AV-Comparatives Malware Protection Test March 2022

Disclaimer

  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

A

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
Anthony Qian said:
7-zip. :)
Click to expand...
Unless something's changed since I last used it, 7-Zip absolutely removes MOTW upon extraction. The only two archivers I know that don't are Bandizip and Windows' built-in unzip utility (does it even have an official name?).

Edit: Just tested and 7-Zip does still remove MOTW.
 
Last edited:
  • Like
Reactions: [correlate], SeriousHoax, Nightwalker and 4 others
Anthony Qian

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
454
Arequire said:
Unless something's changed since I last used it, 7-Zip absolutely removes MOTW upon extraction. The only two archivers I know that don't are Bandizip and Windows' built-in unzip utility (does it even have an official name?).

Edit: Just tested and 7-Zip does still remove MOTW.
Click to expand...
Thanks for testing. Just curious: since 7-zip removes MOTW, why CyberCapture can still be triggered and block some threats?
 
  • Like
Reactions: [correlate], SeriousHoax, Andy Ful and 1 other person
A

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
Anthony Qian said:
Thanks for testing. Just curious: since 7-zip removes MOTW, why CyberCapture can still be triggered and block some threats?
Click to expand...
Couldn't tell you. Are you sure it's triggering CyberCapture and not Deep Screen (or whatever Avast calls it nowadays)? The blue alert in @Andy Ful's previous post is Deep Screen while the red alert is CyberCapture. They work different; as far as I'm aware Deep Screen analyses the file locally on your system, while CyberCapture sends the file to Avast for analysis.

Edit: I was wrong about the blue alert being Deep Screen. See @Anthony Qian's post below.
 
Last edited:
  • Like
Reactions: [correlate], SeriousHoax and Gandalf_The_Grey
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Anthony Qian said:
Thanks for testing. Just curious: since 7-zip removes MOTW, why CyberCapture can still be triggered and block some threats?
Click to expand...

The CyberCapture sandbox was not triggered:

1650359464158.png

CyberCapture - FAQs | Official Avast Support

A list of frequently asked questions about CyberCapture in Avast Antivirus on Microsoft Windows.
support.avast.com support.avast.com

CyberCapture can recognize that the file was downloaded from the Internet when the file has got MOTW. One can force CyberCapture to use the sandbox for any EXE file by adding the MOTW. This is done for example by Hard_Configurator or RunBySmartscreen.

In theory, the malware can be undetected by the CyberCapture sandbox, but this happens very rarely (for malware with strong anti-sandbox features). But, you wrote in one of your posts that you saw many such samples - this seemed strange to me. Now we know that these samples did not have MOTW, so they were not analyzed in the CyberCapture sandbox.(y)
 
Last edited:
  • Like
Reactions: [correlate], SeriousHoax, mkoundo and 2 others
Anthony Qian

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
454
Arequire said:
Couldn't tell you. Are you sure it's triggering CyberCapture and not Deep Screen (or whatever Avast calls it nowadays)? The blue alert in @Andy Ful's previous post is Deep Screen while the red alert is CyberCapture. They work different; as far as I'm aware Deep Screen analyses the file locally on your system, while CyberCapture sends the file to Avast for analysis.
Click to expand...
According to a senior user on Avast's forum, Deep Screen has been removed and integrated into CyberCapture. (how to activate deep screen avast)

Andy Ful said:
The CyberCapture sandbox was not triggered:

View attachment 265993

CyberCapture - FAQs | Official Avast Support

A list of frequently asked questions about CyberCapture in Avast Antivirus on Microsoft Windows.
support.avast.com support.avast.com

CyberCapture can recognize that the file was downloaded from the Internet when the file has got MOTW. One can force CyberCapture to use the sandbox for any EXE file by adding the MOTW. This is done for example by Hard_Configurator or RunBySmartscreen.

In theory, the malware can be undetected by the CyberCapture sandbox, but this happens very rarely (for malware with strong anti-sandbox features). But, you wrote in one of your posts that you saw many such samples - this seemed strange to me. Now we know that these samples did not have MOTW, so they were not analyzed in the CyberCapture sandbox.(y)
Click to expand...
The fact that CyberCapture missed a lot of samples was noticed by a lot of Avast testers on a Chinese malware testing forum, not just by me. 🤔

In the case of the MBR killer sample, I'm pretty sure Avast's cloud-based automatic analysis system can't properly detect this kind of threat, because I've submitted similar samples to Avast before and had to wait hours for them to add a detection. If Avast's cloud-based automatic analysis system can classify a threat, a detection will be added within minutes, as we all know.
 
