Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Alikhan on June 22, 2016, 01:33:57 AM

Title: CyberCapture
Post by: Alikhan on June 22, 2016, 01:33:57 AM
Could Avast give some information on this?

I understand that:

CyberCapture works on low prevalent files downloaded from web and then executed. But is it only files from the web and are there more conditions that need to be met???

CyberCapture is basically an inverted Secure Virtual Machine. It does same or even extended analysis, but on avast! servers. What type of analysis is done and are the detections good?


Since the file is uploaded to Avast servers - if a file is 15 MB then the full 15mb file is uploaded to Avast servers or just parts of it?


Title: Re: CyberCapture
Post by: RejZoR on June 22, 2016, 02:02:15 AM
That part about files being downloaded from web only triggering CyberCapture is bizarre. What if file arrives via USB thumb drive? avast! will just ignore it because it's not from a web link? Unfortunately we never got answer to that from avast! team for some reason.
Title: Re: CyberCapture
Post by: Milos on June 22, 2016, 09:10:24 AM
Hello,
files downloaded from web and executed and low prevalent. No other conditions to trigger CyberCapture.

We use our internal tools for analysis, NG, our scanner with detections which are not released, ...

Whole file is uploaded because it will be run in our NG.

Files from USB thumb will not trigger CyberCapture.

Milos
Title: Re: CyberCapture
Post by: Eddy on June 22, 2016, 09:20:09 AM
Kinda sucks for people with a low bandwidth.
Title: Re: CyberCapture
Post by: RejZoR on June 22, 2016, 09:28:15 AM
Hello,
files downloaded from web and executed and low prevalent. No other conditions to trigger CyberCapture.

We use our internal tools for analysis, NG, our scanner with detections which are not released, ...

Whole file is uploaded because it will be run in our NG.

Files from USB thumb will not trigger CyberCapture.

Milos

Sorry, but that's a bit dumb design. Whole point of proactive features is to keep all entry points covered. Only covering web downloads, even though most common is like wearing bullet proof helmet, but no bullet proof west... Makes as much sense...
Title: Re: CyberCapture
Post by: Eddy on June 22, 2016, 09:32:11 AM
Quote
downloaded from web
Is ftp, p2p, mail attachments and such also covered ?
Title: Re: CyberCapture
Post by: RejZoR on June 22, 2016, 09:41:27 AM
I don't understand logic behind their design at all. Wouldn't collection of as many unknown EXE files as possible make more sense? Then you throw them through a huge system of sorting and classification, not necessarily directly to NG on their servers. That's how you proactively combat unknown malware and protect all entry points later on without the need to focus on a single infection vector only...
Title: Re: CyberCapture
Post by: Eddy on June 22, 2016, 09:49:00 AM
Seems to me there is no need to upload every file.
Get the hash from a file.
Upload it to the avast server.
If it is unknown upload the file.
If it is known, there is no need to upload the file.
Seems to me much better for people with a low bandwidth and especially for those who have a data limit.
Title: Re: CyberCapture
Post by: Milos on June 22, 2016, 12:46:04 PM
Quote
downloaded from web
Is ftp, p2p, mail attachments and such also covered ?
Hello,
current implementation covers http(s) sources.

Milos
Title: Re: CyberCapture
Post by: Milos on June 22, 2016, 12:50:44 PM
Seems to me there is no need to upload every file.
Get the hash from a file.
Upload it to the avast server.
If it is unknown upload the file.
If it is known, there is no need to upload the file.
Seems to me much better for people with a low bandwidth and especially for those who have a data limit.
Hello,
yes, if we don't have the file (prevalence = 0) then we upload it to our servers. Other users with same hash don't upload the file.

Milos
Title: Re: CyberCapture
Post by: RejZoR on June 22, 2016, 12:55:50 PM
Quote
downloaded from web
Is ftp, p2p, mail attachments and such also covered ?
Hello,
current implementation covers http(s) sources.

Milos

So, you're leaving out P2P, e-mails and USB sources entirely. Very bad policy. VERY BAD. And it's kinda becoming a tradition with avast!.  Awesome new feature released and then you start digging and you realize it's once again limited to a very specific narrow scope of potential malware. Why are you guys doing this all the freaking time?  :-\

It's almost hard to be enthusiastic anymore about new technology in avast! because I can already tell you this won't really have a noticeable impact on end user protection. It's again just a trend that keeps repeating and I very much want you guys to finally prove me wrong...
Title: Re: CyberCapture
Post by: TrueIndian on June 22, 2016, 01:50:25 PM
I don't like this implementation...so only for downloaded files?? what if its already on the pc? or comes from a usb stick...this isn't comodo sanbox.Hell! even they have a setting to change that.

And why even implement this if it can't even cover e-mail and P2P....Come on! I am sure avast! team knows Locky and other threats are spreading from e-mail.  :P  Stop trying to make this Norton Download Insight I hate that :o

And what happened to the sandbox anaylsis? Can't they just link up the files that are sandboxed to their servers to analyze them.What's the catch for cybercapture?? doesn't do what the sandbox or ng used to do?? atleast we avast! used to sandbox unknown files...downloaded or not.
Title: Re: CyberCapture
Post by: Lord_Ami on June 22, 2016, 03:02:08 PM
I believe it's limited to downloaded files only because there would be too many requests for every file on PC. 230+ million users...

I'd imagine they start small and see how the tech works in real world. Then they will expand it. Let's wait and see.
Title: Re: CyberCapture
Post by: Alikhan on June 22, 2016, 04:18:44 PM
Hello,
current implementation covers http(s) sources.

Milos

I think this is ridiculous.

There are many other ways of getting infected such as via email, P2P, FTP and USBs - will avast just let those malware through.

Seriously, this is frustrating, you hear something positive and you're excited about it and then when more details emerge, it's the same old Avast.

A lot of malware testing done by AV vendors and people who test malware on virtual machines download the malware and put it on a USB to transfer to a virtual machine, that would simply mean that CyberCapture would be useless in those cases.

I seriously think the Avast team need to rethink this.
Title: Re: CyberCapture
Post by: RejZoR on June 22, 2016, 07:47:22 PM
It needs to be expanded to P2P, e-mail and removable drives. These are the most common infection vectors and sources of suspicious binaries.
Title: Re: CyberCapture
Post by: Vlk on June 22, 2016, 07:58:43 PM
Hi guys,

Glad to see some excitement about CyberCapture here -- it indeed is quite an exciting piece of technology (really taking benefit of a bunch of things that we have been building for years) and we can't wait to see it in action -- that is, can't wait till the Nitro Update really starts rolling out to millions of users and our backend systems start getting some serious load with this. :-)

Anyway... I totally hear your concern, and would like to say one thing from the very beginning: there's absolutely no design limitation that would imply that CyberCapture can only work with http/https downloads. And in fact, we totally plan to extend its scope in the upcoming weeks and months. The beautiful thing about it is that the decision process takes place (again) in the cloud, so these things can actually be changed at any time.

The reason why we have limited it to http/https downloads for now is that this is the category of files that carries most infections, and at the same time, contains some additional metadata (e.g. the source URL) that allow us to minimize false positives and generally make faster and more accurate decisions. And it also allows us to slightly lower the number of files coming to the system, which is important to make sure our backend stuff can gradually handle the load (we're quite confident we have built them robustly, but it's always a good practice to roll such things out in stages).

Remember, CyberCapture has been in production for about 1 day now. Here's a proposal. Let's give it a bit of time, and make sure that it handles the http/https vector really well (which would already be quite an accomplishment, given that statistically, 85%+ of all malware comes through that channel). And in parallel, let us work on the other vectors.

Deal?

Thanks
Vlk
Title: Re: CyberCapture
Post by: Alikhan on June 22, 2016, 08:33:21 PM
Hi guys,

Glad to see some excitement about CyberCapture here -- it indeed is quite an exciting piece of technology (really taking benefit of a bunch of things that we have been building for years) and we can't wait to see it in action -- that is, can't wait till the Nitro Update really starts rolling out to millions of users and our backend systems start getting some serious load with this. :-)

Anyway... I totally hear your concern, and would like to say one thing from the very beginning: there's absolutely no design limitation that would imply that CyberCapture can only work with http/https downloads. And in fact, we totally plan to extend its scope in the upcoming weeks and months. The beautiful thing about it is that the decision process takes place (again) in the cloud, so these things can actually be changed at any time.

The reason why we have for now limited it to http/https downloads is that this is the category of files that carries most infections, and at the same time, contains some additional metadata (e.g. the source URL) that allow us to minimize false positives and generally make faster and more accurate decisions. And it also allows us to slightly lower the number of files coming to the system, which is important to make sure our backend stuff can gradually handle the load (we're quite confident we have built them robustly, but it's always a good practice to roll such things out in stages).

Remember, CyberCapture has been in production for about 1 day now. Let's give it a bit of time, and make sure that it handles the http/https vector really well (which is already quite an accomplishment, given that statistically, 85%+ of all malware comes through that channel). And in parallel, let us work on the other vectors.

Deal?

Thanks
Vlk

That's a fair enough deal and that it will reach other vectors soon.

But it's important for you guys to realise by not including other vectors such as USB, you will be missing malware. Many users don't run a file straight from the Internet, they might save it to the USB and run it at another time too for example.

Thanks for your explanation Vlk. I hope it lives up to its expectations.
Title: Re: CyberCapture
Post by: RejZoR on June 22, 2016, 09:11:06 PM
Hi guys,

Glad to see some excitement about CyberCapture here -- it indeed is quite an exciting piece of technology (really taking benefit of a bunch of things that we have been building for years) and we can't wait to see it in action -- that is, can't wait till the Nitro Update really starts rolling out to millions of users and our backend systems start getting some serious load with this. :-)

Anyway... I totally hear your concern, and would like to say one thing from the very beginning: there's absolutely no design limitation that would imply that CyberCapture can only work with http/https downloads. And in fact, we totally plan to extend its scope in the upcoming weeks and months. The beautiful thing about it is that the decision process takes place (again) in the cloud, so these things can actually be changed at any time.

The reason why we have limited it to http/https downloads for now is that this is the category of files that carries most infections, and at the same time, contains some additional metadata (e.g. the source URL) that allow us to minimize false positives and generally make faster and more accurate decisions. And it also allows us to slightly lower the number of files coming to the system, which is important to make sure our backend stuff can gradually handle the load (we're quite confident we have built them robustly, but it's always a good practice to roll such things out in stages).

Remember, CyberCapture has been in production for about 1 day now. Here's a proposal. Let's give it a bit of time, and make sure that it handles the http/https vector really well (which would already be quite an accomplishment, given that statistically, 85%+ of all malware comes through that channel). And in parallel, let us work on the other vectors.

Deal?

Thanks
Vlk

I know it's a long shot, but would be nice if you could provide CyberCapture webpage with some statistics how service is operating, what's the malware hit ratio and other interesting statistics about it.  So we can kinda see how many received files are marked as malicious, how many were found clean, what countries have most new detected malware through the system and all that.

Since introduction of faster evolving program with monthly updates and relocation of a lot of things to cloud, I hope CyberCapture will evolve into actually powerful feature and not yet another cool tech that never really made proper results to the end users.
Title: Re: CyberCapture
Post by: Secondmineboy on June 22, 2016, 09:14:37 PM
How about a site where you can check files if they are unknown to it, marked safe, malicious or undefined?

So that also Avast can be informed of malwares that are mised by it to keep improving it or other was save the analysis data of each file thats marked clean or undecided and check it manually to keep improving it :)
Title: Re: CyberCapture
Post by: RejZoR on June 22, 2016, 09:19:10 PM
I think it's better to keep it program only so malware writers have a really hard time creating malware because they can't just check through webpage, but they'd have to actually test on a functioning program that would be able to feed captured data to the cloud and track all their malware writing process. That's the huge benefit of cloud, malware writers can't ever be sure how system will react to their attempts to bypass it.
Title: Re: CyberCapture
Post by: Eddy on June 22, 2016, 09:21:16 PM
I would like to know what it does (if anything at all) with web-based email as that is http(s).
Title: Re: CyberCapture
Post by: jefferson sant on June 22, 2016, 09:23:45 PM
Hello,
files downloaded from web and executed and low prevalent. No other conditions to trigger CyberCapture.
Milos

What does the function Filerep,almost one the characteristics, not referring detections since they are still necessary? I see no advantage of this resource remain.
Title: Re: CyberCapture
Post by: Lisandro on June 22, 2016, 09:30:53 PM
Other users with same hash don't upload the file.
I suppose hash is done in the server site.
Hash is known as intensive action for big archives.
Won't is slow down https browsing?
Is there a archive size limit?
How would you know if prevalence =0 without hashing every single file in the HTTPS traffic?
Title: Re: CyberCapture
Post by: Lisandro on June 22, 2016, 09:34:52 PM
Anyway... I totally hear your concern, and would like to say one thing from the very beginning: there's absolutely no design limitation that would imply that CyberCapture can only work with http/https downloads. And in fact, we totally plan to extend its scope in the upcoming weeks and months. The beautiful thing about it is that the decision process takes place (again) in the cloud, so these things can actually be changed at any time.
How would hashing be done in an USB file if it is not done in our computers (client size)?
Remember, CyberCapture has been in production for about 1 day now. Here's a proposal. Let's give it a bit of time, and make sure that it handles the http/https vector really well (which would already be quite an accomplishment, given that statistically, 85%+ of all malware comes through that channel). And in parallel, let us work on the other vectors.
Deal?
Thanks
Vlk
Ok. Please, publish and hype the results... Oh, make sure the competence does not copy the technology (that soon) ;D
Title: Re: CyberCapture
Post by: TrueIndian on June 23, 2016, 07:55:52 AM
Well I think that's a deal.Questions I have:

1.What is this Nitro update feature.How is it going to be any different than the streaming updates? This is more confusing.

2.I agree that cybercapture is a strong feature.But then the same thing was being done by IQ community sensors but with a delay.So is this thing any different than that.Or the IQ community is now being put to use after years of usage.

3.Any limitations to the file size that cybercapture may upload to your servers??

4.Is the sandbox and cybercapture now one and the same?? If not what's the difference?? Analysis on users machine and analysis on cloud is the only difference.
Title: Re: CyberCapture
Post by: Vlk on June 23, 2016, 01:28:47 PM
I know it's a long shot, but would be nice if you could provide CyberCapture webpage with some statistics how service is operating, what's the malware hit ratio and other interesting statistics about it.  So we can kinda see how many received files are marked as malicious, how many were found clean, what countries have most new detected malware through the system and all that.

Good idea. It would be kind of cool. And similarly, on an individual file level (so that YOU, as the contributor, could check the status of your files in real time).

I would like to know what it does (if anything at all) with web-based email as that is http(s).

This scenario is already covered.

I suppose hash is done in the server site.
Hash is known as intensive action for big archives.
Won't is slow down https browsing?
Is there a archive size limit?
How would you know if prevalence =0 without hashing every single file in the HTTPS traffic?

Hashes are always done on client side, of course. That's the whole point -- so that we don't need to update files that we already have / know about.
I wouldn't be concerned about any slow downs caused by the calculation of the hash. In fact, in our implementation, we compute the hash "on the fly", as the file is being downloaded. I.e. every time a chunk of data is fetched from the network, we update the hash, so there's no need to calculate the whole hash when the donwload completes; we already have it by then.

There's no file size limit per se.

1.What is this Nitro update feature.How is it going to be any different than the streaming updates? This is more confusing.

Nitro is a name we have given to the latest version of Avast (not a name of a feature), to emphasize the effort we have spent on making it faster and leaner. Internally, for us it also means some other changes and I will be communicating these in the forum soon... I think you will like it.

2.I agree that cybercapture is a strong feature.But then the same thing was being done by IQ community sensors but with a delay.So is this thing any different than that.Or the IQ community is now being put to use after years of usage.

There's a number of differences. The one most important from the protection point of view is its synchronous nature. I.e. we actually don't allow the captured file to run until a definitive decision is made. CyberCapture also helped us here in the Threat Labs to streamline a number of processes and get better at detecting stuff.

3.Any limitations to the file size that cybercapture may upload to your servers??

See above, no.

4.Is the sandbox and cybercapture now one and the same?? If not what's the difference?? Analysis on users machine and analysis on cloud is the only difference.

Sandbox (DeepScreen) is a part of CyberCapture. We use it both locally (on the user's computer -- to filter out the most obvious malware) and also on the backend (in a controlled environment, with full NG support and much more time to play with it).

Thanks
Vlk
Title: Re: CyberCapture
Post by: Be Secure on June 23, 2016, 01:48:46 PM
It still can't block JS malwares.
Title: Re: CyberCapture
Post by: Vlk on June 23, 2016, 01:56:27 PM
It still can't block JS malwares.

By JS, you mean JavaScript, right?

CyberCapture is a technology designed to block binary malware, correct. We have different technologies (particularly in the Web shield) that focus on JavaScript, but CyberCapture is not one of them. With that said, it's worth adding that in the vast majority of cases, even if you hit a Javascript piece of malware, the payload is then downloaded in binary form and can therefore be successfully blocked by CyberCapture.

Thanks,
Vlk
Title: Re: CyberCapture
Post by: Be Secure on June 23, 2016, 02:00:13 PM
It still can't block JS malwares.

By JS, you mean JavaScript, right?

