Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: asafdem on October 05, 2003, 04:03:52 PM

Title: disappointing results for Avast! 4
Post by: asafdem on October 05, 2003, 04:03:52 PM
Sick and tired of: "Test your AV software using EICAR test string", I did some real-life testing of my own and here are the results:

FILE                    RAV (Online scan)          PANDA (Online scan)    AVAST 4 pro
\EICAR.COM              EICAR_Test_File            Eicar.Mod              EICAR TEST
\EICAR.RAR              EICAR_Test_File            Eicar.Mod              -
\BABA.ZIP               Baba.353.A                 Univ.EH                Baba-353
\CASINO.ZIP             NGV.gen                    Ngv.1600.b.drp         -
\D-DANCE.ZIP            Devil's_Dance.941.A        Devils                 -
\ENIGMA.ZIP             Old_Yankee.1755.A          Enigma                 Old Yankee
\FDT.ZIP                Necropolis.1963.A          Necropolis.1963        -
\GARANT.ZIP             Major.1644.A               Major.1644             Major-1644
\HAIKU.ZIP              I_Worm:Haiku               W32/Haiku              Win32:Haiku
\KENNEDY.ZIP            Danish_tiny.333.A          Kennedy                -
\MANTA.ZIP              VCS.1077                   VCS                    -
\NATAS.ZIP              Natas.4744                 Natas.4744             -
\ONEHALF.ZIP            One_Half.3544.A            One                    -
\PIXEL.ZIP              Pixel.740.A                Univ                   Pixel-740
\TORERO.ZIP             Torero.1429                Torero                 -
\Ambulance.786.zip      Ambulance.796.A            Ambulance.796.A        -
\HYDRA0.ZIP             Pixel.Hydra.736.A          Univ                   -
\AntiAVP.959.zip        AIDS.COM                   AntiAVP.959            -
\CIH_14.ZIP             Win95/CIH.1003             W95/CIH                Win95:CIH 1.x
\AntiAVP.1235.zip       AntiAVP.1235               Astra_II               -
\Leprosy.370.zip        Leprosy.666.A              Leprosy                -
\NINJA.ZIP              Ninja.1616                 Ninja.2090             Ninja-1852
\Oops.368.zip           Ooops.368                  Ooops.368              -
\SIERRA.ZIP             Stoned.I.C.dr              NYB.E.Drp              NYB-A
\Win.Lamer.zip          Win/Winlamer.1734          Winsurf.Skim.1454      Win:Lame
\XPEH.4768.zip          Yankee_Doodle.XPEH.4928    Micropox               -
\I-Worm.Sircam.exe      Worm.Sircam.exe            W32/Sircam             Win32:Sircam-C [Wrm]
\I-Worm.Happy99.exe     Win32/Ska.A@m              W32/Happy              Win32:Ska
\I-Worm.Opasoft.exe     Win32/Opaserv.A.worm       W32/Opaserv            Win32:Opas [Wrm]
\I-Worm.Klez.a.SCR      Win32/Klez.E@mm            W32/Klez.F             Win32:Klez-E [Wrm]
\I-Worm.Numda.d.exe     Win32/Nimda.D@mm           W32/Nimda              Win32:Nimda [Wrm]

So Avast missed 15 out of 31! :'(
Title: Re:disappointing results for Avast! 4
Post by: raman on October 05, 2003, 04:12:54 PM
Some comments/questions on it. Did you let Avast scan inside archives? Because it should find the EICAR inside the RAR without problems, and it finds the oops.368 without problems too (infection: Ooops-368). So check if you activated archive scanning.

It finds the Natas also, and I think the others too. Unpack and scan them again. You will find it out on your own. The samples you use (except the last few) are d*mn old. I do not think that they are still able to infect newer Windows versions anymore!?
Title: Re:disappointing results for Avast! 4
Post by: asafdem on October 05, 2003, 04:51:30 PM
Almost all viruses Avast! 4 has found, were within zip files, so I guess that means that I selected archives option. And I did it again, just to be sure. (see attached "options and results.gif"). "Old samples" sounds like a lame excuse.

Summary: 15 misses, 1 false positive. ( Too bad, I was looking for something to replace resource hungry NAV 200x  :'()
Title: Re:disappointing results for Avast! 4
Post by: raman on October 05, 2003, 05:25:59 PM
Quote
...sure. (see attached "options and results.gif"). "Old samples" sounds like a lame excuse.

I have searched for these old ones, and if you unpack them Avast will find them too. I do not know, but avast has some problems identifying some old PK-Zip headers. But I do not know why it does not find the EICAR inside the RAR archive.
Avast finds the following, with these names:
[RAV]
i:\temp\3544.EXE | Infected: One_Half.3544.A
i:\temp\370.COM | Infected: Leprosy.370
i:\temp\4744A.COM | Infected: Natas.4744
i:\temp\4744A.EXE | Infected: Natas.4744
i:\temp\4928.COM | Infected: Yankee_Doodle.XPEH.4928
i:\temp\ANTI1235.COM | Infected: AntiAVP.1235
i:\temp\HYDRA0.COM | Infected: Pixel.Hydra.736.A
i:\temp\MANTA.COM | Infected: VCS.1077
i:\temp\ONEH3544.EXE | Infected: One_Half.3544.A
i:\temp\ONEHALF.BIN | Infected: OneHalf
i:\temp\OOPS.COM | Infected: Ooops.368
i:\temp\TORERO.COM | Infected: Torero.1427
i:\temp\UNKNOWN.COM | Infected: VCS.1077

[AVAST]
I:\temp\3544.EXE [L] One half-3544/3577 (0)
I:\temp\370.COM [L] Leprosy-37X (0)
I:\temp\4744A.COM [L] Natas-4744 (0)
I:\temp\4744A.EXE [L] Natas-4744 (0)
I:\temp\4928.COM [L] Yankee Doodle (0)
I:\temp\ANTI1235.COM [L] AntiAVP-1235 (0)
I:\temp\HYDRA0.COM [L] Pixel-Hydra-736-B (0)
I:\temp\MANTA.COM [L] VCS 1.0 (0)
I:\temp\ONEH3544.EXE [L] One half-3544/3577 (0)
I:\temp\OOPS.COM [L] Ooops-368 (0)
I:\temp\TORERO.COM [L] Torero-1427 (0)
I:\temp\UNKNOWN.COM [L] VCS 1.0 (0)

Title: Re:disappointing results for Avast! 4
Post by: asafdem on October 05, 2003, 06:00:30 PM
It appears that you have to set scan level to thorough. Once I did that I got:

\EICAR.COM                              Infection: EICAR Test-NOT virus!!
\EICAR.RAR\EICAR.COM                    Infection: EICAR Test-NOT virus!!
\CPAV.EXE                               Infection: Emmie-3097
\BABA.ZIP\BABA.EXE                      Infection: Baba-353
\D-DANCE.ZIP\D-DANCE.COM                Infection: Devil's Dance-941
\ENIGMA.ZIP\ENIGMA.EXE                  Infection: Old Yankee
\FDT.ZIP\FDT.COM                        Infection: Necropolis-1963
\GARANT.ZIP\GARANT.EXE                  Infection: Major-1644
\HAIKU.ZIP\Haiku.exe                    Infection: Win32:Haiku
\KENNEDY.ZIP\KENNEDY.COM                Infection: Danish Tiny-Kennedy-333
\MANTA.ZIP\MANTA.COM                    Infection: VCS 1.0
\NATAS.ZIP\NATAS.COM                    Infection: Natas-4744
\ONEHALF.ZIP\ONEHALF.COM                Infection: One half-3544/3577
\PIXEL.ZIP\PIXEL.EXE                    Infection: Pixel-740
\TORERO.ZIP\TORERO.COM                  Infection: Torero-1429
\Ambulance.786.zip\ambulanc.com         Infection: Ambulance-795
\HYDRA0.ZIP\HYDRA0.COM                  Infection: Pixel-Hydra-736-B
\AntiAVP.959.zip\AVP-AIDS.COM           Infection: AntiAVP-959
\CIH_14.ZIP\CIH_14.EXE                  Infection: Win95:CIH 1.x
\AntiAVP.1235.zip\ANTICARO.COM          Infection: AntiAVP-1235
\Leprosy.370.zip\LEPROSY.COM            Infection: Leprosy
\NINJA.ZIP\NINJA.EXE                    Infection: Ninja-1852
\Oops.368.zip\oops.com                  Infection: Ooops-368
\SIERRA.ZIP\Floppy.exe                  Infection: NYB-A
\Win.Lamer.zip\WINLAME2.EXE             Infection: Win:Lame
\XPEH.4768.zip\XPEN4928.COM             Infection: Yankee Doodle
\I-Worm.Sircam.exe\I-Worm.Sircam.exe    Infection: Win32:Sircam-B
\I-Worm.Sircam.exe                      Infection: Win32:Sircam-C [Wrm]
\I-Worm.Happy99.exe                     Infection: Win32:Ska
\I-Worm.Opasoft.exe                     Infection: Win32:Opas [Wrm]
\I-Worm.Klez.a.SCR                      Infection: Win32:Klez-E [Wrm]
\I-Worm.Numda.d.exe                     Infection: Win32:Nimda [Wrm]

Conclusion: 30 found (Win32:Sircam-B & Win32:Sircam-C [Wrm] within same file!), 1 missed (CASINO.COM->(PKLite) - NGV.gen ), 1 false.  ???

Comments?
Title: Re:disappointing results for Avast! 4
Post by: igor on October 05, 2003, 06:05:52 PM
How about setting the Thorough scan, instead of Standard? Does it change anything? It is indeed very strange that Eicar has not been found within a RAR archive - RAR archives definitely are supported.

Since you labeled the column as "Avast 4 Pro" - what are the results when you create your own task in the Enhanced User Interface and set the appropriate Packer options?

Probably a stupid question, but just for sure: weren't you running another resident antivirus protection in background?
Title: Re:disappointing results for Avast! 4
Post by: igor on October 05, 2003, 06:12:54 PM
Seems you were faster with posting the answer before I even sent the question :)

As for the Sircam-B & Sircam-C thing: Sircam-C is probably a packed version of Sircam-B (btw, the Sircam-B name is really without the [Wrm] tag?). When Sircam has been added to the virus database, avast! did not feature UPX/AsPack unpacking (or whatever Sircam-B is packed with) - so, the signature for the packed version has been added. Now, when it's able to unpack the packed executable, it finds even the "inner" file, which is Sircam-B.
I think it's not a problem... the signatures for the packed versions make it possible to identify the virus even with an older version of avast, or with archive-scanning turned off.
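The Standard-versus-Thorough difference in the results above, and igor's point that a packed executable with its own signature produces both an outer and an inner detection, as an added toy scanner in Python (example code, not avast's; the samples, the byte-pattern signatures and the 'PKLT' packer are all constructed for this demonstration, with the packer simulated by zlib):

```python
import io
import zipfile
import zlib

# Constructed, harmless samples; the "packer" is simulated with zlib behind a fake header.
TEST_FILE = b"TOY-TEST-FILE-CONSTRUCTED-NOT-A-VIRUS"
SAMPLE_A = b"MZ toy header TOY-SAMPLE-A-BODY trailing code"

def pack(data):
    """Simulated run-time packer: fake 'PKLT' header plus a zlib stream."""
    return b"PKLT" + zlib.compress(data)

PACKED_A = pack(SAMPLE_A)

# Constructed byte-pattern signatures. The packed form has its own entry, as
# igor describes for Sircam-C, so it is caught even when nothing is unpacked.
SIGNATURES = {
    b"TOY-TEST-FILE": "Toy:Test-NOT virus",
    b"TOY-SAMPLE-A-BODY": "Toy:Sample-A",
    PACKED_A[:16]: "Toy:Sample-A [packed]",
}

def scan(path, data, thorough, hits=None):
    """Collect (path, label) hits. Thorough mode also descends into ZIP members and
    packed executables, naming inner files as the avast log does (\\OUTER.ZIP\\INNER)."""
    hits = [] if hits is None else hits
    for pattern, label in SIGNATURES.items():
        if pattern in data:
            hits.append((path, label))
    if not thorough:                 # Standard mode: outer bytes only
        return hits
    if data.startswith(b"PKLT"):     # packed executable: scan the inner file as well
        scan(path + "\\" + path.rsplit("\\", 1)[-1], zlib.decompress(data[4:]), True, hits)
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                scan(path + "\\" + info.filename, zf.read(info), True, hits)
    return hits

def build_zip(entries):
    """In-memory deflated ZIP, so member bytes are not stored verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def run_test(thorough):
    """Scan the constructed sample set and return the hit list."""
    files = {"\\TEST.COM": TEST_FILE,
             "\\TEST.ZIP": build_zip({"TEST.COM": TEST_FILE}),
             "\\SAMPLE.ZIP": build_zip({"SAMPLE.EXE": SAMPLE_A}),
             "\\PACKED.EXE": PACKED_A}
    return [h for p, d in files.items() for h in scan(p, d, thorough)]
```

In Standard mode only \TEST.COM and the packed-form signature on \PACKED.EXE are reported; Thorough mode adds the archive members and a second, inner hit \PACKED.EXE\PACKED.EXE, which is the same double report as Sircam-B inside Sircam-C.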
Title: Re:disappointing results for Avast! 4
Post by: raman on October 05, 2003, 06:13:25 PM
Quote
1 missed (CASINO.COM->(PKLite) - NGV.gen ), 1 false.  ???

Unpack the PKLITE and Avast reports nuke-1680. But I thought Avast is able to unpack PK-lite by itself?
Title: Re:disappointing results for Avast! 4
Post by: asafdem on October 05, 2003, 06:13:52 PM
Igor

Did you read the very first line in my previous post?  ::)
Title: Re:disappointing results for Avast! 4
Post by: asafdem on October 05, 2003, 06:17:34 PM
Igor

Thank you for clarification.
Title: Re:disappointing results for Avast! 4
Post by: igor on October 05, 2003, 06:27:18 PM
Yes, I did, but only afterwards - since you posted it while I was writing the followup :)
Title: Re:disappointing results for Avast! 4
Post by: asafdem on October 05, 2003, 07:39:54 PM
Igor

Quote
(btw, the Sircam-B name is really without the [Wrm] tag?)

Yes it is. From Avast! 4 log:

\I-Worm.Sircam.exe\I-Worm.Sircam.exe [L] Win32:Sircam-B (0)
\I-Worm.Sircam.exe [L] Win32:Sircam-C [Wrm] (0)
 ;)
Title: Re:disappointing results for Avast! 4
Post by: techie101returns on October 06, 2003, 12:08:43 AM
As you have discovered, setting Avast to scan inside archives and setting it to Thorough (sensitivity at high) allows Avast to detect 99% of all viruses.

NOW, if you also make sure that the Heuristic feature is selected for the respective On-line Access Protection modules, you have a nice secure setup.

ANY anti-virus software will overlook some viruses if its search engine sensitivity is lowered.

This "lowering" should only be used when a substantial number of "false positives" are registered, but only low enough to stop them.

Thank you for taking the time to share your test results with us.

 :D
Title: Re:disappointing results for Avast! 4
Post by: Culpeper on October 06, 2003, 03:34:49 AM
I'm still not clear if the user was using the Pro or Free versions?  I thought the Free version didn't support RAR files.
Title: Re:disappointing results for Avast! 4
Post by: Vlk on October 06, 2003, 11:19:36 AM
The Home version does support RAR archives (and always has).

For a comparison table please refer to http://www.avast.com/i_idt_1018.html .

Vlk
Title: Re:disappointing results for Avast! 4
Post by: asafdem on October 06, 2003, 11:13:55 PM
techie101

Quote
NOW, if you also make sure that the Heuristic feature is selected for the respective On line Access Protection modules, and you have a nice secure setup.
I see heuristics only in the Internet mail provider (I don't use Outlook, and I turned off the P2P provider). Was that what you meant?

Quote
Thank you for taking the time to share your test results with us.

No problem. ;D
Title: Re:disappointing results for Avast! 4
Post by: asafdem on October 07, 2003, 09:32:43 PM
On the subject of false detection in cpav.exe again...

Quote
(from the Kaspersky Anti-Virus Personal / Personal Pro 4.5  USER GUIDE) ...The extracting tool...can also deal with some versions of immunizers, programs protecting executable files from viruses by attaching checking code blocks (CPAV and F-XLOCK) and enciphering programs (CryptCOM) to them.

I guess this (virus-like behaviour of CPAV.EXE) sheds some light on why Avast! 4 detects a non-existent virus in CPAV.EXE. It also shows that something can be done about it! ;)
Title: Re:disappointing results for Avast! 4
Post by: asafdem on October 08, 2003, 02:59:03 AM
Final analysis
Title: Re:disappointing results for Avast! 4
Post by: Lisandro on October 08, 2003, 03:29:58 AM
Quote
The Home version does support RAR archives (and always has).
Vlk

Please, Vlk, can you confirm that Pro and Home versions use the same VPS (I mean, can detect the same virus)? I think they do but I am a little bit confused now...  ::)
Btw, what is the behavior with CAB files?
Title: Re:disappointing results for Avast! 4
Post by: MWassef on October 10, 2003, 03:39:43 PM
Quote
The Home version does support RAR archives (and always has).
Vlk

Please, Vlk, can you confirm that Pro and Home versions use the same VPS (I mean, can detect the same virus)? I think they do but I am a little bit confused now...  ::)
Btw, what is the behavior with CAB files?

http://www.avast.com/i_idt_1018.html

Title: Re:disappointing results for Avast! 4
Post by: Vlk on October 10, 2003, 05:31:47 PM
Technical, indeed, avast Home and Pro both use the same engine, same samples, same kernel.

The detection rates should therefore be the same as well.

Version 4.0 Home lacked support for CAB archives, but these were included in 4.1.

Vlk
Title: Re:disappointing results for Avast! 4
Post by: Culpeper on October 10, 2003, 08:54:32 PM
So the results look good for Avast set on HIGH. :D
Title: Re:disappointing results for Avast! 4
Post by: Culpeper on October 10, 2003, 08:55:55 PM
Quote
Technical, indeed, avast Home and Pro both use the same engine, same samples, same kernel.

The detection rates should therefore be the same as well.

Version 4.0 Home lacked support for CAB archives, but these were included in 4.1.

Vlk

That was what I was trying to remember.  It was the CAB not RAR files the Home version used to leave out.
Title: Re:disappointing results for Avast! 4
Post by: Lisandro on October 11, 2003, 02:54:38 AM
Quote
Technical, indeed, avast Home and Pro both use the same engine, same samples, same kernel.

The detection rates should therefore be the same as well.

Version 4.0 Home lacked support for CAB archives, but these were included in 4.1.

Vlk

Thanks Vlk.  ;)
Sorry, minacross, for my simple question. I just want a confirmation of this fact. Thanks for your post.  ;)
Title: Re:disappointing results for Avast! 4
Post by: asafdem on October 11, 2003, 05:40:05 AM
Having a forum like this is a great way to make a good product even better. Still, in version 4.1.280 the same problems I pointed out earlier in this thread remain:

1. False positive in CPAV.EXE
2. Missed virus in PKLite packed file which other products in the market are able to detect
3. "Double detection" of two worm variants within the same file.

I hope you people from Alwil will fix those and other problems in an upcoming release.  :)
Title: Re:disappointing results for Avast! 4
Post by: MWassef on October 11, 2003, 09:27:46 AM
Quote
Technical, indeed, avast Home and Pro both use the same engine, same samples, same kernel.

The detection rates should therefore be the same as well.

Version 4.0 Home lacked support for CAB archives, but these were included in 4.1.

Vlk

Thanks Vlk.  ;)
Sorry, minacross, for my simple question. I just want a confirmation of this fact. Thanks for your post.  ;)

no problem.. ;D
you're most welcome Technical  :)
Title: Re:disappointing results for Avast! 4
Post by: mantra on October 11, 2003, 10:25:49 AM
look here http://www.avast.com/forum/index.php?board=2;action=display;threadid=1436
Title: Re:disappointing results for Avast! 4
Post by: Lisandro on October 12, 2003, 04:18:02 PM
Quote
look here http://www.avast.com/forum/index.php?board=2;action=display;threadid=1436

This link sends me in a circular reference...  ???
mantra, are you an avast! reverend or not? What is this forum title (disappointing...)  :(
Title: Re:disappointing results for Avast! 4
Post by: igor on October 12, 2003, 05:14:13 PM
asafdem: I'm not sure if the detection of two variants within a single file will be "fixed". It is easily possible that a file is infected by a virus, then packed, and then infected by another virus. So, in general it's correct to announce both (all) the infections.
Title: Re:disappointing results for Avast! 4
Post by: Lisandro on October 13, 2003, 05:16:18 AM
Quote
asafdem: I'm not sure if the detection of two variants within a single file will be "fixed". It is easily possible that a file is infected by a virus, then packed, and then infected by another virus. So, in general it's correct to announce both (all) the infections.

Thanks igor... A file double infected... I have never thought of this before...
Maybe it is because I have had no virus on my computer for a very long time  ::)
Title: Re:disappointing results for Avast! 4
Post by: asafdem on October 14, 2003, 02:10:58 AM
igor
Quote
I'm not sure if the detection of two variants within a single file will be "fixed". It is easily possible that a file is infected by a virus, then packed, and then infected by another virus. So, in general it's correct to announce both (all) the infections.
Sounds very reasonable. But, just to make sure, how about I send you the sample and, when you have time, you take a look at it and then say what's really the case? :)