CyberCapture

[RejZoR]

@Vlk , has CyberCapture policy changed recently? It just locked Crystal Security main EXE which was already installed and active when I've installed avast!. It picked up the Crystal Security EXE on system reboot. Waiting for verdict, but I found it interesting since it wasn't a download, it was EXE already on disk.

[Be Secure]

@Vlk , has CyberCapture policy changed recently? It just locked Crystal Security main EXE which was already installed and active when I've installed avast!. It picked up the Crystal Security EXE on system reboot. Waiting for verdict, but I found it interesting since it wasn't a download, it was EXE already on disk.

It is a FP.

[RejZoR]

It's not a FP. The verdict came clean afterwards by CC. What surprised me is that it was even processed by CyberCapture considering it was a local file and not a download from web!

[Asyn]

What surprised me is that it was even processed by CyberCapture considering it was a local file and not a download from web!

Hmmm, interesting, let's hope we get some input from the devs here soon.

[RejZoR]

I hate this damn radio silence from avast! team...

[bob3160]

I hate this damn radio silence from avast! team...

I'll feel the same way if no reply by tomorrow. I consider this a holiday since it's Sunday.

[RejZoR]

There was no reply to anything for days, not just during Sundays...

[bob3160]

There was no reply to anything for days, not just during Sundays...

Trying to be kind.

[Milos]

@Vlk , has CyberCapture policy changed recently? It just locked Crystal Security main EXE which was already installed and active when I've installed avast!. It picked up the Crystal Security EXE on system reboot. Waiting for verdict, but I found it interesting since it wasn't a download, it was EXE already on disk.

Hello RejZoR,
can you post sha256 of the file so we can find more info on our backends?

Thanks,
Milos

[RejZoR]

SHA-256:
10161446bd995d4ff6dcf5cf0b693dcab8b7e795d4805f7544be911de30b6d5b

Crystal Security.exe

[Milos]

Hello RejZoR,
we see that there is a http source: hxtp://www.crystalsecurity.eu/updates/crystal_security._xe and from the date we saw this sha256 for the first time, it looks that your file was updated recently.

Milos

[RejZoR]

It's possible I've re-downloaded a modified EXE to generate the has. But at the time I've got CyberCapture dialog, it was a 100% local file, because it was already on the disk when I installed avast!. Meaning avast! could only see it as local file.

Do you have any ability to search based on file name?

[Milos]

Yes, we have ability to search by file name.

Milos

[RejZoR]

I just find it strange that it was originally said as CyberCapture only processing files obtained from web. Which means the program has to detect its origin somehow (with Web Shield).

However, in my case, the file was local from start.

1. Windows Defender (No AV).
2. Installed "Crystal Security"
3. Installed avast!
4. avast! detected Cyber Security main EXE on next system reboot and processed it via CyberCapture. The verdict CLEAN arrived next morning as this was "locked" by CC in the evening.

Considering avast! was introduced to the system AFTER Crystal Security has already been installed, this means CyberCapture is now also processing local files, there was no other way for it to detect that EXE as "downloaded from web". That's what I'm wondering really. You guys always said it doesn't process local files, just downloads. Has that changed recently and no one mentioned it?

[Milos]

I think that the steps could be:

1. Windows Defender (No AV).
2. Installed "Crystal Security"
3. Installed avast!
4. "Crystal Security" updated itself (info about download from web was added "hxtp://www.crystalsecurity.eu/updates/crystal_security._xe")
5. avast! detected "Crystal Security" main EXE on next system reboot (is "Crystal Security" scheduled to run after boot?) and processed it via CyberCapture.

Milos