CyberCapture is a technology designed to block binary malware, correct. We have different technologies (particularly in the Web shield) that focus on JavaScript, but CyberCapture is not one of them. With that said, it's worth adding that in the vast majority of cases, even if you hit a Javascript piece of malware, the payload is then downloaded in binary form and can therefore be successfully blocked by CyberCapture.

Thanks,
Vlk
Yes!.Thanks for the info.You and your team is great and doing great work...so go on. :D ;D
Title: Re: CyberCapture
Post by: Asyn on June 23, 2016, 02:05:23 PM
I know it's a long shot, but would be nice if you could provide CyberCapture webpage with some statistics how service is operating, what's the malware hit ratio and other interesting statistics about it.  So we can kinda see how many received files are marked as malicious, how many were found clean, what countries have most new detected malware through the system and all that.

Good idea. It would be kind of cool. And similarly, on an individual file level (so that YOU, as the contributor, could check the status of your files in real time).
Sounds interesting. Does "Good idea" mean we'll see it rather soon..? ;)
Title: Re: CyberCapture
Post by: RejZoR on June 23, 2016, 02:31:46 PM
@Vlk I have one more idea. Currently, when CyberCapture locks the file into custody, you can opt to run it without waiting for verdict. You could add "Run in Sandbox" as an option for Pro, Internet Security and Premier editions since they already employ sandbox tech. This way users can run the suspicious stuff risk free in an isolated environment (if the app will work in it of course since not all do) even before they get definitive answer from CyberCapture servers. This way you add additional layer of security when users decide to run it anyway.
Title: Re: CyberCapture
Post by: Vlk on June 23, 2016, 02:52:22 PM
@Vlk I have one more idea. Currently, when CyberCapture locks the file into custody, you can opt to run it without waiting for verdict. You could add "Run in Sandbox" as an option for Pro, Internet Security and Premier editions since they already employ sandbox tech. This way users can run the suspicious stuff risk free in an isolated environment (if the app will work in it of course since not all do) even before they get definitive answer from CyberCapture servers. This way you add additional layer of security when users decide to run it anyway.

Thanks, that sounds like something that could be implemented very easily.

Vlk
Title: Re: CyberCapture
Post by: Vlk on June 23, 2016, 02:53:37 PM
Btw, you can read more about CyberCapture here: https://blog.avast.com/cybercapture-protection-against-zero-second-attacks
Title: Re: CyberCapture
Post by: RejZoR on June 23, 2016, 03:11:02 PM
You're mentioning server side polymorphic malware, since you guys often mention contextual detections, is your system designed to combat this in such a way that if CyberCapture spots several different malicious samples on a same domain, that it blacklists that domain (or IP) automatically and feeds it into Web Shield URL blocker? Because once you block a fixed URL address, they can spawn trillions of new malware samples and they'd all get blocked by URL:Mal part of the Web Shield proactively.
Title: Re: CyberCapture
Post by: Be Secure on June 23, 2016, 04:07:47 PM
@Vlk I have one more idea. Currently, when CyberCapture locks the file into custody, you can opt to run it without waiting for verdict. You could add "Run in Sandbox" as an option for Pro, Internet Security and Premier editions since they already employ sandbox tech. This way users can run the suspicious stuff risk free in an isolated environment (if the app will work in it of course since not all do) even before they get definitive answer from CyberCapture servers. This way you add additional layer of security when users decide to run it anyway.
Why leftout Free? :(
Title: Re: CyberCapture
Post by: Asyn on June 23, 2016, 04:15:19 PM
@Vlk I have one more idea. Currently, when CyberCapture locks the file into custody, you can opt to run it without waiting for verdict. You could add "Run in Sandbox" as an option for Pro, Internet Security and Premier editions since they already employ sandbox tech. This way users can run the suspicious stuff risk free in an isolated environment (if the app will work in it of course since not all do) even before they get definitive answer from CyberCapture servers. This way you add additional layer of security when users decide to run it anyway.
Why leftout Free? :(
Because, there is no sandbox. ;)
Title: Re: CyberCapture
Post by: Alikhan on June 23, 2016, 04:19:39 PM
@Vlk I have one more idea. Currently, when CyberCapture locks the file into custody, you can opt to run it without waiting for verdict. You could add "Run in Sandbox" as an option for Pro, Internet Security and Premier editions since they already employ sandbox tech. This way users can run the suspicious stuff risk free in an isolated environment (if the app will work in it of course since not all do) even before they get definitive answer from CyberCapture servers. This way you add additional layer of security when users decide to run it anyway.

+1.

This is a great idea.
Title: Re: CyberCapture
Post by: Be Secure on June 23, 2016, 04:20:00 PM
@Vlk I have one more idea. Currently, when CyberCapture locks the file into custody, you can opt to run it without waiting for verdict. You could add "Run in Sandbox" as an option for Pro, Internet Security and Premier editions since they already employ sandbox tech. This way users can run the suspicious stuff risk free in an isolated environment (if the app will work in it of course since not all do) even before they get definitive answer from CyberCapture servers. This way you add additional layer of security when users decide to run it anyway.
Why leftout Free? :(
Because, there is no sandbox. ;)
But many users used this and avast! send the basic product to testing companies..so why not avast! implement somthing that good for all. :)
Title: Re: CyberCapture
Post by: bob3160 on June 23, 2016, 04:26:11 PM
Here is an explanation of CyberCapture directly from Ondrej:
https://blog.avast.com/cybercapture-protection-against-zero-second-attacks (https://blog.avast.com/cybercapture-protection-against-zero-second-attacks)
Hopefully this will be a better answer than NG in defending against the latest and as yet unknown threats.
Title: Re: CyberCapture
Post by: Milos on June 23, 2016, 04:41:18 PM
You're mentioning server side polymorphic malware, since you guys often mention contextual detections, is your system designed to combat this in such a way that if CyberCapture spots several different malicious samples on a same domain, that it blacklists that domain (or IP) automatically and feeds it into Web Shield URL blocker? Because once you block a fixed URL address, they can spawn trillions of new malware samples and they'd all get blocked by URL:Mal part of the Web Shield proactively.
Yes, we have already implemented this.

Milos
Title: Re: CyberCapture
Post by: RejZoR on June 23, 2016, 05:09:47 PM
@Vlk I have one more idea. Currently, when CyberCapture locks the file into custody, you can opt to run it without waiting for verdict. You could add "Run in Sandbox" as an option for Pro, Internet Security and Premier editions since they already employ sandbox tech. This way users can run the suspicious stuff risk free in an isolated environment (if the app will work in it of course since not all do) even before they get definitive answer from CyberCapture servers. This way you add additional layer of security when users decide to run it anyway.
Why leftout Free? :(
Because, there is no sandbox. ;)
But many users used this and avast! send the basic product to testing companies..so why not avast! implement somthing that good for all. :)

Because:
a) Free version doesn't have sandbox component, at least not one that allows execution of files like paid versions do
b) In the end, they need paying customers and this tiny feature separates Free from paid versions without really affecting user security (if you just wait for the verdict to arrive back).
Title: Re: CyberCapture
Post by: TrueIndian on June 23, 2016, 06:43:58 PM
Interesting stuff would love to see this feature cover all the entry points.Yep would definately like this.

Right i will try to get this thing triggered :)

Have been too hard coming down on avast!.Can't blame anyone because this program is very reputated and so if it fails its a big no no  for its fanbase.Keep up the good work!
Title: Re: CyberCapture
Post by: RejZoR on June 23, 2016, 08:56:43 PM
Don't feel bad for giving honest criticism. Constructive criticism, even if it looks harsh at first, only makes things better. Pretending everything is fine and praising things to death leads to stagnation. avast! has once again proven it has one of the best communities in the world. Not like for example product which starts with C and ends with O, where I got banned like 3 times on their forums because I was just concerned and honest about the issues it had. Fine, then have your broken crap and praise it to death even though it's broken like a llama which fell off Mount Everest... But fanboys will be fanboys. I used to be avast! fanboy so to speak in the past, but no more. I am a fan, but not a fanboy. Because being fanboy is harmful, not productive.
Title: Re: CyberCapture
Post by: RejZoR on June 23, 2016, 09:06:26 PM
@Vlk

I have one more concern or question about CyberCapture, regarding AV-C and AV-TEST. Will their testing methodologies adapt to how your product works? I mean, if results are sometimes returned in 2 hours time, will they wait for a verdict and flag it as miss or hit based on that or how will they operate with it now? I mean, before it was very clear verdict with NG since it took just few seconds and tester could instantly see what happened. With CyberCapture, that changes drastically. And it would be nice to see realistic scores in tests based on how it actually operates.
Title: Re: CyberCapture
Post by: Be Secure on June 24, 2016, 02:53:40 AM
Don't feel bad for giving honest criticism. Constructive criticism, even if it looks harsh at first, only makes things better. Pretending everything is fine and praising things to death leads to stagnation. avast! has once again proven it has one of the best communities in the world. Not like for example product which starts with C and ends with O, where I got banned like 3 times on their forums because I was just concerned and honest about the issues it had. Fine, then have your broken crap and praise it to death even though it's broken like a llama which fell off Mount Everest... But fanboys will be fanboys. I used to be avast! fanboy so to speak in the past, but no more. I am a fan, but not a fanboy. Because being fanboy is harmful, not productive.
+100. :D
Title: Re: CyberCapture
Post by: Be Secure on June 24, 2016, 04:25:52 AM
@Vlk

I have one more concern or question about CyberCapture, regarding AV-C and AV-TEST. Will their testing methodologies adapt to how your product works? I mean, if results are sometimes returned in 2 hours time, will they wait for a verdict and flag it as miss or hit based on that or how will they operate with it now? I mean, before it was very clear verdict with NG since it took just few seconds and tester could instantly see what happened. With CyberCapture, that changes drastically. And it would be nice to see realistic scores in tests based on how it actually operates.
2 hour is too much for them and for us also.If it is between 15-20 minutes(Max 25) then it will be more realistic.For solution you can make more NG system environment in your lab it will divide the workload. :)
Title: Re: CyberCapture
Post by: TrueIndian on June 24, 2016, 05:30:44 AM
Well I am sure in time this feature will be a big part of avast! because of their huge user base it will be easy to detect new threats quickly.  :)

I want to see this feature applied to all infection vectors especially to usb,p2p,mail and unkown files resident on user machine if there are any.
Title: Re: CyberCapture
Post by: pbjkh6@gmail.com on June 24, 2016, 06:12:49 AM
@Vlk

I have one more concern or question about CyberCapture, regarding AV-C and AV-TEST. Will their testing methodologies adapt to how your product works? I mean, if results are sometimes returned in 2 hours time, will they wait for a verdict and flag it as miss or hit based on that or how will they operate with it now? I mean, before it was very clear verdict with NG since it took just few seconds and tester could instantly see what happened. With CyberCapture, that changes drastically. And it would be nice to see realistic scores in tests based on how it actually operates.
2 hour is too much for them and for us also.If it is between 15-20 minutes(Max 25) then it will be more realistic.For solution you can make more NG system environment in your lab it will divide the workload. :)
+1
Title: Re: CyberCapture
Post by: Para-Noid on June 25, 2016, 01:34:20 AM
CyberCapture vs. Free Business Edition...

If the free business edition provides USB protection then why can't CyberCapture do the same thing?"
Assuming the free business edition uses cloud technology to protect against USB infections.
Also, doesn't the free business edition use the cloud to scan individual files?
Title: Re: CyberCapture
Post by: Be Secure on June 25, 2016, 03:34:03 AM
CyberCapture was bypassed by Ransomware. :(Is there any info about Ransomware protection? I thought it(Ransomware) block by CyberCapture but wrong.
Title: Re: CyberCapture
Post by: Lisandro on June 25, 2016, 03:24:01 PM
CyberCapture was bypassed by Ransomware.
Evidence (link) please ;)
Title: Re: CyberCapture
Post by: Lisandro on June 25, 2016, 03:43:18 PM
And it would be nice to see realistic scores in tests based on how it actually operates.
+1 I would love to see results being published.

avast! has once again proven it has one of the best communities in the world.
And it's one of our major power. And we know that we need to change somehow "faster", "drastically".
We're listen to this need and will do our best to recover and keep this perception of "best community".
Title: Re: CyberCapture
Post by: Andrey,pro on June 25, 2016, 04:36:05 PM
Seems to me there is no need to upload every file.
Get the hash from a file.
Upload it to the avast server.
If it is unknown upload the file.
If it is known, there is no need to upload the file.
Seems to me much better for people with a low bandwidth and especially for those who have a data limit.
Hello,
yes, if we don't have the file (prevalence = 0) then we upload it to our servers. Other users with same hash don't upload the file.

Milos
Hello Milos,

One user from Russia reported it isn't the truth. After checking the file it was checked again the next time. For more inforrmation, please read this topic (in Russian): https://forum.avast.com/index.php?topic=187696.0

Update: I found that the first picture was from a FileRep and the Second - from CyberCapture.
Title: Re: CyberCapture
Post by: Be Secure on June 25, 2016, 04:42:35 PM
CyberCapture was bypassed by Ransomware.
Evidence (link) please ;)
Ok.I have some screenshot of that Ransomware that was block by ZAM.After that i send it to Viruslab.And now it is blocked as a malware-gen.

VT: https://www.virustotal.com/en/file/5a7fa97c7450e7404abc8fb910f99019193e30cf2c7303996c7d19efebfc650b/analysis/ (https://www.virustotal.com/en/file/5a7fa97c7450e7404abc8fb910f99019193e30cf2c7303996c7d19efebfc650b/analysis/)
Title: Re: CyberCapture
Post by: Lisandro on June 25, 2016, 05:58:28 PM
After that i send it to Viruslab. And now it is blocked as a malware-gen.
So, it did not pass CyberCapture.
Of course, CyberCapture needs to get the malware (file) to analyze it.
Having 230 million sensors spread all over the world, zero-second protection will be achieved when a file with prevalence 0 (unknown) reaches CyberCapture.
Title: Re: CyberCapture
Post by: RejZoR on June 25, 2016, 06:02:48 PM
It did fail. He sent it manually to virus lab. CyberCapture is suppose to lock the file from execution, send the sample to cloud, analyze it there and return the verdict. And verdict in this case was apparently "not malware". Or it didn't even trigger CyberCapture because it was executed from local drive and not as download, which ENTIRELY bypasses CyberCapture...
Title: Re: CyberCapture
Post by: Be Secure on June 25, 2016, 06:08:02 PM
It did fail. He sent it manually to virus lab. CyberCapture is suppose to lock the file from execution, send the sample to cloud, analyze it there and return the verdict. And verdict in this case was apparently "not malware". Or it didn't even trigger CyberCapture because it was executed from local drive and not as download, which ENTIRELY bypasses CyberCapture...
+1.Got my point. ;)
Title: Re: CyberCapture
Post by: Lisandro on June 25, 2016, 06:11:16 PM
CyberCapture is suppose to lock the file from execution, send the sample to cloud, analyze it there and return the verdict.
Which is the origin of the file? HTTPS scanning?

And verdict in this case was apparently "not malware".
The verdict is not instantaneous.

Or it didn't even trigger CyberCapture because it was executed from local drive and not as download, which ENTIRELY bypasses CyberCapture...
No, I really disagree technically. This is not bypass. The technology was not bypassed. It is just, by now, limited. Not every file triggers CyberCapture. And not triggering is NOT, technically, bypassing.
CyberCapture will evolve in next months and its limitations (the origin of the file) will be narrowed.
Title: Re: CyberCapture
Post by: RejZoR on June 25, 2016, 06:44:40 PM
Bypass, evasion, not being detected, same thing, end result is user being infected. At the end of the day, I frankly don't care how you call it.

I'd need Be Secure to confirm whether it triggered CyberCapture and the verdict was "CLEAN" or it didn't even trigger it...
Title: Re: CyberCapture
Post by: Dwarden on June 26, 2016, 02:19:49 AM
please also remember shared infections of LAN and similar it's not just removal drives, USBs, optical media and web urls and email ;)

seen some randomware latterly going thru LAN attack vectors
Title: Re: CyberCapture
Post by: Be Secure on June 26, 2016, 02:34:06 AM
Bypass, evasion, not being detected, same thing, end result is user being infected. At the end of the day, I frankly don't care how you call it.

I'd need Be Secure to confirm whether it triggered CyberCapture and the verdict was "CLEAN" or it didn't even trigger it...
It didn't even trigger CyberCapture.
Quote
CyberCapture will evolve in next months and its limitations (the origin of the file) will be narrowed.
Hope so. :)
Title: Re: CyberCapture
Post by: RejZoR on June 26, 2016, 06:59:02 AM
But how did you obtain the sample? Downloaded from web or executed locally after unpacking it from archive? I think that may be a problem because I don't think avast! tracks files this thoroughly to know what arrived from web and what is local. If EXE gets downloaded and is unknown it'll CyberCapture it. If it arrives in a locked archive, you unpack it manually later on and execute the content, CyberCapture won't do anything, despite archive originating from web, because it couldn't do anything with it at the time.

