Author Topic: Avast do not disappoint me pls!  (Read 3811 times)


eltonzoto

  • Guest
Avast do not disappoint me pls!
« on: November 07, 2013, 07:12:03 PM »
Hi,

Today I scanned my computer with HitmanPro to ensure my PC's security. I was quite surprised: HitmanPro detected a trojan! :o I didn't delete that file, for further investigation. So I tried to run a "folder scan" with my Avast IS 2014, fully updated. But unfortunately, no reaction from Avast (DeepScreen enabled, Hardened Mode aggressive)!

Now, the weird thing! When I checked this file on VirusTotal's site, it was listed as "Win32:Trojan-gen" by Avast! :D
https://www.virustotal.com/en/file/64e795e3002dae5ca9dc34c92a7cba76105819253cc10020943654bce0ecf711/analysis/1383844354/

So, the logical question is: do I really trust this new Avast 2014, or...?! :-\


thnx

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88900
  • No support PMs thanks
Re: Avast do not disappoint me pls!
« Reply #1 on: November 07, 2013, 07:26:37 PM »
First, VirusTotal is unable to run elements of avast that can be run on your system, namely DeepScreen and Hardened Mode; both of these may be able to look beyond simple signatures, and a generic signature (Win32:Trojan-gen) in the case of the VT results.

Passing DeepScreen and/or Hardened Mode (which does an avast cloud reputation check) validation could well be why there is no alert on the system.

This, after all, is something which is going to be modifying the HOSTS file, so it may well be considered suspicious at the very least; something that many may consider a PUP.

What you don't say is what Hitman Pro detected: file name and location (if other than hostsmon.exe) and what malware name was given.

Personally I wouldn't use Hitman Pro; it can be very aggressive and has caused system problems in the past with deletion of important files. In the short time that I tried it, it only returned false positives and, despite reporting them, some time later these still hadn't been corrected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

eltonzoto

  • Guest
Re: Avast do not disappoint me pls!
« Reply #2 on: November 07, 2013, 11:22:09 PM »
The log file of HitmanPro is attached. The path is: C:\Windows\system32\drivers\setup\hosts\hostsmon.exe, and the name (based on GData) is Backdoor.Generic.104430.

As I mentioned, the stupid thing was: why didn't Avast IS detect this file, which was inside my computer for many days, and why on VirusTotal was the same file listed as a trojan by Avast itself!

In the same dir. "\drivers\setup\hosts", there were other infected files which Avast IS was able to detect and quarantine without any problem.

Regarding Hitman Pro, I rarely use it. But IMO it's a useful tool in those cases when the primary defense fails to do its job. :)

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88900
  • No support PMs thanks
Re: Avast do not disappoint me pls!
« Reply #3 on: November 08, 2013, 01:30:02 AM »
Well, the Hitman Pro detection is no clearer than that of avast on VirusTotal. It (GData) is also detecting a generic signature of the Bitdefender engine (one of its two). Though I don't know why it might detect on a standard on-demand scan on VT but not on the system.

I was thinking that this hostsmon.exe file was related to the HOSTS file monitor program (hostsman), but that may go by a different file name and possibly location. Unfortunately I don't use hostsman, so I can't confirm one way or another.

Are you using any form of hosts file manager on your system ?

This can get many security-based tools a bit twitchy when .exe files are located in a sub-folder of the system32\drivers\ folder.

Alikhan

  • Avast Evangelist
  • Super Poster
  • Posts: 2220
Re: Avast do not disappoint me pls!
« Reply #4 on: November 08, 2013, 01:32:10 AM »
It would be interesting to see if that file were to be detected in v8... and not v9.
Windows 10 Home 64-bit • Avast Free (latest stable version) •  Malwarebytes 4 Premium (On-Demand) • Windows Firewall Control • Google Chrome • LastPass • CCleaner • O&O ShutUp10 •

eltonzoto

  • Guest
Re: Avast do not disappoint me pls!
« Reply #5 on: November 08, 2013, 04:14:31 PM »
> It would be interesting to see if that file were to be detected in v8... and not v9.
Old wine better than new wine! ;D

Alikhan

  • Avast Evangelist
  • Super Poster
  • Posts: 2220
Re: Avast do not disappoint me pls!
« Reply #6 on: November 08, 2013, 04:17:22 PM »
> It would be interesting to see if that file were to be detected in v8... and not v9.
> Old wine better than new wine! ;D

Ya know, if you compare the number of signatures which were "optimized"... it doesn't go well... The current v9 has 2,616,512 signatures, which was supposed to have removed old MS-DOS malware (useless) and catch the same number of infections...

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88900
  • No support PMs thanks
Re: Avast do not disappoint me pls!
« Reply #7 on: November 08, 2013, 05:02:20 PM »
> It would be interesting to see if that file were to be detected in v8... and not v9.
> Old wine better than new wine! ;D

Looking at your image and the process 7zip indicates that this was inside an archive file; now it depends on what you were doing in relation to a scan with avast, as archives aren't scanned by default since they are inert/dormant until extraction.
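An added example, not code from the thread or from Avast: the point above is that an archive is a container, so a scanner that skips archives never sees the member file, while VirusTotal matched the file itself by its SHA-256 (the hash in the URL earlier in the thread). The script below is the triage step a practitioner would run before posting: it hashes every file under a directory, descends into .zip archives to hash their members too, and lets you search for a given hash so you can tell whether the file VT reported is on disk, inside an archive, or both. The directory layout and the "sample.exe" payload are constructed for the demonstration and are not real malware.

```python
"""Hash files on disk and inside zip archives so each can be looked up by SHA-256.

Added example for this thread; the sample directory and payload are constructed.
"""
import hashlib
import os
import tempfile
import zipfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Stream the file so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str) -> dict:
    """Return {display_path: sha256} for every regular file under root.

    Zip archives are hashed as a whole (what a scanner that skips archives sees)
    and each member is hashed separately under "archive::member" (what a
    hash-based lookup such as VirusTotal matched).
    """
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            results[path] = sha256_file(path)
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for info in zf.infolist():
                        if info.is_dir():
                            continue
                        results[f"{path}::{info.filename}"] = sha256_bytes(zf.read(info))
    return results


def find_hash(results: dict, wanted: str) -> list:
    """All locations (on disk or inside an archive) whose content has the wanted hash."""
    wanted = wanted.lower()
    return sorted(p for p, h in results.items() if h == wanted)


def demo() -> dict:
    """Build a constructed tree with the same file loose and inside a zip, then search for it."""
    with tempfile.TemporaryDirectory() as tmp:
        hosts_dir = os.path.join(tmp, "setup", "hosts")  # mirrors the thread's layout
        os.makedirs(hosts_dir)
        sample = os.path.join(hosts_dir, "sample.exe")
        payload = b"MZ constructed sample, not a real executable\n"  # constructed content
        with open(sample, "wb") as f:
            f.write(payload)
        archive = os.path.join(tmp, "hosts.zip")
        with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.write(sample, arcname="setup/hosts/sample.exe")

        results = hash_tree(tmp)
        target = sha256_bytes(payload)
        return {
            "target": target,                      # the hash you would look up
            "matches": find_hash(results, target),  # loose file and archive member
            "archive_hash": results[archive],       # differs from the member's hash
        }


if __name__ == "__main__":
    out = demo()
    print("looking for", out["target"])
    for location in out["matches"]:
        print("  found at", location)
    print("archive itself hashes to", out["archive_hash"])
```

Run it against the real directory by calling hash_tree() on that path and find_hash() with the SHA-256 from the VirusTotal URL; a match only under an "archive::member" key means the scanner would have to be told to scan inside archives to see it, while the archive's own hash will never match the member's.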

eltonzoto

  • Guest
Re: Avast do not disappoint me pls!
« Reply #8 on: November 08, 2013, 05:51:53 PM »
Hi DavidR,

The real dir. was not inside the archive when I tested yesterday with Avast 2014.

But the only way to test those files using another Avast was to install VirtualBox. So I archived that directory and sent it to the virtual machine. That's the reason why 7Zip appears.

Btw, if you want to test these files with your own antivirus, you are welcome. :)


thnx

eltonzoto

  • Guest
Re: Avast do not disappoint me pls!
« Reply #9 on: November 08, 2013, 05:58:36 PM »
> It would be interesting to see if that file were to be detected in v8... and not v9.
> Old wine better than new wine! ;D
>
> Ya know, if you compare the number of signatures which were "optimized"... it doesn't go well... The current v9 has 2,616,512 signatures, which was supposed to have removed old MS-DOS malware (useless) and catch the same number of infections...
I'm afraid they accidentally removed some non-MS-DOS malware using the "optimized" process! Hope I'm wrong! :)