Author Topic: CyberCapture  (Read 132719 times)

0 Members and 1 Guest are viewing this topic.

Offline Be Secure

  • Long Time Avast User(10years.....) Security Enthusiast.
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1908
Re: CyberCapture
« Reply #105 on: July 07, 2016, 04:31:53 AM »
Be Secure, we've checked the backends, according to their logs we don't see the file as being downloaded from web (there is not URL field in the logs).
Of course, this can be some kind of an error in the processing. Could you, please, specify how you've downloaded the file? Was that a direct download (click on the url), or some other mechanismus (e.g. some downloader). What make of the browser did you use to download the file? Thanks a lot,
Lukas.
I used both direct download links and use IDM(Internet Download Manager),Google Chrome x64 stable version.
PC- Windows10 EDU 64Bit,avast! free 21.1.2449,uBlock Origin,NVT_OSA,GoogleChrome(64bit),CCleaner,Unchecky,ZAM Free,Shadow Defender.
Security Enthusiast

Offline TrueIndian

  • Poster
  • *
  • Posts: 433
Re: CyberCapture
« Reply #106 on: July 07, 2016, 07:06:23 AM »
This feature is quite broken...lot of downloaded files are being missed...Is this bug something with download managers or browsers?


another report:
https://forum.avast.com/index.php?topic=187505.0
« Last Edit: July 07, 2016, 07:13:02 AM by True Ind »

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: CyberCapture
« Reply #107 on: July 07, 2016, 07:32:42 AM »
Thanks RejZoR for your comment. Seems rather in line with what you've been saying from the begining and on several places in this very thread. If I understand you correctly, you'd suggest to not limit CC to downloaded files only and expand the backends accordingly. Do you have any suggestions how to handle the case where the file it self requires dependencies to be run (such as .DLLs in the same folder) ? Would that be ok for you if CC will submit the whole folder - or would you consider that as a privacy issue?

Thanks.
Lukas.

BTW: Be Secure - I got the logs from you, thank you!

Yeah, I think that way because of all the problems I've seen so far and because of the CyberCapture dependencies...
You have to have CyberCapture enabled, Web Shield installed (a lot of people leave just File System Shield) and the file has to arrive from a download. Just too many things that can go wrong along the way or be missing. Connecting CyberCapture to the File System Shield would make more sense.

As for DLL's, can avast determine DLL dependencies for EXE to run or would it just blindly upload all of them from that folder? If you limit the file collection to DLL's only, I think it should still be fine, but I don't think people would want their other data files to be uploaded. Besides, DLL's can often operate as injectors for legit apps which can be used by malware. So, that would be one of reasons why uploading them would make sense.

What I'm more worried with such extended scope of upload, people with limited bandwidth. I personally don't care as I have unmetered line, but not everyone has it like I do. Not sure how to make that functional without eating their whole monthly bandwidth...
Visit my webpage Angry Sheep Blog

Offline Be Secure

  • Long Time Avast User(10years.....) Security Enthusiast.
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1908
Re: CyberCapture
« Reply #108 on: July 07, 2016, 07:56:52 AM »
Thanks RejZoR for your comment. Seems rather in line with what you've been saying from the begining and on several places in this very thread. If I understand you correctly, you'd suggest to not limit CC to downloaded files only and expand the backends accordingly. Do you have any suggestions how to handle the case where the file it self requires dependencies to be run (such as .DLLs in the same folder) ? Would that be ok for you if CC will submit the whole folder - or would you consider that as a privacy issue?

Thanks.
Lukas.

BTW: Be Secure - I got the logs from you, thank you!

Yeah, I think that way because of all the problems I've seen so far and because of the CyberCapture dependencies...
You have to have CyberCapture enabled, Web Shield installed (a lot of people leave just File System Shield) and the file has to arrive from a download. Just too many things that can go wrong along the way or be missing. Connecting CyberCapture to the File System Shield would make more sense.

As for DLL's, can avast determine DLL dependencies for EXE to run or would it just blindly upload all of them from that folder? If you limit the file collection to DLL's only, I think it should still be fine, but I don't think people would want their other data files to be uploaded. Besides, DLL's can often operate as injectors for legit apps which can be used by malware. So, that would be one of reasons why uploading them would make sense.

What I'm more worried with such extended scope of upload, people with limited bandwidth. I personally don't care as I have unmetered line, but not everyone has it like I do. Not sure how to make that functional without eating their whole monthly bandwidth...
+1.Good point.@RejZoR :)
« Last Edit: July 07, 2016, 08:35:19 AM by Be Secure »
PC- Windows10 EDU 64Bit,avast! free 21.1.2449,uBlock Origin,NVT_OSA,GoogleChrome(64bit),CCleaner,Unchecky,ZAM Free,Shadow Defender.
Security Enthusiast

Offline Be Secure

  • Long Time Avast User(10years.....) Security Enthusiast.
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1908
Re: CyberCapture
« Reply #109 on: July 07, 2016, 01:51:10 PM »
Finally some good news!. :)wait for result.But file not lock at all,it still run. After long wait it say the file is clean but it is not. :(
« Last Edit: July 07, 2016, 03:29:50 PM by Be Secure »
PC- Windows10 EDU 64Bit,avast! free 21.1.2449,uBlock Origin,NVT_OSA,GoogleChrome(64bit),CCleaner,Unchecky,ZAM Free,Shadow Defender.
Security Enthusiast

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5564
  • Spartan Warrior
Re: CyberCapture
« Reply #110 on: July 07, 2016, 08:08:33 PM »
Finally some good news!. :)wait for result.But file not lock at all,it still run. After long wait it say the file is clean but it is not. :(
Otherwise known as a false negative.  With double file extension name such as this one, this should not be missed by any reputable a/v.  As RejZoR says, merging this new technology with File System Shield makes sense... as it should natively catch it.
Windows 10 Home 64-bit 22H2 Avast Premier Security version 24.1.6099 (build 24.1.88821.762)  UI version 1.0.797
 UI version 1.0.788.  Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.2.6105 (build 24.1.8918.827) UI version 1.0.801