Also, does CyberCapture even work if user decides to only install File System Shield and no Web Shield? One would think CyberCapture depends on Web Shield. Not installing it renders CyberCapture useless even if you have it ticked in the settings. Or does it?
Title: Re: CyberCapture
Post by: Be Secure on June 26, 2016, 07:18:42 AM
how did you obtain the sample? Downloaded from web or executed locally after unpacking it from archive?
Yes.Downloaded from web then executed locally.I have another Virus link and i PMed you the link pls try it yourself on wondows 7,because windows10 does not support this.VT-https://www.virustotal.com/en/file/879fc214c53f27097fa0a975046ff3a2435f602c8f64f1030c412ad14a656105/analysis/ (https://www.virustotal.com/en/file/879fc214c53f27097fa0a975046ff3a2435f602c8f64f1030c412ad14a656105/analysis/)This will open CC but failed to block it.Say It clean.Send it to Viruslab.
Title: Re: CyberCapture
Post by: Be Secure on June 26, 2016, 07:25:08 AM
does CyberCapture even work if user decides to only install File System Shield and no Web Shield? One would think CyberCapture depends on Web Shield. Not installing it renders CyberCapture useless even if you have it ticked in the settings. Or does it?
Don't Know.Avast! Dev will answar this. :)
Title: Re: CyberCapture
Post by: Milos on June 27, 2016, 01:07:55 PM
how did you obtain the sample? Downloaded from web or executed locally after unpacking it from archive?
Yes.Downloaded from web then executed locally.I have another Virus link and i PMed you the link pls try it yourself on wondows 7,because windows10 does not support this.VT-https://www.virustotal.com/en/file/879fc214c53f27097fa0a975046ff3a2435f602c8f64f1030c412ad14a656105/analysis/ (https://www.virustotal.com/en/file/879fc214c53f27097fa0a975046ff3a2435f602c8f64f1030c412ad14a656105/analysis/)This will open CC but failed to block it.Say It clean.Send it to Viruslab.
Hello Be Secure,
what was the exact scenario you have tried? Can you describe step by step what did you do with the file, please?

Milos
Title: Re: CyberCapture
Post by: Be Secure on June 27, 2016, 01:22:11 PM
how did you obtain the sample? Downloaded from web or executed locally after unpacking it from archive?
Yes.Downloaded from web then executed locally.I have another Virus link and i PMed you the link pls try it yourself on wondows 7,because windows10 does not support this.VT-https://www.virustotal.com/en/file/879fc214c53f27097fa0a975046ff3a2435f602c8f64f1030c412ad14a656105/analysis/ (https://www.virustotal.com/en/file/879fc214c53f27097fa0a975046ff3a2435f602c8f64f1030c412ad14a656105/analysis/)This will open CC but failed to block it.Say It clean.Send it to Viruslab.
Hello Be Secure,
what was the exact scenario you have tried? Can you describe step by step what did you do with the file, please?

Milos
1.Download a virus file from web.
              2.executed it locally(Net was connected)and then the DeepScreen(Only word was changed.As you can see in pic.It was not even state that it was CC)apeared.
               3.After scan it state that file is clean not infected but it was a infected exe file.
In short-Downloaded from web then executed locally and failed to protect.
Title: Re: CyberCapture
Post by: Milos on June 27, 2016, 02:53:07 PM
Thanks for the info. We will investigate the issue.

Milos
Title: Re: CyberCapture
Post by: Be Secure on June 27, 2016, 02:58:25 PM
Thanks for the info. We will investigate the issue.

Milos
Pls let me know. :)
Title: Re: CyberCapture
Post by: Lisandro on June 28, 2016, 02:48:04 AM
Thanks for jumping Milos.
Title: Re: CyberCapture
Post by: Vlk on June 28, 2016, 04:03:21 AM
The team has analyzed this scenario and found some bugs in the CyberCapture backend that might've been responsible for this. Fixes are on the way. Thanks for bringing this up by the way -- and please, if you see more issues (any misses in detection etc.), make sure to share them with us. We're committed to making CyberCapture a kick-ass thing and y'all's help is essential in this.

Thanks!
Vlk
Title: Re: CyberCapture
Post by: Be Secure on June 28, 2016, 04:13:25 AM
The team has analyzed this scenario and found some bugs in the CyberCapture backend that might've been responsible for this. Fixes are on the way. Thanks for bringing this up by the way -- and please, if you see more issues (any misses in detection etc.), make sure to share them with us. We're committed to making CyberCapture a kick-ass thing and y'all's help is essential in this.

Thanks!
Vlk
I will.But CyberCapture needs a separate Section in the forum to report any kind off BUGS and improvments news on CC.@Vlk
Title: Re: CyberCapture
Post by: Be Secure on June 28, 2016, 08:09:32 AM
Pls remove its limitations from(USB origin,VBS files,BAT)quickly.
Title: Re: CyberCapture
Post by: DavidR on June 28, 2016, 03:10:17 PM
Pls remove its limitations from(USB origin,VBS files,BAT)quickly.

I suggest we do what was said - by Vlk I believe - lets get the CyberCapture web downloads function sorted and bug free before adding additional entry point functionality.
Title: Re: CyberCapture
Post by: bob3160 on June 28, 2016, 03:13:06 PM
Pls remove its limitations from(USB origin,VBS files,BAT)quickly.

I suggest we do what was said - by Vlk I believe - lets get the CyberCapture web downloads function sorted and bug free before adding additional entry point functionality.
Considering that the internet is the source of the biggest danger, it needs to be tackled and concord first. Once that's done, then it's time to move on to the next largest
source of attack.
Title: Re: CyberCapture
Post by: Be Secure on June 28, 2016, 04:26:24 PM
Pls remove its limitations from(USB origin,VBS files,BAT)quickly.

I suggest we do what was said - by Vlk I believe - lets get the CyberCapture web downloads function sorted and bug free before adding additional entry point functionality.
Considering that the internet is the source of the biggest danger, it needs to be tackled and concord first. Once that's done, then it's time to move on to the next largest
source of attack.
Yes.But VBS files,BAT files are net base threats and have to be analyzed by CC. :)
Title: Re: CyberCapture
Post by: Be Secure on June 28, 2016, 04:29:17 PM
Can anyone from Avast! move this thread to sticky,but not locked it.It will be helpful for many. ;)
Title: Re: CyberCapture
Post by: bob3160 on June 28, 2016, 06:41:52 PM
Can anyone from Avast! move this thread to sticky,but not locked it.It will be helpful for many. ;)
Certainly not needed. As long as this topic is active it will always be easy to find.
When it's no longer active, it will disappear. :)
Title: Re: CyberCapture
Post by: DavidR on June 28, 2016, 07:12:19 PM
Can anyone from Avast! move this thread to sticky,but not locked it.It will be helpful for many. ;)
Certainly not needed. As long as this topic is active it will always be easy to find.
When it's no longer active, it will disappear. :)

Agreed, the forum has to have tight control over stickies, or we see before long half a page of stickies before we get to the current listing. Anyone having found it (and it shouldn't be that hard) can bookmark it, click notify or contribute to the topic and you will get an email on new posts.
Title: Re: CyberCapture
Post by: Be Secure on July 01, 2016, 12:36:33 PM
Again avast! CC not run on unknown threats which is downloaded from web and open it locally.This time not even start CC.Here is the V.T link:https://www.virustotal.com/en/file/d36854312a2d17e032ed7ac8a330e5622cfb84879ce4735022014e939e8c7d2f/analysis/1467368796/ (https://www.virustotal.com/en/file/d36854312a2d17e032ed7ac8a330e5622cfb84879ce4735022014e939e8c7d2f/analysis/1467368796/).This is a new sample(Few hour) sample.Very disappointed by CC. :( I am send it to viruslab via virus chest.
Title: Re: CyberCapture
Post by: RejZoR on July 01, 2016, 02:55:06 PM
This is what happens when you start limiting entry points. If avast! inspected EVERY unknown file regardless of how it arrives to the system, there would be no such issues. But instead, another half finished tech that again doesn't work and most likely never will. Why I'm not surprised...  ::)
Title: Re: CyberCapture
Post by: Be Secure on July 01, 2016, 03:00:57 PM
This is what happens when you start limiting entry points. If avast! inspected EVERY unknown file regardless of how it arrives to the system, there would be no such issues. But instead, another half finished tech that again doesn't work and most likely never will. Why I'm not surprised...  ::)
+1
Title: Re: CyberCapture
Post by: Lisandro on July 02, 2016, 01:04:52 AM
I understand your frustration RejZor (regarding to proactive detection of previous Avast versions and also the real-world tests).
But, this time, as you can see for Vlk's words (also the blog brings info regarding to this), everybody is doing their best to achieve the proactive (a.k.a. zero-second) protection.
Although, the zero-second protection won't be achieved in zero seconds. We're on the way  8)
Title: Re: CyberCapture
Post by: Rednose on July 02, 2016, 03:29:56 AM
@Vlk I have one more idea. Currently, when CyberCapture locks the file into custody, you can opt to run it without waiting for verdict. You could add "Run in Sandbox" as an option for Pro, Internet Security and Premier editions since they already employ sandbox tech. This way users can run the suspicious stuff risk free in an isolated environment (if the app will work in it of course since not all do) even before they get definitive answer from CyberCapture servers. This way you add additional layer of security when users decide to run it anyway.

Thanks, that sounds like something that could be implemented very easily.

Vlk

I support this idea : It should be implemented as soon as possible :)

Greetz, Red.
Title: Re: CyberCapture
Post by: RejZoR on July 04, 2016, 07:39:41 AM
@Vlk
How does CyberCapture track files that are from web? For example, does it only process files that are due for execution directly via download or will it also process EXE that arrived from web via password protected archive and user gets a password separately? I've seen things like this before. Meaning the EXE will then actually arrive to existence locally, because nowhere along the way to PC was avast! able to have even a look at it, let alone actually scan it. Or can it actually physically track the sequence of files what creates what and what needs to be scanned?
Title: Re: CyberCapture
Post by: Be Secure on July 04, 2016, 09:01:24 AM
@Vlk
Is it possible to run CyberCapture and Hardened mode all together in same time? Earlier Deepscreen not running when Hardened mode was enabled.Is it possible to run both in same time now?
Title: Re: CyberCapture
Post by: Be Secure on July 05, 2016, 06:08:11 PM
@Vlk
Again Avast! CC/DeepScreen missed a new file(VPN2.exe) from web. :( VT-https://virustotal.com/en/file/ca0ac979abdb6d0a863960ce5b1d021ab696c7ecd9022b38366183ff4e0e2254/analysis/1467734591/ (https://virustotal.com/en/file/ca0ac979abdb6d0a863960ce5b1d021ab696c7ecd9022b38366183ff4e0e2254/analysis/1467734591/)
BTW i am send this to viruslab via viruschest.
Title: Re: CyberCapture
Post by: RejZoR on July 05, 2016, 08:58:17 PM
Every time you post an example I'm losing confidence in yet another tech from avast! more and more...
Title: Re: CyberCapture
Post by: Alikhan on July 05, 2016, 09:54:23 PM
Every time you post an example I'm losing confidence in yet another tech from avast! more and more...

+1.

No statistics too.
Title: Re: CyberCapture
Post by: Be Secure on July 06, 2016, 02:28:56 AM
Every time you post an example I'm losing confidence in yet another tech from avast! more and more...
Have patience.Wait.I just notify Vlk about the situation.
Title: Re: CyberCapture
Post by: Lisandro on July 06, 2016, 04:12:24 AM
Have patience.Wait.I just notify Vlk about the situation.
Thanks. I've did the same.
Title: Re: CyberCapture
Post by: Vlk on July 06, 2016, 08:34:32 AM
@Vlk
Again Avast! CC/DeepScreen missed a new file(VPN2.exe) from web. :( VT-https://virustotal.com/en/file/ca0ac979abdb6d0a863960ce5b1d021ab696c7ecd9022b38366183ff4e0e2254/analysis/1467734591/ (https://virustotal.com/en/file/ca0ac979abdb6d0a863960ce5b1d021ab696c7ecd9022b38366183ff4e0e2254/analysis/1467734591/)
BTW i am send this to viruslab via viruschest.

The first file didnt't even make it to CC. Did this one fall into CC?

Thanks,
Vlk
Title: Re: CyberCapture
Post by: RejZoR on July 06, 2016, 09:40:17 AM
Every time you post an example I'm losing confidence in yet another tech from avast! more and more...
Have patience.Wait.I just notify Vlk about the situation.

And users should also just wait patiently to get infected... I know there are various configurations that may determine how program works, but to me, this looks like basic functionality of CC wasn't tested at all and the fact that there is no easy way of testing it from user side (not even detection, just if it even captures the binaries in scenarios where it should) makes it impossible for us to even help. And to be quite honest I'm not in the mood of setting up a VM, installing OS on it and fiddling with live malware. Besides, my sources only include sites like MDL which are signature or URL:Mal detected really fast anyway, making them obsolete for testing. The scope of detection was limited to downloaded files only and even that seems to be badly broken. Not cool. At all.
Title: Re: CyberCapture
Post by: Be Secure on July 06, 2016, 10:22:08 AM
@Vlk
Again Avast! CC/DeepScreen missed a new file(VPN2.exe) from web. :( VT-https://virustotal.com/en/file/ca0ac979abdb6d0a863960ce5b1d021ab696c7ecd9022b38366183ff4e0e2254/analysis/1467734591/ (https://virustotal.com/en/file/ca0ac979abdb6d0a863960ce5b1d021ab696c7ecd9022b38366183ff4e0e2254/analysis/1467734591/)
BTW i am send this to viruslab via viruschest.

The first file didnt't even make it to CC. Did this one fall into CC?

Thanks,
Vlk
No.It was activate the DeepScreen mode and give it OK to run.What is going on?User like me or anyone has no clue.No sign of Cyber Capture.
Title: Re: CyberCapture
Post by: Be Secure on July 06, 2016, 10:40:10 AM
Every time you post an example I'm losing confidence in yet another tech from avast! more and more...
Have patience.Wait.I just notify Vlk about the situation.

And users should also just wait patiently to get infected... I know there are various configurations that may determine how program works, but to me, this looks like basic functionality of CC wasn't tested at all and the fact that there is no easy way of testing it from user side (not even detection, just if it even captures the binaries in scenarios where it should) makes it impossible for us to even help. And to be quite honest I'm not in the mood of setting up a VM, installing OS on it and fiddling with live malware. Besides, my sources only include sites like MDL which are signature or URL:Mal detected really fast anyway, making them obsolete for testing. The scope of detection was limited to downloaded files only and even that seems to be badly broken. Not cool. At all.
I am testing with various types of viruses and ransomwares even VT:0 files but not even look single time CC to appear only DS.I am also disappointed with the result.Not a single file was cought by CC/DS.(0/9).FYI:I send all files to Avast!.Stop testing by now.
Title: Re: CyberCapture
Post by: RejZoR on July 06, 2016, 11:10:18 AM
Like I've said, their idea of only dealing with specific scope of infection vector is backfiring on them. Sure it's "80% of all infections" and "the load of CC servers" thing, but in all honesty, it seems like implementation is entirely broken as it is at the moment...
Title: Re: CyberCapture
Post by: lukor on July 06, 2016, 01:40:35 PM
Hi guys, sorry for my silly question, but do you have CC enabled in the settings? And what about the community checkbox? And what about webshield?

All these things are currently required to trigger the CC flow (webshield to spot the download and mark it as being downloaded from a specific url)

Thanks. 
Title: Re: CyberCapture
Post by: Be Secure on July 06, 2016, 01:51:28 PM
Hi guys, sorry for my silly question, but do you have CC enabled in the settings? And what about the community checkbox? And what about webshield?

All these things are currently required to trigger the CC flow (webshield to spot the download and mark it as being downloaded from a specific url)

Thanks.
It is really a silly question. :P :o you ask for it??? Anything else?
Title: Re: CyberCapture
Post by: lukor on July 06, 2016, 02:01:18 PM
AWESOME! You are excellently configured!

Would you mind sending the avastsvc.log file, we can check there if the sample was ment to go into CC, but the process failed somewhere during launching it - or if the backend mistakenly decided the file is actually clean. In the meantime, we will also check the backend logs.
Title: Re: CyberCapture
Post by: Be Secure on July 06, 2016, 02:19:44 PM
It is too big for attach around 3.66Mb.How to send it? I prefer Avast FTP server.Can i send it through this?
Title: Re: CyberCapture
Post by: lukor on July 06, 2016, 02:45:56 PM
Sure, ftp server is great. It should also compress very effectively, so zipped version will definitely be much smaller. Thanks a lot, we are working on it.
Title: Re: CyberCapture
Post by: Be Secure on July 06, 2016, 02:51:14 PM
Sure, ftp server is great. It should also compress very effectively, so zipped version will definitely be much smaller. Thanks a lot, we are working on it.
I send 7zip file with file name AvastSvc by Be Secure Password i PMed you.@lukor :)
Reply me if you find it or not.Thanks. ;)
Title: Re: CyberCapture
Post by: lukor on July 06, 2016, 11:13:20 PM
Be Secure, we've checked the backends, according to their logs we don't see the file as being downloaded from web (there is not URL field in the logs).
Of course, this can be some kind of an error in the processing. Could you, please, specify how you've downloaded the file? Was that a direct download (click on the url), or some other mechanismus (e.g. some downloader). What make of the browser did you use to download the file? Thanks a lot,
Lukas.
Title: Re: CyberCapture
Post by: RejZoR on July 06, 2016, 11:23:39 PM
Ever thought limiting it to "downloads" only is a bad idea considering so many things can and does go wrong with it? Seeing how things just go past it makes me have basically no confidence in CyberCapture protecting me or people I recommend avast! to when it'll actually be needed...
Title: Re: CyberCapture
Post by: lukor on July 06, 2016, 11:32:55 PM
Thanks RejZoR for your comment. Seems rather in line with what you've been saying from the begining and on several places in this very thread. If I understand you correctly, you'd suggest to not limit CC to downloaded files only and expand the backends accordingly. Do you have any suggestions how to handle the case where the file it self requires dependencies to be run (such as .DLLs in the same folder) ? Would that be ok for you if CC will submit the whole folder - or would you consider that as a privacy issue?

