Author Topic: Drep Detection  (Read 27308 times)

Offline Shoaib4

  • Newbie
  • *
  • Posts: 4
Drep Detection
« on: December 18, 2014, 10:33:45 AM »
Drep detection whenever I download an executable from my own website http://whatsapphubstatus.com. It is clean software I made on my own, but why is this detection occurring? Can anybody tell me how to avoid it?

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 66907
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Win 8.1 [x64] - Avast PremSec 20.8.2429.Beta4 [UI.562] - CC 5.72 - EEK - FF ESR 78.3 [NS/AOS/uBO/PB] - TB 68.12 - SB/CP/SL/DU.BC
German-language section -> Avast Essentials (Downloads, Guides & Info): https://forum.avast.com/index.php?topic=60523.0

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6712
  • Trust only what you test yourself!
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1131
Re: Drep Detection
« Reply #3 on: December 18, 2014, 04:28:10 PM »
Hi,
DomainRep is a new feature of Avast, so let me explain a bit. It blocks EXE file downloads if these conditions are *all* met:
1. The file is not prevalent enough, i.e. not enough Avast users launched the file yet,
2. The domain is not prevalent enough, i.e. not enough Avast users downloaded (any) EXE files from the domain yet,
3. The file is not signed or Avast does not trust the signature.

Once one of these conditions is not met anymore, Avast will stop flagging the download. In other words, just wait until more people try to download the file, or digitally sign your files :-).
Honza

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83800
  • No support PMs thanks
Re: Drep Detection
« Reply #4 on: December 18, 2014, 05:10:42 PM »
Quote from: HonzaZ
> Hi,
> DomainRep is a new feature of Avast, so let me explain a bit. It blocks EXE file downloads if these conditions are *all* met:
> 1. The file is not prevalent enough, i.e. not enough Avast users launched the file yet,
> 2. The domain is not prevalent enough, i.e. not enough Avast users downloaded (any) EXE files from the domain yet,
> 3. The file is not signed or Avast does not trust the signature.
>
> Once one of these conditions is not met anymore, Avast will stop flagging the download. In other words, just wait until more people try to download the file, or digitally sign your files :-).
> Honza

Isn't this a bit like the chicken and the egg (which came first) - how are you to download the file from the site if it hasn't met any of the conditions to build up a reputation of avast users?

The only way I can see this happening would be if the file was signed, otherwise the file and/or domain name would remain blocked.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.598) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline abruptum

  • Super Poster
  • ***
  • Posts: 2111
Re: Drep Detection
« Reply #5 on: December 18, 2014, 05:49:55 PM »
Is it possible to turn off DomainRep ?

Offline TrueIndian

  • Poster
  • *
  • Posts: 434
Re: Drep Detection
« Reply #6 on: December 18, 2014, 05:55:57 PM »
That's a nice feature considering the fact that avast will allow a file when it doesn't meet even 1 of those situations even if it meets the other two. Hopefully, we will see this being worked on in a week or so.
Malware Hunter/Tester/Analysis
https://twitter.com/avman1995

“When I despair, I remember that all through history the way of truth and love have always won. There have been tyrants and murderers, and for a time, they can seem invincible, but in the end, they always fall. Think of it--always.”
― Mahatma Gandhi

Online polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32702
  • malware fighter
Re: Drep Detection
« Reply #7 on: December 18, 2014, 06:27:08 PM »
Metascan is doing the same with an executable download pre-scan but with real scan results, avast classification is a bit like the French law method, scan verdict is malign until proven benign, as suspects are guilty until their innocence has been proven above doubt. FPs could cumulate, on the other hand unknown malign executables are caught before they can infest.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9346
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Drep Detection
« Reply #8 on: December 18, 2014, 07:47:28 PM »
Quote from: DavidR
> Quote from: HonzaZ
> > Hi,
> > DomainRep is a new feature of Avast, so let me explain a bit. It blocks EXE file downloads if these conditions are *all* met:
> > 1. The file is not prevalent enough, i.e. not enough Avast users launched the file yet,
> > 2. The domain is not prevalent enough, i.e. not enough Avast users downloaded (any) EXE files from the domain yet,
> > 3. The file is not signed or Avast does not trust the signature.
> >
> > Once one of these conditions is not met anymore, Avast will stop flagging the download. In other words, just wait until more people try to download the file, or digitally sign your files :-).
> > Honza
>
> Isn't this a bit like the chicken and the egg (which came first) - how are you to download the file from the site if it hasn't met any of the conditions to build up a reputation of avast users?
>
> The only way I can see this happening would be if the file was signed, otherwise the file and/or domain name would remain blocked.