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: CyberCapture
« Reply #111 on: July 07, 2016, 09:45:43 PM »
I'm surprised their internal classification system doesn't push files like this to a SUSPICIOUS group by default. I mean, .pdf.exe extension is a textbook scam method to convince users into running it thinking it's just a PDF file.
Visit my webpage Angry Sheep Blog

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2078
Re: CyberCapture
« Reply #112 on: July 07, 2016, 11:19:04 PM »
I'm surprised their internal classification system doesn't push files like this to a SUSPICIOUS group by default. I mean, .pdf.exe extension is a textbook scam method to convince users into running it thinking it's just a PDF file.
There is a rule for double extensions, these files were always analyzed by DeepScreen.

Quote
As for DLL's, can avast determine DLL dependencies for EXE to run or would it just blindly upload all of them from that folder?
It is not so easy -- a lot of DLLs can be loaded dynamically and it depends on many factors if it happens, or not. The first version of CC works on installer/packages downloaded from Internet (assume all DLLs components are in the installer). We will definitely improve it in future.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: CyberCapture
« Reply #113 on: July 08, 2016, 12:22:37 AM »
How often are dual extensions intentional? Especially such specific ones? Only legit one I'm aware is .paf.exe used by Portable Apps. But PAF isn't any common format. So it's fine. But seeing .PDF.EXE, that has ALWAYS been malicious. Is there even a point of analysis, it's 99,99% certain it's malware.
Visit my webpage Angry Sheep Blog

Offline Be Secure

  • Long Time Avast User(10years.....) Security Enthusiast.
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1908
Re: CyberCapture
« Reply #114 on: July 08, 2016, 04:13:30 AM »
How often are dual extensions intentional? Especially such specific ones? Only legit one I'm aware is .paf.exe used by Portable Apps. But PAF isn't any common format. So it's fine. But seeing .PDF.EXE, that has ALWAYS been malicious. Is there even a point of analysis, it's 99,99% certain it's malware.
+1.https://www.virustotal.com/en/file/7f46fd0233344d45057a1401d9593889e39340d85163126c9730fcf74949137d/analysis/1467944091/
« Last Edit: July 08, 2016, 04:16:11 AM by Be Secure »
PC- Windows10 EDU 64Bit,avast! free 21.1.2449,uBlock Origin,NVT_OSA,GoogleChrome(64bit),CCleaner,Unchecky,ZAM Free,Shadow Defender.
Security Enthusiast

Offline TrueIndian

  • Poster
  • *
  • Posts: 433
Re: CyberCapture
« Reply #115 on: July 08, 2016, 07:18:14 AM »
Any news as to why that file was classified as safe?! That is 100% bad...something is definately wrong on the backend  :o

Any news avast! team?
« Last Edit: July 08, 2016, 07:23:31 AM by True Ind »

REDACTED

  • Guest
Re: CyberCapture
« Reply #116 on: July 09, 2016, 02:01:28 AM »
4.Is the sandbox and cybercapture now one and the same?? If not what's the difference?? Analysis on users machine and analysis on cloud is the only difference.

Sandbox (DeepScreen) is a part of CyberCapture. We use it both locally (on the user's computer -- to filter out the most obvious malware) and also on the backend (in a controlled environment, with full NG support and much more time to play with it).

Sorry for dumb question but is NG removed from latest Avast ?  I know alot of performance and other issues.....one of the items/features/options I shy-ed away from.
Thus, maybe extension to the question above.....how does DeepScreen, Cybercapture & NG relate ?

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: CyberCapture
« Reply #117 on: July 09, 2016, 09:14:21 AM »
Sorry for dumb question but is NG removed from latest Avast ?
Yes, it has been moved to the cloud.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5475
  • Whatever will be, will be.
Re: CyberCapture
« Reply #118 on: July 09, 2016, 09:39:24 AM »
Any news as to why that file was classified as safe?! That is 100% bad...something is definately wrong on the backend  :o
Do you expect 100% detection from CyberCapture? I don't think it happen or exist, 100% is just an illusion IMHO.
"Improved" detection rate at most is, still, a good advance.

Of course I expect CC to be improved, but now, let's wait and see.
Desktop: Win10 Pro 22H2 64bit / Core i5-7400 3.0GHz / 32GB RAM / Avast 23 Premium Beta(Icarus) / Comodo Firewall
Notebook: Win10 Pro 22H2 64bit / Core i5-3340M 2.7GHz / 12GB RAM / Avast 23 Free / Windows Firewall Control
Server: Win11 Pro 23H2 64bit / Core i3-4010U 1.7GHz / 12GB RAM / Avast One 23 Essential

Avast の設定について解説しています。よろしければご覧ください。

Offline TrueIndian

  • Poster
  • *
  • Posts: 433
Re: CyberCapture
« Reply #119 on: July 10, 2016, 07:03:55 AM »
Sorry but that malware is very wide spread and a feature like CC shouldn't miss it....Its very well known varient and backend shouldn't be missing well known malware varients like rejz said this dual extension thing has been around for years and it shouldnt be missed where all other vendors have some heuristic detection in place for such files avast! seems to have no protection from a well known varient... atleast if its not a 100* detection  ::)

I am not saying get 100% score but atleast don't miss the real bad ones.This feature is heavily broken right now.It's missing everything I have thrown at it...even my kitchen sink was missed  :o
« Last Edit: July 10, 2016, 07:07:54 AM by True Ind »