Author Topic: Beta version released - 12.4.2281  (Read 94316 times)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Beta version released - 12.4.2281
« Reply #120 on: November 28, 2016, 11:55:45 PM »
Quote:
CyberCapture is a default-deny with cloud submission and analysis, hardened mode is a whitelist/file reputation. What he is asking for is the Identity protection behavior blocker. Deepscreen is the one that most looks like this, it runs the program and checks what it does. But I feel that it is not good enough. For me it is not like a BB since it runs the program for a limited time and I guess the only function is to decloak obfuscated malware.

I would say his post isn't that clear.

When will we have a suspicious software monitor like AVG?

I have highlighted why I believed it to be software rather than system monitoring.
« Last Edit: December 14, 2021, 12:08:08 PM by Eva137 »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline cristianojgm

  • Jr. Member
  • **
  • Posts: 78
Re: Beta version released - 12.4.2281
« Reply #121 on: November 29, 2016, 12:10:42 AM »
Quote:
CyberCapture is a default-deny with cloud submission and analysis, hardened mode is a whitelist/file reputation. What he is asking for is the Identity protection behavior blocker. Deepscreen is the one that most looks like this, it runs the program and checks what it does. But I feel that it is not good enough. For me it is not like a BB since it runs the program for a limited time and I guess the only function is to decloak obfuscated malware.

That's right!
« Last Edit: December 14, 2021, 11:14:12 AM by Eva137 »

REDACTED

  • Guest
Re: Beta version released - 12.4.2281
« Reply #122 on: November 29, 2016, 05:20:31 PM »
I also wonder how AVG's Identity protection module would be implemented in Avast, considering that it already has deepscreen and cybercapture for suspicious files  ???

Offline A. User

  • Sr. Member
  • ****
  • Posts: 388
Re: Beta version released - 12.4.2281
« Reply #123 on: November 29, 2016, 05:23:33 PM »
Quote:
I also wonder how AVG's Identity protection module would be implemented in Avast, considering that it already has deepscreen and cybercapture for suspicious files  ???

Because you cannot rely only on Machine learning, heuristics and virus signatures. Behavior blocker is very much needed for proper protection and Avast does not have one. Never ever seen the HIPS show me a warning like Comodo's one or even like the Qihoo's one. Even Comodo has a behavior blocker.

Offline A. User

  • Sr. Member
  • ****
  • Posts: 388
Re: Beta version released - 12.4.2281
« Reply #124 on: November 29, 2016, 05:27:43 PM »
@Garret, sorry, I misunderstood you and thought that you asked WHY it has to be implemented and not HOW. I've read your question just at a first look.  :-\

Offline cristianojgm

  • Jr. Member
  • **
  • Posts: 78
Re: Beta version released - 12.4.2281
« Reply #125 on: November 29, 2016, 05:38:34 PM »
I've seen a lot of trojans go through the deepscreen. Cybercapture takes a long time for the file to be scanned in the cloud.
The Identity protection module of AVG is an excellent reinforcement for Avast in protection. In conjunction with Deepscreen and Cybercapture it would make Avast one of the best against malware.

Offline A. User

  • Sr. Member
  • ****
  • Posts: 388
Re: Beta version released - 12.4.2281
« Reply #126 on: November 29, 2016, 05:52:43 PM »
Quote from: cristianojgm
I've seen a lot of trojans go through the deepscreen. Cybercapture takes a long time for the file to be scanned in the cloud.
The Identity protection module of AVG is an excellent reinforcement for Avast in protection. In conjunction with Deepscreen and Cybercapture it would make Avast one of the best against malware.

