AV-Comparatives Malware Protection Test March 2022

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Arequire

Unless something's changed since I last used it, 7-Zip absolutely removes MOTW upon extraction. The only two archivers I know that don't are Bandizip and Windows' built-in unzip utility (does it even have an official name?).

Edit: Just tested and 7-Zip does still remove MOTW.

Anthony Qian

> Unless something's changed since I last used it, 7-Zip absolutely removes MOTW upon extraction. The only two archivers I know that don't are Bandizip and Windows' built-in unzip utility (does it even have an official name?).
>
> Edit: Just tested and 7-Zip does still remove MOTW.

Thanks for testing. Just curious: since 7-Zip removes MOTW, why can CyberCapture still be triggered and block some threats?
 

Arequire

> Thanks for testing. Just curious: since 7-Zip removes MOTW, why can CyberCapture still be triggered and block some threats?

Couldn't tell you. Are you sure it's triggering CyberCapture and not Deep Screen (or whatever Avast calls it nowadays)? The blue alert in @Andy Ful's previous post is Deep Screen while the red alert is CyberCapture. They work differently; as far as I'm aware Deep Screen analyses the file locally on your system, while CyberCapture sends the file to Avast for analysis.

Edit: I was wrong about the blue alert being Deep Screen. See @Anthony Qian's post below.

Andy Ful

> Thanks for testing. Just curious: since 7-Zip removes MOTW, why can CyberCapture still be triggered and block some threats?

The CyberCapture sandbox was not triggered:

[screenshot attachment]

CyberCapture can recognize that the file was downloaded from the Internet when the file has got MOTW. One can force CyberCapture to use the sandbox for any EXE file by adding the MOTW. This is done for example by Hard_Configurator or RunBySmartscreen.

In theory, the malware can be undetected by the CyberCapture sandbox, but this happens very rarely (for malware with strong anti-sandbox features). But, you wrote in one of your posts that you saw many such samples - this seemed strange to me. Now we know that these samples did not have MOTW, so they were not analyzed in the CyberCapture sandbox.(y)

Anthony Qian

> Couldn't tell you. Are you sure it's triggering CyberCapture and not Deep Screen (or whatever Avast calls it nowadays)? The blue alert in @Andy Ful's previous post is Deep Screen while the red alert is CyberCapture. They work differently; as far as I'm aware Deep Screen analyses the file locally on your system, while CyberCapture sends the file to Avast for analysis.
According to a senior user on Avast's forum, Deep Screen has been removed and integrated into CyberCapture. (how to activate deep screen avast)
 

Anthony Qian

> The CyberCapture sandbox was not triggered:
>
> [screenshot attachment]
>
> CyberCapture can recognize that the file was downloaded from the Internet when the file has got MOTW. One can force CyberCapture to use the sandbox for any EXE file by adding the MOTW. This is done for example by Hard_Configurator or RunBySmartscreen.
>
> In theory, the malware can be undetected by the CyberCapture sandbox, but this happens very rarely (for malware with strong anti-sandbox features). But, you wrote in one of your posts that you saw many such samples - this seemed strange to me. Now we know that these samples did not have MOTW, so they were not analyzed in the CyberCapture sandbox.(y)
The fact that CyberCapture missed a lot of samples was noticed by a lot of Avast testers on a Chinese malware testing forum, not just by me. 🤔

In the case of the MBR killer sample, I'm pretty sure Avast's cloud-based automatic analysis system can't properly detect this kind of threat, because I've submitted similar samples to Avast before and had to wait hours for them to add a detection. If Avast's cloud-based automatic analysis system can classify a threat, a detection will be added within minutes, as we all know.
 

Andy Ful

> ...
> In the case of the MBR killer sample, I'm pretty sure Avast's cloud-based automatic analysis system can't properly detect this kind of threat, ...

There is no perfect sandbox, so it is possible. Anyway, you can check it yourself by uploading the sample to OneDrive (online) and downloading the sample from OneDrive to the disk. The sample will get MOTW.
You can also use the Windows built-in unpacker to unpack the Zip file downloaded directly from the Internet (the MOTW will be transferred to the unpacked executable).(y)
 
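Added example, not code from the thread or from any of the tools named in it: a PowerShell script that makes the MOTW behaviour discussed above (Andy Ful's points about CyberCapture keying on MOTW and about re-applying it, and the question of which archivers strip it) visible on a Windows/NTFS machine. It inspects the Zone.Identifier alternate data stream, re-applies an Internet-zone mark to files that lost it during extraction, and lists executables in a folder that carry no mark; the temp-directory path and referrer URL are assumptions.

```powershell
# Added example (not from the thread). Windows/NTFS only: the Mark of the Web is the
# Zone.Identifier alternate data stream; ZoneId=3 (Internet) is what SmartScreen and
# cloud sandboxing such as CyberCapture key on. Paths and URL below are assumptions.

function Get-Motw {
    param([Parameter(Mandatory)][string]$Path)
    try {
        # -Stream reads the NTFS alternate data stream; a missing stream raises an error
        Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        $null
    }
}

function Test-Motw {
    param([Parameter(Mandatory)][string]$Path)
    $lines = @(Get-Motw -Path $Path)
    # ZoneId 3 = Internet, 4 = Restricted; 0-2 (local/intranet/trusted) do not trigger checks
    return [bool]($lines -match '^ZoneId=[34]\s*$')
}

function Add-Motw {
    # Re-apply MOTW to a file that lost it (e.g. after 7-Zip extraction) so downstream
    # protections treat it as downloaded. An existing mark is left untouched.
    param([Parameter(Mandatory)][string]$Path, [string]$ReferrerUrl)
    if (Test-Motw -Path $Path) { return }
    $content = @('[ZoneTransfer]', 'ZoneId=3')
    if ($ReferrerUrl) { $content += "ReferrerUrl=$ReferrerUrl" }
    Set-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Value $content
}

function Get-UnmarkedExecutables {
    # Report executables in an extracted folder that carry no MOTW at all.
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -Path $Directory -Recurse -File -Include '*.exe', '*.dll', '*.msi' |
        Where-Object { -not (Test-Motw -Path $_.FullName) } |
        Select-Object -ExpandProperty FullName
}

# Demo on a constructed file in the temp directory (assumed writable); it is a text
# placeholder with an .exe name, not a real executable.
$demo = Join-Path $env:TEMP 'motw-demo.exe'
Set-Content -LiteralPath $demo -Value 'placeholder, not a real executable'
"Before: marked = $(Test-Motw -Path $demo)"
Add-Motw -Path $demo -ReferrerUrl 'https://example.invalid/download'
"After:  marked = $(Test-Motw -Path $demo)"
Get-Motw -Path $demo
Get-UnmarkedExecutables -Directory $env:TEMP | Select-Object -First 5
Remove-Item -LiteralPath $demo
```

Running Get-UnmarkedExecutables against a folder unpacked with 7-Zip versus the Windows built-in unpacker shows the difference the thread describes directly in the output.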

Anthony Qian

> There is no perfect sandbox, so it is possible. Anyway, you can check it yourself by uploading the sample to OneDrive (online) and downloading the sample from OneDrive to the disk. The sample will get MOTW.
> You can also use the Windows built-in unpacker to unpack the Zip file downloaded directly from the Internet (the MOTW will be transferred to the unpacked executable).(y)

I think I'll use Bandizip instead of 7-Zip. :)