Avast WEBforum

Other => General Topics => Topic started by: REDACTED on December 18, 2014, 10:33:45 AM

Title: Drep Detection
Post by: REDACTED on December 18, 2014, 10:33:45 AM
Drep detection whenever I download an executable from my own website http://whatsapphubstatus.com. It is clean software I made on my own. But why is this detection occurring? Can anybody tell me how to avoid it?
Title: Re: Drep Detection
Post by: Asyn on December 18, 2014, 10:42:53 AM
-> http://sitecheck.sucuri.net/results/whatsapphubstatus.com/
-> http://zulu.zscaler.com/submission/show/97d4be4f2a1a687fb66ccd32bc0f82fe-1418895637

You can report a possible FP here: http://www.avast.com/contact-us.php?subject=VIRUS-FILE
Title: Re: Drep Detection
Post by: Para-Noid on December 18, 2014, 03:53:00 PM
Issues here http://www.dnsinspect.com/whatsapphubstatus.com/1418913738
Sinks here http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwhatsapphubstatus.com


Fine here http://dnscheck.pingdom.com/?domain=whatsapphubstatus.com&timestamp=1418913726&view=1
http://www.ipvoid.com/scan/198.46.81.170/
http://mxtoolbox.com/SuperTool.aspx?action=mx%3awhatsapphubstatus.com&run=toolpage
Title: Re: Drep Detection
Post by: HonzaZ on December 18, 2014, 04:28:10 PM
Hi,
DomainRep is a new feature of Avast, so let me explain a bit. It blocks EXE file downloads if these conditions are *all* met:
1. The file is not prevalent enough, ie. not enough Avast users launched the file yet,
2. The domain is not prevalent enough, ie. not enough Avast users downloaded (any) EXE files from the domain yet,
3. The file is not signed or Avast does not trust the signature.

Once one of these conditions is not met anymore, Avast will stop flagging the download. In other words, just wait until more people try to download the file, or digitally sign your files :-).
Honza
Title: Re: Drep Detection
Post by: DavidR on December 18, 2014, 05:10:42 PM
Quote from: HonzaZ
Hi,
DomainRep is a new feature of Avast, so let me explain a bit. It blocks EXE file downloads if these conditions are *all* met:
1. The file is not prevalent enough, ie. not enough Avast users launched the file yet,
2. The domain is not prevalent enough, ie. not enough Avast users downloaded (any) EXE files from the domain yet,
3. The file is not signed or Avast does not trust the signature.

Once one of these conditions is not met anymore, Avast will stop flagging the download. In other words, just wait until more people try to download the file, or digitally sign your files :-).
Honza

Isn't this a bit like the chicken and the egg (which came first) - how are you to download the file from the site if it hasn't met any of the conditions to build up a reputation of avast users.

The only way I can see this happening would be if the file was signed, otherwise the file and or domain name would remain blocked.
Title: Re: Drep Detection
Post by: abruptum on December 18, 2014, 05:49:55 PM
Is it possible to turn off DomainRep ?
Title: Re: Drep Detection
Post by: TrueIndian on December 18, 2014, 05:55:57 PM
That's a nice feature considering the fact that avast will allow a file when it doesn't meet even 1 of those situations even if it meets the other two. Hopefully, we will see this being worked on in a week or so.
Title: Re: Drep Detection
Post by: polonus on December 18, 2014, 06:27:08 PM
Metascan is doing the same with an executable download pre-scan but with real scan results, avast classification is a bit like the french law method, scan verdict is malign until proven benign, as suspects are guilty until their innocence has been proven above doubt. FPs could cumulate, on the other hand unknown malign executables are caught before they can infest.

polonus
Title: Re: Drep Detection
Post by: RejZoR on December 18, 2014, 07:47:28 PM
Quote from: HonzaZ
Hi,
DomainRep is a new feature of Avast, so let me explain a bit. It blocks EXE file downloads if these conditions are *all* met:
1. The file is not prevalent enough, ie. not enough Avast users launched the file yet,
2. The domain is not prevalent enough, ie. not enough Avast users downloaded (any) EXE files from the domain yet,
3. The file is not signed or Avast does not trust the signature.

Once one of these conditions is not met anymore, Avast will stop flagging the download. In other words, just wait until more people try to download the file, or digitally sign your files :-).
Honza

Quote from: DavidR
Isn't this a bit like the chicken and the egg (which came first) - how are you to download the file from the site if it hasn't met any of the conditions to build up a reputation of avast users.

The only way I can see this happening would be if the file was signed, otherwise the file and or domain name would remain blocked.

I'm wondering the same thing actually...
Title: Re: Drep Detection
Post by: Michael (alan1998) on December 18, 2014, 08:59:26 PM
Quote from: HonzaZ
Hi,
DomainRep is a new feature of Avast, so let me explain a bit. It blocks EXE file downloads if these conditions are *all* met:
1. The file is not prevalent enough, ie. not enough Avast users launched the file yet,
2. The domain is not prevalent enough, ie. not enough Avast users downloaded (any) EXE files from the domain yet,
3. The file is not signed or Avast does not trust the signature.

Once one of these conditions is not met anymore, Avast will stop flagging the download. In other words, just wait until more people try to download the file, or digitally sign your files :-).
Honza

OK. So, what does this mean for sites like portal.nbed.nb.ca (My School Domain) in which Students can transfer files? The idea behind this sounds Fantastic, but there ought to be measures in place (Hopefully) in which I can manually add certain sites (Like that one) to a Whitelist?
Title: Re: Drep Detection
Post by: DavidR on December 18, 2014, 11:37:10 PM
<snip quote>

Quote from: Michael (alan1998)
OK. So, what does this mean for sites like portal.nbed.nb.ca (My School Domain) in which Students can transfer files? The idea behind this sounds Fantastic, but there ought to be measures in place (Hopefully) in which I can manually add certain sites (Like that one) to a Whitelist?

Essentially the school domain is more likely to be recognised as in point 2. so the remainder should fall into place as only one condition needs to be met to allow the download to take place.

I don't know if placing the school domain in the URL exclusions would achieve that, not scanned.
Title: Re: Drep Detection
Post by: Michael (alan1998) on December 19, 2014, 12:56:29 AM
David, the thing is. That is how I transfer my Projects (Coding Projects) like EXE and .SLN files. There needs to be a way, in which I can have Avast! not auto scan and flag those items.

In case you're curious to why I do not use USB's at school. The security there sucks. There is nothing active short of Windows Firewall and Microsoft Security Essentials. (And since MCShield usually flags EXE and VB related files, I'd have to disable any security there).

Even aside from that.... Our local Technicians at school know jackcrap about how to remove an infection (Which is, slightly frustrating)....

1) The file, wouldn't be recognized by Avast!. (Even as it is now, most of the time they are still "flagged" by something, whether it be Hardened Mode, The Evo-Gen detections of something else)
2) The portal isn't very known. Most teachers don't even know about it, let alone to students.
3) None of my files are digitally signed.
Title: Re: Drep Detection
Post by: DavidR on December 19, 2014, 01:22:01 AM
Let's put it this way, if this function is already in place as appears to be the case given this topic - then simply try downloading some of the files you have up there and see.
Title: Re: Drep Detection
Post by: Michael (alan1998) on December 19, 2014, 01:45:03 AM
Something must be satisfying avast!, because it's not currently complaining. (Although Chrome does).

Title: Re: Drep Detection
Post by: Asyn on December 19, 2014, 04:38:19 AM
Quote from: HonzaZ
Hi,
DomainRep is a new feature of Avast, so let me explain a bit. It blocks EXE file downloads if these conditions are *all* met:
1. The file is not prevalent enough, ie. not enough Avast users launched the file yet,
2. The domain is not prevalent enough, ie. not enough Avast users downloaded (any) EXE files from the domain yet,
3. The file is not signed or Avast does not trust the signature.

Once one of these conditions is not met anymore, Avast will stop flagging the download. In other words, just wait until more people try to download the file, or digitally sign your files :-).
Honza

Quote from: DavidR
Isn't this a bit like the chicken and the egg (which came first) - how are you to download the file from the site if it hasn't met any of the conditions to build up a reputation of avast users.

The only way I can see this happening would be if the file was signed, otherwise the file and or domain name would remain blocked.

Quote from: RejZoR
I'm wondering the same thing actually...

Same here. Also, can/should this be reported as FP (if proven clean) or not..??
Title: Re: Drep Detection
Post by: DavidR on December 19, 2014, 03:29:54 PM
Quote from: Michael (alan1998)
Something must be satisfying avast!, because it's not currently complaining. (Although Chrome does).

Why chrome would be different is beyond me when other browsers aren't alerting.

Are you sure this is avast alerting in chrome and not something like google safe browsing ?
Title: Re: Drep Detection
Post by: Michael (alan1998) on December 19, 2014, 03:59:43 PM
No, Google Chrome flags the download. ("This file is not commonly downloaded and May be malicious").

Very annoying.
Title: Re: Drep Detection
Post by: DavidR on December 19, 2014, 04:22:44 PM
Quote from: Michael (alan1998)
No, Google Chrome flags the download. ("This file is not commonly downloaded and May be malicious").

Very annoying.

So avast isn't alerting at all then (only google chrome) which is somewhat off topic, e.g. not a Drep Detection.
Title: Re: Drep Detection
Post by: avastmobile2 on March 05, 2015, 05:59:24 PM
I just stumbled upon this "feature" also. And I think it's stupid. Let me explain why.

I'm a small software business. I create specialized software which will be used only by a small group of people. I also create other software which I either put of as freeware or as shareware. My problem is that all my users who are using Avast are unable to download my software from my website. Because it doesn't meet any of the requirements:

1. The file is not prevalent enough, ie. not enough Avast users launched the file yet
Of course it's not prevalent enough. In case of the specialized software, only a handful of people will download it. In case of newly released freeware/shareware, no-one has downloaded it yet.

2. The domain is not prevalent enough, ie. not enough Avast users downloaded (any) EXE files from the domain yet
Same as above.

3. The file is not signed or Avast does not trust the signature.
I'm not going to spend extra money to get a trusted certificate just to satisfy a virus scanner. In fact, it would be easier for me to tell my clients to simply use another virus scanner instead. Which BTW is what I'm doing now.
Title: Re: Drep Detection
Post by: bob3160 on March 05, 2015, 09:09:31 PM
Quote from: avastmobile2
I just stumbled upon this "feature" also. And I think it's stupid. Let me explain why.

I'm a small software business. I create specialized software which will be used only by a small group of people. I also create other software which I either put of as freeware or as shareware. My problem is that all my users who are using Avast are unable to download my software from my website. Because it doesn't meet any of the requirements:

1. The file is not prevalent enough, ie. not enough Avast users launched the file yet
Of course it's not prevalent enough. In case of the specialized software, only a handful of people will download it. In case of newly released freeware/shareware, no-one has downloaded it yet.

2. The domain is not prevalent enough, ie. not enough Avast users downloaded (any) EXE files from the domain yet
Same as above.

3. The file is not signed or Avast does not trust the signature.
I'm not going to spend extra money to get a trusted certificate just to satisfy a virus scanner. In fact, it would be easier for me to tell my clients to simply use another virus scanner instead. Which BTW is what I'm doing now.

You could also report this to avast and if found to be clean, the alerts would stop. :)
Title: Re: Drep Detection
Post by: avastmobile2 on March 05, 2015, 10:20:11 PM
Quote from: bob3160
You could also report this to avast and if found to be clean, the alerts would stop. :)

There are about 60 programs or so that would need to be checked. Also, new ones are added almost weekly, sometimes daily or multiple times a day (new versions of existing programs). It's faster for my clients to temporarily disable Avast (or install a different virus scanner) than having to wait on Avast to clear my programs.

I still have to explain my clients why Avast is blocking the download. The alert says the program they are trying to download has been blocked because it contains a virus. It doesn't say that it actually blocks the download because it has no idea what it's downloading. There's a huge difference. If the message was more descriptive, and it offered the user the option to download anyway, it wouldn't be as useless as it is now.
Title: Re: Drep Detection
Post by: bob3160 on March 05, 2015, 10:32:11 PM
I've reported this to a Moderator. Let's see if we get a comment from Avast. :)
Title: Re: Drep Detection
Post by: REDACTED on April 03, 2015, 12:54:30 PM
Quote from: avastmobile2
I just stumbled upon this "feature" also. And I think it's stupid. Let me explain why.

I'm a small software business. I create specialized software which will be used only by a small group of people. I also create other software which I either put of as freeware or as shareware. My problem is that all my users who are using Avast are unable to download my software from my website. Because it doesn't meet any of the requirements:

1. The file is not prevalent enough, ie. not enough Avast users launched the file yet
Of course it's not prevalent enough. In case of the specialized software, only a handful of people will download it. In case of newly released freeware/shareware, no-one has downloaded it yet.

2. The domain is not prevalent enough, ie. not enough Avast users downloaded (any) EXE files from the domain yet
Same as above.

3. The file is not signed or Avast does not trust the signature.
I'm not going to spend extra money to get a trusted certificate just to satisfy a virus scanner. In fact, it would be easier for me to tell my clients to simply use another virus scanner instead. Which BTW is what I'm doing now.

Create your own Certificate Authority, create and sign your own certificate for all of your software, then Avast has the option to trust your certificate and all of the signed software (or not trust your certificate if anything untoward is found in your software).

As an alternative, you can submit each of your applications to Avast, as well as any updates every time you make changes.

Your own certificate is definitely easier. If you don't have your own Certificate Authority set up, you can always use XCA to create a CA and certificate to sign your applications.

I'm in a similar situation, just not with as many programs, with my own CA and self-signed certificate on all of my programs.

I submitted 2 files when I came across this and this is what I was told:

Quote
The point of Drep is that sometimes viruses are being hosted on hacked sites, which didn't distribute any files. This is a case for Drep, to block those viruses from the start. But we do not want to block legit programs from legit sites, so after a couple of files (or one file a couple of times) were downloaded from a single domain, that domain will not be flagged again ever. This makes sense, as download sites add hundreds of new unique files daily, and of course we do not want to block them.

You can send us the files you will make so we can add them to our cleanset, even before you publish them online... I actually added your cert to the clean list, just to be double sure.
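
Condition 3 in HonzaZ's explanation and the signing advice in the last post both depend on whether the EXE actually carries an embedded signature. The following is an added example, not code from this thread or from Avast: a Python check a developer could run on a build before publishing it, reading the PE certificate table (data directory entry 4). The names `embedded_signature` and `constructed_pe` are made up for this example, and `constructed_pe` builds a header-only sample rather than a real program.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode blobs are PKCS#7 SignedData

def embedded_signature(data: bytes):
    """Return (file_offset, size, cert_type) of the PE certificate table, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ header")
    try:
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("not a PE file: no PE signature")
        opt = pe_off + 24                 # skip PE signature (4) + COFF header (20)
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic")
        dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ layout
        (count,) = struct.unpack_from("<I", data, dirs - 4)     # NumberOfRvaAndSizes
        if count <= 4:
            return None                   # header has no certificate table slot
        # Entry 4 is the certificate table; its address is a file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    except struct.error:
        raise ValueError("truncated PE header") from None
    if cert_off == 0 or cert_size < 8 or cert_off + cert_size > len(data):
        return None                       # unsigned, or table stripped/truncated
    length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    if length < 8 or length > cert_size:
        return None                       # malformed WIN_CERTIFICATE header
    # Presence only: the signature and its certificate chain are not validated.
    return cert_off, cert_size, cert_type

def constructed_pe(signed: bool) -> bytes:
    """Constructed header-only PE32 sample for this example; not a runnable EXE."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = b"PE\0\0" + bytes(20)
    opt = bytearray(96 + 16 * 8)          # PE32 optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    cert = struct.pack("<IHH", 16, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + bytes(8)
    if signed:
        cert_off = len(dos) + len(coff) + len(opt)
        struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(cert))
    return dos + coff + bytes(opt) + (cert if signed else b"")
```

A non-None result only shows that a signature blob is present; whether a given product trusts the signer is a separate question, as the "or Avast does not trust the signature" half of condition 3 indicates.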