Thanks.
Lukas.

BTW: Be Secure - I got the logs from you, thank you!
Title: Re: CyberCapture
Post by: Be Secure on July 07, 2016, 04:03:58 AM
Thanks RejZoR for your comment. Seems rather in line with what you've been saying from the begining and on several places in this very thread. If I understand you correctly, you'd suggest to not limit CC to downloaded files only and expand the backends accordingly. Do you have any suggestions how to handle the case where the file it self requires dependencies to be run (such as .DLLs in the same folder) ? Would that be ok for you if CC will submit the whole folder - or would you consider that as a privacy issue?

Thanks.
Lukas.

BTW: Be Secure - I got the logs from you, thank you!
Why would whole folder is needed?It makes things bad for users,only take susp files from(Web/USB/hdd/folders)and ask users do they want to submit it to cloud for analysis and then analyze it.It basically makes things clear to users.
Title: Re: CyberCapture
Post by: Be Secure on July 07, 2016, 04:31:53 AM
Be Secure, we've checked the backends, according to their logs we don't see the file as being downloaded from web (there is not URL field in the logs).
Of course, this can be some kind of an error in the processing. Could you, please, specify how you've downloaded the file? Was that a direct download (click on the url), or some other mechanismus (e.g. some downloader). What make of the browser did you use to download the file? Thanks a lot,
Lukas.
I used both direct download links and use IDM(Internet Download Manager),Google Chrome x64 stable version.
Title: Re: CyberCapture
Post by: TrueIndian on July 07, 2016, 07:06:23 AM
This feature is quite broken...lot of downloaded files are being missed...Is this bug something with download managers or browsers?


another report:
https://forum.avast.com/index.php?topic=187505.0
Title: Re: CyberCapture
Post by: RejZoR on July 07, 2016, 07:32:42 AM
Thanks RejZoR for your comment. Seems rather in line with what you've been saying from the begining and on several places in this very thread. If I understand you correctly, you'd suggest to not limit CC to downloaded files only and expand the backends accordingly. Do you have any suggestions how to handle the case where the file it self requires dependencies to be run (such as .DLLs in the same folder) ? Would that be ok for you if CC will submit the whole folder - or would you consider that as a privacy issue?

Thanks.
Lukas.

BTW: Be Secure - I got the logs from you, thank you!

Yeah, I think that way because of all the problems I've seen so far and because of the CyberCapture dependencies...
You have to have CyberCapture enabled, Web Shield installed (a lot of people leave just File System Shield) and the file has to arrive from a download. Just too many things that can go wrong along the way or be missing. Connecting CyberCapture to the File System Shield would make more sense.

As for DLL's, can avast determine DLL dependencies for EXE to run or would it just blindly upload all of them from that folder? If you limit the file collection to DLL's only, I think it should still be fine, but I don't think people would want their other data files to be uploaded. Besides, DLL's can often operate as injectors for legit apps which can be used by malware. So, that would be one of reasons why uploading them would make sense.

What I'm more worried with such extended scope of upload, people with limited bandwidth. I personally don't care as I have unmetered line, but not everyone has it like I do. Not sure how to make that functional without eating their whole monthly bandwidth...
Title: Re: CyberCapture
Post by: Be Secure on July 07, 2016, 07:56:52 AM
Thanks RejZoR for your comment. Seems rather in line with what you've been saying from the begining and on several places in this very thread. If I understand you correctly, you'd suggest to not limit CC to downloaded files only and expand the backends accordingly. Do you have any suggestions how to handle the case where the file it self requires dependencies to be run (such as .DLLs in the same folder) ? Would that be ok for you if CC will submit the whole folder - or would you consider that as a privacy issue?

Thanks.
Lukas.

BTW: Be Secure - I got the logs from you, thank you!

Yeah, I think that way because of all the problems I've seen so far and because of the CyberCapture dependencies...
You have to have CyberCapture enabled, Web Shield installed (a lot of people leave just File System Shield) and the file has to arrive from a download. Just too many things that can go wrong along the way or be missing. Connecting CyberCapture to the File System Shield would make more sense.

As for DLL's, can avast determine DLL dependencies for EXE to run or would it just blindly upload all of them from that folder? If you limit the file collection to DLL's only, I think it should still be fine, but I don't think people would want their other data files to be uploaded. Besides, DLL's can often operate as injectors for legit apps which can be used by malware. So, that would be one of reasons why uploading them would make sense.

What I'm more worried with such extended scope of upload, people with limited bandwidth. I personally don't care as I have unmetered line, but not everyone has it like I do. Not sure how to make that functional without eating their whole monthly bandwidth...
+1.Good point.@RejZoR :)
Title: Re: CyberCapture
Post by: Be Secure on July 07, 2016, 01:51:10 PM
Finally some good news!. :)wait for result.But file not lock at all,it still run. After long wait it say the file is clean but it is not. :(
Title: Re: CyberCapture
Post by: mchain on July 07, 2016, 08:08:33 PM
Finally some good news!. :)wait for result.But file not lock at all,it still run. After long wait it say the file is clean but it is not. :(
Otherwise known as a false negative.  With double file extension name such as this one, this should not be missed by any reputable a/v.  As RejZoR says, merging this new technology with File System Shield makes sense... as it should natively catch it.
Title: Re: CyberCapture
Post by: RejZoR on July 07, 2016, 09:45:43 PM
I'm surprised their internal classification system doesn't push files like this to a SUSPICIOUS group by default. I mean, .pdf.exe extension is a textbook scam method to convince users into running it thinking it's just a PDF file.
Title: Re: CyberCapture
Post by: pk on July 07, 2016, 11:19:04 PM
I'm surprised their internal classification system doesn't push files like this to a SUSPICIOUS group by default. I mean, .pdf.exe extension is a textbook scam method to convince users into running it thinking it's just a PDF file.
There is a rule for double extensions, these files were always analyzed by DeepScreen.

Quote
As for DLL's, can avast determine DLL dependencies for EXE to run or would it just blindly upload all of them from that folder?
It is not so easy -- a lot of DLLs can be loaded dynamically and it depends on many factors if it happens, or not. The first version of CC works on installer/packages downloaded from Internet (assume all DLLs components are in the installer). We will definitely improve it in future.
Title: Re: CyberCapture
Post by: RejZoR on July 08, 2016, 12:22:37 AM
How often are dual extensions intentional? Especially such specific ones? Only legit one I'm aware is .paf.exe used by Portable Apps. But PAF isn't any common format. So it's fine. But seeing .PDF.EXE, that has ALWAYS been malicious. Is there even a point of analysis, it's 99,99% certain it's malware.
Title: Re: CyberCapture
Post by: Be Secure on July 08, 2016, 04:13:30 AM
How often are dual extensions intentional? Especially such specific ones? Only legit one I'm aware is .paf.exe used by Portable Apps. But PAF isn't any common format. So it's fine. But seeing .PDF.EXE, that has ALWAYS been malicious. Is there even a point of analysis, it's 99,99% certain it's malware.
+1.https://www.virustotal.com/en/file/7f46fd0233344d45057a1401d9593889e39340d85163126c9730fcf74949137d/analysis/1467944091/ (https://www.virustotal.com/en/file/7f46fd0233344d45057a1401d9593889e39340d85163126c9730fcf74949137d/analysis/1467944091/)
Title: Re: CyberCapture
Post by: TrueIndian on July 08, 2016, 07:18:14 AM
Any news as to why that file was classified as safe?! That is 100% bad...something is definately wrong on the backend  :o

Any news avast! team?
Title: Re: CyberCapture
Post by: eric@bits1.com on July 09, 2016, 02:01:28 AM
4.Is the sandbox and cybercapture now one and the same?? If not what's the difference?? Analysis on users machine and analysis on cloud is the only difference.

Sandbox (DeepScreen) is a part of CyberCapture. We use it both locally (on the user's computer -- to filter out the most obvious malware) and also on the backend (in a controlled environment, with full NG support and much more time to play with it).

Sorry for dumb question but is NG removed from latest Avast ?  I know alot of performance and other issues.....one of the items/features/options I shy-ed away from.
Thus, maybe extension to the question above.....how does DeepScreen, Cybercapture & NG relate ?
Title: Re: CyberCapture
Post by: Asyn on July 09, 2016, 09:14:21 AM
Sorry for dumb question but is NG removed from latest Avast ?
Yes, it has been moved to the cloud.
Title: Re: CyberCapture
Post by: NON on July 09, 2016, 09:39:24 AM
Any news as to why that file was classified as safe?! That is 100% bad...something is definately wrong on the backend  :o
Do you expect 100% detection from CyberCapture? I don't think it happen or exist, 100% is just an illusion IMHO.
"Improved" detection rate at most is, still, a good advance.

Of course I expect CC to be improved, but now, let's wait and see.
Title: Re: CyberCapture
Post by: TrueIndian on July 10, 2016, 07:03:55 AM
Sorry but that malware is very wide spread and a feature like CC shouldn't miss it....Its very well known varient and backend shouldn't be missing well known malware varients like rejz said this dual extension thing has been around for years and it shouldnt be missed where all other vendors have some heuristic detection in place for such files avast! seems to have no protection from a well known varient... atleast if its not a 100* detection  ::)

I am not saying get 100% score but atleast don't miss the real bad ones.This feature is heavily broken right now.It's missing everything I have thrown at it...even my kitchen sink was missed  :o
Title: Re: CyberCapture
Post by: eric@bits1.com on July 10, 2016, 02:14:59 PM
BRAND NEW VERSION: 12.1.2272

I am happy to announce new version of AVAST Antivirus (build number 12.1.2272), called NITRO Update.
It's for these products: Free Antivirus, Pro Antivirus, Internet Security and Premier.
This update is focused on improving the performance and detection capabilities.
We also stopped using the year in product name, as we will be releasing new versions in monthly cycles from now.

I am really happy to see the progress at Avast in the direction of making their product fast & effective....and listening to the folks on this Forum.
It is exciting to see....I know some items like CC has some development to make but love the direction.
Been in this tech world 30+ years and funny things I spot that show the "attitude" of a company.
See the excerpt above.....no more CY in product name.....seems like small thing ? ......it's not, trust me.  :D
This means they are less focused on the "marketereers" in their company and more features/functions.
Wasn't that long ago the push was to release to call it "NEW 20xx" only to have it a bug ridden release and fixes took 6 months to finally make it usable.
Nice work Avast.....looking forward to the future !!!!
Title: Re: CyberCapture
Post by: RejZoR on July 10, 2016, 03:08:02 PM
Any news as to why that file was classified as safe?! That is 100% bad...something is definately wrong on the backend  :o
Do you expect 100% detection from CyberCapture? I don't think it happen or exist, 100% is just an illusion IMHO.
"Improved" detection rate at most is, still, a good advance.

Of course I expect CC to be improved, but now, let's wait and see.

So far its detection rate has been 0% because the malware isn't even being picked up by CC. And when it is, it gives it a clean pass when it's clearly not "clean". I've been critical at NG because I couldn't ever see any real results from it as an end user. Same applies to CyberCapture. I'm not going to blindly defend it while it's producing no results. Why would you do that? Why not just be realistic and admit it's not doing well at all at the moment? Because it sure ain't.
Title: Re: CyberCapture
Post by: Lisandro on July 10, 2016, 07:05:38 PM
Love the direction.
Been in this tech world 30+ years and funny things I spot that show the "attitude" of a company.
Well said :)
Title: Re: CyberCapture
Post by: Asyn on July 11, 2016, 09:18:45 AM
Hi guys,

out of interest, did anyone ever get a detection with CC..!?
If yes, a screenshot would be appreciated. Thanks.
Title: Re: CyberCapture
Post by: bob3160 on July 11, 2016, 02:10:47 PM
Hi guys,

out of interest, did anyone ever get a detection with CC..!?
If yes, a screenshot would be appreciated. Thanks.
https://forum.avast.com/index.php?topic=187679.msg1323559#msg1323559
Title: Re: CyberCapture
Post by: Asyn on July 11, 2016, 02:14:13 PM
Hi guys,

out of interest, did anyone ever get a detection with CC..!?
If yes, a screenshot would be appreciated. Thanks.
https://forum.avast.com/index.php?topic=187679.msg1323559#msg1323559
Hi Bob, sorry, if my request wasn't clear.
I meant an actual detection, not an "everything is ok" message.
Title: Re: CyberCapture
Post by: NON on July 11, 2016, 03:05:37 PM
Any news as to why that file was classified as safe?! That is 100% bad...something is definately wrong on the backend  :o
Do you expect 100% detection from CyberCapture? I don't think it happen or exist, 100% is just an illusion IMHO.
"Improved" detection rate at most is, still, a good advance.

Of course I expect CC to be improved, but now, let's wait and see.

So far its detection rate has been 0% because the malware isn't even being picked up by CC. And when it is, it gives it a clean pass when it's clearly not "clean". I've been critical at NG because I couldn't ever see any real results from it as an end user. Same applies to CyberCapture. I'm not going to blindly defend it while it's producing no results. Why would you do that? Why not just be realistic and admit it's not doing well at all at the moment? Because it sure ain't.

Well, I think you tend to want a result too quickly.
If CC checks 100 malwares and fails for all, then, I also consider CC is a fail and needs some improve.
But if one of them get caught by CC, then, it certainly has some effects to improve avast detection, even though I expect more than 1/100.

And I consider "isn't picked up by CC" is another issue.
It does not measure the ability of CC, it just fails at its frontend. This means frontend seems to have some bugs and need to be fixed (or extended to other vectors), and after that we can finally see the results from CC.
I'm waiting for this fixes / extensions, decision will be made after that for me.
Title: Re: CyberCapture
Post by: DavidR on July 11, 2016, 03:29:48 PM
We don't know just how many files have been uploaded for analysis by CC and of those were considered malicious and or clean/suspect.

Now in early testing those considered clean may need to be manually analysed, to see that it hasn't got passed CC and if so, fine tuning of CC would be required.

One thing for sure is that these figures would at the very least be commercially sensitive so I can't see them being released publicly.

The only thing might be if we start to see some changes/improvements in the various AV test results. Can it be attributable to CC or even if said AV tests are even going to be able to have the CC functionality and can they wait to get results back if files are uploaded.
Title: Re: CyberCapture
Post by: RejZoR on July 11, 2016, 03:30:21 PM
Yeah, well, what good is a heavy fortified 1m thick wall to prevent invaders if it's not going all the way around? Mean stuff will just go around it. Again, as an end user, do you think I care if it's "just an issue with frontend"? This is giving false hope or expectations.

Imagine car manufacturer stating the car you just bought has 20 airbags. But would you feel safe knowing there is a 95% chance none of them would go off when you'd need them to? That's how CC feels like at the moment. We know it's awesome tech and all, but will it really protect me when it'll be needed? I very much doubt that to be quite frank...
Title: Re: CyberCapture
Post by: Alikhan on July 11, 2016, 07:10:18 PM
And I consider "isn't picked up by CC" is another issue.
It does not measure the ability of CC, it just fails at its frontend. This means frontend seems to have some bugs and need to be fixed (or extended to other vectors), and after that we can finally see the results from CC.
I'm waiting for this fixes / extensions, decision will be made after that for me.

+1.

I still think there are some bugs which stop CC from coming into action.

Once this is resolved, we will be able to get a picture of its detection rates.
Title: Re: CyberCapture
Post by: Be Secure on July 12, 2016, 01:15:17 PM
And I consider "isn't picked up by CC" is another issue.
It does not measure the ability of CC, it just fails at its frontend. This means frontend seems to have some bugs and need to be fixed (or extended to other vectors), and after that we can finally see the results from CC.
I'm waiting for this fixes / extensions, decision will be made after that for me.

+1.

I still think there are some bugs which stop CC from coming into action.

Once this is resolved, we will be able to get a picture of its detection rates.
Right.It has BUGS and not well tested before pushing the update. :)
Title: Re: CyberCapture
Post by: eric@bits1.com on July 12, 2016, 02:01:03 PM
With CC being "Malware" detection can you still use/compatible MBAM Pro & MBAE also running ?
Obviously, MBAM Pro / MBAE work great with prior versions of Avast for A/V.

Thx !
Title: Re: CyberCapture
Post by: bob3160 on July 12, 2016, 02:09:00 PM
With CC being "Malware" detection can you still use/compatible MBAM Pro & MBAE also running ?
Obviously, MBAM Pro / MBAE work great with prior versions of Avast for A/V.