I'm wondering the same thing actually...
Visit my webpage Angry Sheep Blog

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2779
  • Volunteer
Re: Drep Detection
« Reply #9 on: December 18, 2014, 08:59:26 PM »
Quote from: HonzaZ
> Hi,
> DomainRep is a new feature of Avast, so let me explain a bit. It blocks EXE file downloads if these conditions are *all* met:
> 1. The file is not prevalent enough, i.e. not enough Avast users launched the file yet,
> 2. The domain is not prevalent enough, i.e. not enough Avast users downloaded (any) EXE files from the domain yet,
> 3. The file is not signed or Avast does not trust the signature.
>
> Once one of these conditions is not met anymore, Avast will stop flagging the download. In other words, just wait until more people try to download the file, or digitally sign your files :-).
> Honza

OK. So, what does this mean for sites like portal.nbed.nb.ca (My School Domain) in which Students can transfer files? The idea behind this sounds Fantastic, but there ought to be measures in place (Hopefully) in which I can manually add certain sites (Like that one) to a Whitelist?
*Volunteer*.
Tier I SOC Analyst; Threat Hunter; Digital Forensics (no cert); HTB Competitor; Pentester (no cert).

4th Year BCS Student.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83800
  • No support PMs thanks
Re: Drep Detection
« Reply #10 on: December 18, 2014, 11:37:10 PM »
Quote from: Michael (alan1998)
> <snip quote>
>
> OK. So, what does this mean for sites like portal.nbed.nb.ca (My School Domain) in which Students can transfer files? The idea behind this sounds Fantastic, but there ought to be measures in place (Hopefully) in which I can manually add certain sites (Like that one) to a Whitelist?

Essentially the school domain is more likely to be recognised as in point 2, so the remainder should fall into place as only one condition needs to be met to allow the download to take place.

I don't know if placing the school domain in the URL exclusions would achieve that, not scanned.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2779
  • Volunteer
Re: Drep Detection
« Reply #11 on: December 19, 2014, 12:56:29 AM »
David, the thing is. That is how I transfer my Projects (Coding Projects) like EXE and .SLN files. There needs to be a way, in which I can have Avast! not auto scan and flag those items.

In case you're curious as to why I do not use USB's at school. The security there sucks. There is nothing active short of Windows Firewall and Microsoft Security Essentials. (And since MCShield usually flags EXE and VB related files, I'd have to disable any security there).

Even aside from that.... Our local Technicians at school know jackcrap about how to remove an infection (Which is, slightly frustrating)....

1) The file wouldn't be recognized by Avast!. (Even as it is now, most of the time they are still "flagged" by something, whether it be Hardened Mode, the Evo-Gen detections or something else)
2) The portal isn't very known. Most teachers don't even know about it, let alone to students.
3) None of my files are digitally signed.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83800
  • No support PMs thanks
Re: Drep Detection
« Reply #12 on: December 19, 2014, 01:22:01 AM »
Let's put it this way, if this function is already in place as appears to be the case given this topic - then simply try downloading some of the files you have up there and see.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2779
  • Volunteer
Re: Drep Detection
« Reply #13 on: December 19, 2014, 01:45:03 AM »
Something must be satisfying avast!, because it's not currently complaining. (Although Chrome does).


Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 66907
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Drep Detection
« Reply #14 on: December 19, 2014, 04:38:19 AM »
Quote from: RejZoR
> Quote from: DavidR
> > Quote from: HonzaZ
> > > Hi,
> > > DomainRep is a new feature of Avast, so let me explain a bit. It blocks EXE file downloads if these conditions are *all* met:
> > > 1. The file is not prevalent enough, i.e. not enough Avast users launched the file yet,
> > > 2. The domain is not prevalent enough, i.e. not enough Avast users downloaded (any) EXE files from the domain yet,
> > > 3. The file is not signed or Avast does not trust the signature.
> > >
> > > Once one of these conditions is not met anymore, Avast will stop flagging the download. In other words, just wait until more people try to download the file, or digitally sign your files :-).
> > > Honza
> >
> > Isn't this a bit like the chicken and the egg (which came first) - how are you to download the file from the site if it hasn't met any of the conditions to build up a reputation of avast users?
> >
> > The only way I can see this happening would be if the file was signed, otherwise the file and/or domain name would remain blocked.
>
> I'm wondering the same thing actually...
Same here. Also, can/should this be reported as FP (if proven clean) or not..??