Author Topic: CyberCapture  (Read 81023 times)


Offline Alikhan

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2234
CyberCapture
« on: June 22, 2016, 01:33:57 AM »
Could Avast give some information on this?

I understand that:

CyberCapture works on low-prevalence files downloaded from the web and then executed. But is it only files from the web, and are there more conditions that need to be met?

CyberCapture is basically an inverted Secure Virtual Machine. It does the same or even more extended analysis, but on avast! servers. What type of analysis is done, and are the detections good?


Since the file is uploaded to Avast servers: if a file is 15 MB, is the full 15 MB file uploaded to Avast servers, or just parts of it?


Windows 10 Home 64-bit • Avast Free (latest stable version) •  Malwarebytes 4 Premium (On-Demand) • Windows Firewall Control • Google Chrome • LastPass • CCleaner • O&O ShutUp10 •

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9328
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: CyberCapture
« Reply #1 on: June 22, 2016, 02:02:15 AM »
That part about only files downloaded from the web triggering CyberCapture is bizarre. What if a file arrives via a USB thumb drive? Will avast! just ignore it because it's not from a web link? Unfortunately we never got an answer to that from the avast! team for some reason.
Visit my webpage Angry Sheep Blog

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2158
Re: CyberCapture
« Reply #2 on: June 22, 2016, 09:10:24 AM »
Hello,
files downloaded from the web, executed, and low-prevalence. There are no other conditions to trigger CyberCapture.

We use our internal tools for analysis: NG, our scanner with detections that are not released, ...

The whole file is uploaded because it will be run in our NG.

Files from a USB thumb drive will not trigger CyberCapture.

Milos

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31345
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: CyberCapture
« Reply #3 on: June 22, 2016, 09:20:09 AM »
Kinda sucks for people with low bandwidth.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9328
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: CyberCapture
« Reply #4 on: June 22, 2016, 09:28:15 AM »
Quote
Hello,
files downloaded from the web, executed, and low-prevalence. There are no other conditions to trigger CyberCapture.

We use our internal tools for analysis: NG, our scanner with detections that are not released, ...

The whole file is uploaded because it will be run in our NG.

Files from a USB thumb drive will not trigger CyberCapture.

Milos

Sorry, but that's a bit of a dumb design. The whole point of proactive features is to keep all entry points covered. Only covering web downloads, even though they are the most common, is like wearing a bulletproof helmet but no bulletproof vest... Makes as much sense...
Visit my webpage Angry Sheep Blog

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31345
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: CyberCapture
« Reply #5 on: June 22, 2016, 09:32:11 AM »
Quote
downloaded from web
Are FTP, P2P, mail attachments and such also covered?

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9328
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: CyberCapture
« Reply #6 on: June 22, 2016, 09:41:27 AM »
I don't understand the logic behind their design at all. Wouldn't collecting as many unknown EXE files as possible make more sense? Then you run them through a huge system of sorting and classification, not necessarily directly into NG on their servers. That's how you proactively combat unknown malware and protect all entry points later on, without needing to focus on a single infection vector only...
Visit my webpage Angry Sheep Blog

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31345
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: CyberCapture
« Reply #7 on: June 22, 2016, 09:49:00 AM »
Seems to me there is no need to upload every file.
Get the hash of a file.
Upload it to the avast server.
If it is unknown, upload the file.
If it is known, there is no need to upload the file.
Seems to me much better for people with low bandwidth, and especially for those who have a data limit.

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2158
Re: CyberCapture
« Reply #8 on: June 22, 2016, 12:46:04 PM »
Quote
downloaded from web
Are FTP, P2P, mail attachments and such also covered?
Hello,
the current implementation covers http(s) sources.

Milos

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2158
Re: CyberCapture
« Reply #9 on: June 22, 2016, 12:50:44 PM »
Quote
Seems to me there is no need to upload every file.
Get the hash of a file.
Upload it to the avast server.
If it is unknown, upload the file.
If it is known, there is no need to upload the file.
Seems to me much better for people with low bandwidth, and especially for those who have a data limit.
Hello,
yes, if we don't have the file (prevalence = 0) then we upload it to our servers. Other users with the same hash don't upload the file.

Milos
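To make the two replies above concrete (Milos's trigger conditions: http(s) origin, executed, low prevalence; and Eddy's hash-first flow that Milos confirms, where only the first client with prevalence 0 uploads the full file), here is a constructed Python model of that client/back-end exchange. It is an added illustration, not Avast's code: the `PrevalenceService` class, the `submit` function and the sample bytes are all assumptions made for this example, and the back end is a toy dictionary rather than a real sandbox.

```python
import hashlib
from dataclasses import dataclass, field

# Origins the thread says are covered by the current implementation.
HTTP_SOURCES = {"http", "https"}


@dataclass
class PrevalenceService:
    """Toy stand-in for the vendor back end (constructed for this example).

    counts:  hash -> how many clients have reported that hash
    uploads: hashes whose full content has been received for analysis
    """
    counts: dict = field(default_factory=dict)
    uploads: list = field(default_factory=list)

    def prevalence(self, digest: str) -> int:
        return self.counts.get(digest, 0)

    def record(self, digest: str) -> None:
        self.counts[digest] = self.counts.get(digest, 0) + 1

    def receive_upload(self, digest: str, data: bytes) -> None:
        # A real back end would hand the sample to the sandbox here;
        # this model only records that the content arrived.
        self.uploads.append(digest)


@dataclass
class Outcome:
    action: str       # "not_applicable", "hash_only" or "uploaded"
    bytes_sent: int   # what the client put on the wire


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def submit(data: bytes, source: str, executed: bool,
           server: PrevalenceService) -> Outcome:
    """Client-side decision: hash first, upload only if nobody has the file yet."""
    # Trigger conditions as stated in the thread: http(s) origin and executed.
    if source not in HTTP_SOURCES or not executed:
        return Outcome("not_applicable", 0)
    digest = sha256_hex(data)
    sent = len(digest)                    # the lookup costs only the hex digest
    if server.prevalence(digest) == 0:    # first sighting: send the whole sample
        server.receive_upload(digest, data)
        sent += len(data)
        action = "uploaded"
    else:                                 # someone already sent it: hash only
        action = "hash_only"
    server.record(digest)
    return Outcome(action, sent)


def demo() -> list:
    """Constructed scenario: one binary seen by two web clients, then from USB."""
    server = PrevalenceService()
    # Constructed 10 KiB stand-in for a downloaded executable (not a real PE).
    sample = b"MZ" + bytes(range(256)) * 40
    return [
        submit(sample, "https", True, server),   # first client: full upload
        submit(sample, "https", True, server),   # second client: hash only
        submit(sample, "usb", True, server),     # USB origin: not covered
        submit(sample, "https", False, server),  # downloaded but never run
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome.action, outcome.bytes_sent)
```

The bandwidth saving Eddy is after shows up in `bytes_sent`: the second client sends 64 bytes instead of the whole file. The caveat a practitioner would add is that hash-based deduplication only helps for byte-identical files; a sample that is repacked per download has prevalence 0 for every client and gets uploaded every time, so the "low prevalence" rule is exactly what makes such samples interesting to the back end and also what makes them costly for a metered connection.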

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9328
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: CyberCapture
« Reply #10 on: June 22, 2016, 12:55:50 PM »
Quote
downloaded from web
Are FTP, P2P, mail attachments and such also covered?
Hello,
the current implementation covers http(s) sources.

Milos

So, you're leaving out P2P, e-mail and USB sources entirely. Very bad policy. VERY BAD. And it's kinda becoming a tradition with avast!. An awesome new feature is released, and then you start digging and realize it's once again limited to a very specific, narrow scope of potential malware. Why are you guys doing this all the freaking time? :-\

It's almost hard to be enthusiastic anymore about new technology in avast!, because I can already tell you this won't really have a noticeable impact on end-user protection. It's again just a trend that keeps repeating, and I very much want you guys to finally prove me wrong...
« Last Edit: June 22, 2016, 01:00:56 PM by RejZoR »
Visit my webpage Angry Sheep Blog

Offline TrueIndian

  • Poster
  • *
  • Posts: 434
Re: CyberCapture
« Reply #11 on: June 22, 2016, 01:50:25 PM »
I don't like this implementation... so only for downloaded files? What if it's already on the PC, or comes from a USB stick? This isn't Comodo Sandbox. Hell! Even they have a setting to change that.

And why even implement this if it can't even cover e-mail and P2P... Come on! I am sure the avast! team knows Locky and other threats are spreading via e-mail. :P Stop trying to make this Norton Download Insight; I hate that. :o

And what happened to the sandbox analysis? Can't they just link up the files that are sandboxed to their servers to analyze them? What's the catch with CyberCapture? Doesn't it do what the sandbox or NG used to do? At least avast! used to sandbox unknown files... downloaded or not.
« Last Edit: June 22, 2016, 02:08:44 PM by True Ind »
Malware Hunter/Tester/Analysis
https://twitter.com/avman1995

“When I despair, I remember that all through history the way of truth and love have always won. There have been tyrants and murderers, and for a time, they can seem invincible, but in the end, they always fall. Think of it--always.”
― Mahatma Gandhi

Offline Lord_Ami

  • Sr. Member
  • ****
  • Posts: 227
Re: CyberCapture
« Reply #12 on: June 22, 2016, 03:02:08 PM »
I believe it's limited to downloaded files only because there would be too many requests if every file on a PC were checked. 230+ million users...

I'd imagine they start small and see how the tech works in real world. Then they will expand it. Let's wait and see.

Offline Alikhan

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2234
Re: CyberCapture
« Reply #13 on: June 22, 2016, 04:18:44 PM »
Quote
Hello,
the current implementation covers http(s) sources.

Milos

I think this is ridiculous.

There are many other ways of getting infected, such as via email, P2P, FTP and USB drives; will Avast just let that malware through?

Seriously, this is frustrating: you hear something positive and you're excited about it, and then when more details emerge, it's the same old Avast.

A lot of malware testers at AV vendors, and people who test malware on virtual machines, download the malware and put it on a USB drive to transfer it to a virtual machine; that would simply mean CyberCapture is useless in those cases.

I seriously think the Avast team needs to rethink this.
Windows 10 Home 64-bit • Avast Free (latest stable version) •  Malwarebytes 4 Premium (On-Demand) • Windows Firewall Control • Google Chrome • LastPass • CCleaner • O&O ShutUp10 •

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9328
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: CyberCapture
« Reply #14 on: June 22, 2016, 07:47:22 PM »
It needs to be expanded to P2P, e-mail and removable drives. These are the most common infection vectors and sources of suspicious binaries.
Visit my webpage Angry Sheep Blog