Thx !
MBAM and MBEA have already proven that they work. CC has yest to prove itself.
I personally don't plan on making any changes with what's running to keep me safe.
Title: Re: CyberCapture
Post by: Be Secure on July 14, 2016, 09:22:19 AM
Any news on CC? :(
Title: Re: CyberCapture
Post by: bob3160 on July 14, 2016, 12:46:05 PM
Any news on CC? :(
I'm sure that if there were, it would have been posted. :)
Title: Re: CyberCapture
Post by: RejZoR on July 16, 2016, 12:12:06 AM
@Vlk , has CyberCapture policy changed recently? It just locked Crystal Security main EXE which was already installed and active when I've installed avast!. It picked up the Crystal Security EXE on system reboot. Waiting for verdict, but I found it interesting since it wasn't a download, it was EXE already on disk.
Title: Re: CyberCapture
Post by: Be Secure on July 16, 2016, 04:34:34 AM
@Vlk , has CyberCapture policy changed recently? It just locked Crystal Security main EXE which was already installed and active when I've installed avast!. It picked up the Crystal Security EXE on system reboot. Waiting for verdict, but I found it interesting since it wasn't a download, it was EXE already on disk.
It is a FP.
Title: Re: CyberCapture
Post by: RejZoR on July 16, 2016, 08:40:03 AM
It's not a FP. The verdict came clean afterwards by CC. What surprised me is that it was even processed by CyberCapture considering it was a local file and not a download from web!
Title: Re: CyberCapture
Post by: Asyn on July 16, 2016, 08:51:09 AM
What surprised me is that it was even processed by CyberCapture considering it was a local file and not a download from web!
Hmmm, interesting, let's hope we get some input from the devs here soon.
Title: Re: CyberCapture
Post by: RejZoR on July 17, 2016, 08:10:01 PM
I hate this damn radio silence from avast! team...
Title: Re: CyberCapture
Post by: bob3160 on July 17, 2016, 08:12:06 PM
I hate this damn radio silence from avast! team...
I'll feel the same way if no reply by tomorrow. I consider this a holiday since it's Sunday. :)
Title: Re: CyberCapture
Post by: RejZoR on July 17, 2016, 08:16:16 PM
There was no reply to anything for days, not just during Sundays...
Title: Re: CyberCapture
Post by: bob3160 on July 17, 2016, 10:10:15 PM
There was no reply to anything for days, not just during Sundays...
Trying to be kind. :)
Title: Re: CyberCapture
Post by: Milos on July 18, 2016, 02:15:04 PM
@Vlk , has CyberCapture policy changed recently? It just locked Crystal Security main EXE which was already installed and active when I've installed avast!. It picked up the Crystal Security EXE on system reboot. Waiting for verdict, but I found it interesting since it wasn't a download, it was EXE already on disk.
Hello RejZoR,
can you post sha256 of the file so we can find more info on our backends?

Thanks,
Milos
Title: Re: CyberCapture
Post by: RejZoR on July 18, 2016, 03:18:21 PM
SHA-256:
10161446bd995d4ff6dcf5cf0b693dcab8b7e795d4805f7544be911de30b6d5b

Crystal Security.exe
Title: Re: CyberCapture
Post by: Milos on July 18, 2016, 05:36:32 PM
Hello RejZoR,
we see that there is a http source: hxtp://www.crystalsecurity.eu/updates/crystal_security._xe and from the date we saw this sha256 for the first time, it looks that your file was updated recently.

Milos
Title: Re: CyberCapture
Post by: RejZoR on July 18, 2016, 06:31:06 PM
It's possible I've re-downloaded a modified EXE to generate the has. But at the time I've got CyberCapture dialog, it was a 100% local file, because it was already on the disk when I installed avast!. Meaning avast! could only see it as local file.

Do you have any ability to search based on file name?
Title: Re: CyberCapture
Post by: Milos on July 19, 2016, 09:31:04 AM
Yes, we have ability to search by file name.

Milos
Title: Re: CyberCapture
Post by: RejZoR on July 19, 2016, 09:41:40 AM
I just find it strange that it was originally said as CyberCapture only processing files obtained from web. Which means the program has to detect its origin somehow (with Web Shield).

However, in my case, the file was local from start.

1. Windows Defender (No AV).
2. Installed "Crystal Security"
3. Installed avast!
4. avast! detected Cyber Security main EXE on next system reboot and processed it via CyberCapture. The verdict CLEAN arrived next morning as this was "locked" by CC in the evening.

Considering avast! was introduced to the system AFTER Crystal Security has already been installed, this means CyberCapture is now also processing local files, there was no other way for it to detect that EXE as "downloaded from web". That's what I'm wondering really. You guys always said it doesn't process local files, just downloads. Has that changed recently and no one mentioned it?
Title: Re: CyberCapture
Post by: Milos on July 19, 2016, 09:48:52 AM
I think that the steps could be:

1. Windows Defender (No AV).
2. Installed "Crystal Security"
3. Installed avast!
4. "Crystal Security" updated itself (info about download from web was added "hxtp://www.crystalsecurity.eu/updates/crystal_security._xe")
5. avast! detected "Crystal Security" main EXE on next system reboot (is "Crystal Security" scheduled to run after boot?) and processed it via CyberCapture.

Milos
Title: Re: CyberCapture
Post by: RejZoR on July 19, 2016, 09:57:02 AM
Why would it download a new "update" for something that is already a latest version downloaded 5 minutes ago? Also, I'm pretty sure Crystal Security would notify me about it. I just find it a bit strange, although preferred. I'd love to see avast! treat all new unknown files as something worth being processed by CyberCapture, not just downloads.
Title: Re: CyberCapture
Post by: Milos on July 19, 2016, 10:23:19 AM
Yes, it's planned to process all new undetected files by CC. But now we need to verify results made by CC and tweak it for the best results before we process there more files.

Milos
Title: Re: CyberCapture
Post by: eric@bits1.com on July 19, 2016, 03:40:36 PM
With CC being "Malware" detection can you still use/compatible MBAM Pro & MBAE also running ?
Obviously, MBAM Pro / MBAE work great with prior versions of Avast for A/V.

Thx !
MBAM and MBEA have already proven that they work. CC has yest to prove itself.
I personally don't plan on making any changes with what's running to keep me safe.

....I agree with you on not taking anything away...........but....
.....sorry...I wasn't clear in my question.
Can you have MBAM Pro & MBAE running active while CC is checked/on within Avast ?
....ie, is there any conflicts with CC & MBAM Pro/MBAE ?
Title: Re: CyberCapture
Post by: bob3160 on July 19, 2016, 04:57:37 PM
With CC being "Malware" detection can you still use/compatible MBAM Pro & MBAE also running ?
Obviously, MBAM Pro / MBAE work great with prior versions of Avast for A/V.

Thx !
MBAM and MBEA have already proven that they work. CC has yest to prove itself.
I personally don't plan on making any changes with what's running to keep me safe.
I don't follow your logic. Avast checks on CC to see if it's outdated. It doesn't run it's cleanup program.
....I agree with you on not taking anything away...........but....
.....sorry...I wasn't clear in my question.
Can you have MBAM Pro & MBAE running active while CC is checked/on within Avast ?
....ie, is there any conflicts with CC & MBAM Pro/MBAE ?
Title: Re: CyberCapture
Post by: eric@bits1.com on July 19, 2016, 06:18:05 PM
With CC being "Malware" detection can you still use/compatible MBAM Pro & MBAE also running ?
Obviously, MBAM Pro / MBAE work great with prior versions of Avast for A/V.

Thx !
MBAM and MBEA have already proven that they work. CC has yest to prove itself.
I personally don't plan on making any changes with what's running to keep me safe.
I don't follow your logic. Avast checks on CC to see if it's outdated. It doesn't run it's cleanup program.
....I agree with you on not taking anything away...........but....
.....sorry...I wasn't clear in my question.
Can you have MBAM Pro & MBAE running active while CC is checked/on within Avast ?
....ie, is there any conflicts with CC & MBAM Pro/MBAE ?

I'm lost..........sorry.

I have latest Avast installed which has CC "checked" / enabled.
I also have MBAM Pro running....."active protection" ON
I also have MBAE running....."active protection" ON.
What I am asking is does CyberCapture (CC) conflict any way with the MalwareBytes "active" protection ?
....or do I need to disable CC now until it matures and then decide to remove MBAM/MBAE ?
Title: Re: CyberCapture
Post by: DavidR on July 19, 2016, 06:42:41 PM
@ thekochs
I think it would be hard for anyone to give you a definitive answer, given that we users know so little about CyberCapture.
Title: Re: CyberCapture
Post by: bob3160 on July 19, 2016, 06:59:40 PM
Sorry, thought you were talking about Ccleaner not Cyber Capture. :)
Too many initials that can be takes for other things.
Title: Re: CyberCapture
Post by: eric@bits1.com on July 20, 2016, 05:06:04 AM
Sorry, thought you were talking about Ccleaner not Cyber Capture. :)
Too many initials that can be takes for other things.

That it too funny.....   ;D
When reading this thread and seeing "CC" I kept thinking CCleaner too and would have to remind myself we are talking CyberCapture.
OK.....so since so many of us are CCleaner uses may we call CyberCapture "CCap" going forward ?  ;)
Title: Re: CyberCapture
Post by: eric@bits1.com on July 20, 2016, 05:09:18 AM
@ thekochs
I think it would be hard for anyone to give you a definitive answer, given that we users know so little about CyberCapture.

I figured that but was hoping the "way" C-Cap works and how MBAM Pro works, that the Avast folks would chime in.
I know there is gray area here but I'm guessing that it would not be good for a conflict to happen.
Take me for example, since I don't know "if" there is a conflict, and as @bob3160 perfectly explains.....not going to get rid of something that works for something unknown....then I have no choice but to disable this feature in Avast.  Problem is would think Avast would want folks using it to build their backend, etc.
Anyway, maybe Avast folks will chime in.
Title: Re: CyberCapture
Post by: Be Secure on July 22, 2016, 06:39:10 PM
I download a file it is a 100% virus and CC catch it when try to open it manually,wait for result. ;)
Title: Re: CyberCapture
Post by: Lisandro on July 22, 2016, 08:12:57 PM
Thanks Be Secure.
Maybe posting a virustotal report will help us guess  ;)
Title: Re: CyberCapture
Post by: Asyn on July 22, 2016, 08:29:57 PM
Maybe posting a virustotal report will help us guess  ;)
Agreed, the name alone won't help.
Title: Re: CyberCapture
Post by: DavidR on July 22, 2016, 08:50:32 PM
Maybe posting a virustotal report will help us guess  ;)
Agreed, the name alone won't help.

Only doing a search on virus total for the sha2 hash might reveal something.

But given the context of it being a unique # hash number for it to be uploaded for CyberCapture scanning I just wonder if anyone else might pick it up with a conventional on-demand scan (that virus total does).
Title: Re: CyberCapture
Post by: Be Secure on July 23, 2016, 03:18:20 AM
Here is the good news guys. 8)
Ok.V.T Link:https://virustotal.com/en/file/a66534468d6473724ffee36d6fe3187bf4c23470a04ab7a6f6252e16673b5b1b/analysis/1469237085/ (https://virustotal.com/en/file/a66534468d6473724ffee36d6fe3187bf4c23470a04ab7a6f6252e16673b5b1b/analysis/1469237085/)

But need more improvement on CC on Detection and timeing.It get about 2 hours to view the result.It is too much for anyone.
Title: Re: CyberCapture
Post by: Asyn on July 23, 2016, 05:51:10 AM
Here is the good news guys. 8)
Nice, thanks for the screenshot. :)
Title: Re: CyberCapture
Post by: Be Secure on July 23, 2016, 06:04:09 AM
Here is the good news guys. 8)
Nice, thanks for the screenshot. :)
No problem. ;)
Title: Re: CyberCapture
Post by: TrueIndian on July 23, 2016, 08:44:36 AM
cool words used by avast! there....I will be very happy if they turn out to be that good as those cool words sound.  :)

I wish they can get better with time.  :)

Hope this feature expands to cover other areas.
Title: Re: CyberCapture
Post by: RejZoR on July 23, 2016, 10:57:58 AM
Here is the good news guys. 8)
Ok.V.T Link:https://virustotal.com/en/file/a66534468d6473724ffee36d6fe3187bf4c23470a04ab7a6f6252e16673b5b1b/analysis/1469237085/ (https://virustotal.com/en/file/a66534468d6473724ffee36d6fe3187bf4c23470a04ab7a6f6252e16673b5b1b/analysis/1469237085/)

But need more improvement on CC on Detection and timeing.It get about 2 hours to view the result.It is too much for anyone.

I'd like to see more of this. I also wonder if they have done anything on Dyna-gen we talked about months and years ago. Now they have the analysis system under their full control, one would expect faster evolving of protection rules within CyberCapture. I'm talking weekly or even daily adaptations of the detection rules opposed to updates every few months. I mean, they get tons of data feed into their systems, surely it could become more accurate and aggressive with every sample received!
Title: Re: CyberCapture
Post by: Staticguy on July 23, 2016, 11:21:09 AM
Thought might want to share this video with all of you  :)

https://www.youtube.com/watch?v=AeSspEMIneM
Title: Re: CyberCapture
Post by: Lisandro on July 23, 2016, 02:18:01 PM
I mean, they get tons of data feed into their systems, surely it could become more accurate and aggressive with every sample received!
Fully agree. It will be good to see results being published.
Title: Re: CyberCapture
Post by: NON on July 23, 2016, 03:48:10 PM
Here is the good news guys. 8)
Ok.V.T Link:https://virustotal.com/en/file/a66534468d6473724ffee36d6fe3187bf4c23470a04ab7a6f6252e16673b5b1b/analysis/1469237085/ (https://virustotal.com/en/file/a66534468d6473724ffee36d6fe3187bf4c23470a04ab7a6f6252e16673b5b1b/analysis/1469237085/)

Nice, publicized first catch of the CyberCapture. 8)
Title: Re: CyberCapture
Post by: eric@bits1.com on July 23, 2016, 04:56:37 PM
But need more improvement on CC on Detection and timing.It get about 2 hours to view the result.It is too much for anyone.

Agreed.....but think Avast folks will think it is worth user time.....but as we know people are impatient.
I really am glad to see Avast has moved/removed NG and put CC in the cloud.....very correct strategy.
With this I can imagine growing pains.

On the "time" issue I would suggest.....having no idea how CC works.....that maybe there is some initial test/database for false positive that gives immediate feedback.
Some communication helps patience.........example.........CC says....
"Quarantined....submitting sample"......then in less than minute
"Item has passed initial test and safe"....or "Item has failed initial test and is being sent to deep analysis....this will take time.....item will remain Quarantined".
Then if user ignores and tries to re-run then CC checks if process is already going for that file and notifies them of this and warns them of proceeding.
During all this perhaps a icon in System Tray that "spins" (maybe a orange Avast globe with CC in it) that when you mouse over gives you percent done....which is estimate coming back from cloud.
Kind of like combo of current Avast icon plus battery icon that tells percent / time.
Anyway, as Avast works the backend to improve and catch more types of items I think the front end UI needs to be thought about more.
....just my two cents.
Title: Re: CyberCapture
Post by: Lisandro on July 23, 2016, 06:27:42 PM
Here is the good news guys. 8)
Ok.V.T Link:https://virustotal.com/en/file/a66534468d6473724ffee36d6fe3187bf4c23470a04ab7a6f6252e16673b5b1b/analysis/1469237085/ (https://virustotal.com/en/file/a66534468d6473724ffee36d6fe3187bf4c23470a04ab7a6f6252e16673b5b1b/analysis/1469237085/)

Nice, publicized first catch of the CyberCapture. 8)
Hmmm... Can't see Avast detecting anything... On contrary, a lot of other antivirus are catching it... Is this the correct link?
Title: Re: CyberCapture
Post by: Asyn on July 23, 2016, 06:49:31 PM
Here is the good news guys. 8)
Ok.V.T Link:https://virustotal.com/en/file/a66534468d6473724ffee36d6fe3187bf4c23470a04ab7a6f6252e16673b5b1b/analysis/1469237085/ (https://virustotal.com/en/file/a66534468d6473724ffee36d6fe3187bf4c23470a04ab7a6f6252e16673b5b1b/analysis/1469237085/)
Nice, publicized first catch of the CyberCapture. 8)
Hmmm... Can't see Avast detecting anything... On contrary, a lot of other antivirus are catching it... Is this the correct link?
Check the screenshot in reply #163. ;)
Title: Re: CyberCapture
Post by: DavidR on July 23, 2016, 07:22:55 PM
Here is the good news guys. 8)
Ok.V.T Link:https://virustotal.com/en/file/a66534468d6473724ffee36d6fe3187bf4c23470a04ab7a6f6252e16673b5b1b/analysis/1469237085/ (https://virustotal.com/en/file/a66534468d6473724ffee36d6fe3187bf4c23470a04ab7a6f6252e16673b5b1b/analysis/1469237085/)

Nice, publicized first catch of the CyberCapture. 8)
Hmmm... Can't see Avast detecting anything... On contrary, a lot of other antivirus are catching it... Is this the correct link?

