Author Topic: CyberCapture  (Read 132732 times)


Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: CyberCapture
« Reply #15 on: June 22, 2016, 07:58:43 PM »
Hi guys,

Glad to see some excitement about CyberCapture here -- it indeed is quite an exciting piece of technology (really taking benefit of a bunch of things that we have been building for years) and we can't wait to see it in action -- that is, can't wait till the Nitro Update really starts rolling out to millions of users and our backend systems start getting some serious load with this. :-)

Anyway... I totally hear your concern, and would like to say one thing from the very beginning: there's absolutely no design limitation that would imply that CyberCapture can only work with http/https downloads. And in fact, we totally plan to extend its scope in the upcoming weeks and months. The beautiful thing about it is that the decision process takes place (again) in the cloud, so these things can actually be changed at any time.

The reason why we have limited it to http/https downloads for now is that this is the category of files that carries most infections, and at the same time, contains some additional metadata (e.g. the source URL) that allow us to minimize false positives and generally make faster and more accurate decisions. And it also allows us to slightly lower the number of files coming to the system, which is important to make sure our backend stuff can gradually handle the load (we're quite confident we have built them robustly, but it's always a good practice to roll such things out in stages).

Remember, CyberCapture has been in production for about 1 day now. Here's a proposal. Let's give it a bit of time, and make sure that it handles the http/https vector really well (which would already be quite an accomplishment, given that statistically, 85%+ of all malware comes through that channel). And in parallel, let us work on the other vectors.

Deal?

Thanks
Vlk
« Last Edit: June 22, 2016, 08:28:19 PM by Vlk »

Offline Alikhan

  • Avast Evangelist
  • Super Poster
  • Posts: 2220
Re: CyberCapture
« Reply #16 on: June 22, 2016, 08:33:21 PM »
Quote from: Vlk
> Hi guys,
>
> Glad to see some excitement about CyberCapture here -- it indeed is quite an exciting piece of technology (really taking benefit of a bunch of things that we have been building for years) and we can't wait to see it in action -- that is, can't wait till the Nitro Update really starts rolling out to millions of users and our backend systems start getting some serious load with this. :-)
>
> Anyway... I totally hear your concern, and would like to say one thing from the very beginning: there's absolutely no design limitation that would imply that CyberCapture can only work with http/https downloads. And in fact, we totally plan to extend its scope in the upcoming weeks and months. The beautiful thing about it is that the decision process takes place (again) in the cloud, so these things can actually be changed at any time.
>
> The reason why we have for now limited it to http/https downloads is that this is the category of files that carries most infections, and at the same time, contains some additional metadata (e.g. the source URL) that allow us to minimize false positives and generally make faster and more accurate decisions. And it also allows us to slightly lower the number of files coming to the system, which is important to make sure our backend stuff can gradually handle the load (we're quite confident we have built them robustly, but it's always a good practice to roll such things out in stages).
>
> Remember, CyberCapture has been in production for about 1 day now. Let's give it a bit of time, and make sure that it handles the http/https vector really well (which is already quite an accomplishment, given that statistically, 85%+ of all malware comes through that channel). And in parallel, let us work on the other vectors.
>
> Deal?
>
> Thanks
> Vlk

That's a fair enough deal and that it will reach other vectors soon.

But it's important for you guys to realise that by not including other vectors such as USB, you will be missing malware. Many users don't run a file straight from the Internet; they might save it to a USB drive and run it at another time, for example.

Thanks for your explanation Vlk. I hope it lives up to its expectations.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: CyberCapture
« Reply #17 on: June 22, 2016, 09:11:06 PM »
Quote from: Vlk
> Hi guys,
>
> Glad to see some excitement about CyberCapture here -- it indeed is quite an exciting piece of technology (really taking benefit of a bunch of things that we have been building for years) and we can't wait to see it in action -- that is, can't wait till the Nitro Update really starts rolling out to millions of users and our backend systems start getting some serious load with this. :-)
>
> Anyway... I totally hear your concern, and would like to say one thing from the very beginning: there's absolutely no design limitation that would imply that CyberCapture can only work with http/https downloads. And in fact, we totally plan to extend its scope in the upcoming weeks and months. The beautiful thing about it is that the decision process takes place (again) in the cloud, so these things can actually be changed at any time.
>
> The reason why we have limited it to http/https downloads for now is that this is the category of files that carries most infections, and at the same time, contains some additional metadata (e.g. the source URL) that allow us to minimize false positives and generally make faster and more accurate decisions. And it also allows us to slightly lower the number of files coming to the system, which is important to make sure our backend stuff can gradually handle the load (we're quite confident we have built them robustly, but it's always a good practice to roll such things out in stages).
>
> Remember, CyberCapture has been in production for about 1 day now. Here's a proposal. Let's give it a bit of time, and make sure that it handles the http/https vector really well (which would already be quite an accomplishment, given that statistically, 85%+ of all malware comes through that channel). And in parallel, let us work on the other vectors.
>
> Deal?
>
> Thanks
> Vlk

I know it's a long shot, but it would be nice if you could provide a CyberCapture webpage with some statistics on how the service is operating, what the malware hit ratio is, and other interesting statistics about it. So we can kind of see how many received files are marked as malicious, how many were found clean, which countries have the most new malware detected through the system, and all that.

Since the introduction of a faster-evolving program with monthly updates and the relocation of a lot of things to the cloud, I hope CyberCapture will evolve into an actually powerful feature and not yet another cool tech that never really brought proper results to the end users.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • Posts: 3645
Re: CyberCapture
« Reply #18 on: June 22, 2016, 09:14:37 PM »
How about a site where you can check whether files are unknown to it, marked safe, malicious or undefined?

So that Avast can also be informed of malware that it missed, to keep improving it; or otherwise, save the analysis data of each file that's marked clean or undecided and check it manually to keep improving it :)

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: CyberCapture
« Reply #19 on: June 22, 2016, 09:19:10 PM »
I think it's better to keep it program-only so malware writers have a really hard time creating malware, because they can't just check through a webpage; they'd have to actually test on a functioning program that would be able to feed captured data to the cloud and track their whole malware-writing process. That's the huge benefit of the cloud: malware writers can never be sure how the system will react to their attempts to bypass it.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: CyberCapture
« Reply #20 on: June 22, 2016, 09:21:16 PM »
I would like to know what it does (if anything at all) with web-based email as that is http(s).

Offline jefferson sant

  • Starting Graphoman
  • Posts: 6677
  • volunteer
Re: CyberCapture
« Reply #21 on: June 22, 2016, 09:23:45 PM »
Quote from: Milos
> Hello,
> files downloaded from the web and executed, and low prevalence. No other conditions to trigger CyberCapture.
> Milos

What does the FileRep function do then, almost one of the characteristics, not referring to detections since they are still necessary? I see no advantage in this resource remaining.
« Last Edit: June 22, 2016, 09:33:42 PM by jefferson sant »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: CyberCapture
« Reply #22 on: June 22, 2016, 09:30:53 PM »
Other users with the same hash don't upload the file.
I suppose the hash is done on the server side.
Hashing is known as an intensive action for big archives.
Won't it slow down https browsing?
Is there an archive size limit?
How would you know if prevalence = 0 without hashing every single file in the HTTPS traffic?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: CyberCapture
« Reply #23 on: June 22, 2016, 09:34:52 PM »
Quote from: Vlk
> Anyway... I totally hear your concern, and would like to say one thing from the very beginning: there's absolutely no design limitation that would imply that CyberCapture can only work with http/https downloads. And in fact, we totally plan to extend its scope in the upcoming weeks and months. The beautiful thing about it is that the decision process takes place (again) in the cloud, so these things can actually be changed at any time.

How would hashing be done on a USB file if it is not done on our computers (client side)?

Quote from: Vlk
> Remember, CyberCapture has been in production for about 1 day now. Here's a proposal. Let's give it a bit of time, and make sure that it handles the http/https vector really well (which would already be quite an accomplishment, given that statistically, 85%+ of all malware comes through that channel). And in parallel, let us work on the other vectors.
> Deal?
> Thanks
> Vlk

Ok. Please, publish and hype the results... Oh, make sure the competence does not copy the technology (that soon) ;D

Offline TrueIndian

  • Poster
  • Posts: 433
Re: CyberCapture
« Reply #24 on: June 23, 2016, 07:55:52 AM »
Well, I think that's a deal. Questions I have:

1. What is this Nitro update feature? How is it going to be any different from the streaming updates? This is more confusing.

2. I agree that CyberCapture is a strong feature. But then the same thing was being done by IQ community sensors, but with a delay. So is this thing any different from that? Or is the IQ community now being put to use after years of usage?

3. Any limitations to the file size that CyberCapture may upload to your servers?

4. Are the sandbox and CyberCapture now one and the same? If not, what's the difference? Analysis on the user's machine and analysis in the cloud is the only difference.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: CyberCapture
« Reply #25 on: June 23, 2016, 01:28:47 PM »
Quote from: RejZoR
> I know it's a long shot, but it would be nice if you could provide a CyberCapture webpage with some statistics on how the service is operating, what the malware hit ratio is, and other interesting statistics about it. So we can kind of see how many received files are marked as malicious, how many were found clean, which countries have the most new malware detected through the system, and all that.

Good idea. It would be kind of cool. And similarly, on an individual file level (so that YOU, as the contributor, could check the status of your files in real time).

Quote from: Eddy
> I would like to know what it does (if anything at all) with web-based email as that is http(s).

This scenario is already covered.

Quote from: Lisandro
> I suppose the hash is done on the server side.
> Hashing is known as an intensive action for big archives.
> Won't it slow down https browsing?
> Is there an archive size limit?
> How would you know if prevalence = 0 without hashing every single file in the HTTPS traffic?

Hashes are always done on the client side, of course. That's the whole point -- so that we don't need to upload files that we already have / know about.
I wouldn't be concerned about any slowdowns caused by the calculation of the hash. In fact, in our implementation, we compute the hash "on the fly", as the file is being downloaded. I.e. every time a chunk of data is fetched from the network, we update the hash, so there's no need to calculate the whole hash when the download completes; we already have it by then.

There's no file size limit per se.

Quote from: TrueIndian
> 1. What is this Nitro update feature? How is it going to be any different from the streaming updates? This is more confusing.

Nitro is a name we have given to the latest version of Avast (not a name of a feature), to emphasize the effort we have spent on making it faster and leaner. Internally, for us it also means some other changes and I will be communicating these in the forum soon... I think you will like it.

Quote from: TrueIndian
> 2. I agree that CyberCapture is a strong feature. But then the same thing was being done by IQ community sensors, but with a delay. So is this thing any different from that? Or is the IQ community now being put to use after years of usage?

There are a number of differences. The one most important from the protection point of view is its synchronous nature. I.e. we actually don't allow the captured file to run until a definitive decision is made. CyberCapture also helped us here in the Threat Labs to streamline a number of processes and get better at detecting stuff.

Quote from: TrueIndian
> 3. Any limitations to the file size that CyberCapture may upload to your servers?

See above, no.

Quote from: TrueIndian
> 4. Are the sandbox and CyberCapture now one and the same? If not, what's the difference? Analysis on the user's machine and analysis in the cloud is the only difference.

Sandbox (DeepScreen) is a part of CyberCapture. We use it both locally (on the user's computer -- to filter out the most obvious malware) and also on the backend (in a controlled environment, with full NG support and much more time to play with it).

Thanks
Vlk
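Vlk's answer above describes two mechanisms worth seeing in code: the hash is updated chunk by chunk while the download is still in flight (so the digest is ready the instant the last byte lands, with no second pass over the file), and the client then uses that digest to decide, before the file is allowed to run, whether it is already known, already submitted by someone else, or genuinely new and in need of a cloud verdict. The Python below is an added example written for this thread, not Avast's code or anything the post describes in detail: the chunk sizes, the sample "files", the reputation table and its labels, and the prevalence values are all constructed for the illustration.

```python
# Added example (not Avast's code): hash a download incrementally as chunks
# arrive, look the digest up in a reputation table, and decide synchronously
# whether the file may run. Sample bytes, chunk sizes and the reputation
# table are constructed for this illustration.
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "known clean, let it run"
    BLOCK = "known malicious, do not run"
    HOLD = "unknown or undecided, hold execution until the cloud answers"


class DownloadHasher:
    """Feeds each network chunk into the digest as it arrives, so the final
    hash is ready the moment the last chunk lands instead of requiring a
    second pass over the finished file."""

    def __init__(self):
        self._h = hashlib.sha256()
        self.size = 0

    def feed(self, chunk: bytes) -> None:
        self._h.update(chunk)
        self.size += len(chunk)

    def hexdigest(self) -> str:
        return self._h.hexdigest()


def chunked(data: bytes, chunk_size: int):
    """Stand-in for reading a download from the network in pieces (constructed)."""
    for i in range(0, len(data), chunk_size):
        yield data[i:i + chunk_size]


def hash_stream(chunks) -> str:
    """Hash a sequence of chunks; the result is independent of how the
    stream was split."""
    dh = DownloadHasher()
    for c in chunks:
        dh.feed(c)
    return dh.hexdigest()


# Constructed sample "files"; the bytes are invented for the example.
CLEAN_SAMPLE = b"MZ" + b"constructed well-known clean installer " * 40
BAD_SAMPLE = b"MZ" + b"constructed known malicious dropper " * 40
PENDING_SAMPLE = b"MZ" + b"constructed file another user already submitted " * 40
NEW_SAMPLE = b"MZ" + b"constructed never-seen-before binary " * 40

# Hypothetical client-side view of the cloud reputation data:
# digest -> (label, prevalence). A digest absent from it has never been seen.
REPUTATION = {
    hashlib.sha256(CLEAN_SAMPLE).hexdigest(): ("clean", 120_000),
    hashlib.sha256(BAD_SAMPLE).hexdigest(): ("malicious", 340),
    hashlib.sha256(PENDING_SAMPLE).hexdigest(): ("undecided", 3),
}


def decide(digest: str, reputation=REPUTATION):
    """Return (verdict, upload_needed). Only a digest nobody has reported
    before triggers an upload; a file another user already submitted is
    held until the verdict arrives but is not sent a second time."""
    entry = reputation.get(digest)
    if entry is None:
        return Verdict.HOLD, True
    label, _prevalence = entry
    if label == "malicious":
        return Verdict.BLOCK, False
    if label == "clean":
        return Verdict.ALLOW, False
    return Verdict.HOLD, False


def process_download(chunks, reputation=REPUTATION):
    """Hash while 'downloading', then decide before the file may run."""
    digest = hash_stream(chunks)
    verdict, upload = decide(digest, reputation)
    return digest, verdict, upload


if __name__ == "__main__":
    for name, data in [("clean", CLEAN_SAMPLE), ("bad", BAD_SAMPLE),
                       ("pending", PENDING_SAMPLE), ("new", NEW_SAMPLE)]:
        digest, verdict, upload = process_download(chunked(data, 4096))
        print(f"{name:8s} {digest[:16]}...  {verdict.value}; upload={upload}")
```

The HOLD branch is the "synchronous nature" Vlk mentions: the client keeps the file from executing until a definitive answer exists, rather than letting it run and reporting afterwards. The dedup on the digest is what keeps a popular file from being uploaded by every user who downloads it.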

Offline Be Secure

  • Long Time Avast User(10years.....) Security Enthusiast.
  • Avast Evangelist
  • Super Poster
  • Posts: 1908
Re: CyberCapture
« Reply #26 on: June 23, 2016, 01:48:46 PM »
It still can't block JS malware.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: CyberCapture
« Reply #27 on: June 23, 2016, 01:56:27 PM »
Quote from: Be Secure
> It still can't block JS malware.

By JS, you mean JavaScript, right?

CyberCapture is a technology designed to block binary malware, correct. We have different technologies (particularly in the Web Shield) that focus on JavaScript, but CyberCapture is not one of them. With that said, it's worth adding that in the vast majority of cases, even if you hit a JavaScript piece of malware, the payload is then downloaded in binary form and can therefore be successfully blocked by CyberCapture.

Thanks,
Vlk

Offline Be Secure

  • Long Time Avast User(10years.....) Security Enthusiast.
  • Avast Evangelist
  • Super Poster
  • Posts: 1908
Re: CyberCapture
« Reply #28 on: June 23, 2016, 02:00:13 PM »
Quote from: Vlk
> > It still can't block JS malware.
>
> By JS, you mean JavaScript, right?
>
> CyberCapture is a technology designed to block binary malware, correct. We have different technologies (particularly in the Web Shield) that focus on JavaScript, but CyberCapture is not one of them. With that said, it's worth adding that in the vast majority of cases, even if you hit a JavaScript piece of malware, the payload is then downloaded in binary form and can therefore be successfully blocked by CyberCapture.
>
> Thanks,
> Vlk

Yes! Thanks for the info. You and your team are great and doing great work... so go on. :D ;D

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: CyberCapture
« Reply #29 on: June 23, 2016, 02:05:23 PM »
Quote from: Vlk
> > I know it's a long shot, but it would be nice if you could provide a CyberCapture webpage with some statistics on how the service is operating, what the malware hit ratio is, and other interesting statistics about it. So we can kind of see how many received files are marked as malicious, how many were found clean, which countries have the most new malware detected through the system, and all that.
>
> Good idea. It would be kind of cool. And similarly, on an individual file level (so that YOU, as the contributor, could check the status of your files in real time).

Sounds interesting. Does "Good idea" mean we'll see it rather soon..? ;)