by not allowing the antivirus to detect it.
The question is how Avira is good against the process hollowing.
 

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
But avira claims they have Heuristics zero day:
with Avira blocks 1 million+ ransomware attempts every month, averting damages of over 600€ per attack. We accomplish this via our unique heuristic technology, which stops ransomware before it can do you any harm.
I think CruelSister did a Video, or someone did one Avira vs ransomware and it failed hard.
 
W

Wave

But avira claims they have Heuristics zero day:
with Avira blocks 1 million+ ransomware attempts every month, averting damages of over 600€ per attack. We accomplish this via our unique heuristic technology, which stops ransomware before it can do you any harm.
They are almost certainly referring to static heuristics, I've barely seen Avira protect the system through dynamic mechanisms regardless of any dynamic components they may or may not even have implemented into the product.

Static heuristics is identification before it is executed through the characteristics of the portable executable, or through generic signatures (different to check-sum, it's like detecting patterns of malicious code through the bytes/HEX of the PE).

However, malware authors can bypass this detection very easily through obfuscation/packing... Therefore, unless they obtain the sample to make a new signature or the malware uses a packer which they are sufficiently able to unpack in real-time, then it won't be detected.

I agree with @ZeroDay
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
However, malware authors can bypass this detection very easily through obfuscation/packing... Therefore, unless they obtain the sample to make a new signature or the malware uses a packer which they are sufficiently able to unpack in real-time, then it won't be detected.
I agree, theoretically it would be possible to see the imports, even with obfuscated code but if the code is sophisticated enough it is a problem.
 
W

Wave

I agree, theoretically it would be possible to see the imports, even with obfuscated code but if the code is sophisticated enough it is a problem.
Use dynamic importing:

Code:
#include <windows.h>
#include <winternl.h>
#include <iostream>
using namespace std;

typedef NTSTATUS(NTAPI *def_NtTerminateProcess)(HANDLE ProcessHandle, NTSTATUS ExitStatus);

int main()
{
FARPROC targetaddr = GetProcAddress(LoadLibraryA("ntdll.dll"), "NtTerminateProcess");
def_NtTerminateProcess NtHandle = (def_NtTerminateProcess)targetaddr;
// NtHandle(..., ...);
getchar();
return EXIT_STATUS;
}

Then you can use whatever Windows API function which is exported and available from user-mode that you want without it being detected as a static important. Apps like Dependency Walker do some more advanced things to identify dynamic imports but it's not the same.

To mess with some vendors products you can import through ordinal instead :D

In the end you can make a custom wrapper for GetProcAddress to make it more difficult or just call LdrGetProcedureAddress to be more stealth without a custom wrapper which is exported by ntdll.dll. A loadlibraryA wrapper would be decent, too.

Anyway imports shouldn't be used for detection alone, you need to make a scoring system which takes X amount of factors into account... PE File Header characteristics, IAT/EAT scanning, string output, entropy calculation, etc.
 

Xsjx

Level 13
Thread author
Verified
Feb 21, 2017
613
They are almost certainly referring to static heuristics, I've barely seen Avira protect the system through dynamic mechanisms regardless of any dynamic components they may or may not even have implemented into the product.

Static heuristics is identification before it is executed through the characteristics of the portable executable, or through generic signatures (different to check-sum, it's like detecting patterns of malicious code through the bytes/HEX of the PE).

However, malware authors can bypass this detection very easily through obfuscation/packing... Therefore, unless they obtain the sample to make a new signature or the malware uses a packer which they are sufficiently able to unpack in real-time, then it won't be detected.

I agree with @ZeroDay
Ok so can u tell me any program to work with avira for better zero day protection?
 
W

Wave

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Ok so can u tell me any program to work with avira for better zero day protection?
the best free antiransomware tool is CheckMAL appcheck

this is the order: appcheck >> kaspersky antiransomware = malwarebytes > cyberreason ransomfree >>>>>>>> bitdefender antiransomware tool.

BD is an absolutely useless tool. it blocked nothing in my test although I picked the samples which they claimed to protect against
 

Xsjx

Level 13
Thread author
Verified
Feb 21, 2017
613
Only just seen this, never saw the alert...

You can try using an external anti-ransomware product alongside Avira as long as it's compatible and works well, you'll have to do testing:
Kaspersky Anti-Ransomware Tool for Business
https://www.cybereason.com/tag/anti-ransomware/
Introducing the Malwarebytes Anti-Ransomware Beta - Malwarebytes Labs
Anti Ransomware Tool

Thx for your post and going to try Cybereason.

the best free antiransomware tool is CheckMAL appcheck

this is the order: appcheck >> kaspersky antiransomware = malwarebytes > cyberreason ransomfree >>>>>>>> bitdefender antiransomware tool.

BD is an absolutely useless tool. it blocked nothing in my test although I picked the samples which they claimed to protect against

Thx for your post! and going to also look at appcheck. :)
 

TheMalwareMaster

Level 21
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
Unless Avira has a signature for the ransomware it's not a good choice at all. You could combine Abira with VoodooShield, or Comodo firewall or any other app that's solid against zero day malware.
I can't agree more. Avira is good against malware until has signatures for them (which are really good though) and the cloud doesn't fail. You should use avira combined with VodoooShield free (simple to use and needs no tweaking, but it actually can't be tweaked in the free version) or Comodo firewall (needs tweaking for maximum protection). I like avira on Windows 7 systems. I don't like programs which are focused only on ransomware (mentioned above), because VoodooShield and Comodo are good against all kind of threats, and we can't install one program focused only on every kind of single threat
 

Xsjx

Level 13
Thread author
Verified
Feb 21, 2017
613
I can't agree more. Avira is good against malware until has signatures for them (which are really good though) and the cloud doesn't fail. You should use avira combined with VodoooShield free (simple to use and needs no tweaking, but it actually can't be tweaked in the free version) or Comodo firewall (needs tweaking for maximum protection). I like avira on Windows 7 systems. I don't like programs which are focused only on ransomware (mentioned above), because VoodooShield and Comodo are good against all kind of threats, and we can't install one program focused only on every kind of single threat

Hey! So basicly if i add voodooshield i will be safe with Avira total security? :)
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top