Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Henrique - RJ on May 29, 2010, 06:44:22 PM

Title: The quality of the service of the analysts needs to be improved
Post by: Henrique - RJ on May 29, 2010, 06:44:22 PM
Hello

I've been drawing some conclusions why some very similar trojans are not detected by avast even if the signature of one of them has been included in the database.

I believe the quality of the service team of analysts is not the best. I have noticed that the detection of trojans bankers by Avira AntiVir is much better than avast. I wonder if it would be the choice by analysts of the line of code that does not accurately characterize the malware.

The names of malware identified by analysts avast are not accurate (example the name "Win32: Malware.gen" given the trojans bankers).

Am I correct ?

There is some expectation of improvement ?

Thanks very much.
Title: Re: The quality service analyst needs to be improved
Post by: Lisandro on May 29, 2010, 07:28:25 PM
I have noticed that the detection of trojans bankers by Avira AntiVir is much better than avast.
Common voice in our country.

There is some expectation of improvement ?
There is always hope :)
Title: Re: The quality service analyst needs to be improved
Post by: RejZoR on May 29, 2010, 07:29:33 PM
As far as naming is concerned, there is absolutely no standard or rule how to name them. Companies could name them "Malware/Virus" or even just "Threat" and that's it. To 99% of ppl, names of the malware families don't mean a thing. If it's Banker or Virut, only one thing is in common. They want it off their computer.
As for everything else you complained about, i cannot really comment that. Only ALWIL programmers/analysts can answer you to that...
Title: Re: The quality service analyst needs to be improved
Post by: DavidR on May 29, 2010, 07:45:55 PM
I feel the same way, the name isn't an issue, what is, is that it is detected as I mentioned in the other topic.

The win32:Malware-gen is a generic detection designed to catch multiple occurrences of a type of malware, so long as it makes the detection, the name given is totally unimportant as there is no standardisation/convention in malware naming.

You will see this when you do a virustotal check and you will see the many different aliases given in detections across the 42 different scanners.
Title: Re: The quality service analyst needs to be improved
Post by: Henrique - RJ on May 29, 2010, 07:50:51 PM
As far as naming is concerned, there is absolutely no standard or rule how to name them. Companies could name them "Malware/Virus" or even just "Threat" and that's it. To 99% of ppl, names of the malware families don't mean a thing. If it's Banker or Virut, only one thing is in common.

But the nomenclature is important to tell what type of malware is and what does.

There are cases where the name indicates a type of malware when in fact it is another kind.
Title: Re: The quality service analyst needs to be improved
Post by: Henrique - RJ on June 02, 2010, 11:15:13 PM
No response of the one malware analyst ?

I have two similar trojans to prove what I say.

This question seems very important.
Title: Re: The quality service analyst needs to be improved
Post by: Asyn on June 02, 2010, 11:24:55 PM
I have two similar trojans to prove what I say.

So, did you send them to avast yet..??
Meanwhile all AV companies (kind of) depend on users feedback..!!!
asyn
Title: Re: The quality service analyst needs to be improved
Post by: Henrique - RJ on June 02, 2010, 11:34:11 PM
So, did you send them to avast yet..??
Meanwhile all AV companies (kind of) depend on users feedback..!!!
asyn

Already sent a few days ago.

One is already detected by avast not the other.
Title: Re: The quality service analyst needs to be improved
Post by: Asyn on June 02, 2010, 11:49:15 PM
Already sent a few days ago.
One is already detected by avast not the other.

Great, thanks for submitting...!! :D
Let's hope the other one will also be detected soon...
asyn
Title: Re: The quality service analyst needs to be improved
Post by: Henrique - RJ on June 03, 2010, 12:01:05 AM
Great, thanks for submitting...!! :D
Let's hope the other one will also be detected soon...
asyn

Because the Trojans are similar, they must all be detected and not just one.

Therefore to say that the service quality of analysts needs to be improved.

This also occurs with AVG (Grisoft).

If there was quality in the analysis the cracker could create several trojans that all would be detected by the same signature.
Title: Re: The quality service analyst needs to be improved
Post by: Asyn on June 03, 2010, 12:11:37 AM
Because the Trojans are similar, they must all be detected and not just one.
Therefore to say that the service quality of analysts needs to be improved.
This also occurs with AVG (Grisoft).
If there was quality in the analysis the attacker could create several trojans that all would be detected by the same signature.

You should never rely on one security solution. Never ever..!!
A layered protection is the ultimate secret..!!! ;)
asyn
Title: Re: The quality service analyst needs to be improved
Post by: Henrique - RJ on June 03, 2010, 12:18:08 AM
You should never rely on one security solution. Never ever..!!
A layered protection is the ultimate secret..!!! ;)
asyn

I just want that avast is as good as Avira AntiVir in detection.
Title: Re: The quality service analyst needs to be improved
Post by: Asyn on June 03, 2010, 12:31:53 AM
I just want that avast is as good as Avira AntiVir in detection.

I don't care about Avira...!
If you want maximum detection rate use Emsisoft AM.
But I guess we (users of avast) all like it to be the best and imo it is the best AV, otherwise I (and many others) wouldn't use it..!! ;) Nevertheless, as already said, don't fully rely on it, protect your browser at first level and get a second opinion with an antimalware like Mbam or A²...
asyn
Title: Re: The quality of the service of the analysts needs to be improved
Post by: kubecj on June 04, 2010, 11:41:49 AM
1) Please check the photo, which comes from F-Secure's blog from CARO 2010 conference:

(http://www.f-secure.com/weblog/archives/v_caro.jpg)
From our internal testing it seems that in day 0, the best AV gives you maximally 60-70% protection by the signatures. This is not an excuse, this is an explanation why you may see what you see. I could as well show you many samples missed by antivirus X, in the very same way.

2) Nomenclature does not exist, and while you're getting 50 000 new samples a day, it's nonsense to spend time and resource with naming something which will be extinct tomorrow. Also, from our tests it sometimes seems like these names are assigned by random generator.  8)
Title: Re: The quality of the service of the analysts needs to be improved
Post by: Lisandro on June 04, 2010, 02:31:43 PM
From our internal testing it seems that in day 0, the best AV gives you maximally 60-70% protection by the signatures. This is not an excuse, this is an explanation why you may see what you see. I could as well show you many samples missed by antivirus X, in the very same way.
So, how to be protected by day 0 attacks? Which is your suggestion side by side with avast?

naming something which will be extinct tomorrow
Solution for the 50.000 new malwares per day?
Title: Re: The quality of the service of the analysts needs to be improved
Post by: DavidR on June 04, 2010, 03:34:34 PM
Well the point being made is 'detection by signature' with a signature for every detection. So with the generic detection, win32:Malware-gen in this case it can detect hundreds/thousands of variants of malware.

Now that Nomenclature doesn't specifically identify 'banker' or other specific malware family name (as in the OP's concern) it just detects it as malware. The important thing is that it detects it and not the Nomenclature given to the detection.

So the use of generic and heuristics to detect zero day/new variants is playing a greater part in detection as it is almost impossible to keep up with the volume of 50,000 new malware per day if you are going to try and give them all a specific Nomenclature or malware family name rather than win32:malware-gen, etc.

Title: Re: The quality of the service of the analysts needs to be improved
Post by: Lisandro on June 04, 2010, 03:46:45 PM
Well the point being made is 'detection by signature' with a signature for every detection. So with the generic detection, win32:Malware-gen in this case it can detect hundreds/thousands of variants of malware.
But we know that still not enough...

So the use of generic and heuristics to detect zero day/new variants is playing a greater part in detection
Yeah... But I would like to hear from Kubecj what is his solution...
Title: Re: The quality of the service of the analysts needs to be improved
Post by: igor on June 04, 2010, 03:49:54 PM
I believe Kubec just wanted to say that it's necessary to react quickly - and detect the stuff.
Thorough analysis and attempts to use a great name for the detection... isn't doable.
Title: Re: The quality of the service of the analysts needs to be improved
Post by: Lisandro on June 04, 2010, 03:51:13 PM
I believe Kubec just wanted to say that it's necessary to react quickly - and detect the stuff.
Thorough analysis and attempts to use a great name for the detection... isn't doable.
Ok. What is the pathway to happiness in his opinion?
What do you use to protect your computer when you will play with fire? ;D
Title: Re: The quality of the service of the analysts needs to be improved
Post by: kubecj on June 04, 2010, 04:01:51 PM
If you want to go to suspicious sites, just prepare to be infected anyway and make the precautions as backups and not storing anything even moderately sensitive on your machine. And I specifically said by "signatures". But there are also generic protections and layered protections.

See the typical chained scenario of today:
Porn site -> malicious js -> malicious pdf -> malicious downloader -> malicious binaries.

Don't go to such porn site.
Don't use vulnerable apps.
Have antivirus with layered protection.

And then - who cares if avast! does not detect one of the downloaded malicious binaries, when the porn site is blocked and we detect the js and pdf?

It's very hard to evaluate the real-world performance of an AV solution when we don't (and I suspect we can't) test the whole chain and prove if the user is protected. The tests on VT and such don't prove anything, but the ability of the engine to detect it by the signature.
Title: Re: The quality of the service of the analysts needs to be improved
Post by: Lisandro on June 04, 2010, 04:37:36 PM
Layered protections.
Have antivirus with layered protection.
For instance?
What would you use side by side with avast?

And then - who cares if avast! does not detect one of the downloaded malicious binaries, when the porn site is blocked and we detect the js and pdf?
You're fully right.

The tests on VT and such don't prove anything, but the ability of the engine to detect it by the signature.
+1
Title: Re: The quality of the service of the analysts needs to be improved
Post by: Asyn on June 04, 2010, 04:44:35 PM
Layered protections.
Have antivirus with layered protection.
For instance?
What would you use side by side with avast?

Don't ask him this kind of question - I guess he likes his job...! ;)
asyn
Title: Re: The quality of the service of the analysts needs to be improved
Post by: Lisandro on June 04, 2010, 05:13:17 PM
Don't ask him this kind of question - I guess he likes his job...! ;)
You've got the point.
I want to know to where should avast go to... HIPS?

The tests on VT and such don't prove anything, but the ability of the engine to detect it by the signature.
Well... thinking better... what if you download from P2P and avast does not detect the sample...
You get the malware binary into your machine already... There is no chain... It's already there. Then checking with VT will show avast is not doing the best job...
Title: Re: The quality of the service of the analysts needs to be improved
Post by: Henrique - RJ on June 04, 2010, 06:34:04 PM
You are running away from commitment to quality.

Why avast is the only av that abuses of generic names ?

50 000 malwares per day is for all the world and not ave to one.

Why Avira is better in detection of than Avast ?

Why I trust most in a scan done by Avira ?

Why Avira is better placed in the tests of AV-Comparatives ?

I've attached three similar trojans (brazilian bankers) like this post that are called by Avira "TR/Crypt.CFI.Gen".

Avast detects only two (now) as "Win32: Trojan-gen" giving a different signature to each while Avira gives the same signature to all three.

Already see that Avira detects all avast does not (waiting ...).

Sirs ... this gave me work.

http://rapidshare.com/files/395240464/virus.zip.html (PASSWORD: virus)
Title: Re: The quality of the service of the analysts needs to be improved
Post by: kubecj on June 04, 2010, 06:55:06 PM
You are running away from commitment to quality.
nope.

Quote
Why avast is the only av that abuses of generic names ?
It's not. All avs have such signatures. I for example like Norton's "Trojan Horse".

Quote
50 000 malwares per day is for all the world and not ave to one.
I don't understand.

Quote
Why Avira is better in detection of than Avast ?
Avira's engine probably detects more binaries. That's true. And?

Quote
Why I trust most in a scan done by Avira ?
I don't know, it's your choice.

Quote
Why Avira is better placed in the tests of AV-Comparatives ?
Because they have more signatures on binaries. That's true. And?

Quote
I've attached three similar trojans (brazilian bankers) like this post that are called by Avira "TR/Crypt.CFI.Gen".
Avast detects only two (now) as "Win32: Trojan-gen" giving a different signature to each while Avira gives the same signature to all three.

Crypt.CFI.gen is quite similar to our Trojan-Gen. Says nothing about similarity of the samples.
I can find you hundreds of samples XXX antivirus does not detect in matter of seconds.
Title: Re: The quality of the service of the analysts needs to be improved
Post by: Lisandro on June 04, 2010, 07:24:08 PM
kubecj, and my answers?
Title: Re: The quality of the service of the analysts needs to be improved
Post by: Henrique - RJ on June 04, 2010, 07:28:26 PM
Why Avira's engine probably detects more binaries ?

We need to improve !
Title: Re: The quality of the service of the analysts needs to be improved
Post by: kubecj on June 04, 2010, 07:34:24 PM
They detect less JS and PDFs, they need to improve!  ;)
Title: Re: The quality of the service of the analysts needs to be improved
Post by: Henrique - RJ on June 04, 2010, 07:44:44 PM
Many users of avast are having their machines infected (by trojans bankers via e-mail and pen drive) every day here in Brazil because of this deficiency in the detection of binaries.
Title: Re: The quality of the service of the analysts needs to be improved
Post by: Lisandro on June 04, 2010, 08:24:11 PM
kubecj, and my answers?
???
Send me an IM if you don't want to make your personal "solutions" public ;)
Title: Re: The quality of the service of the analysts needs to be improved
Post by: Maxx_original on June 04, 2010, 10:00:51 PM
Henrique, i'll tell you something what you probably don't want to hear - we simply can't fully satisfy all of our users (even when we're constantly trying to achieve that).. i'm aware of the problem with banker trojans in Brazil (sometimes i think it is the only malware type ever seen in Brazil), but - similarly to the rogue scene - there are tons of new samples every day and they're difficult to detect proactively or even generically.. same name used by Avira for your three samples does not imply they're binary similar/equivalent (and that's what matters when we're talking about similarity from the detection point of view) and it even does not imply that the samples were precisely analysed and put together based on the analysis results.. anyway, we would appreciate your advices (which URLs are used to collect stolen data, if you have some hints regarding this, which places on user machines are mostly occupied by the most widespread bankers etc).. ;)
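
Added example, not part of the post above and not avast's or Avira's code: it shows why a shared file name and size say nothing about binary similarity, and how an exact hash, a wildcard byte pattern and an n-gram similarity score each treat a close variant. The three samples are constructed random bytes, and the function names and the pattern format are assumptions made for this illustration.

```python
import hashlib
import random

def make_bytes(seed: int, size: int) -> bytes:
    """Deterministic pseudo-random bytes used as a constructed stand-in."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))

# Constructed stand-ins (not real samples); all three have the same size.
SAMPLE_A = make_bytes(1, 2048)
# Close variant of A: 16 bytes changed at offset 100, everything else identical.
SAMPLE_B = SAMPLE_A[:100] + bytes(b ^ 0xFF for b in SAMPLE_A[100:116]) + SAMPLE_A[116:]
# Unrelated content that shares only its size (and, say, its file name) with A.
SAMPLE_C = make_bytes(2, 2048)

def ngrams(data: bytes, n: int = 4) -> set:
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two byte n-gram sets (1.0 = identical sets)."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)

def exact_match(known: bytes, data: bytes) -> bool:
    """Hash-style signature: fires only on a byte-identical file."""
    return hashlib.sha256(known).digest() == hashlib.sha256(data).digest()

def pattern_match(pattern: list, data: bytes) -> bool:
    """Generic-style signature: byte values with None as a wildcard, any offset."""
    m = len(pattern)
    return any(
        all(p is None or p == data[i + j] for j, p in enumerate(pattern))
        for i in range(len(data) - m + 1)
    )

# Pattern taken from a region of A that the variant leaves untouched.
PATTERN = [None if j % 4 == 3 else b for j, b in enumerate(SAMPLE_A[500:516])]

def report() -> dict:
    rows = {}
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        rows[name] = {
            "size": len(sample),
            "similarity_to_A": round(similarity(SAMPLE_A, sample), 3),
            "exact": exact_match(SAMPLE_A, sample),
            "pattern": pattern_match(PATTERN, sample),
        }
    return rows

if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```
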
Title: Re: The quality of the service of the analysts needs to be improved
Post by: YoKenny on June 04, 2010, 10:53:11 PM
@ Maxx_original

Who said You can please some of the people some of the time all of the people some of the time some of the people all of the time but you can never please all of the people all of the time?
http://wiki.answers.com/Q/Who_said_You_can_please_some_of_the_people_some_of_the_time_all_of_the_people_some_of_the_time_some_of_the_people_all_of_the_time_but_you_can_never_please_all_of_the_people_all_of_the_time
Title: Re: The quality of the service of the analysts needs to be improved
Post by: Henrique - RJ on June 04, 2010, 11:20:09 PM
... same name used by Avira for your three samples does not imply they're binary similar/equivalent (and that's what matters when we're talking about similarity from the detection point of view) and it even does not imply that the samples were precisely analysed and put together based on the analysis results..

The trojans hosted on Rapidshare have the same name, same size, same icon, obtained from the same link and you say that they are not similar ?

Please review the trojans.

You need to improve the analysis made by automatic systems (sandbox ?).


... anyway, we would appreciate your advices (which URLs are used to collect stolen data, if you have some hints regarding this, which places on user machines are mostly occupied by the most widespread bankers etc).. ;)

I did not understand.
Title: Re: The quality of the service of the analysts needs to be improved
Post by: Henrique - RJ on June 08, 2010, 08:36:23 PM
Proactive / retrospective test

(on-demand detection of virus / malware)

February / May 2010

www.av-comparitives.org

ProActive detection of new malware:

 1. Trustport, Panda          63%
 2. G DATA                    61%
 3. Kaspersky, Microsoft      59%
 4. AVIRA                     53%
 5. ESET NOD32, F-Secure      52%
 6. BitDefender, K7, eScan    50%
 7. Symantec                  43%
 8. McAfee                    38%
 9. AVG                       34%
10. Sophos                    32%
11. Avast                     29%

http://www.av-comparatives.org/images/stories/test/ondret/avc_report26.pdf

Title: Re: The quality of the service of the analysts needs to be improved
Post by: Gargamel360 on June 08, 2010, 08:48:58 PM
I realize you are just trying to enforce your point, but that has been posted already
http://forum.avast.com/index.php?topic=60554.0
Title: Re: The quality of the service of the analysts needs to be improved
Post by: Henrique - RJ on June 08, 2010, 09:01:06 PM
Where is the center of analysis, research and development of the Alwil ?

Avast will once again lose market share if not better.