I thing the point of this is that in VT avast doesn't detect it, but that CyberCapture did.
Title: Re: CyberCapture
Post by: Lisandro on July 24, 2016, 02:45:28 AM
Oh, I see. Sorry me.  :-[
But, anyway, is that malware that new? A lot of other AV are caching it  ::)
Title: Re: CyberCapture
Post by: Be Secure on July 24, 2016, 02:54:47 AM
Oh, I see. Sorry me.  :-[
But, anyway, is that malware that new? A lot of other AV are caching it  ::)
Yes.First submission 2016-07-22 14:33:37 UTC ( 1 day, 10 hours ago )
Title: Re: CyberCapture
Post by: DavidR on July 24, 2016, 03:24:00 PM
Oh, I see. Sorry me.  :-[
But, anyway, is that malware that new? A lot of other AV are caching it  ::)

That doesn't matter so much, if avast had never seen that sha2 # before, then it would be checked by the CyberCapture. Regardless of how many other AVs had seen it and had it in their detections.
Title: Re: CyberCapture
Post by: Lisandro on July 24, 2016, 07:26:57 PM
That doesn't matter so much.
I disagree.
Title: Re: CyberCapture
Post by: bob3160 on July 24, 2016, 07:28:36 PM
That doesn't matter so much.
I disagree.
Why ??? ??? ???
Title: Re: CyberCapture
Post by: Lisandro on July 24, 2016, 07:30:08 PM
That doesn't matter so much.
I disagree.
Why ??? ??? ???
Won't worth posting if every post of mine is contradicted. I will just say it's my personal opinion based in the CC technology.
Title: Re: CyberCapture
Post by: RejZoR on July 24, 2016, 09:11:24 PM
Lets be honest, it's because you're being too defensive because you're "avast team". Users don't care about buzzwords and fancy promises. They want results. It's that simple.

When avast! will detect pretty much every malware you throw at it, then I'll be defensive, but until that happens, sorry. No.
Title: Re: CyberCapture
Post by: DavidR on July 24, 2016, 09:34:01 PM
That doesn't matter so much.
I disagree.

Well I suggest you read my complete post and not quote in part, as it is completely out of context. The fact that avast hasn't seen it before doesn't mean other AVs haven't seen it and added it to their virus databases. Hence the results in the VT link.

What I have said is true and explains why avast, CC scan picked it up "it hadn't seen it before."
Title: Re: CyberCapture
Post by: Lisandro on July 25, 2016, 02:59:04 AM
1. I quote in parts because I do not agree in that part.
2. I'm not in Avast defense. I was answering (and questioning) technically. If CC technology is also called zero-second detection, how tons of other AV that supposedly do not have this technology already detect that sample? And this is the meaning of my posted phrase there. In the answer, seems I'm a stupid or non-technical minded.
3. The only fact you're on defensive and questioning, does not mean we're (other Avast users and team) are biased.
Title: Re: CyberCapture
Post by: Be Secure on July 25, 2016, 10:05:33 AM
Lets be honest, it's because you're being too defensive because you're "avast team". Users don't care about buzzwords and fancy promises. They want results. It's that simple.

When avast! will detect pretty much every malware you throw at it, then I'll be defensive, but until that happens, sorry. No.
+100.
Title: Re: CyberCapture
Post by: Lisandro on July 25, 2016, 01:01:32 PM
Users don't care about buzzwords and fancy promises. They want results. It's that simple.

When avast! will detect pretty much every malware you throw at it.
+100.
+1000.
Title: Re: CyberCapture
Post by: Be Secure on July 25, 2016, 02:27:25 PM
Avast! team should change the blog post name:CyberCapture: Protection against zero-second attacks
CyberCapture is not detects zero-second attacks and give realtime results for now,it is missed some well known malwares.
Title: Re: CyberCapture
Post by: DavidR on July 25, 2016, 04:26:28 PM
1. I quote in parts because I do not agree in that part.
2. I'm not in Avast defense. I was answering (and questioning) technically. If CC technology is also called zero-second detection, how tons of other AV that supposedly do not have this technology already detect that sample? And this is the meaning of my posted phrase there. In the answer, seems I'm a stupid or non-technical minded.
3. The only fact you're on defensive and questioning, does not mean we're (other Avast users and team) are biased.

1. well you only quoted part of a sentence, in isolation it is meaningless as the explanation is to do with why you see avast not detecting on VT, but that avast CC has detected it.

2. If you read my reply in the context of what I quoted from your post it should be obvious that I'm not defending or attacking anyone. Just trying to explain how this situation might occur.

3. As I said it isn't a defence of anything other than an explanation of others are detecting something avast doesn't. The fact being that the avast CC did detect it, something which can't be tested live on VT. Only after subsequent CC detections would avast possibly include a signature for that malware, then and only then would you see a detection on VT.

EDIT: Typo.
Title: Re: CyberCapture
Post by: Be Secure on July 29, 2016, 08:01:02 AM
Can Anyone explain the new settings for CyberCapture? ???
Title: Re: CyberCapture
Post by: RejZoR on July 29, 2016, 12:05:58 PM
Asked twice and never got an answer. Communication with avast! team is really bad these last few months...
Title: Re: CyberCapture
Post by: Be Secure on July 29, 2016, 02:36:59 PM
HEY Avast! team here is a feedback from Malwaretips:https://malwaretips.com/threads/avast-12-2-2276.61789/#post-527625 (https://malwaretips.com/threads/avast-12-2-2276.61789/#post-527625) The Always block suspicious files from Cyber Capture doesn't work that well.

This is a small feedback after testing a few hours in Windows 7 (64Bit) using VirtualBox on Ubuntu 16.04.1 LTS (64Bit)
Title: Re: CyberCapture
Post by: lukor on July 29, 2016, 02:37:04 PM
Hello guys,
We have made a small change in the Cyber Capture flow. On the first Cyber Capture dialog, that informs the user about the fact, that the file is rare and need to be analyzed on the backend, we have removed the "Run anyway" button. We've received some complains from users and testers, that this is too dangerous, and in case it really is a virus may be a security risk for the user.

In the current version, the original "Run anyway" button is replaced with the "I trust this file" link, which still keeps the file inside Cyber Capture analysis, and also sends this users opinion back to our servers. It may be then taken into the account and make the analysis faster.

While be believe, this new workflow is more secure, we do understand that many of you are power users and want to be in charge. For this purpose we have added the new option into settings - it controls whether the "Run anyway" option is available or not.

Some of you have also suggested the file to be executed in Sandbox only - we are still working with this idea. I quite like it, but it has some technical issues as well - what should we do when the downloaded file is an installer, the installation may fail, or appear to succeed but things will not work as expected -- e.g. no integration with the system will ever be visible. This seems to be somewhat challenging when presented to less advanced users, but we are still working with this idea.

Hope this helps. Lukas.

Title: Re: CyberCapture
Post by: lukor on July 29, 2016, 02:43:26 PM
Asked twice and never got an answer. Communication with avast! team is really bad these last few months...

RejZor, and sorry for not replying earlier, you've posted your first question in the middle of the night (11.26PM - 13.7 hrs ago), I was still awake and we had a chat about that with Petr Chytil, but my wife really hates when I type in bed, so I left the reply till the day light. Your other inquiry about that was 2.18 hrs ago, while I understand it is already some time, it took me a more than 10 minutes to type the reply - so in general I guess we could count that as bellow 2 hrs. Is that really that horrible?

Lukas.
Title: Re: CyberCapture
Post by: Rednose on July 29, 2016, 02:48:09 PM
but my wife really hates when I type in bed

LOL ;D ;D ;D

Greetz, Red.
Title: Re: CyberCapture
Post by: Be Secure on July 29, 2016, 02:51:19 PM
So Clarify this one "Allow me to run Susp files" the paid users are using it in Sandbox but what about free users?
you say that "we are still working with this idea."Pls keep free users also in mind.They don't have Sandbox.Have a great day.
Title: Re: CyberCapture
Post by: Gopher John on July 29, 2016, 02:52:21 PM
Peace at home makes it easier to concentrate on what's necessary at work. ;)
Title: Re: CyberCapture
Post by: lukor on July 29, 2016, 03:00:03 PM
So Clarify this one "Allow me to run Susp files" the paid users are using it in Sandbox but what about free users?
you say that "we are still working with this idea."Pls keep free users also in mind.They don't have Sandbox.Have a great day.

Sorry, thats not correct. "Allow me to run Suspicious files" brings you back the "run anyway" option and the file is run without sandbox when you enable that in settings and click on that in the CyberCapture dialog. We might change it to "run anyway inside Sandbox" in the future - but this is not yet decided and ready.
Title: Re: CyberCapture
Post by: Be Secure on July 29, 2016, 03:05:14 PM
So Clarify this one "Allow me to run Susp files" the paid users are using it in Sandbox but what about free users?
you say that "we are still working with this idea."Pls keep free users also in mind.They don't have Sandbox.Have a great day.

Sorry, thats not correct. "Allow me to run Suspicious files" brings you back the "run anyway" option and the file is run without sandbox when you enable that in settings and click on that in the CyberCapture dialog. We might change it to "run anyway inside Sandbox" in the future - but this is not yet decided and ready.
Thanks.It would be nice if Help(i) is include in next version for both.It makes more clear.
Title: Re: CyberCapture
Post by: bob3160 on July 29, 2016, 03:09:33 PM
So Clarify this one "Allow me to run Susp files" the paid users are using it in Sandbox but what about free users?
you say that "we are still working with this idea."Pls keep free users also in mind.They don't have Sandbox.Have a great day.

Sorry, thats not correct. "Allow me to run Suspicious files" brings you back the "run anyway" option and the file is run without sandbox when you enable that in settings and click on that in the CyberCapture dialog. We might change it to "run anyway inside Sandbox" in the future - but this is not yet decided and ready.
Why isn't there an option like "Allow me to decide" which would happen after a warning comes up ???
Right now it looks like either "block and scan" or "bypass altogether" are the only two options.
Title: Re: CyberCapture
Post by: Be Secure on July 29, 2016, 03:11:56 PM
So Clarify this one "Allow me to run Susp files" the paid users are using it in Sandbox but what about free users?
you say that "we are still working with this idea."Pls keep free users also in mind.They don't have Sandbox.Have a great day.

Sorry, thats not correct. "Allow me to run Suspicious files" brings you back the "run anyway" option and the file is run without sandbox when you enable that in settings and click on that in the CyberCapture dialog. We might change it to "run anyway inside Sandbox" in the future - but this is not yet decided and ready.
Why isn't there an option like "Allow me to decide" which would happen after a warning comes up ???
+1 :)
Title: Re: CyberCapture
Post by: lukor on July 29, 2016, 03:17:14 PM
Why isn't there an option like "Allow me to decide" which would happen after a warning comes up ???
Right now it looks like either "block and scan" or "bypass altogether" are the only two options.

Hmm, I like that - this seems like a better text into the settings dialog.
Title: Re: CyberCapture
Post by: bob3160 on July 29, 2016, 03:20:02 PM
Why isn't there an option like "Allow me to decide" which would happen after a warning comes up ???
Right now it looks like either "block and scan" or "bypass altogether" are the only two options.

Hmm, I like that - this seems like a better text into the settings dialog.
Me too. :)
Title: Re: CyberCapture
Post by: Lisandro on July 29, 2016, 07:59:54 PM
It would be nice if Help(i) is include in next version for both.It makes more clear.
I fully agree with this.
Title: Re: CyberCapture
Post by: RejZoR on July 30, 2016, 09:19:06 PM
Hello guys,
We have made a small change in the Cyber Capture flow. On the first Cyber Capture dialog, that informs the user about the fact, that the file is rare and need to be analyzed on the backend, we have removed the "Run anyway" button. We've received some complains from users and testers, that this is too dangerous, and in case it really is a virus may be a security risk for the user.

In the current version, the original "Run anyway" button is replaced with the "I trust this file" link, which still keeps the file inside Cyber Capture analysis, and also sends this users opinion back to our servers. It may be then taken into the account and make the analysis faster.

While be believe, this new workflow is more secure, we do understand that many of you are power users and want to be in charge. For this purpose we have added the new option into settings - it controls whether the "Run anyway" option is available or not.

Some of you have also suggested the file to be executed in Sandbox only - we are still working with this idea. I quite like it, but it has some technical issues as well - what should we do when the downloaded file is an installer, the installation may fail, or appear to succeed but things will not work as expected -- e.g. no integration with the system will ever be visible. This seems to be somewhat challenging when presented to less advanced users, but we are still working with this idea.

Hope this helps. Lukas.

So, if I understand this right, you now strictly have to wait for the CyberCapture verdict? You can only give sort of an opinion on it if you click the "I trust this file".

Oh, now I get it. Default CC setup is now block until verdict is received without "Run anyway" option. But you can switch it back to original design if you enable that under CC settings. Got it.

What is the average time for CC file analysis? Would be nice if user could see an average analysis time in CC dialog, so you know when to roughly expect the verdict. It's a bit annoying not knowing whether it'll take 5 minutes, half an hour, 1 hour or 3 hours.
Title: Re: CyberCapture
Post by: Lisandro on July 30, 2016, 11:24:01 PM
What is the average time for CC file analysis? Would be nice if user could see an average analysis time in CC dialog, so you know when to roughly expect the verdict. It's a bit annoying not knowing whether it'll take 5 minutes, half an hour, 1 hour or 3 hours.
I agree. The most info (regarding it is approximate) will be useful.
Also, maybe, an info when the verdict come back, not only "releasing" the file in silent.
Title: Re: CyberCapture
Post by: RejZoR on July 30, 2016, 11:36:50 PM
Actually, you do get a popup that file scanned by CyberCapture was clean (or bad). It's no silent, user gets notified about it.
Title: Re: CyberCapture
Post by: Lisandro on July 31, 2016, 12:59:28 AM
Actually, you do get a popup that file scanned by CyberCapture was clean (or bad). It's no silent, user gets notified about it.
Thanks. Didn't know that.
Title: Re: CyberCapture
Post by: jefferson sant on August 02, 2016, 01:51:56 AM
I receive emails with attachments jar files, avast has not detected but submitted to virus lab through the vĂ­rus chest and detections were created the other day.Maybe this could be included in a future release.
another question I performed executed directly from USB, of course now Cyber Capture reports that this file is clean.Does avast wrong or seem to be a too many false positive.
The sample is old

https://www.virustotal.com/en/file/e30b0337bdc36bdebe568c948ef65815c9489a0db4811cf2670fe080efbc746e/analysis/1470093915/
Title: Re: CyberCapture
Post by: Milos on August 02, 2016, 09:54:04 AM
Hello jefferson sant,
the file looks to be clean -- some intro to a game.

Milos
Title: Re: CyberCapture
Post by: Skakara on August 02, 2016, 11:23:10 AM
Actually, you do get a popup that file scanned by CyberCapture was clean (or bad). It's no silent, user gets notified about it.

But let me guess, the popup is the kind of that hides itself after short time? Like most of Avast popups do.

IMO this is a bad design flaw, people are not always in front of their computers although the computers are running. Important popups should not automatically hide after a short time. I would mimic a "windows 10 notification center" on this matter. That way important messages from avast would not be lost if a person is away from the computer for some time. Also giving users the choice (setting) to select which messages would be shown in the "avast notification center" (would slide open when clicking the avast systray icon (and the avast icon would notify/indicate when new messages are available)).
Title: Re: CyberCapture
Post by: DavidR on August 02, 2016, 03:53:05 PM
Actually, you do get a popup that file scanned by CyberCapture was clean (or bad). It's no silent, user gets notified about it.

But let me guess, the popup is the kind of that hides itself after short time? Like most of Avast popups do.
<snip>

There is nothing to stop you changing the default settings for popups, setting the duration to 0 (no limit) for the appropriate popup (Alert Popups).

You can also right click the avast tray icon and if you have a current popup message (not restarted avast or system) and select 'Show last popup message.'
Title: Re: CyberCapture
Post by: Skakara on August 02, 2016, 04:31:52 PM
There is nothing to stop you changing the default settings for popups, setting the duration to 0 (no limit) for the appropriate popup (Alert Popups).

Are you sure that works like you say? (0 = no limit?)

Because if I go and change the values of those popups, using 0 or over 180 values, the number(s) turn(s) to red. That, indicates to me that the value is not proper for these settings.
Title: Re: CyberCapture
Post by: axzxc1236@gmail.com on August 02, 2016, 04:47:55 PM
Two questions about CC:
1.Are files uploaded through secure connection?
2.How many files do you get through this feature everyday?
Title: Re: CyberCapture
Post by: DavidR on August 02, 2016, 05:07:35 PM
There is nothing to stop you changing the default settings for popups, setting the duration to 0 (no limit) for the appropriate popup (Alert Popups).

Are you sure that works like you say? (0 = no limit?)

Because if I go and change the values of those popups, using 0 or over 180 values, the number(s) turn(s) to red. That, indicates to me that the value is not proper for these settings.

Well it certainly used to be as many thought that by setting it at zero it would stop it from popping up. At the time avast mentioned that 0 was unlimited. I don't know if avast have changed that thinking.

There are some other setting in avast that 0 = unlimited, if you look (scroll down) in that image example I posted you will see the Virus Chest settings and the Max size has a note (0 means no limit).
Title: Re: CyberCapture
Post by: Skakara on August 02, 2016, 05:36:32 PM
There is nothing to stop you changing the default settings for popups, setting the duration to 0 (no limit) for the appropriate popup (Alert Popups).

Are you sure that works like you say? (0 = no limit?)

Because if I go and change the values of those popups, using 0 or over 180 values, the number(s) turn(s) to red. That, indicates to me that the value is not proper for these settings.

