Author Topic: Avast completetly ignoring Teslacrypt.  (Read 16257 times)

0 Members and 1 Guest are viewing this topic.

Offline jvidal

  • Sr. Member
  • ****
  • Posts: 325
Avast completetly ignoring Teslacrypt.
« on: December 24, 2015, 01:04:23 AM »
Hi!

These last few  months, I've stumbled upon several people affected by the teslacrypt family of ransomware viruses. All of them had Avast on their computers, which didn't detect it AT ALL.

What is going on? why isn't avast detecting this INCREDIBLY DANGEROUS virus?????

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Avast completetly ignoring Teslacrypt.
« Reply #1 on: December 24, 2015, 01:28:13 AM »
1]
It is not a virus but ransomware.

2]
avast does detect many variants of TeslaCrypt.

3]
There is not tool that detects all malware.

4]
Many people have pup detection disabled in avast.
TeslaCrypt is (amongst other ways) spread through pup's.

5]
Detection can only be added if avast (and other malware vendors/developers) have a sample of the malware.
Doctors can't develop a cure for a decease that the don't know the existents of. ;)

6]
I have to guess here, but those people are using a account with administrator rights for daily use.
That means that if malware gets on the system it has the same rights as the user.
NEVER use a account with administrator rights for daily use.

Security on/for a system starts with what the user knows/does, not with software.

Offline jvidal

  • Sr. Member
  • ****
  • Posts: 325
Re: Avast completetly ignoring Teslacrypt.
« Reply #2 on: December 24, 2015, 02:19:39 AM »
are you for real????

Not a virus????? yeah, right.

Avast hasn't detected ANY variant of teslacrypt, alphacrypt or cryptolocker/cryptowall so far.

I know it can't detect all malware, but at least it should detect some of it!!!

Maybe PUP is disabled by default, it still should detect ransomware viruses even if pup detection is not enabled. This is not a valid excuse.

Probably they use an admin-enabled accout, but they have their reasons. Limited accounts won't allow you to do a lot of necessary things.

Oh, and BTW, Avast flags the tesladecoder tool used to try and decrypt the files as a virus, but not the actual virus. Neat!


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Avast completetly ignoring Teslacrypt.
« Reply #3 on: December 24, 2015, 10:55:07 AM »
Yes, I am for real.
It is not a virus, but ransomware.

A virus is just one of the (many) types of malware.
Some others are : trojan, adware, scareware

avast sure has detected several variants of ransomware.
You can check the vps history what avast is detecting.
https://www.avast.com/virus-update-history
Keep in mind that different vendors often have different naming for the same malware.

Saying avast detects the TeslaCrypt encoder as malware isn't much helpful.
Which exact decoder do you mean ?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37586
  • Not a avast user
Re: Avast completetly ignoring Teslacrypt.
« Reply #4 on: December 24, 2015, 11:04:10 AM »
Quote
Not a virus????? yeah, right.
all virus are malware, but all malware are not virus. If it does not  self-replicate it is not a virus

quote VB100
Quote
In a stricter sense 'virus' applies only to self-replicating malware, and even more specifically only to code which infects other files on the local system


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Avast completetly ignoring Teslacrypt.
« Reply #5 on: December 24, 2015, 11:06:56 AM »
As addition.
A virus attaches itself to the end of a file, not changing the rest of the file.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37586
  • Not a avast user
Re: Avast completetly ignoring Teslacrypt.
« Reply #6 on: December 24, 2015, 11:12:29 AM »
As addition.
A virus attaches itself to the end of a file, not changing the rest of the file.
end/beginning depends on what version, there are also space filler variants (cavity injectors)


« Last Edit: December 24, 2015, 11:33:37 AM by Pondus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37586
  • Not a avast user
Re: Avast completetly ignoring Teslacrypt.
« Reply #7 on: December 24, 2015, 11:23:18 AM »
Quote
Avast hasn't detected ANY variant of teslacrypt, alphacrypt or cryptolocker/cryptowall so far.
No   ::)   well a quick google search give this

Teslacrypt
https://www.virustotal.com/nb/file/21fd3ae9ad43d66dafb94aab22d985d44805df86912882476d840110ab1347f1/analysis/

Alphacrypt
https://www.virustotal.com/nb/file/7bdc23cc435305da225148b643fc5273a0bf4e227327e15309fe8d5d98c12c20/analysis/
https://www.virustotal.com/nb/file/10cefc780480238a0072c34b4d43571321db91eeb4fc36b1c8ceb5dd7d7aaab1/analysis/