  • Like
  • Thanks
Reactions: Trident, [correlate], RansomwareRemediation and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Anthony Qian said:
...
In the case of the MBR killer sample, I'm pretty sure Avast's cloud-based automatic analysis system can't properly detect this kind of threat, ...
Click to expand...
There is no perfect sandbox, so it is possible. Anyway, you can check it by yourself by uploading the sample to OneDrive (online) and downloading the sample from OneDrive to the disk. The sample will get MOTW.
You can also use the Windows built-in unpacker to unpack the Zip file downloaded directly from the Internet (the MOTW will be transferred to the unpacked executable).(y)

Anthony Qian said:
The fact that CyberCapture missed a lot of samples was noticed by a lot of Avast testers on a Chinese malware testing forum, not just by me. 🤔
...
Click to expand...

The reason for that was probably using samples without MOTW. If you are a member of this forum, you can ask them about it.
 
  • Like
Reactions: roger_m, [correlate], SeriousHoax and 1 other person
Anthony Qian

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
454
Andy Ful said:
There is no perfect sandbox, so it is possible. Anyway, you can check it by yourself by uploading the sample to OneDrive (online) and downloading the sample from OneDrive to the disk. The sample will get MOTW.
You can also use the Windows built-in unpacker to unpack the Zip file downloaded directly from the Internet (the MOTW will be transferred to the unpacked executable).(y)
Click to expand...
I think I’ll use Bandzip instead of 7-zip. :)
 
  • Like
Reactions: OhioRebel, roger_m, Arequire and 3 others
L

likeastar20

Level 9
Verified
Mar 24, 2016
423
Andy Ful said:
The CyberCapture sandbox was not triggered:

View attachment 265993

CyberCapture - FAQs | Official Avast Support

A list of frequently asked questions about CyberCapture in Avast Antivirus on Microsoft Windows.
support.avast.com support.avast.com

CyberCapture can recognize that the file was downloaded from the Internet when the file has got MOTW. One can force CyberCapture to use the sandbox for any EXE file by adding the MOTW. This is done for example by Hard_Configurator or RunBySmartscreen.

In theory, the malware can be undetected by the CyberCapture sandbox, but this happens very rarely (for malware with strong anti-sandbox features). But, you wrote in one of your posts that you saw many such samples - this seemed strange to me. Now we know that these samples did not have MOTW, so they were not analyzed in the CyberCapture sandbox.(y)
Click to expand...
And if an .exe does not have a MOTW, you can trick Avast by using RunBySmartscreen?
 
  • Like
Reactions: Andy Ful
Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
What other users have observed about CyberCapture is true, it is not resistant to evasion and many times reports malware as safe only for behavioural blocking to remove it after. This means that they are able to properly classify the malicious behaviour but they haven’t been able to get to it.

CyberCapture is a small supplement in the whole Avast ecosystem (last line of defence) and is neither as essential nor it is well developed as business solutions that have been perfecting emulation for more than a decade. Eset LiveGuard is not any better. It has been confirmed by Marcos (Eset forum admin) that LiveGuard doesn’t simulate user activity for example. That was discussed on one of my statuses.

@Andy Ful not all vendors need the MOTW, some like Norton, Trend Micro, Check Point and McAfee use sensors to detect downloading behaviour/downloaded files. These do not depend on MOTW at all and will perform their scan flow regardless whether it is presented. Avast has decided to minimise the number of files emulated due to the substantial cost.

@Anthony Qian CyberCapture is not local at all. DeepScreen is local and attempts to perform local emulation whilst the behaviour is processed through online classifiers. CyberCapture attempts to place the malware in a more controlled environment. The logic upon the initial design was that human analysis will be performed when the automated one fails. Maybe this still is the case but human analysis will take some time.
 
Last edited:
  • Like
Reactions: simmerskool and roger_m
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Trident said:
@Andy Ful not all vendors need the MOTW, some like Norton, Trend Micro, Check Point and McAfee use sensors to detect downloading behaviour/downloaded files. These do not depend on MOTW at all and will perform their scan flow regardless whether it is presented. Avast has decided to minimise the number of files emulated due to the substantial cost.
Click to expand...

I would say that most AV vendors do not rely much on MOTW. :)
Microsoft Defender is an exception, but some features (like ASR rules) do not need MOTW at all.
Smart App Control does not need MOTW to protect PE files - it is required for non-PE files like scripts, disk images, etc.
Avast uses MOTW only in CyberCapture, but Hardened Mode does not rely on MOTW.
 
Last edited:
  • Like
Reactions: roger_m, simmerskool and Trident

Similar threads

Gandalf_The_Grey
    • Like
    • Thanks
    • +Reputation
AV-Comparatives Consumer Malware Protection Test September 2024
Replies
2
Views
643
Security Statistics and Reports
Sorrento
Sorrento
Gandalf_The_Grey
    • Like
    • Thanks
    • Wow
AV-Comparatives Advanced Threat Protection (ATP) Test 2024
Replies
0
Views
635
Security Statistics and Reports
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Like
    • Hundred Points
    • Applause
AV-Comparatives Fake-Shops Detection Test November 2024
Replies
2
Views
345
Security Statistics and Reports
Vitali Ortzi
Vitali Ortzi

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top