Well it certainly used to be as many thought that by setting it at zero it would stop it from popping up. At the time avast mentioned that 0 was unlimited. I don't know if avast have changed that thinking.

There are some other setting in avast that 0 = unlimited, if you look (scroll down) in that image example I posted you will see the Virus Chest settings and the Max size has a note (0 means no limit).

But that setting clearly has the "0 means no limit" text unlike popup settings, and it doesn't turn red when set to 0. And if you add numbers to that value, eventually the number turns red (as well as the text box itself).

So I don't think that popups can be set to 0 (no limit).

It would be nice to get an "official" answer to this. Because if CyberCapture "clean" popups are hidden too after short amount of time, then it's IMO bad.

Is my "information/notification center" idea bad?
Title: Re: CyberCapture
Post by: MartinZ on August 02, 2016, 05:56:35 PM
Two questions about CC:
1.Are files uploaded through secure connection?
2.How many files do you get through this feature everyday?

Hi.

ad 1) yes it's encrypted via our specific protocol
ad 2) couple of thousands a day
Title: Re: CyberCapture
Post by: RejZoR on August 02, 2016, 08:48:58 PM
There is nothing to stop you changing the default settings for popups, setting the duration to 0 (no limit) for the appropriate popup (Alert Popups).

Are you sure that works like you say? (0 = no limit?)

Because if I go and change the values of those popups, using 0 or over 180 values, the number(s) turn(s) to red. That, indicates to me that the value is not proper for these settings.

Well it certainly used to be as many thought that by setting it at zero it would stop it from popping up. At the time avast mentioned that 0 was unlimited. I don't know if avast have changed that thinking.

There are some other setting in avast that 0 = unlimited, if you look (scroll down) in that image example I posted you will see the Virus Chest settings and the Max size has a note (0 means no limit).

But that setting clearly has the "0 means no limit" text unlike popup settings, and it doesn't turn red when set to 0. And if you add numbers to that value, eventually the number turns red (as well as the text box itself).

So I don't think that popups can be set to 0 (no limit).

It would be nice to get an "official" answer to this. Because if CyberCapture "clean" popups are hidden too after short amount of time, then it's IMO bad.

Is my "information/notification center" idea bad?

From my experience, they seem to stay on screen forever until you confirm them. Which makes sense since it takes long time to get a response, you don't want them to go away while your computer is idling and you're not nearby...
Title: Re: CyberCapture
Post by: jefferson sant on August 02, 2016, 10:11:03 PM
Hello jefferson sant,
the file looks to be clean -- some intro to a game.
Milos

Thank you Milos
Good hard to see the alert CyberCapture, as it features when the source is unknown is the file is submitted for analysis, it is more visible the Deepscreen the analysis of suspicious files,seen message that does not find any problem of that a detection.

The bug that needs to be fixed this

https://forum.avast.com/index.php?topic=185086.msg1304496#msg1304496
Title: Re: CyberCapture
Post by: petersaints@gmail.com on August 18, 2016, 02:33:00 AM
Hi guys,

I wanted to know if CC is still dependent on the file coming from an HTTP(S) connection captured by the Web Shield, or if it already supports the submission and analysis of files already present on the file system?

I'm just asking because I don't usually use the Web Shield.
Title: Re: CyberCapture
Post by: bob3160 on August 18, 2016, 12:44:18 PM
Hi guys,

I wanted to know if CC is still dependent on the file coming from an HTTP(S) connection captured by the Web Shield, or if it already supports the submission and analysis of files already present on the file system?

I'm just asking because I don't usually use the Web Shield.
IMHO, the only time someone would not use the WebShield is if the system is totally off line.
Title: Re: CyberCapture
Post by: petersaints@gmail.com on August 18, 2016, 07:18:48 PM
I actually have a few reasons not to use the WebShield (in no particular order):

I'll edit the list if something else comes to my mind. And I do know that this is somewhat off-topic, but given that CyberCapture seems to work with ONLY with the WebShield, I think that it's relevant to show the avast! team that there are valid reasons not to use the WebShield, and for the users that choose to do so this new CyberCapture technology is simply useless :(.

Also, just as a disclaimer, I'm currently NOT using Avast. I'm using Windows Defender on Windows 10 since the Anniversary Update. Not that I had any specific problem with Avast and the update. But I had a few other problems with drivers and one of the things I tried while troubleshooting was getting rid of Avast. So, for the last few weeks, I just kept Windows Defender running. I've yet to have any problems. In fact, I RARELY get any detection with ANY antivirus I use (I play it safe and I'm able to avoid most threats). Still, I somewhat feel that I would feel more at peace if I'd use a security product from a specialized vendor, such as Avast.

That was why I've been looking to get Avast back installed, but while I was thinking about it I decided to learn more about the Nitro Update and that was when I also learned about CyberCapture. I found this topic when I was searching about how did it work and I was kind of disappointed to find out that it wouldn't work for me since I usually only use the File System Shield. Therefore, the Nitro Update has actually decreased my theoretical level of protection, since before it I at least had DeepScreen with Avast NG enabled, but that was replaced with CyberCapture which only works with files that come from the web as detected by the WebShield. So, I've been considering just keeping Windows Defender for the time being. It seems "good enough", simple, unobtrusive and light (Avast now claims to be lighter than Windows Defender, but I'm a bit skeptical... maybe as light as, but surely not substantially lighter).
Title: Re: CyberCapture
Post by: bob3160 on August 18, 2016, 09:49:37 PM
It's your computer and your choice. :)
Title: Re: CyberCapture
Post by: Be Secure on September 09, 2016, 04:52:49 AM
Hey! Avast! CC missed malware give it clean to go. :'( not even crack it.
V.T-https://virustotal.com/en/file/0041803ca03064dab74fab83928d3983da7be7e2a4ca13847c562ec6861e8a08/analysis/1473389458/ (https://virustotal.com/en/file/0041803ca03064dab74fab83928d3983da7be7e2a4ca13847c562ec6861e8a08/analysis/1473389458/)
Title: Re: CyberCapture
Post by: Milos on September 09, 2016, 09:32:35 AM
Hello,
this is DeepScreen window, which runs before CyberCapture. From our backed we do not see that sample was downloaded (CyberCapture without URL condition is in development).

Milos
Title: Re: CyberCapture
Post by: Be Secure on September 09, 2016, 11:19:10 AM
Hello,
this is DeepScreen window, which runs before CyberCapture. From our backed we do not see that sample was downloaded (CyberCapture without URL condition is in development).

Milos
Thanks for the info.But why DeepScreen not block this threat..?

FYI:I send this sample to viruslab via viruschest. :)
Title: Re: CyberCapture
Post by: Milos on September 09, 2016, 12:00:33 PM
Hello,
the sample did not do anything malicious in time of run in DeepScreen.

Milos
Title: Re: CyberCapture
Post by: Be Secure on September 09, 2016, 12:03:50 PM
Hello,
the sample did not do anything malicious in time of run in DeepScreen.

Milos
But it should be blocked as Evogen[susp]. ??? :P
Title: Re: CyberCapture
Post by: jefferson sant on September 12, 2016, 02:05:05 AM
I found this file by a single search result.The file has 91,3MB
There are 2 infections in this file.

The Zemana found attached

https://www.virustotal.com/en/file/24f0ef28bcc00d8eb2a2e3881a0a050eec0adbbc6b6a2f4c4b420fb50abd15d7/analysis/1473630666/

I did some tests on this and I just found the Malware.

WINWORD.EXE not detected by Avast.It is also not detected by Zemana.

https://www.virustotal.com/en/file/66ad25b71653e0f985abf64f37daa1dea5b3b585b80c40e30a9913ea7a3c6a77/analysis/1473630804/

CyberCapture would have to deal with file of this size. The analysis of the running time is sufficient to take action and determine if this file is malicious ?
Title: Re: CyberCapture
Post by: A. User on September 12, 2016, 01:19:40 PM
So nice to see this technology. I've posted about it on the Comodo forums and haha, i didn't expected such a reply. Melih (their CEO) basically told me - oh are they going default deny? Because we have patents on Default Deny! Seems he didn't knew about CyberCapture before i have him the link to the blog post. Seems strange to me. LINK for CLICKING (https://forums.comodo.com/beta-corner-cis/comodo-internet-security-cis-v10005144-beta-t116138.0.html;msg841396#msg841396) :D
Title: Re: CyberCapture
Post by: gconesagarcia@gmail.com on September 12, 2016, 10:09:58 PM
Quote from:  link=topic=187679.msg1337672#msg1337672 date=1473679180
So nice to see this technology. I've posted about it on the Comodo forums and haha, i didn't expected such a reply. Melih (their CEO) basically told me - oh are they going default deny? Because we have patents on Default Deny! Seems he didn't knew about CyberCapture before i have him the link to the blog post. Seems strange to me. LINK for CLICKING (https://forums.comodo.com/beta-corner-cis/comodo-internet-security-cis-v10005144-beta-t116138.0.html;msg841396#msg841396) :D

I don't know if they have patents, but they are the perfect troll company.

 
Title: Re: CyberCapture
Post by: gconesagarcia@gmail.com on September 12, 2016, 10:13:51 PM
What is the advantage of running webshield, should't the system shield do the same thing more or less?
Does cibercapture work without the webshield installed?


Two questions about CC:
1.Are files uploaded through secure connection?
2.How many files do you get through this feature everyday?

Hi.

ad 1) yes it's encrypted via our specific protocol
ad 2) couple of thousands a day

Couple of thousands a day? taking into account your user based isn't this number ridiculously low? it shouldn't be hard to setup servers tens of thousands of files per day
Title: Re: CyberCapture
Post by: Alikhan on September 12, 2016, 10:18:36 PM
What is the advantage of running webshield, should't the system shield do the same thing more or less?
Does cibercapture work without the webshield installed?


Two questions about CC:
1.Are files uploaded through secure connection?
2.How many files do you get through this feature everyday?

Hi.

ad 1) yes it's encrypted via our specific protocol
ad 2) couple of thousands a day

Couple of thousands a day? taking into account your user based isn't this number ridiculously low? it shouldn't be hard to setup servers tens of thousands of files per day

At this moment of time CyberCapture only targets .exe files which have been downloaded via http(s).

In order for CyberCapture to work the Web Shield MUST be installed with Participate in Avast community enabled (which is by default).

You also need to understand that CyberCapture targets new or unknown files - in the future CyberCapture will trigger on other sources.

So if the file is already uploaded identified by hash, it won't be uploaded again.
Title: Re: CyberCapture
Post by: Pondus on September 12, 2016, 10:20:04 PM
@jefferson sant   this seems like a false positive

First submission 2009-07-15 00:10:12 UTC ( 7 years, 2 months ago )

Title: Re: CyberCapture
Post by: jefferson sant on September 12, 2016, 10:27:10 PM
@jefferson sant   this seems like a false positive

First submission 2009-07-15 00:10:12 UTC ( 7 years, 2 months ago )

Thanks.I have also reviewed some now with Hitman Pro
and have detected Malware.
Title: Re: CyberCapture
Post by: gconesagarcia@gmail.com on September 13, 2016, 09:28:59 AM
What is the advantage of running webshield, should't the system shield do the same thing more or less?
Does cibercapture work without the webshield installed?


Two questions about CC:
1.Are files uploaded through secure connection?
2.How many files do you get through this feature everyday?

Hi.

ad 1) yes it's encrypted via our specific protocol
ad 2) couple of thousands a day

Couple of thousands a day? taking into account your user based isn't this number ridiculously low? it shouldn't be hard to setup servers tens of thousands of files per day

At this moment of time CyberCapture only targets .exe files which have been downloaded via http(s).

In order for CyberCapture to work the Web Shield MUST be installed with Participate in Avast community enabled (which is by default).

You also need to understand that CyberCapture targets new or unknown files - in the future CyberCapture will trigger on other sources.

So if the file is already uploaded identified by hash, it won't be uploaded again.

If I disable Avast community I can keep enable Cybercapture, are you sure is required? if is true then is a bug since avast doesn't alert you about this relation and people may think that they are using CC while they are not.

Still for me the volume of files is extremely low taking into account the volume manage by other companies only in new malware (not any suspicious file like CC should get). There are always other sources but still CC should be getting much more since it's a good source of 0 day malware.
http://www.securityweek.com/daily-new-malware-count-drops-15000-kaspersky
http://www.redsocks.nl/blog-2/malware-statistics-march-2016/
http://www.pandasecurity.com/mediacenter/press-releases/panda-security-detects-over-225000-new-malware-strains-per-day-in-the-first-quarter-of-the-year/
Title: Re: CyberCapture
Post by: Asyn on September 13, 2016, 10:08:30 AM
Quote from:  link=topic=187679.msg1337672#msg1337672 date=1473679180
So nice to see this technology. I've posted about it on the Comodo forums and haha, i didn't expected such a reply. Melih (their CEO) basically told me - oh are they going default deny? Because we have patents on Default Deny! Seems he didn't knew about CyberCapture before i have him the link to the blog post. Seems strange to me. LINK for CLICKING (https://forums.comodo.com/beta-corner-cis/comodo-internet-security-cis-v10005144-beta-t116138.0.html;msg841396#msg841396) :D
Sorry, but your link doesn't work for me.
Either the topic got removed or it's located in a closed section.

OT: Seems Comodo forum uses an outdated version of SMF. :o
Title: Re: CyberCapture
Post by: Asyn on September 13, 2016, 10:41:08 AM
If I disable Avast community I can keep enable Cybercapture, are you sure is required?
Yes, afaik.
Title: Re: CyberCapture
Post by: A. User on September 13, 2016, 01:23:49 PM
Quote from:  link=topic=187679.msg1337672#msg1337672 date=1473679180
So nice to see this technology. I've posted about it on the Comodo forums and haha, i didn't expected such a reply. Melih (their CEO) basically told me - oh are they going default deny? Because we have patents on Default Deny! Seems he didn't knew about CyberCapture before i have him the link to the blog post. Seems strange to me. LINK for CLICKING (https://forums.comodo.com/beta-corner-cis/comodo-internet-security-cis-v10005144-beta-t116138.0.html;msg841396#msg841396) :D
Sorry, but your link doesn't work for me.
Either the topic got removed or it's located in a closed section.

OT: Seems Comodo forum uses an outdated version of SMF. :o
You have to register on their forums to be able to see it.  ::)
Title: Re: CyberCapture
Post by: Eddy on September 13, 2016, 01:37:19 PM
Quote
Still for me the volume of files is extremely low taking into account the volume manage by other companies only in new malware (not any suspicious file like CC should get).
The volume isn't low at all.
CyberCapture currently only checks .exe files

avast has a huge database with hash's
Files are only submitted/checked if they are unknown.
The fewer files are submitted, the more avast already know.
Note that it is the amount of files that is low, not the amount of hash's.
Title: Re: CyberCapture
Post by: bob3160 on September 13, 2016, 03:12:37 PM
Quote from:  link=topic=187679.msg1337672#msg1337672 date=1473679180
So nice to see this technology. I've posted about it on the Comodo forums and haha, i didn't expected such a reply. Melih (their CEO) basically told me - oh are they going default deny? Because we have patents on Default Deny! Seems he didn't knew about CyberCapture before i have him the link to the blog post. Seems strange to me. LINK for CLICKING (https://forums.comodo.com/beta-corner-cis/comodo-internet-security-cis-v10005144-beta-t116138.0.html;msg841396#msg841396) :D
You can expect almost anything from Melih. :)
Title: Re: CyberCapture
Post by: Asyn on September 14, 2016, 08:29:15 AM
Quote from:  link=topic=187679.msg1337873#msg1337873 date=1473765829
Quote from:  link=topic=187679.msg1337672#msg1337672 date=1473679180
So nice to see this technology. I've posted about it on the Comodo forums and haha, i didn't expected such a reply. Melih (their CEO) basically told me - oh are they going default deny? Because we have patents on Default Deny! Seems he didn't knew about CyberCapture before i have him the link to the blog post. Seems strange to me. LINK for CLICKING (https://forums.comodo.com/beta-corner-cis/comodo-internet-security-cis-v10005144-beta-t116138.0.html;msg841396#msg841396) :D
Sorry, but your link doesn't work for me.
Either the topic got removed or it's located in a closed section.

OT: Seems Comodo forum uses an outdated version of SMF. :o
You have to register on their forums to be able to see it.  ::)
Thanks, but I won't register just for that. Could maybe someone repost it please..!?
Title: Re: CyberCapture
Post by: A. User on September 14, 2016, 09:58:00 AM
Sure, i'll make some screenshots and post the link.
Title: Re: CyberCapture
Post by: Asyn on September 14, 2016, 09:58:44 AM
Quote from:  link=topic=187679.msg1338048#msg1338048 date=1473839880
Sure, i'll make some screenshots and post the link.
OK, thanks in advance.
Title: Re: CyberCapture
Post by: A. User on September 14, 2016, 11:04:42 AM
Quote from:  link=topic=187679.msg1338048#msg1338048 date=1473839880
Sure, i'll make some screenshots and post the link.
OK, thanks in advance.

