Author Topic: CyberCapture  (Read 132729 times)


Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: CyberCapture
« Reply #90 on: July 06, 2016, 08:34:32 AM »
@Vlk
Again avast! CC/DeepScreen missed a new file (VPN2.exe) from the web. :( VT: https://virustotal.com/en/file/ca0ac979abdb6d0a863960ce5b1d021ab696c7ecd9022b38366183ff4e0e2254/analysis/1467734591/
BTW I am sending this to the virus lab via the virus chest.

The first file didn't even make it to CC. Did this one fall into CC?

Thanks,
Vlk
If at first you don't succeed, then skydiving's not for you.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: CyberCapture
« Reply #91 on: July 06, 2016, 09:40:17 AM »
Every time you post an example I'm losing confidence in yet another tech from avast! more and more...
Have patience. Wait. I have just notified Vlk about the situation.

And users should also just wait patiently to get infected... I know there are various configurations that may determine how the program works, but to me this looks like the basic functionality of CC wasn't tested at all, and the fact that there is no easy way of testing it from the user side (not even detection, just whether it even captures the binaries in scenarios where it should) makes it impossible for us to even help. And to be quite honest I'm not in the mood for setting up a VM, installing an OS on it and fiddling with live malware. Besides, my sources only include sites like MDL, which are signature or URL:Mal detected really fast anyway, making them obsolete for testing. The scope of detection was limited to downloaded files only, and even that seems to be badly broken. Not cool. At all.
Visit my webpage Angry Sheep Blog

Offline Be Secure

  • Long Time Avast User(10years.....) Security Enthusiast.
  • Avast Evangelist
  • Super Poster
  • Posts: 1908
Re: CyberCapture
« Reply #92 on: July 06, 2016, 10:22:08 AM »
@Vlk
Again avast! CC/DeepScreen missed a new file (VPN2.exe) from the web. :( VT: https://virustotal.com/en/file/ca0ac979abdb6d0a863960ce5b1d021ab696c7ecd9022b38366183ff4e0e2254/analysis/1467734591/
BTW I am sending this to the virus lab via the virus chest.

The first file didn't even make it to CC. Did this one fall into CC?

Thanks,
Vlk
No. It activated DeepScreen mode and gave it the OK to run. What is going on? A user like me, or anyone else, has no clue. No sign of CyberCapture.
« Last Edit: July 06, 2016, 10:30:20 AM by Be Secure »
PC- Windows10 EDU 64Bit,avast! free 21.1.2449,uBlock Origin,NVT_OSA,GoogleChrome(64bit),CCleaner,Unchecky,ZAM Free,Shadow Defender.
Security Enthusiast

Offline Be Secure

  • Long Time Avast User(10years.....) Security Enthusiast.
  • Avast Evangelist
  • Super Poster
  • Posts: 1908
Re: CyberCapture
« Reply #93 on: July 06, 2016, 10:40:10 AM »
Every time you post an example I'm losing confidence in yet another tech from avast! more and more...
Have patience. Wait. I have just notified Vlk about the situation.

And users should also just wait patiently to get infected... I know there are various configurations that may determine how the program works, but to me this looks like the basic functionality of CC wasn't tested at all, and the fact that there is no easy way of testing it from the user side (not even detection, just whether it even captures the binaries in scenarios where it should) makes it impossible for us to even help. And to be quite honest I'm not in the mood for setting up a VM, installing an OS on it and fiddling with live malware. Besides, my sources only include sites like MDL, which are signature or URL:Mal detected really fast anyway, making them obsolete for testing. The scope of detection was limited to downloaded files only, and even that seems to be badly broken. Not cool. At all.
I am testing with various types of viruses and ransomware, even VT:0 files, but not a single time did CC appear, only DS. I am also disappointed with the result. Not a single file was caught by CC/DS (0/9). FYI: I sent all the files to avast!. Stopping testing for now.
« Last Edit: July 06, 2016, 10:53:25 AM by Be Secure »
PC- Windows10 EDU 64Bit,avast! free 21.1.2449,uBlock Origin,NVT_OSA,GoogleChrome(64bit),CCleaner,Unchecky,ZAM Free,Shadow Defender.
Security Enthusiast

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: CyberCapture
« Reply #94 on: July 06, 2016, 11:10:18 AM »
Like I've said, their idea of only dealing with a specific scope of infection vector is backfiring on them. Sure, there's the "80% of all infections" and "the load on CC servers" thing, but in all honesty, it seems like the implementation is entirely broken as it is at the moment...
Visit my webpage Angry Sheep Blog

Offline lukor

  • Administrator
  • Super Poster
  • Posts: 1884
    • AVAST Software
Re: CyberCapture
« Reply #95 on: July 06, 2016, 01:40:35 PM »
Hi guys, sorry for my silly question, but do you have CC enabled in the settings? And what about the community checkbox? And what about the Web Shield?

All these things are currently required to trigger the CC flow (the Web Shield to spot the download and mark the file as being downloaded from a specific URL).

Thanks. 

Offline Be Secure

  • Long Time Avast User(10years.....) Security Enthusiast.
  • Avast Evangelist
  • Super Poster
  • Posts: 1908
Re: CyberCapture
« Reply #96 on: July 06, 2016, 01:51:28 PM »
Hi guys, sorry for my silly question, but do you have CC enabled in the settings? And what about the community checkbox? And what about the Web Shield?

All these things are currently required to trigger the CC flow (the Web Shield to spot the download and mark the file as being downloaded from a specific URL).

Thanks.
It is really a silly question. :P :o You asked for it??? Anything else?
« Last Edit: July 06, 2016, 01:56:08 PM by Be Secure »
PC- Windows10 EDU 64Bit,avast! free 21.1.2449,uBlock Origin,NVT_OSA,GoogleChrome(64bit),CCleaner,Unchecky,ZAM Free,Shadow Defender.
Security Enthusiast

Offline lukor

  • Administrator
  • Super Poster
  • Posts: 1884
    • AVAST Software
Re: CyberCapture
« Reply #97 on: July 06, 2016, 02:01:18 PM »
AWESOME! You are excellently configured!

Would you mind sending the avastsvc.log file? We can check there whether the sample was meant to go into CC but the process failed somewhere while launching it, or whether the backend mistakenly decided the file is actually clean. In the meantime, we will also check the backend logs.

Offline Be Secure

  • Long Time Avast User(10years.....) Security Enthusiast.
  • Avast Evangelist
  • Super Poster
  • Posts: 1908
Re: CyberCapture
« Reply #98 on: July 06, 2016, 02:19:44 PM »
It is too big to attach, around 3.66 MB. How do I send it? I prefer the Avast FTP server. Can I send it through that?
PC- Windows10 EDU 64Bit,avast! free 21.1.2449,uBlock Origin,NVT_OSA,GoogleChrome(64bit),CCleaner,Unchecky,ZAM Free,Shadow Defender.
Security Enthusiast

Offline lukor

  • Administrator
  • Super Poster
  • Posts: 1884
    • AVAST Software
Re: CyberCapture
« Reply #99 on: July 06, 2016, 02:45:56 PM »
Sure, the FTP server is great. It should also compress very effectively, so a zipped version will definitely be much smaller. Thanks a lot, we are working on it.

Offline Be Secure

  • Long Time Avast User(10years.....) Security Enthusiast.
  • Avast Evangelist
  • Super Poster
  • Posts: 1908
Re: CyberCapture
« Reply #100 on: July 06, 2016, 02:51:14 PM »
Sure, the FTP server is great. It should also compress very effectively, so a zipped version will definitely be much smaller. Thanks a lot, we are working on it.
I sent a 7zip file with the file name "AvastSvc by Be Secure". I PMed you the password. @lukor :)
Reply to me whether you find it or not. Thanks. ;)
« Last Edit: July 06, 2016, 02:53:37 PM by Be Secure »
PC- Windows10 EDU 64Bit,avast! free 21.1.2449,uBlock Origin,NVT_OSA,GoogleChrome(64bit),CCleaner,Unchecky,ZAM Free,Shadow Defender.
Security Enthusiast

Offline lukor

  • Administrator
  • Super Poster
  • Posts: 1884
    • AVAST Software
Re: CyberCapture
« Reply #101 on: July 06, 2016, 11:13:20 PM »
Be Secure, we've checked the backends; according to their logs we don't see the file as having been downloaded from the web (there is no URL field in the logs).
Of course, this can be some kind of error in the processing. Could you please specify how you downloaded the file? Was that a direct download (a click on the URL), or some other mechanism (e.g. some downloader)? Which browser did you use to download the file? Thanks a lot,
Lukas.
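lukor's two posts above turn on one condition: the CC flow only starts if the downloaded file was marked with the URL it came from, and the backend saw no URL for this sample, so he asks whether it was a direct browser download or came through a downloader. The thread does not say how the Web Shield records that URL, so the following is an added example, not avast code, and it assumes only the general Windows mechanism that browsers use for the same purpose: the NTFS Zone.Identifier alternate data stream (Mark of the Web), which carries a ZoneId and, from most browsers, a HostUrl/ReferrerUrl. A downloader that writes the file itself, or a copy via a non-NTFS path, typically leaves no such stream, which is the kind of "download that is not seen as a download" the exchange is about. The sample stream contents are constructed, not taken from the thread.

```python
"""Check whether a downloaded file carries its origin URL (Mark of the Web).

Added illustration, not avast code: the thread does not describe how the
Web Shield tags downloads, so this shows the generic Windows mechanism
(the Zone.Identifier alternate data stream written by browsers).
"""
import sys
from typing import Dict, Optional

# URLZONE values used in Zone.Identifier: 0 local machine, 1 intranet,
# 2 trusted sites, 3 internet, 4 restricted sites.
URLZONE_INTERNET = 3


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section into key/value pairs."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def classify(fields: Dict[str, str]) -> str:
    """Say what a scanner keyed on 'downloaded from URL X' could learn.

    no-motw           no stream or no ZoneId: nothing marks this as a download
    not-internet      stream present but zone is not Internet (3)
    internet-no-url   Internet zone, but no HostUrl (older IE, some tools)
    internet-with-url Internet zone and an origin URL: the ideal case
    """
    zone = fields.get("ZoneId")
    if zone is None:
        return "no-motw"
    try:
        zone_id = int(zone)
    except ValueError:
        return "no-motw"  # garbage ZoneId is as good as none
    if zone_id != URLZONE_INTERNET:
        return "not-internet"
    return "internet-with-url" if fields.get("HostUrl") else "internet-no-url"


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the ADS on Windows/NTFS; None if absent or the FS has no ADS."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


# Constructed sample streams (not from the thread); host is a reserved TLD.
SAMPLE_BROWSER = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/files/VPN2.exe\r\n"
)
SAMPLE_ZONE_ONLY = "[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"


def inspect(path: str) -> str:
    """Verdict for a real file on disk (always 'no-motw' off NTFS)."""
    text = read_zone_identifier(path)
    return classify(parse_zone_identifier(text) if text else {})


if __name__ == "__main__":
    # Usage: python motw_check.py C:\Users\me\Downloads\file.exe ...
    for p in sys.argv[1:]:
        print(p, inspect(p))
```

On Windows the same stream can be listed with `dir /r` in the download folder; a file with no `:Zone.Identifier:$DATA` entry next to it is one a URL-keyed capture flow would never see as a download. That is a plausible explanation for lukor's "no URL field", but whether avast's own tagging depends on this stream or on the Web Shield's own bookkeeping is not established by the thread.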

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: CyberCapture
« Reply #102 on: July 06, 2016, 11:23:39 PM »
Ever thought that limiting it to "downloads" only is a bad idea, considering how many things can and do go wrong with it? Seeing how things just go past it makes me have basically no confidence in CyberCapture protecting me, or the people I recommend avast! to, when it'll actually be needed...
Visit my webpage Angry Sheep Blog

Offline lukor

  • Administrator
  • Super Poster
  • Posts: 1884
    • AVAST Software
Re: CyberCapture
« Reply #103 on: July 06, 2016, 11:32:55 PM »
Thanks RejZoR for your comment. It seems rather in line with what you've been saying from the beginning and in several places in this very thread. If I understand you correctly, you'd suggest not limiting CC to downloaded files only and expanding the backends accordingly. Do you have any suggestions for how to handle the case where the file itself requires dependencies to run (such as .DLLs in the same folder)? Would it be OK for you if CC submitted the whole folder, or would you consider that a privacy issue?

Thanks.
Lukas.

BTW: Be Secure - I got the logs from you, thank you!

Offline Be Secure

  • Long Time Avast User(10years.....) Security Enthusiast.
  • Avast Evangelist
  • Super Poster
  • Posts: 1908
Re: CyberCapture
« Reply #104 on: July 07, 2016, 04:03:58 AM »
Thanks RejZoR for your comment. It seems rather in line with what you've been saying from the beginning and in several places in this very thread. If I understand you correctly, you'd suggest not limiting CC to downloaded files only and expanding the backends accordingly. Do you have any suggestions for how to handle the case where the file itself requires dependencies to run (such as .DLLs in the same folder)? Would it be OK for you if CC submitted the whole folder, or would you consider that a privacy issue?

Thanks.
Lukas.

BTW: Be Secure - I got the logs from you, thank you!
Why would the whole folder be needed? It makes things bad for users. Only take suspicious files (from the web/USB/HDD/folders), ask users whether they want to submit them to the cloud for analysis, and then analyze them. It basically makes things clear to users.
« Last Edit: July 07, 2016, 05:35:10 AM by Be Secure »
PC- Windows10 EDU 64Bit,avast! free 21.1.2449,uBlock Origin,NVT_OSA,GoogleChrome(64bit),CCleaner,Unchecky,ZAM Free,Shadow Defender.
Security Enthusiast