Cryptolocker
https://www.virustotal.com/nb/file/a2bc3059283d7cc7bc574ce32cb6b8bfd27e02ac3810a21bd3a9b84c17f18a72/analysis/

Cryptowall
https://www.virustotal.com/nb/file/45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d/analysis/
https://www.virustotal.com/nb/file/55e866cc8580e5f9f7f6560e478f3b37b3362e9f94e88439beef6026c86c80be/analysis/
https://www.virustotal.com/nb/file/45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d/analysis/


Quote
What is going on? why isn't avast detecting this INCREDIBLY DANGEROUS virus?
New changed versions are frequently released to avoid detection


Quote
Oh, and BTW, Avast flags the tesladecoder tool used to try and decrypt the files as a virus, but not the actual virus. Neat!
It is normal that tools used to clean malware are detected bc of how they behave, happens frequently with all the tools used by this forums malware removal team

https://www.virustotal.com/nb/file/84b86bd83929a9bda1d114a0df9361a8a51d38af27a60879fd405af4477263f3/analysis/1450954969/

« Last Edit: December 24, 2015, 12:04:52 PM by Pondus »

Offline viny-stras

  • Newbie
  • *
  • Posts: 1
Re: Avast completetly ignoring Teslacrypt.
« Reply #8 on: January 22, 2016, 04:22:39 PM »
Hello, I just have a friend with avast running and up to date (11.1.2245 with data base 160122-0) that have been infected by cryptowall 4.0 to day.

He have a backup done every week on an usb drive, so it should be ok to restore his file.

But now the question is to know if there is a way to have a good protection against this kind of malware ?
Because avast still running on his PC without seing or doing anything against cryptowall 4.0 :-(

It seems malwarebytes can see it, I will do a scan with it.
Hope you will be able to work on a protection again this type of malware.

Bests regards,

Vincent (from France)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37586
  • Not a avast user
Re: Avast completetly ignoring Teslacrypt.
« Reply #9 on: January 22, 2016, 04:27:49 PM »
Hello, I just have a friend with avast running and up to date (11.1.2245 with data base 160122-0) that have been infected by cryptowall 4.0 to day.

He have a backup done every week on an usb drive, so it should be ok to restore his file.

But now the question is to know if there is a way to have a good protection against this kind of malware ?
Because avast still running on his PC without seing or doing anything against cryptowall 4.0 :-(

It seems malwarebytes can see it, I will do a scan with it.
Hope you will be able to work on a protection again this type of malware.

Bests regards,

Vincent (from France)
Do you need assistanse from Malware removal team?   

if so, follow instructions here  https://forum.avast.com/index.php?topic=53253.0




Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2295
Re: Avast completetly ignoring Teslacrypt.
« Reply #10 on: January 26, 2016, 10:15:54 AM »
Hello,
samples that we have are already detected. Maybe this is some new variant, which is not covered by any our generic detection. We would like to have such samples to analyze.
Can you send us the malware samples to analyze why it was not detected? Create a ticket on https://support.avast.com/ and attach the samples, please.

Thank you,
Milos

Offline Lotan

  • Sr. Member
  • ****
  • Posts: 289
Re: Avast completetly ignoring Teslacrypt.
« Reply #11 on: February 15, 2016, 02:16:11 AM »
quick question. how do you avoid ransomware and prevent it to begin with? is it something hackers install directly to your pc through hacking or is it by clicking bad/infected links?

Offline bob3160

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 48612
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Avast completetly ignoring Teslacrypt.
« Reply #12 on: February 15, 2016, 09:56:25 AM »
quick question. how do you avoid ransomware and prevent it to begin with? is it something hackers install directly to your pc through hacking or is it by clicking bad/infected links?
https://www.foolishit.com/cryptoprevent-malware-prevention/
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline Lotan

  • Sr. Member
  • ****
  • Posts: 289
Re: Avast completetly ignoring Teslacrypt.
« Reply #13 on: February 15, 2016, 10:23:05 AM »
how do i know if cryptoprevent is working? as there doesnt seem to be any toolbar icon

Offline bob3160

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 48612
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Avast completetly ignoring Teslacrypt.
« Reply #14 on: February 15, 2016, 10:34:14 AM »
how do i know if cryptoprevent is working? as there doesnt seem to be any toolbar icon
This explains how it works and why you don't need any toolbars icons etc.
http://www.bleepingcomputer.com/forums/t/525028/cryptoprevent-does-it-work/page-2#entry3619786
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet