Status
Not open for further replies.

Mops21

Level 28
Verified
Trusted
Content Creator
Hi all

New Avast Beta version 18.6.2348

Hi everyone,

new beta version 18.6.2348 (build 18.6.3977) is released.

Fixed
  • Reporting Antivirus and Firewall state to the Windows Security Center after performed upgrade or downgrade
Known issues
  • Crash related to TLS 1.3 support under specific circumstances
  • Two detection dialogs displayed for phishing detection
  • No detection dialog displayed for Webshield or Fileshield detections under specific circumstances (malware is blocked and moved to quarantine, but dialog not shown)
  • Problems with signing to Avast account via Facebook
  • Do not Disturb mode - not working correctly in Edge browser
Download links:
https://forum.avast.com/index.php?topic=179943.0

Enjoy this beta!
We are looking forward to your feedback.

AVAST Team.

New Beta version 18.6.2348

With best Regards
Mops21
 
I am going to try this against a malware pack from today. Just the Pro AV beta, not the suite. And not a pack from MT.
If you ever decide you want to go all out and do a thorough test which Avast won't see coming, you could look into setting up many honeypots and using them to collect as many fresh samples as you possibly can. You'd need to set up your environments in a certain way so you can keep a backup of all new files dropped to the disk (and, if required, memory snapshots for file-less attacks to get more insight).

Bear in mind that this isn't a foolproof way to "catch zero-day malware" and it can be a lot of effort to maintain. Sometimes you run into the same samples several times or more with just a new hash checksum. It's a very good method though, and if you're lucky, you can have your head thrown into a pile of fresh juicy malware on a regular basis.

Avast definitely uses honeypots as well as their own cloud to find new malware for analysis internally. There's no doubt about that. I'm sure they have a large number of honeypots as well, with the amount of resources they will have. :)
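As an added illustration of the "keep a backup of everything newly dropped to disk" idea above (example code written for this thread, not from Avast, the poster, or any honeypot product): a small Python snapshot/diff that hashes a directory before and after a run and reports new, modified and deleted files. The directory layout and file contents are constructed for the demo; in a real setup you would run snapshot() against the sandbox's disk from outside the guest, before and after detonation.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large dropped payloads do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under `root` (POSIX-style relative path) to its SHA-256."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_file():
                result[path.relative_to(root).as_posix()] = sha256_file(path)
    return result


def diff_snapshots(before: dict, after: dict) -> dict:
    """Report what changed between two snapshots: new drops, modified files, deletions,
    plus the hashes of the new files so they can be deduplicated against earlier runs."""
    return {
        "new": sorted(k for k in after if k not in before),
        "modified": sorted(k for k in after if k in before and after[k] != before[k]),
        "deleted": sorted(k for k in before if k not in after),
        "hashes": {k: after[k] for k in after if k not in before},
    }


def demo() -> dict:
    """Constructed scenario: baseline a throw-away directory, simulate a detonation that
    drops one file and edits another, then diff. All bytes are made up for the demo."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "config.ini").write_bytes(b"[settings]\nmode=1\n")
        (root / "app" / "readme.txt").write_bytes(b"hello\n")
        before = snapshot(root)

        # Simulated post-execution state (constructed): a new file appears, a config changes.
        (root / "app" / "dropped.bin").write_bytes(b"MZ" + b"\x00" * 62)
        (root / "app" / "config.ini").write_bytes(b"[settings]\nmode=2\n")
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "hashes" entry is what you would feed into a store of already-seen drops; as the post notes, a repacked sample shows up with a new hash, so exact-hash deduplication only removes literal repeats, not re-wrapped ones.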
 

ticklemefeet

Level 23
I used those samples in the past. They were useless.
I strongly recommend against them
I could not execute them
Thank you, I will try that later. So far my AVs have been detecting most of them before I get a chance to execute them. Kaspersky would, however, take a long time to quarantine them, but Cylance would do them almost instantly. So far, trying Kaspersky along with Cylance, they both missed the same files, and sending them to VirusTotal got them flagged by 25 to 40 other AVs. I installed the new Avast beta last night but have not tried it out. Also, I don't have access to the MT hub.
 

ticklemefeet

Level 23
Getting flagged by 40 vendors doesn't mean it is malicious..
just run the sample and record the suspicious actions and decide thereafter..it may be a false positive!
Bitdefender's engine is used by nearly all the AVs except a few..that explains it!!
That would explain it. I didn't know Bitdefender has so many FPs. If I remember right, Avast uses BD also?
 

ticklemefeet

Level 23
I just tried today's pack and Cylance quarantined all but 8. Next, I scanned the folder and it flagged all but two of the remaining 8. I submitted those to VT with the same results. About 26 engines flagged them. Two of those engines were G-Data and Symantec. Then I tried to run them, with a popup saying they would not run on my computer. Next, I will try to run some of them before my AVs kick in. Or maybe just disable them to see if any of them actually execute at all.
 

Evjl's Rain

Level 45
Verified
Trusted
Content Creator
Malware Hunter
I just tried today's pack and Cylance quarantined all but 8. Next, I scanned the folder and it flagged all but two of the remaining 8. I submitted those to VT with the same results. About 26 engines flagged them. Two of those engines were G-Data and Symantec. Then I tried to run them, with a popup saying they would not run on my computer. Next, I will try to run some of them before my AVs kick in. Or maybe just disable them to see if any of them actually execute at all.
That's the problem with testmyav samples. They are rarely executable, so they are not malicious enough for many AVs to flag them.
 
No..I mean sometimes vendors may blindly include a detection from their leaders..herd of sheep..
You can spend money on premium VirusTotal account upgrades which revoke restrictions and can assist you with identifying false positive detections for your own product, download support, etc. I recommend you contact VirusTotal for more information on these arrangements; there's a public page out there which explains a bit about these available options somewhere.

There will be vendors out there who will blindly follow other vendors like sheep, and they may even have an automated system to set up flags on new uploads which are new to them, which would explain why sometimes when you upload to VirusTotal, a detection shows up a few minutes later out of nowhere. It is difficult to identify this type of behavior sometimes because many vendors have automated analysis systems in place (either in-house or licensed from a third party like Hybrid-Analysis, free Cuckoo, etc.) and will automatically flag according to those results once the new sample they've received has passed through the automatic analysis system and generated suspicious-looking logs.

There used to be a list of reputable vendors who were bound to do their own research using their own minds instead of acting as a sheep, but it is what it is. Sometimes, an analyst at a company may do it, and it wouldn't be fair to flame the whole company down because of one employee who didn't want to do their job and decided to just flag for the sake of it without caring whether other vendors they trust were actually mistaken or not.

In 2015, I thought Baidu were blindly following ESET and Microsoft detections. Of course, that doesn't mean they really were, but it is my opinion based on what I saw on a regular basis throughout the year; needless to say, I don't notice them too much these days and thus do not think they are doing that anymore, if they are even alive in 2018.
 

Mahesh Sudula

Level 17
Verified
Copycats are even present now..running after detections...That's one of the reasons I like Kaspersky and Trend Micro.
They use their brains..maybe slow but steady.
The fact is I have the files for which the VT detection is above 98%..but Kaspersky and Trend gave them a safe rating..
Including their proactive components.!
I definitely think there will be a day when VT would shut down or at least black hats would suspend it for a few hours..then the real test begins! I am so sick of these VT detections by many many AVs..they just don't analyze, copying the hash signatures by just giving a new name._/\_
 
The fact is I have the files for which the VT detection is above 98%..but Kaspersky and Trend gave them a safe rating..
It could have nothing to do with copying detections though, but I know exactly what you're talking about (you already know that I agree copying goes on by some vendors because of my last reply) and I agree that Kaspersky and Trend Micro are good vendors. Aside from copying though, the detections could be raised through generic signatures, static/dynamic heuristics and/or ML/AI. Remember that reputation checks are nothing new for VirusTotal flagging as well.

A generic signature is one which will be used to flag multiple samples rather than just one. That isn't actually true; you can make a generic signature that detects only a single sample until another sample shows up in the future which triggers because of the signature for the first sample... but I'm sure you understand where I am going with this. There can be many different implementations for this though. You could rely on raw byte patterns as a signature (and include wildcards where applicable to keep the signature more reliable for the future in case the malware author updates the code), or you could rely on an engine implementation like YARA for pattern matching based on a wider range of criteria (or equivalent/different).

A new sample upload could be sent to a vendor's cloud and be passed through extensive static and dynamic analysis. The logs could be used to determine whether the sample is flagged or not for the time being, and the sample could be re-assessed through the same system or manually analysed in the lab should a false-positive detection pop up on the support submissions.

A different example would be with Machine Learning/Artificial Intelligence. This could raise many false positives depending on the datasets used for training the engine... it could lead to any packed binary (whether clean or malicious - genuine developers may use packing to lower file sizes or make reverse engineering harder) being flagged just for having a high entropy, when the samples used in training were the ones identified as safe (and thus anything scanned that resembles the trained samples is also declared as safe). It could also do the opposite if the system was intentionally designed to do so. It depends on how it is implemented (the type of model, the datasets, etc.).

In regard to reputation checks, vendors like Norton may flag a sample just because they have never encountered it before. It could be a harmless "hello world" with a hash checksum they've never encountered before, and it could be flagged just for this reason. Fair dues to Norton though, because they usually outline it as being a reputation detection IIRC.

It all depends on what the engine supports and how everything combines together: which ones are relied on first, whether other systems are skipped depending on one implementation's verdict, whether technology is licensed from a third party and how they operate internally, etc.

I think it is worth noting that the engine a vendor puts on VirusTotal is not always the same engine in the services they provide to customers (be it home or enterprise). They have the right to make the engines they submit for VirusTotal usage more aggressive or weaker than those used in their actual services used by customers, and this is something which I see many people ignoring. If a vendor called "Farm-Straw Defender" (looks like a fake AV name actually) flags sample "post reply.exe" with a hash of <insert SHA-256 hash here>, it could be for a number of reasons, and it may not even be flagged when actually using a product of theirs.

You can try asking the vendor directly as to why they flagged a sample; it may not even be their fault if they rely on third-party technology.
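To make the generic-signature and entropy-heuristic points in the post above concrete, here is an added Python example (written for this thread, not code from any vendor or from the poster): a tiny two-layer scanner. A byte-pattern signature with "??" wildcards matches two constructed variants of the same stub whose immediates differ, and a bare entropy threshold then flags a uniform-byte file standing in for a packed clean binary, which is the false-positive mode the post describes. The signature name, the stub bytes, the threshold and the samples are all made up for the demo.

```python
import math
import re
from collections import Counter


def compile_signature(pattern: str) -> re.Pattern:
    """Turn a hex byte pattern such as "68 ?? ?? 40 00" into a bytes regex.
    "??" is a one-byte wildcard; every other token must match exactly."""
    parts = []
    for token in pattern.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


# Constructed signature for the demo: a fake "push imm32; call rel32; add esp,4" stub whose
# immediates vary between builds, so those bytes are wildcarded (this is the "generic" part).
SIGNATURES = {
    "Generic.DemoStub": compile_signature("68 ?? ?? 40 00 E8 ?? ?? ?? ?? 83 C4 04"),
}


def signature_hits(data: bytes, signatures: dict = SIGNATURES) -> list:
    """Names of all signatures that match anywhere in the buffer."""
    return sorted(name for name, rx in signatures.items() if rx.search(data))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def verdict(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Layered verdict: a signature hit wins outright; otherwise fall back to the
    entropy heuristic, which is where packed or compressed clean files get caught."""
    hits = signature_hits(data)
    entropy = shannon_entropy(data)
    if hits:
        label = "malicious"
    elif entropy >= entropy_threshold:
        label = "suspicious"  # heuristic only; expect false positives on legitimate packed files
    else:
        label = "clean"
    return {"label": label, "signatures": hits, "entropy": round(entropy, 3)}


# Constructed sample set: two variants sharing the stub but with different immediates, a
# uniform-byte file standing in for a packed/compressed clean binary, and plain text.
SAMPLES = {
    "variant_a.bin": b"\x90" * 8 + bytes.fromhex("68 10 20 40 00 E8 01 02 03 04 83 C4 04") + b"\x90" * 8,
    "variant_b.bin": b"\x90" * 8 + bytes.fromhex("68 30 40 40 00 E8 05 06 07 08 83 C4 04") + b"\x90" * 8,
    "packed_clean.bin": bytes(range(256)) * 16,
    "readme.txt": b"This is a harmless hello world program.\n" * 4,
}


def scan_all(samples: dict = SAMPLES) -> dict:
    """Run the layered verdict over every sample and return the results by name."""
    return {name: verdict(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:18} {result}")
```

Both variants land on "malicious" through the one wildcarded signature, while packed_clean.bin has no signature hit and is labelled "suspicious" purely on entropy; that second result is the kind of verdict a vendor's automated pipeline can push to VirusTotal without anyone having looked at the file.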
 