CLICK IT! (http://imgur.com/a/s0jYs)
Title: Re: CyberCapture
Post by: Asyn on September 14, 2016, 11:08:45 AM
Thanks..!! :)
Title: Re: CyberCapture
Post by: Be Secure on September 25, 2016, 03:50:39 AM
Avast! failed again!!!But good news is that avast! HIPS doing good job. :D
Title: Re: CyberCapture
Post by: RejZoR on September 25, 2016, 08:27:18 AM
Are you using default HIPS settings?
Title: Re: CyberCapture
Post by: Be Secure on September 25, 2016, 06:44:54 PM
Are you using default HIPS settings?
No.Set on High. :)
Title: Re: CyberCapture
Post by: Rednose on September 26, 2016, 11:44:16 PM
Hi Be Secure :)

I am curious what your experiences are, with the HIPS settings on High ?
To be honnest : I was not happy with it during Beta testing, so I changed it back to the default setting.

Greetz, Red.
Title: Re: CyberCapture
Post by: DavidR on September 27, 2016, 12:26:09 AM
Hi Be Secure :)

I am curious what your experiences are, with the HIPS settings on High ?
To be honest : I was not happy with it during Beta testing, so I changed it back to the default setting.

Greetz, Red.

To be honest, I found the HIPS on the highest setting to be more of an hindrance. It really does depend on your computer use and your browsing/security habits. Dialling it back to the second level is less intrusive on my normal computer use.

Title: Re: CyberCapture
Post by: mchain on September 27, 2016, 02:17:47 AM
I've got HIPS set to normal, no issues.  But practicing safe surfing habits plus layered extensions and add-ons help more than running HIPS at highest setting.  HIPS cannot block everything.  Depends on what the user is using their system for: Normal Internet or malware investigations, what is the appropriate setting.
Title: Re: CyberCapture
Post by: Be Secure on September 27, 2016, 03:42:06 AM
Hi Be Secure :)

I am curious what your experiences are, with the HIPS settings on High ?
To be honnest : I was not happy with it during Beta testing, so I changed it back to the default setting.

Greetz, Red.
My experiences are not too good nor bad but it should be on high by default.It lacks rules and by default setting it is useless.Avast! should work on it(HIPS)and CC together. :)
Title: Re: CyberCapture
Post by: Rednose on September 27, 2016, 11:14:23 PM
Personally I think CyberCapture in combination with the Sandbox ( to run an unknown - and not-analysed executable in ) is a better option.
But that will be only available for paid users, and has some technical difficulties / limitations.

Greetz, Red.
Title: Re: CyberCapture
Post by: Rednose on September 28, 2016, 12:32:15 AM
Thinking about it ...

What about making the Sandbox available for Avast Free users as well, with the only possibility to run an unknown - and not-analysed executable in it ?
Just a suggestion :)

Greetz, Red.
Title: Re: CyberCapture
Post by: DavidR on September 28, 2016, 01:09:28 AM
Thinking about it ...

What about making the Sandbox available for Avast Free users as well, with the only possibility to run an unknown - and not-analysed executable in it ?
Just a suggestion :)

Isn't that the whole point of the CyberCapture function, unknown, e.g. first time the executable been seen and no hash# on the CyberCapture cloud database. It gets uploaded to be scanned so it isn't using local resources to scan it.
Title: Re: CyberCapture
Post by: Rednose on September 28, 2016, 01:24:16 AM
Yes David,

But what if you don't want to wait for the verdict from CyberCapture, and just want run the executable immediately ?

@Vlk I have one more idea. Currently, when CyberCapture locks the file into custody, you can opt to run it without waiting for verdict. You could add "Run in Sandbox" as an option for Pro, Internet Security and Premier editions since they already employ sandbox tech. This way users can run the suspicious stuff risk free in an isolated environment (if the app will work in it of course since not all do) even before they get definitive answer from CyberCapture servers. This way you add additional layer of security when users decide to run it anyway.

Thanks, that sounds like something that could be implemented very easily.

Vlk

My suggestion only goes a little further than RejZoR's.

Greetz, Red.
Title: Re: CyberCapture
Post by: Be Secure on November 15, 2016, 03:59:50 AM
It is bad very bad.avast CyberCapture is failed once again. :-[
Did not block any thing.New EXE files are not blocked as well as the .scr file.
Title: Re: CyberCapture
Post by: Be Secure on November 15, 2016, 04:02:56 AM
More failed results. :(
Title: Re: CyberCapture
Post by: NON on November 15, 2016, 11:56:34 AM
@Be Secure
These are DeepScreen, not CyberCapture.
If these exe files meet the criteria of CC and failed to start it, then it may be a bug. But IMHO it is another thing than CC's capability.

ALso, you may know this message from Vlk:

(snip)
The combined engine is not yet present in the beta you're testing, but it WILL be till the end of the year (i.e. in the next ~6 weeks). After that happens, I would like to ask everyone to do a retest and see how we're coping... Until then, please let's discuss the non-detection features of the new Avast.
(snip)
Title: Re: CyberCapture
Post by: RejZoR on November 15, 2016, 12:12:00 PM
To me it seems like CyberCapture doesn't even work consistently and invokes DeepScreen instead...
Title: Re: CyberCapture
Post by: Be Secure on November 15, 2016, 12:34:20 PM
Quote
The combined engine is not yet present in the beta you're testing, but it WILL be till the end of the year (i.e. in the next ~6 weeks). After that happens, I would like to ask everyone to do a retest and see how we're coping... Until then, please let's discuss the non-detection features of the new Avast.
But i am not runing new beta avast at all.Yes they meet all the criteria of CC and failed to start it.
I don't think there is a bug.It is not working as it should.Whole CC is break.Files(Samples) are downloaded from Internet.
Title: Re: CyberCapture
Post by: Alikhan on November 15, 2016, 08:54:44 PM
This isn't looking positive anymore.

Most of the time CyberCapture isn't even triggered and DeepScreen doesn't really detect anything.
Title: Re: CyberCapture
Post by: RejZoR on November 15, 2016, 09:34:48 PM
@Be Secure
These are DeepScreen, not CyberCapture.
If these exe files meet the criteria of CC and failed to start it, then it may be a bug. But IMHO it is another thing than CC's capability.

ALso, you may know this message from Vlk:

(snip)
The combined engine is not yet present in the beta you're testing, but it WILL be till the end of the year (i.e. in the next ~6 weeks). After that happens, I would like to ask everyone to do a retest and see how we're coping... Until then, please let's discuss the non-detection features of the new Avast.
(snip)

Does this mean current stable avast! version will receive combined engine as well? Or only the new 2017 version?
Title: Re: CyberCapture
Post by: Milos on November 16, 2016, 08:06:34 AM
Hello Be Secure,
please post sha256s or VT links of non-detected samples with date and time of test and we can investigate why they did not went to CyberCapture or why they were not detected.

Thanks,
Milos
Title: Re: CyberCapture
Post by: Be Secure on November 16, 2016, 10:08:24 AM
Thanks and sorry but it is now blocked by avast  and i have no sha256s or VT links(Test time report).Date and time of test-Yesterday at 03:20:50 AM.
via static scan it is now blocked all.
Title: Re: CyberCapture
Post by: Milos on November 16, 2016, 10:22:03 AM
Hello,
do you still have the samples?

Milos
Title: Re: CyberCapture
Post by: Be Secure on November 16, 2016, 11:41:32 AM
Hello,
do you still have the samples?

Milos
Yes.But why?
Title: Re: CyberCapture
Post by: Milos on November 16, 2016, 11:48:09 AM
Hello,
do you still have the samples?

Milos
Yes.But why?
To compute sha256s from the samples.

Milos
Title: Re: CyberCapture
Post by: Be Secure on November 16, 2016, 11:57:00 AM
Hello,
do you still have the samples?

Milos
Yes.But why?
To compute sha256s from the samples.

Milos
OK.
https://www.virustotal.com/en/file/ba264b6fd7795fdea336364082491c7aba457cbf2edabf6c44df0562e34810ba/analysis/1479176757/
https://www.virustotal.com/en/file/76d207956c86f6680ec0e5378c865b971bfca9bd5a5bcb975acd6952d8d6985d/analysis/1479176766/
https://www.virustotal.com/en/file/4416a098f5f9398dc8eae5080dec6b9d6883ba949a584527123b28b85fbf80da/analysis/1479176775/
https://www.virustotal.com/en/file/cec8a554a7fc7d9855aad99fc8940077bd11321d0a1e60a053f7b87cd6f91b44/analysis/1479176783/
https://www.virustotal.com/en/file/eaf050f18370866cc7e33a56076d709814059022c366e5ef754dabade1c7de14/analysis/1479176793/
https://www.virustotal.com/en/file/31c4a69a4e151ef5a94c43a86ce0d9819d72cbbc749346a632028ddd580c26a1/analysis/1479176801/
https://www.virustotal.com/en/file/b51db3ebee257083b1a2082bebdc535712005cf9b64be86d5ce280d35ea8cec4/analysis/1479176809/
Title: Re: CyberCapture
Post by: Milos on November 16, 2016, 12:31:15 PM
Thanks for the VT links.

Milos
Title: Re: CyberCapture
Post by: Be Secure on November 16, 2016, 12:35:47 PM
Pls make sure avast CC is a kick-ass kind of thing in next avast+avg product not a limited protection like now.
Title: Re: CyberCapture
Post by: bob3160 on November 16, 2016, 02:06:51 PM
Pls make sure avast CC is a kick-ass kind of thing in next avast+avg product not a limited protection like now.
What the heck are you talking about ???
Title: Re: CyberCapture
Post by: Be Secure on November 16, 2016, 02:24:34 PM
Pls make sure avast CC is a kick-ass kind of thing in next avast+avg product not a limited protection like now.
What the heck are you talking about ???
Sorry for my bad english.I trying to say that make sure avast CC is fully functional in future.
Title: Re: CyberCapture
Post by: Be Secure on November 21, 2016, 02:27:41 AM
Again and again. ???
V.T- 8/56 mstsystem.exe
https://www.virustotal.com/en/file/579c71f9b393fb9359198710a4d2d5d996ead8f2d57579bf900a942841f12b0f/analysis/1479690434/
send it to virus lab.
V.T-15 / 56 
https://www.virustotal.com/en/file/579c71f9b393fb9359198710a4d2d5d996ead8f2d57579bf900a942841f12b0f/analysis/1479712308/ (Now).
Title: Re: CyberCapture
Post by: DavidR on November 21, 2016, 03:12:49 PM
Again and again. ???<snip>

Again and again, what ?
Surely both of these screen shots relate to the avast DeepScreen scan.

If you are trying to say that CyberCapture didn't pick it up then you should say that
Title: Re: CyberCapture
Post by: Be Secure on November 21, 2016, 03:24:27 PM
Again and again. ???<snip>

Again and again, what ?
Surely both of these screen shots relate to the avast DeepScreen scan.

If you are trying to say that CyberCapture didn't pick it up then you should say that
yes.
Title: Re: CyberCapture
Post by: DavidR on November 21, 2016, 03:25:25 PM
Again and again. ???<snip>

Again and again, what ?
Surely both of these screen shots relate to the avast DeepScreen scan.

If you are trying to say that CyberCapture didn't pick it up then you should say that
yes.


Well I think we all know now that is definitely work in progress.
Title: Re: CyberCapture
Post by: davide.epifani@alice.it on November 21, 2016, 05:37:32 PM
I just hope it won't remain work in progress forever as it happened to other previous features like the behaviour shield, hips and deepscreen  :P
Title: Re: CyberCapture
Post by: A. User on November 21, 2016, 05:45:42 PM
And what i hope is that Avast implement Early Launch Antimalware from AVG. I see that they already use AMSI. In the future i would like to see Avast taking every single possibility that the OS provides to increase protection implemented. :)
Title: Re: CyberCapture
Post by: testuserxperia@gmail.com on July 07, 2017, 02:34:34 PM
Just wanted to ask if there are any plans  to make CyberCaptue work for unknown files saved locally or transferred  via  any external drive

I asked because according to the reply from Milos (reply# 151) at https://forum.avast.com/index.php?topic=187679.150, it is planned
Title: Re: CyberCapture
Post by: Eddy on July 07, 2017, 02:48:37 PM
Not much use to post in a 8 month old dead thread.
A lot already have been changed. (see the release notes)
Title: Re: CyberCapture
Post by: testuserxperia@gmail.com on July 07, 2017, 03:06:04 PM
It says that the version 12.1.2272 has better detection of unknown and unique files via Avast's cloud technology, and there's no other info 
Title: Re: CyberCapture
Post by: bob3160 on July 07, 2017, 03:16:19 PM
It says that the version 12.1.2272 has better detection of unknown and unique files via Avast's cloud technology, and there's no other info
The current version is 17.5.232
https://forum.avast.com/index.php?topic=183543.0
Title: Re: CyberCapture
Post by: testuserxperia@gmail.com on July 07, 2017, 03:26:04 PM
The current version is 17.5.232
https://forum.avast.com/index.php?topic=183543.0
I was asked to  refer the release notes for  the answer to my query but as per the  release notes, the only references made to CyberCapture are with the version that I specified             
Title: Re: CyberCapture
Post by: Eddy on July 07, 2017, 03:39:08 PM
There are not just the release notes, there are also the avast blogs and other pages on the website.
Title: Re: CyberCapture
Post by: testuserxperia@gmail.com on July 07, 2017, 03:41:45 PM
There are not just the release notes, there are also the avast blogs and other pages on the website.
I understand but you specifically asked me to view the release notes. So where exactly would  one know about  the new capabilities of CyberCapture?                 
Title: Re: CyberCapture
Post by: Eddy on July 07, 2017, 03:47:49 PM
I haven't asked you anything at all.
Title: Re: CyberCapture
Post by: testuserxperia@gmail.com on July 07, 2017, 03:52:08 PM
Not much use to post in a 8 month old dead thread.
A lot already have been changed. (see the release notes)
I've colored the  part of your reply that you are denying now
Title: Re: CyberCapture
Post by: Eddy on July 07, 2017, 03:59:20 PM
No you did not.
I only said that you can read many changes in the release notes.
I never asked you to read them nor did I asked you anything else.
Title: Re: CyberCapture
Post by: testuserxperia@gmail.com on July 07, 2017, 04:00:43 PM
No you did not.
I only said that you can read many changes in the release notes.
I never asked you to read them nor did I asked you anything else.
May I know which part of that reply of yours suggests "can"?
Title: Re: CyberCapture
Post by: testuserxperia@gmail.com on July 07, 2017, 04:03:16 PM
Look, let's not make this complicated. I just want to know if CyberCapture's capabilities have been extended. If you're not sure, please say that you're not sure
Title: Re: CyberCapture
Post by: bob3160 on July 07, 2017, 04:09:12 PM
Look, let's not make this complicated. I just want to know if CyberCapture's capabilities have been extended. If you're not sure, please say that you're not sure
As stated, don't resurrect an old topic.
Start a new one.


Title: Re: CyberCapture
Post by: testuserxperia@gmail.com on July 07, 2017, 04:11:53 PM
As stated, don't resurrect an old topic.
Start a new one.
Isn't the topic relevant to this thread?
Title: Re: CyberCapture
Post by: testuserxperia@gmail.com on July 07, 2017, 04:16:35 PM
If you still like me to, I will start a new thread then
Title: Re: CyberCapture
Post by: DavidR on July 07, 2017, 05:08:07 PM
As stated, don't resurrect an old topic.
Start a new one.
Isn't the topic relevant to this thread?

It may well be relevant, but only to the version that it was created under as much will/could have changed. It is already a massive topic, breathing new life into it (bringing it to the top of the chronological order), this only serves to confuse as people probably aren't going to read the whole massive topic, just the recent posts.
Title: Re: CyberCapture
Post by: testuserxperia@gmail.com on July 07, 2017, 06:05:51 PM
It may well be relevant, but only to the version that it was created under as much will/could have changed. It is already a massive topic, breathing new life into it (bringing it to the top of the chronological order), this only serves to confuse as people probably aren't going to read the whole massive topic, just the recent posts.
I understand and have started a new thread.
Title: Re: CyberCapture
Post by: Be Secure on July 27, 2017, 10:33:00 AM
Avast needs to be more active on development of CyberCapture because the option on the settings:Allow me to decide is a flop. :(
Pls remove this option.
Title: Re: CyberCapture
Post by: RejZoR on July 27, 2017, 10:39:58 AM
Avast needs to be more active on development of CyberCapture because the option on the settings:Allow me to decide is a flop. :(
Pls remove this option.

Just because individual users have the power to decide, that doesn't mean files don't get processed in the CyberCapture systems.
Title: Re: CyberCapture
Post by: Be Secure on August 04, 2017, 03:36:29 PM
I download a file it is a 100% virus.Avast DeepScreen failed to block it.It trigger DS but give it a clean mark.Again avast DS/CyberCapture failed.

V.T.https://www.virustotal.com/en/file/6798b3278ae926b0145ee342ee9840d0b2e6ba11ff995c2bc84d3c6eb3e55ff4/analysis/1501853580/

First submission 2017-08-04 09:14:14 UTC ( 4 hours, 19 minutes ago )

SHA256:   6798b3278ae926b0145ee342ee9840d0b2e6ba11ff995c2bc84d3c6eb3e55ff4
Detection ratio:   11 / 64
Note:Send this sample via https://www.avast.com/report-malicious-file.php (https://www.avast.com/report-malicious-file.php).
Thanks. :)