Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Beta - Avast => Topic started by: TrueIndian on August 20, 2014, 09:57:10 AM

Title: FLAW In Protection: VBS malware and deepscreen
Post by: TrueIndian on August 20, 2014, 09:57:10 AM
I see that .vbs malware from USB doesn't trigger any DeepScreen analysis!? I guess Avast should add triggers for such types of nasties as well, as they seem to be on the rise.

Anything trying to mess with wscript.exe should be sandboxed. I guess Avast needs to add more triggers into the program. I just got 2 .vbs files, both were pretty much the same VBS:Malware-gen crap, and both got through without a peep from DeepScreen. It didn't even try to analyze them. Neither does Hardened Mode deal with vbs-type crap.

I definitely think Avast can add a trigger for .vbs files in DeepScreen. Just add a rule in the program somewhere that any randomly named .vbs file from USB or any removable media must be sandboxed, and if it accesses wscript.exe it should be detected as malware right away. In this way, Avast can be completely immune to that VBS malware from USB.
This needs to be fixed.
Title: Re: VBS malware and deepscreen
Post by: Eddy on August 20, 2014, 02:44:31 PM
Do you have "scan all files" selected in the File System Shield?
If not, please do so and check if the files are scanned.
For that you may need to enable debug logging.
Title: Re: VBS malware and deepscreen
Post by: RejZoR on August 20, 2014, 03:05:21 PM
As far as I know DeepScreen only works on EXE files. Unless they have changed this in v2015...
Title: Re: VBS malware and deepscreen
Post by: TrueIndian on August 20, 2014, 05:38:36 PM
Rej, it still seems to be a flaw... as a lot of USB malware is coming in the form of VBS scripts and it does a hell of a lot of nasty damage. It executes wscript.exe, keeps launching itself at every boot-up and infects every other clean USB. I think this trigger should be added as it is a major threat gate.
Title: Re: VBS malware and deepscreen
Post by: TrueIndian on August 24, 2014, 07:32:15 AM
BUMP: Any update to this topic?

This is a serious flaw as VBS malware is increasing, especially via USB sticks. They are also polymorphic and hard to detect.
Title: Re: VBS malware and deepscreen
Post by: Eddy on August 24, 2014, 03:05:01 PM
Have you tried as I suggested ?
Title: Re: VBS malware and deepscreen
Post by: TrueIndian on August 24, 2014, 05:33:05 PM
> Have you tried as I suggested ?

I have done that before; no difference.  :)
Title: Re: VBS malware and deepscreen
Post by: essexboy on August 24, 2014, 05:59:31 PM
I would agree that this is a flaw that needs rectifying. The vast majority of the time it is from a USB or SD card, so mayhap tweak the USB on-insertion scan.
Title: Re: VBS malware and deepscreen
Post by: TrueIndian on August 25, 2014, 11:53:23 AM
> I would agree that this is a flaw that needs rectifying.. The vast majority of the time it is from a USB or SD card, so mayhap tweak the USB on insertion scan

Thanks essex. I agree this needs to be fixed because there is a lot of USB malware coming in this VBS format. Hope to see progress on this issue  :)
Title: Re: FLAW In Protection: VBS malware and deepscreen
Post by: TrueIndian on August 26, 2014, 05:58:03 AM
Added to topic.
Title: Re: FLAW In Protection: VBS malware and deepscreen
Post by: Alikhan on August 26, 2014, 04:14:15 PM
+ 1.

It would be a good addition in protection.
Title: Re: FLAW In Protection: VBS malware and deepscreen
Post by: TrueIndian on August 26, 2014, 04:33:09 PM
Thanks Alikhan. This is definitely a rule and a trigger that the Avast DeepScreen developers must consider.
Title: Re: FLAW In Protection: VBS malware and deepscreen
Post by: DavidR on August 26, 2014, 04:52:19 PM
Now there was me thinking that .VBS files would be scanned by the old Script Shield, now incorporated into another shield. That, however, may be incorporated into the Web Shield rather than the File System Shield.
Title: Re: FLAW In Protection: VBS malware and deepscreen
Post by: TrueIndian on August 26, 2014, 04:55:58 PM
> Now there was me thinking that .VBS files would be scanned by the old script shield, now incorporated into another shield. That however, may be incorporated into the web shield rather than the file system shield.

The problem here is not the shields. But the VBS infections coming from USB are a sort of polymorphic type that changes constantly. So if Avast adds a trigger for .vbs files in DeepScreen, then maybe they can also add a rule which will sandbox .vbs files and, as they are accessing wscript.exe, they should be immediately quarantined by DeepScreen.

VBS file runs >> DeepScreened >> accessing wscript.exe >> blocked and quarantined.
Title: Re: FLAW In Protection: VBS malware and deepscreen
Post by: DavidR on August 26, 2014, 07:02:25 PM
Well, essentially I want to know why the script scanning isn't running on a script file being executed, regardless of where it is located. If it were, then theoretically there would be no requirement for a rule.

The merging of several shields (script/network/P2P, etc.) into the remaining shields shouldn't lessen the protection.

Your example of the actions is flawed, as there would be many instances of legitimate .VBS software that has to run wscript.exe. Any blocking and quarantining should only be done if it is found to be malicious.

Another point being that those who have Hardened Mode set to Aggressive may have bypassed the DeepScreen function.
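As an added example (not Avast's code and not from any poster in this thread), here is what a triage rule for script-host launches could look like once it takes DavidR's objection above into account: the trigger cannot simply be "a .vbs touched wscript.exe", because legitimate vendor scripts do exactly that, so the rule weighs where the script ran from (removable media, a user-profile directory), whether it was started in silent mode, and whether a Run key already relaunches a script of the same name at logon, which is the boot persistence and USB-to-USB spread described earlier in the thread. It covers .js and the other Windows Script Host extensions as well as .vbs. The process records, the removable-drive list and the Run-key values are constructed for the example; the scoring thresholds are an assumption of mine, and a real collector would take the records from a process-creation log and the registry instead.

```python
"""Heuristic triage of Windows Script Host launches.

Added example, not Avast code. All inputs are constructed: a real tool would
read process-creation events and the HKCU/HKLM ...\CurrentVersion\Run values.
"""
import ntpath  # Windows path handling even when run on Linux/macOS
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = r"\.(?:vbs|vbe|js|jse|wsf)"
# Assumption: the caller already knows which drive letters are removable
# (on Windows, GetDriveTypeW() == DRIVE_REMOVABLE). Constructed here.
REMOVABLE_DRIVES = {"E:", "F:"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)
# wscript //B (batch mode) hides script errors and prompts from the user.
SILENT_FLAG = re.compile(r"(?:^|\s)//?B(?:\s|$)", re.IGNORECASE)
# Assumed thresholds: 3+ indicators worth of weight blocks, 1-2 flags for review.
BLOCK_AT, REVIEW_AT = 3, 1


@dataclass
class Launch:
    image: str        # full path of the process that started
    cmdline: str      # its command line
    parent: str       # image name of the parent process
    run_keys: tuple   # Run-key values present on the host (constructed)


def script_path(cmdline):
    """Return the script file named on a wscript/cscript command line, quoted or bare."""
    for pat in (r'"([A-Za-z]:\\[^"]+?' + SCRIPT_EXT + r')"',
                r'([A-Za-z]:\\\S+?' + SCRIPT_EXT + r')(?:\s|$)'):
        m = re.search(pat, cmdline, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def indicators(launch):
    """Return (script, reasons, score) for a script-host launch, or None otherwise."""
    if ntpath.basename(launch.image).lower() not in SCRIPT_HOSTS:
        return None
    script = script_path(launch.cmdline)
    if script is None:
        return None, ["script host started without a script argument"], 1
    reasons, score = [], 0
    if script[:2].upper() in REMOVABLE_DRIVES:
        reasons.append("script executed from removable media")
        score += 2
    if USER_WRITABLE.search(script):
        reasons.append("script lives in a user-writable profile directory")
        score += 1
    if SILENT_FLAG.search(launch.cmdline):
        reasons.append("silent mode (//B) hides errors and prompts")
        score += 1
    name = ntpath.basename(script).lower()
    if any(name in value.lower() for value in launch.run_keys):
        reasons.append("a Run key relaunches a script of the same name at logon")
        score += 2
    return script, reasons, score


def verdict(score):
    if score >= BLOCK_AT:
        return "block"
    if score >= REVIEW_AT:
        return "review"
    return "allow"


def triage(launches):
    """Map each script-host launch to (script, verdict, reasons); other launches are skipped."""
    out = []
    for launch in launches:
        result = indicators(launch)
        if result is not None:
            script, reasons, score = result
            out.append((script, verdict(score), reasons))
    return out


# Constructed sample records.
SAMPLES = [
    # 1. Double-clicked from a USB stick; the script already planted a Run key
    #    pointing at a copy of itself in the user's profile.
    Launch(r"C:\Windows\System32\wscript.exe",
           r'"C:\Windows\System32\wscript.exe" //B "E:\photos.vbs"',
           "explorer.exe",
           (r'wscript.exe //B "C:\Users\alice\AppData\Roaming\photos.vbs"',)),
    # 2. The same script relaunched at logon from that Run key; no USB involved now.
    Launch(r"C:\Windows\System32\wscript.exe",
           r'wscript.exe //B "C:\Users\alice\AppData\Roaming\photos.vbs"',
           "explorer.exe",
           (r'wscript.exe //B "C:\Users\alice\AppData\Roaming\photos.vbs"',)),
    # 3. Legitimate vendor maintenance script: also runs under wscript.exe, which is
    #    why "touches wscript.exe" on its own cannot be the trigger.
    Launch(r"C:\Windows\System32\wscript.exe",
           r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\maintenance.vbs"',
           "vendorupdater.exe",
           (r'"C:\Program Files\Vendor\tray.exe"',)),
    # 4. A .js file run from a USB stick with no other indicator yet: review, not block.
    Launch(r"C:\Windows\System32\cscript.exe", r"cscript.exe F:\invoice.js",
           "explorer.exe", ()),
    # 5. Not a script host at all; ignored.
    Launch(r"C:\Windows\System32\notepad.exe", r"notepad.exe E:\readme.txt",
           "explorer.exe", ()),
]

if __name__ == "__main__":
    for script, decision, reasons in triage(SAMPLES):
        print(f"{decision:6} {script}  [{'; '.join(reasons)}]")
```

Run as-is it prints block for the USB script and its logon relaunch, allow for the vendor script under Program Files, and review for the bare .js on the second stick. The point of the weighting is the third record: a detection built only on "script reached wscript.exe" would hit it too, whereas provenance plus persistence separates it cleanly from the first two.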
Title: Re: FLAW In Protection: VBS malware and deepscreen
Post by: TrueIndian on August 26, 2014, 07:16:18 PM
Dave, they could use dyna rules and stuff like they do for other files. They should be adding dyna rules for these types of VBS malware. First of all, they need to have DeepScreen working on .vbs files.
Title: Re: FLAW In Protection: VBS malware and deepscreen
Post by: DavidR on August 26, 2014, 07:24:23 PM
> Dave they could use dyna rules and stuff they like they do for other files.

It doesn't really matter what they could use. Personally I'm against creating rules when there is meant to be a script scanning function built into Avast.

Creating a rule would also require an underlying routine to cater for .vbs instead of/as well as .exe files in DeepScreen.
Title: Re: FLAW In Protection: VBS malware and deepscreen
Post by: TrueIndian on August 26, 2014, 07:26:56 PM
Dave, I think the Avast reputation service already has enough files in its whitelist. Regardless, not having rules/triggers in DeepScreen for a major threat gate is a flaw.

Script scanning function?? Those are based on the AV database, and these are polymorphic viruses, so that wouldn't cut it because they change every day like rootkits. This makes some sense, I guess.

And from previous experience Avast is not the quickest or smartest at picking up the newer variants either; instead we have some proactive analysis system.
Title: Re: FLAW In Protection: VBS malware and deepscreen
Post by: DavidR on August 26, 2014, 11:47:14 PM
I have not mentioned reputation services or whitelisting of files in any of my replies.

I'm clearly stating that the supposed script scanning of Avast should be scanning these scripts in the same way that it did when there was a Script Shield. This scanned scripts both on web pages and scripts run locally.

DeepScreen to date hasn't been the beast it is meant to be; perhaps we will see more of it in beta 2. As I have mentioned, those who have set Hardened Mode to Aggressive are essentially bypassing DeepScreen. So any rule, if it were to have rules, wouldn't be effective if Hardened Mode were set to Aggressive.
Title: Re: FLAW In Protection: VBS malware and deepscreen
Post by: TrueIndian on August 27, 2014, 03:54:27 AM
Dave, neither Hardened Mode nor DeepScreen targets .vbs extension files, which they should be doing now because of this USB malware. I have done some deep testing on this before making this topic.

Nothing to argue about regarding DeepScreen improvements in beta 2. I have full faith in the developers that they are surely making DeepScreen worthy.
Title: Re: FLAW In Protection: VBS malware and deepscreen
Post by: TrueIndian on August 28, 2014, 05:48:29 AM
Also, it's not just the .vbs format. There are many other formats like *.js that are not targeted by DeepScreen.

I have been testing this with different file formats and so far .vbs and .js are not targeted.