Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: hozewm on December 10, 2021, 07:22:14 AM

Title: Questions
Post by: hozewm on December 10, 2021, 07:22:14 AM
Same file, but the Avast engine in VirusTotal doesn't detect it.
https://www.virustotal.com/gui/file/5ee4d962d00340fe06ca92435cffbc95011c3420348ecbacb8723eb58b22db7d

https://virusscan.jotti.org/en-US/filescanjob/b9s0qewhob
Title: Re: Virustotal engine
Post by: hozewm on December 10, 2021, 07:29:58 AM
And I am also wondering what the meaning of the X in the detection name is.
Title: Re: Virustotal engine
Post by: Pondus on December 10, 2021, 08:28:30 AM
And I am also wondering what the meaning of the X in the detection name is.
variant letter


(CARO) Malware naming scheme, this is how it works
https://cyberwarzone.com/caro-malware-naming-scheme-this-is-how-it-works/

Title: Re: Virustotal engine
Post by: RejZoR on December 10, 2021, 08:51:06 AM
Jotti runs the Linux version, VT runs the Windows version. Might be a problem there, as the engine itself should be the same.
Title: Re: Virustotal engine
Post by: hozewm on December 10, 2021, 09:22:22 AM
After rescanning the file, it seems the engine on VT now detects the sample too!
Title: Re: Virustotal engine
Post by: Pondus on December 10, 2021, 12:59:23 PM
More for those who want to read about malware naming...


Malware Naming Hell
https://www.gdatasoftware.com/blog/2019/08/35146-taming-the-mess-of-av-detection-names

Malware family naming hell is our own fault
https://www.gdatasoftware.com/blog/malware-family-naming-hell

CARO http://www.caro.org/articles/naming.html


It is relatively tempting to want to name malicious code based on its date of activation, this can create confusing duplication of names. For instance, if we were to name every new virus with some word derived from its payload, like "March6", "January Friday 13th" or "CrashWindows" the fictional exchange illustrated below could become commonplace:

(A1 - Analyst1, works for the respectable AV company C1)
(A2 - Analyst2, works for the most respectable AV company C2)
(A3 - Analyst3, works for the (even more) respectable AV company C3)

A1: "Hey A2, have you seen that new beast, the 'Newyork' virus?"
A2: "You mean the one which fills all the files on disk with 'New York'?"
A1: "No, that's the 'NYFiller' virus, I mean the one which shows a message box with the text 'New York New York'"
A2: "Could be, I remember having seen two of them, one was a macro virus and the other one infecting Linux ELF files"
A1: "Hm, the 'Newyork' I was thinking of actually infects Windows PE files"
A2: "Ah, but I think I know what you mean, however, the one I've seen shows a message box stating 'New Orleans New Orleans'. We are calling it 'NewOrleans', of course."
A1: "Hm, that must be a new version of our 'NewYork' virus with a modified message. I think you should rename your 'NewOrleans' virus to something like 'NewYork(version:Orleans)'."
A2: "Hey, wait a minute, why not rename _your_ virus to 'NewOrleans(York)'?"
A3: "Hey guys, have you seen the new virus which fills all the files on disk with 'New Delhi'? We're calling it 'NewDelhi', of course."
A1: "Arghhh..."
A2: "Who designed this stupid payload-based naming scheme anyway...?"

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=78995af3-e961-46da-ad80-f6547bbce3b7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments






Title: Re: Virustotal engine
Post by: Asyn on December 10, 2021, 01:08:05 PM
It is relatively tempting to want to name malicious code based on its date of activation, this can create confusing duplication of names. For instance, if we were to name every new virus with some word derived from its payload, like "March6", "January Friday 13th" or "CrashWindows" the fictional exchange illustrated below could become commonplace:

(A1 - Analyst1, works for the respectable AV company C1)
(A2 - Analyst2, works for the most respectable AV company C2)
(A3 - Analyst3, works for the (even more) respectable AV company C3)

A1: "Hey A2, have you seen that new beast, the 'Newyork' virus?"
A2: "You mean the one which fills all the files on disk with 'New York'?"
A1: "No, that's the 'NYFiller' virus, I mean the one which shows a message box with the text 'New York New York'"
A2: "Could be, I remember having seen two of them, one was a macro virus and the other one infecting Linux ELF files"
A1: "Hm, the 'Newyork' I was thinking of actually infects Windows PE files"
A2: "Ah, but I think I know what you mean, however, the one I've seen shows a message box stating 'New Orleans New Orleans'. We are calling it 'NewOrleans', of course."
A1: "Hm, that must be a new version of our 'NewYork' virus with a modified message. I think you should rename your 'NewOrleans' virus to something like 'NewYork(version:Orleans)'."
A2: "Hey, wait a minute, why not rename _your_ virus to 'NewOrleans(York)'?"
A3: "Hey guys, have you seen the new virus which fills all the files on disk with 'New Delhi'? We're calling it 'NewDelhi', of course."
A1: "Arghhh..."
A2: "Who designed this stupid payload-based naming scheme anyway...?"
;D 8)
Title: Re: Virustotal engine
Post by: hozewm on December 10, 2021, 02:16:42 PM
Another question: does the Avast automated system identify the malware type for those samples that don't require a human to check? (Such as trojan or ransomware, and what if it is a trojan and ransomware at the same time?)
And does the Avast automated system auto-unzip zip files?
Title: Re: Virustotal engine
Post by: Asyn on December 10, 2021, 02:38:15 PM
-> https://www.avast.com/technology/ai-and-machine-learning
Title: Re: Virustotal engine
Post by: hozewm on December 10, 2021, 02:50:21 PM
I mean classify the type of new malware, not detect the new malware.
Title: Re: Virustotal engine
Post by: DavidR on December 10, 2021, 03:01:01 PM
More for those who want to read about malware naming...


Malware Naming Hell
https://www.gdatasoftware.com/blog/2019/08/35146-taming-the-mess-of-av-detection-names

Malware family naming hell is our own fault
https://www.gdatasoftware.com/blog/malware-family-naming-hell

CARO http://www.caro.org/articles/naming.html
<snip>

Isn't this a bit of a joke, doesn't GData use two other companies' virus engines/databases?

Even then there really is no way there is ever going to be standardisation in malware naming when the methods of detection are in many cases different.

When you are talking of heuristic, generic, artificial, machine learning methods of detection, where one signature detects multiple variants of the same/similar malware.

As Asyn's link shows.
-> https://www.avast.com/technology/ai-and-machine-learning

So I rather doubt that Avast is alone in this development; it would make it near impossible for any standardisation of malware naming.
Title: Re: Virustotal engine
Post by: hozewm on December 10, 2021, 03:06:44 PM
So, can anyone tell the Avast team to add an option to disable the local sandbox analysis? Since it is pretty useless, and will allow the malware to run on the user's computer.
https://forum.avast.com/index.php?topic=273698.0
Or they can make the analysis longer (such as 1 minute or 30 seconds, so it can actually detect malicious software).
Title: Re: Virustotal engine
Post by: Asyn on December 10, 2021, 03:41:00 PM
You can adjust/disable it in the settings.
Title: Re: Virustotal engine
Post by: hozewm on December 10, 2021, 03:42:43 PM
If I disable it, will Avast detect the sample as suspicious?
Title: Re: Questions
Post by: Asyn on December 10, 2021, 04:05:56 PM
-> https://support.avast.com/en-ww/article/150/
Title: Re: Virustotal engine
Post by: Pondus on December 10, 2021, 04:10:50 PM
Another question: does the Avast automated system identify the malware type for those samples that don't require a human to check? (Such as trojan or ransomware, and what if it is a trojan and ransomware at the same time?)
And does the Avast automated system auto-unzip zip files?
All malware samples are analyzed by auto systems because of the enormous amount of files they receive

Ransomware is a trojan


Title: Re: Questions
Post by: Pondus on December 10, 2021, 04:12:47 PM
Quote
Isn't this a bit of a joke, doesn't GData use two other companies' virus engines/databases?
Joke? What do you mean?
Title: Re: Virustotal engine
Post by: hozewm on December 10, 2021, 04:13:30 PM
Another question: does the Avast automated system identify the malware type for those samples that don't require a human to check? (Such as trojan or ransomware, and what if it is a trojan and ransomware at the same time?)
And does the Avast automated system auto-unzip zip files?
All malware samples are analyzed by auto systems because of the enormous amount of files they receive

Ransomware is a trojan
OK thanks, but if the auto system missed a sample and it was not sent to the Avast team, then how to let them review it?
Title: Re: Questions
Post by: hozewm on December 10, 2021, 04:19:34 PM
-> https://support.avast.com/en-ww/article/150/
The reason I say they should add the option is because a sample needs to be sent to Avast when the sandbox can't identify whether a sample is malicious or clean; however, because the analysis time is too short, the sandbox will be easily bypassed by malware.
Title: Re: Virustotal engine
Post by: Pondus on December 10, 2021, 04:21:43 PM
Another question: does the Avast automated system identify the malware type for those samples that don't require a human to check? (Such as trojan or ransomware, and what if it is a trojan and ransomware at the same time?)
And does the Avast automated system auto-unzip zip files?
All malware samples are analyzed by auto systems because of the enormous amount of files they receive

Ransomware is a trojan
OK thanks, but if the auto system missed a sample and it was not sent to the Avast team, then how to let them review it?
All samples uploaded to VirusTotal are shared among all VT members

Title: Re: Virustotal engine
Post by: hozewm on December 10, 2021, 04:29:45 PM
Another question: does the Avast automated system identify the malware type for those samples that don't require a human to check? (Such as trojan or ransomware, and what if it is a trojan and ransomware at the same time?)
And does the Avast automated system auto-unzip zip files?
All malware samples are analyzed by auto systems because of the enormous amount of files they receive

Ransomware is a trojan
OK thanks, but if the auto system missed a sample and it was not sent to the Avast team, then how to let them review it?
All samples uploaded to VirusTotal are shared among all VT members
But will they even analyse it? Or do they just put everything in the sandbox?
Title: Re: Virustotal engine
Post by: hozewm on December 10, 2021, 04:32:33 PM
Another question: does the Avast automated system identify the malware type for those samples that don't require a human to check? (Such as trojan or ransomware, and what if it is a trojan and ransomware at the same time?)
And does the Avast automated system auto-unzip zip files?
All malware samples are analyzed by auto systems because of the enormous amount of files they receive

Ransomware is a trojan
OK thanks, but if the auto system missed a sample and it was not sent to the Avast team, then how to let them review it?
All samples uploaded to VirusTotal are shared among all VT members
But will they even analyse it? Or do they just put everything in the sandbox?
And also some malware will need some action to activate it.
Title: Re: Questions
Post by: Asyn on December 10, 2021, 04:33:35 PM
...however, because the analysis time is too short, the sandbox will be easily bypassed by malware.
-> https://www.avast.com/bug-bounty
Title: Re: Questions
Post by: hozewm on December 10, 2021, 04:39:46 PM
...however, because the analysis time is too short, the sandbox will be easily bypassed by malware.
-> https://www.avast.com/bug-bounty
Is this even a bug? I think it is just badly designed.
Title: Re: Questions
Post by: Asyn on December 10, 2021, 04:42:29 PM
...however, because the analysis time is too short, the sandbox will be easily bypassed by malware.
-> https://www.avast.com/bug-bounty
Is this even a bug? I think it is just badly designed.
Depends if you can prove what you said. ;)
Title: Re: Questions
Post by: DavidR on December 10, 2021, 06:08:27 PM
Quote
Isn't this a bit of a joke, doesn't GData use two other companies' virus engines/databases?
Joke? What do you mean?

Sorry it is irony ;)

As in they are hardly in control of their own virus naming conventions if they are using the services of two other AVs (at least they did, I don't know if that is still correct). A long time ago Avast was one of these AVs.
Title: Re: Virustotal engine
Post by: Pondus on December 10, 2021, 06:11:46 PM
Another question: does the Avast automated system identify the malware type for those samples that don't require a human to check? (Such as trojan or ransomware, and what if it is a trojan and ransomware at the same time?)
And does the Avast automated system auto-unzip zip files?
All malware samples are analyzed by auto systems because of the enormous amount of files they receive

Ransomware is a trojan
OK thanks, but if the auto system missed a sample and it was not sent to the Avast team, then how to let them review it?
All samples uploaded to VirusTotal are shared among all VT members
But will they even analyse it? Or do they just put everything in the sandbox?
Only if the file needs special attention

You can also send files directly to the Avast lab
https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438



Title: Re: Questions
Post by: Pondus on December 10, 2021, 06:16:38 PM
Quote
Isn't this a bit of a joke, doesn't GData use two other companies' virus engines/databases?
Joke? What do you mean?

Sorry it is irony ;)

As in they are hardly in control of their own virus naming conventions if they are using the services of two other AVs (at least they did, I don't know if that is still correct). A long time ago Avast was one of these AVs.
If they use another vendor's AV engine then the owner of that engine is the one that creates the signature and name


Example here
https://www.virustotal.com/gui/file/922bc561fe72498410d5c835715b6f7ca622d8ec96fb018ded9ec346724645ab

All those with the name Trojan.GenericKD.47609888 are using the Bitdefender engine
Emsisoft has a (B) after the name, meaning they use more than one engine and it was engine B that detected it
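A worked example added here (it is not from the thread, from Avast, or from any vendor named in it) that covers both the variant-letter question answered earlier in the thread and the shared-engine point above: it strips a multi-engine marker like the "(B)" suffix, groups vendors that report an identical name, and pulls the trailing CARO-style variant letter out of a name. The vendor table, the "VendorA/B/C" names, and the regular expressions are constructed assumptions, not the real results of the scans linked in this thread.

```python
import re
from collections import defaultdict

# Constructed vendor -> detection-name table, shaped like a VirusTotal result
# list. "VendorA/B/C" and every value are made up for this example; they are
# not the real results of the scans linked in the thread.
SAMPLE_RESULTS = {
    "Bitdefender": "Trojan.GenericKD.47609888",
    "GData": "Trojan.GenericKD.47609888",
    "Emsisoft": "Trojan.GenericKD.47609888 (B)",
    "VendorA": "Win32/Agent.X",
    "VendorB": "Trojan:Win32/Agent.X!ml",
    "VendorC": "Win32:Malware-gen",
}

# Trailing "(B)"-style marker a multi-engine product uses to say which of its
# engines fired (assumed shape, modelled on the Emsisoft example above).
ENGINE_MARKER = re.compile(r"\s*\(([A-Z])\)\s*$")


def strip_engine_marker(name):
    """Return (name without the marker, marker letter or None)."""
    m = ENGINE_MARKER.search(name)
    if m is None:
        return name.strip(), None
    return name[:m.start()].strip(), m.group(1)


def group_by_name(results):
    """Map each normalised detection name to the sorted vendors reporting it.
    Identical names from several vendors usually mean a shared engine, whose
    owner wrote the signature and chose the name."""
    groups = defaultdict(list)
    for vendor, name in results.items():
        base, _ = strip_engine_marker(name)
        groups[base].append(vendor)
    return {base: sorted(vendors) for base, vendors in groups.items()}


def shared_engine_candidates(results):
    """Only the name groups with more than one vendor behind them."""
    return {b: v for b, v in group_by_name(results).items() if len(v) > 1}


def variant_letter(name):
    """Trailing CARO-style variant letter (the 'X' in Agent.X), or None.
    Numeric tails such as GenericKD.47609888 are generic identifiers, not
    variant letters. Assumes '!' starts a modifier suffix (e.g. "!ml")."""
    base, _ = strip_engine_marker(name)
    base = base.split("!", 1)[0]            # drop modifiers like "!ml"
    last = re.split(r"[./:]", base)[-1]     # final name component
    return last if re.fullmatch(r"[A-Z]{1,3}", last) else None
```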




Title: Re: Questions
Post by: DavidR on December 10, 2021, 06:42:01 PM
Quote
Isn't this a bit of a joke, doesn't GData use two other companies' virus engines/databases?
Joke? What do you mean?

Sorry it is irony ;)

As in they are hardly in control of their own virus naming conventions if they are using the services of two other AVs (at least they did, I don't know if that is still correct). A long time ago Avast was one of these AVs.
If they use another vendor's AV engine then the owner of that engine is the one that creates the signature and name
<snip>

Which is exactly the irony I'm talking about, the difficulty for multiple (not just two) AV companies with different methods of detection and naming conventions to have common/the same malware names.

What is the likelihood of Engine A and B having the same malware name (if they both detected it), and that's just two AV signature databases.
Title: Re: Questions
Post by: Pondus on December 10, 2021, 06:47:25 PM
Quote
Isn't this a bit of a joke, doesn't GData use two other companies' virus engines/databases?
Joke? What do you mean?

Sorry it is irony ;)

As in they are hardly in control of their own virus naming conventions if they are using the services of two other AVs (at least they did, I don't know if that is still correct). A long time ago Avast was one of these AVs.
If they use another vendor's AV engine then the owner of that engine is the one that creates the signature and name
<snip>

Which is exactly the irony I'm talking about, the difficulty for multiple (not just two) AV companies with different methods of detection and naming conventions to have common/the same malware names.

What is the likelihood of Engine A and B having the same malware name (if they both detected it), and that's just two AV signature databases.
Those AVs that use multiple engines (usually two) only show the detection from one; I have never seen anyone display more than one detection.





Title: Re: Questions
Post by: DavidR on December 10, 2021, 10:14:27 PM
<snip quotes>
Which is exactly the irony I'm talking about, the difficulty for multiple (not just two) AV companies with different methods of detection and naming conventions to have common/the same malware names.

What is the likelihood of Engine A and B having the same malware name (if they both detected it), and that's just two AV signature databases.
Those AVs that use multiple engines (usually two) only show the detection from one; I have never seen anyone display more than one detection.

That is neither here nor there; the point is they differ in the same way as virtually all other individual AV companies' virus databases, and the likelihood of all somehow having the same malware name or naming convention is, I fear, extremely unlikely. There is possibly more chance of you or I winning the lottery (and I don't play the lottery).

My point revolves around your links about malware naming in Reply #5

Quote from extracts
"Malware names are not clear. Neither the terms related to them have a common understanding, nor the names themselves. There is no common standard. There is no institution, database or organization that has an exhaustive list of malware names and their definition."
and
"The first attempt to make malware naming consistent was in 1991, when a committee at CARO created A New Virus Naming Convention. This was a time where all or almost all existing malware was also a virus. The naming scheme has influenced today's detection names. Most AV vendors use the same or similar components that CARO suggested but often with their own terminology and ordering."

Whilst this article wasn't written in 1991, much has changed since 1991, in both the number of malware variants and the way AV companies detect them, so trying to apply a common standard is virtually impossible. Hell, just look at the number of virus signatures there are in just the Avast virus signature database: '27,401,696'.

Assuming that other AV companies' virus signature databases are of similar sizes, try having a commonality/naming convention and you should see how futile this would be when the volume of viruses/malware is constantly increasing.