Known Problems with Most Common AV's

Status
Not open for further replies.

Ludditus

Level 1
Verified
Aug 12, 2015
29
  • Win32:Malware-gen is not a proper detection. Avast uses it (and AVG now) for a huge range of heuristic detection that include 99% of the FPs raised by Avast/AVG.
  • FileRepMalware is not a real detection either. It means "bad reputation in the Cloud." That doesn't mean anything to me. Can be FP too.
  • There are NO good script detectors; most security solutions underdetect, while some overdetect (meaning FPs).
  • One can block the execution of specific scripts or file types, and also disable potentially dangerous Windows features, by using either of OSArmor (real-time monitoring) or SysHardener, both being free.
  • I'm tired of hearing of .COM files. Most 64-bit systems shouldn't be able to execute such a file, and not even try to, because by extension is 16-bit.
 
4

436880927

Win32:Malware-gen is not a proper detection. Avast uses it (and AVG now) for a huge range of heuristic detection that include 99% of the FPs raised by Avast/AVG.
Yes, it is a proper detection. It's a generic signature/heuristic detection, it simply hasn't been classified into an explicit category - this implies that the signature used or the heuristic algorithm causing the flag is merely looking for "suspicious" things as opposed to something explicitly tied to a known malware family.

For clarification, generic signatures these days tend to be executable code (e.g. either native or in a run-time).
 
Last edited by a moderator:
4

436880927

@venustus The engines on VirusTotal do not have to be the same engines integrated into the home or enterprise consumer services provided by the vendor; the engines submitted to VirusTotal by a vendor can be less aggressive or more aggressive. The vendors will neither state which one it is, or whether it is the same as the commercial engines in their actual solutions - they do not have to.

See: AV product on VirusTotal detects a file and its equivalent commercial version does not
 

Ludditus

Level 1
Verified
Aug 12, 2015
29
Yes, it is a proper detection. It's a generic signature/heuristic detection.
No, it's not a proper detection. You yourself said "generic" and "heuristic"! I can show you famous ransomware bearing the Win32:Malware-gen label MONTHS AFTER everyone else has given the malware an explicit name, and harmless keygens bearing the same label. (The same as Panda's Trj/CI.A.) How can one trust such an identification that can be with almost identical probabilities one of the following:
  • Hugely destructive malware, such as ransomware.
  • Inoffensive packed binaries, such as some keygens.
  • Plain FPs, e.g. normal binaries that don't do anything peculiar, except maybe that they're packed in a way meant to prevent cracking.
I do not trust such "identifications." It's pure and simple laziness. I repeat, sometimes Avast didn't bother to properly reclassify famous ransomware strains, leaving them at Win32:Malware-gen. At the same time, two thirds of the keygens are going to be classified using the same label. I wouldn't pay a penny to such security vendors.
 
Last edited:

Ludditus

Level 1
Verified
Aug 12, 2015
29
If you understand what a generic signature is, you'll understand the link to the term "heuristic".
If you understand what a generic signature is, you'll understand such signatures can't blindly be trusted.

There are countless examples of a keygen which has malicious code embedded within it. Therefore, it makes perfect sense for an AV to go on a mass-blockage for such content.
No, it does not. An AV doesn't even know it's a keygen. All it knows is that it's packed in a way that makes the analysis impossible unless you actually run it.

If the sample is already flagged then they may not bother adding an explicit generic signature for the family. They will have other work to do such as flagging families which aren't being detected with existing generic signatures.
Why, oh why would they bother to make their (paying) customers aware when they encounter an extremely dangerous ransomware currently in the wild, when they could show them a signature that SOME such customers might choose to ignore SPECIFICALLY BECAUSE they have encountered it in so many FP cases. Makes sense, yeah. They're busy with more important things. (Some other vendors, such as Kaspersky, have nothing else to do than to waste their time and label keygens or patches with "not-a-virus:", and Avast can't be bothered to properly label ransomware?!).

At the end of the day, you need to stop acting like a bitch and know your place because you don't know what you're talking about. Stop spreading bullshit.
This applies to you too. I have probably encountered the first virus before you were even born. Stop spreading arrogance. You have no right to assume you have a better understanding of malware than I do.
 

davisd

Level 3
Verified
Jan 27, 2019
108
This applies to you too. I have probably encountered the first virus before you were even born. Stop spreading arrogance. You have no right to assume you have a better understanding of malware than I do.
According to your knowledge posted above of embroids, you caught a virus in a womb which still shows a presence of your fantazised assumptions of other members here. Before jumping onto someone with your self-proclaimed malware understanding, get your psyche in check before replying in online forums. Malware removal process is never guaranteed to full extent from the system, so I suggest you to format yourself and make a new nickname, you're done my guy.
 
P

Pkjfkknm

  • Win32:Malware-gen is not a proper detection. Avast uses it (and AVG now) for a huge range of heuristic detection that include 99% of the FPs raised by Avast/AVG.

you talk about labeling and not detection method. the label given to file does not correlate with the detection method, whether it is local or cloud, and then using a range of techs, or combinations thereof.

labels are irrelevant coz every last vendor assigns labels that are vague. it isn't the label that is assigned that matters coz the label is not part of the detection algorithm. there are a lot of parts that are universal to malware, so designing a system to autoassign some basic label makes sense. all the effort is in the detection and not the labeling. plus short term detections get turned into long term generic sigs to save memory. it is the detection itself that matters. calling it detection abc or xyz does not matter.

you are using the label in a way for which the entire av industry never intended it to be used.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top