Avast has a lot of potential IMO. CyberCapture is a default-deny just like Comodo, and default-deny is the best protection which you can get. I have to say that while 3-4 hours looks like a very long time for an analysis, please note that they are checking many files, since default-deny means scanning many more files than only sending suspicious files for analysis. This is a very good speed for a first try. The true challenge is to keep up the current speed of analysis while expanding the vectors that activate CyberCapture, since it's not really invoked all the time now like it should be. In my opinion they should expand the vectors that activate CyberCapture and also allow the free users to run the files in temporary custody in the Sandbox. Here I mean just files submitted for CC analysis and not every file that they want, which will be kept for paid users like it is now. Adding Identity Protection is very good, but they should make a team and not sack the AVG analysts but make a special dedicated team to continuously improve Identity protection as an in-house technology (adapted LOL). Otherwise Avast really are getting very good at the statistical detection of malware. :)

Offline neverseen76

  • Newbie
  • *
  • Posts: 3
Re: Beta version released - 12.4.2281
« Reply #127 on: November 29, 2016, 06:38:26 PM »
Quote from: A. User
@Garret, sorry, I misunderstood you and thought that you asked WHY it has to be implemented and not HOW. I've read your question just at a first look.  :-\

Never mind :) (It is always me. I just have another registered account)

I would like to see IDP implemented in Avast too, because it is the best component of AVG, but I don't understand how exactly they are going to mix it with Cybercapture. I mean: IDP checks the behaviour of a file and looks for some suspicious activity that it performs on the system, but in order to check it, IDP needs that file to run on the user's system. Cybercapture doesn't let the file run, it blocks it and sends it to the Avast server for analysis. Maybe they will just add IDP to their cloud infrastructure?
« Last Edit: December 13, 2021, 03:28:26 PM by Eva137 »

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Beta version released - 12.4.2281
« Reply #128 on: November 29, 2016, 10:12:40 PM »
Well, it's possible they'll use IDP's logic on CyberCapture. Meaning they'll still run the samples on remote servers, but with more extensive behavioral analysis.
Visit my webpage Angry Sheep Blog

Offline Alikhan

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
Re: Beta version released - 12.4.2281
« Reply #129 on: November 29, 2016, 10:16:46 PM »
Quote from: RejZoR
Well, it's possible they'll use IDP's logic on CyberCapture. Meaning they'll still run the samples on remote servers, but with more extensive behavioral analysis.

They need to get CyberCapture to scan from more sources than the web and not only exe files too. CyberCapture is too limited atm.
Windows 10 Home 64-bit • Avast Free (latest stable version) •  Malwarebytes 4 Premium (On-Demand) • Windows Firewall Control • Google Chrome • LastPass • CCleaner • O&O ShutUp10 •

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Beta version released - 12.4.2281
« Reply #130 on: November 29, 2016, 10:47:26 PM »
Quote from: RejZoR
Well, it's possible they'll use IDP's logic on CyberCapture. Meaning they'll still run the samples on remote servers, but with more extensive behavioral analysis.

Quote from: Alikhan
They need to get CyberCapture to scan from more sources than the web and not only exe files too. CyberCapture is too limited atm.

Avast have already stated that is their intention, but first they really have to get the existing selected source working to a higher degree before expanding it to other sources.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Beta version released - 12.4.2281
« Reply #131 on: November 29, 2016, 10:57:11 PM »
It's also possible they'll keep CyberCapture for online samples only and IDP for everything local or from USB drives. Plus, IDP's logic could allow them to track even local sources, allowing them to create more advanced tracking of the files and where they came from.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48551
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Beta version released - 12.4.2281
« Reply #133 on: November 30, 2016, 08:38:04 AM »
Yup, as I've suspected, CyberCapture isn't just a behavioral analysis system, but involves a list of checks through which each sample goes during analysis. I mean, it's pointless to perform demanding real-time execution and behavior observation if one of the less demanding systems can already spot something as malware. I'm assuming behavior analysis always comes at the very end if all the other checks don't raise an alarm already.

Offline A. User

  • Sr. Member
  • ****
  • Posts: 388
Re: Beta version released - 12.4.2281
« Reply #134 on: November 30, 2016, 10:44:43 AM »
So from what I've seen in that article it means that IDP will be used in CyberCapture and Avast wants to go default-deny.

Two things that I have requested in the last year were AMSI and ELAM. It seems that Avast now uses AMSI, but not ELAM. Here is one more reason to import the already used ELAM in AVG to Avast: better service self-protection (plus the better anti-rootkit). What is the meaning of Secure Boot when there is no ELAM!? I know that there have been issues in flawed Microsoft Secure boot keys, but these can be patched in coordination with the OEMs and I am sure that Secure Boot is here to stay.