CyberCapture

[Alikhan]

Could Avast give some information on this?

I understand that:

CyberCapture works on low prevalent files downloaded from web and then executed. But is it only files from the web and are there more conditions that need to be met???

CyberCapture is basically an inverted Secure Virtual Machine. It does same or even extended analysis, but on avast! servers. What type of analysis is done and are the detections good?


Since the file is uploaded to Avast servers - if a file is 15 MB then the full 15mb file is uploaded to Avast servers or just parts of it?

[RejZoR]

That part about files being downloaded from web only triggering CyberCapture is bizarre. What if file arrives via USB thumb drive? avast! will just ignore it because it's not from a web link? Unfortunately we never got answer to that from avast! team for some reason.

[Milos]

Hello,
files downloaded from web and executed and low prevalent. No other conditions to trigger CyberCapture.

We use our internal tools for analysis, NG, our scanner with detections which are not released, ...

Whole file is uploaded because it will be run in our NG.

Files from USB thumb will not trigger CyberCapture.

Milos

[Eddy]

Kinda sucks for people with a low bandwidth.

[RejZoR]

Hello,
files downloaded from web and executed and low prevalent. No other conditions to trigger CyberCapture.

We use our internal tools for analysis, NG, our scanner with detections which are not released, ...

Whole file is uploaded because it will be run in our NG.

Files from USB thumb will not trigger CyberCapture.

Milos

Sorry, but that's a bit dumb design. Whole point of proactive features is to keep all entry points covered. Only covering web downloads, even though most common is like wearing bullet proof helmet, but no bullet proof west... Makes as much sense...

[Eddy]

downloaded from web

Is ftp, p2p, mail attachments and such also covered ?

[RejZoR]

I don't understand logic behind their design at all. Wouldn't collection of as many unknown EXE files as possible make more sense? Then you throw them through a huge system of sorting and classification, not necessarily directly to NG on their servers. That's how you proactively combat unknown malware and protect all entry points later on without the need to focus on a single infection vector only...

[Eddy]

Seems to me there is no need to upload every file.
Get the hash from a file.
Upload it to the avast server.
If it is unknown upload the file.
If it is known, there is no need to upload the file.
Seems to me much better for people with a low bandwidth and especially for those who have a data limit.

[Milos]

downloaded from web

Is ftp, p2p, mail attachments and such also covered ?

Hello,
current implementation covers http(s) sources.

Milos

[Milos]

Seems to me there is no need to upload every file.
Get the hash from a file.
Upload it to the avast server.
If it is unknown upload the file.
If it is known, there is no need to upload the file.
Seems to me much better for people with a low bandwidth and especially for those who have a data limit.

Hello,
yes, if we don't have the file (prevalence = 0) then we upload it to our servers. Other users with same hash don't upload the file.

Milos

[RejZoR]

downloaded from web

Is ftp, p2p, mail attachments and such also covered ?

Hello,
current implementation covers http(s) sources.

Milos

So, you're leaving out P2P, e-mails and USB sources entirely. Very bad policy. VERY BAD. And it's kinda becoming a tradition with avast!.  Awesome new feature released and then you start digging and you realize it's once again limited to a very specific narrow scope of potential malware. Why are you guys doing this all the freaking time? 

It's almost hard to be enthusiastic anymore about new technology in avast! because I can already tell you this won't really have a noticeable impact on end user protection. It's again just a trend that keeps repeating and I very much want you guys to finally prove me wrong...

[TrueIndian]

I don't like this implementation...so only for downloaded files?? what if its already on the pc? or comes from a usb stick...this isn't comodo sanbox.Hell! even they have a setting to change that.

And why even implement this if it can't even cover e-mail and P2P....Come on! I am sure avast! team knows Locky and other threats are spreading from e-mail.    Stop trying to make this Norton Download Insight I hate that

And what happened to the sandbox anaylsis? Can't they just link up the files that are sandboxed to their servers to analyze them.What's the catch for cybercapture?? doesn't do what the sandbox or ng used to do?? atleast we avast! used to sandbox unknown files...downloaded or not.

[Lord_Ami]

I believe it's limited to downloaded files only because there would be too many requests for every file on PC. 230+ million users...

I'd imagine they start small and see how the tech works in real world. Then they will expand it. Let's wait and see.

[Alikhan]

Hello,
current implementation covers http(s) sources.

Milos

I think this is ridiculous.

There are many other ways of getting infected such as via email, P2P, FTP and USBs - will avast just let those malware through.

Seriously, this is frustrating, you hear something positive and you're excited about it and then when more details emerge, it's the same old Avast.

A lot of malware testing done by AV vendors and people who test malware on virtual machines download the malware and put it on a USB to transfer to a virtual machine, that would simply mean that CyberCapture would be useless in those cases.

I seriously think the Avast team need to rethink this.

[RejZoR]

It needs to be expanded to P2P, e-mail and removable drives. These are the most common infection vectors and sources of suspicious binaries.