Author Topic: CyberCapture needs to cover more infection vectors  (Read 2790 times)

0 Members and 1 Guest are viewing this topic.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9408
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
CyberCapture needs to cover more infection vectors
« on: December 25, 2016, 09:47:14 PM »
As things stand now, CyberCapture only covers suspicious files downloaded from web through a browser.

It should also cover:
- downloads from IM software
- downloads from P2P software
- downloads from e-mail apps (attachments)
- external devices like USB drives

Web, in terms of browser isn't the only source from where users get files of questionable "quality". And while I know submission of every unknown file on local disk is problematic (because it would mean every new program would be sent for analysis after you compile it). But it just feels like CyberCapture potential is being wasted since it's hardly ever even gets a chance to process files that come from otherwise questionable places.
Visit my webpage Angry Sheep Blog

Offline Alikhan

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
Re: CyberCapture needs to cover more infection vectors
« Reply #1 on: December 25, 2016, 10:33:13 PM »
I've been saying that since it's been released...

I assume it must be fine tuned for the web now..
Windows 10 Home 64-bit • Avast Free (latest stable version) •  Malwarebytes 4 Premium (On-Demand) • Windows Firewall Control • Google Chrome • LastPass • CCleaner • O&O ShutUp10 •

Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3740
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Re: CyberCapture needs to cover more infection vectors
« Reply #2 on: December 26, 2016, 01:01:31 AM »
CyberCapture should cover everything what is unknown e.g. not whitelisted ( hardened mode aggressive ) or blacklisted ( antivirus ).

Greetz, Red.
OS: Win 10 / iOS 17 / Debian 12 / Tails 6
Real Time: Avast Premium Security
On Demand: Malwarebytes
VPN: NordVPN ( NordLynx ) with Threat Protection ( Lite )

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9408
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: CyberCapture needs to cover more infection vectors
« Reply #3 on: December 26, 2016, 01:06:42 AM »
Would be nice, but I'm not sure they can handle the influx of all the unknown files people have on their computers... Though, this would be one way of building the most extensive whitelist ever.
Visit my webpage Angry Sheep Blog

Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3740
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Re: CyberCapture needs to cover more infection vectors
« Reply #4 on: December 26, 2016, 01:20:21 AM »
Yes, I realise that :)

But as not everyone is always online, a form of HIPS and/or behaviour blocker is important as well.
And I think we are on the same line on this as well.

Greetz, Red.

« Last Edit: December 26, 2016, 01:25:34 AM by Rednose »
OS: Win 10 / iOS 17 / Debian 12 / Tails 6
Real Time: Avast Premium Security
On Demand: Malwarebytes
VPN: NordVPN ( NordLynx ) with Threat Protection ( Lite )

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89354
  • No support PMs thanks
Re: CyberCapture needs to cover more infection vectors
« Reply #5 on: December 26, 2016, 01:29:20 AM »
When DeepScreen (and possibly Hardened Mode) first came on the scene I can recall it pinging lots of 'old' but legit files even winword.exe and excel.exe executables. Just checked my Settings > General > Exclusions > CyberCapture and both executables are in there now that DeepScreen isn't in those settings.

So I believe this could pick up on some old files (but legit) not yet in its database because they are so old.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3740
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Re: CyberCapture needs to cover more infection vectors
« Reply #6 on: December 26, 2016, 01:47:04 AM »
David :)

I don't think you should exclude old legit files in CyberCapture, but better exclude them in Hardened mode as you use that.
CyberCapture exclusions are most and for all meant for programmers and software developers, who don't want to be bothered with it.

Greetz, Red.
« Last Edit: December 26, 2016, 01:59:06 AM by Rednose »
OS: Win 10 / iOS 17 / Debian 12 / Tails 6
Real Time: Avast Premium Security
On Demand: Malwarebytes
VPN: NordVPN ( NordLynx ) with Threat Protection ( Lite )

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9408
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: CyberCapture needs to cover more infection vectors
« Reply #7 on: December 26, 2016, 09:49:42 AM »
When DeepScreen (and possibly Hardened Mode) first came on the scene I can recall it pinging lots of 'old' but legit files even winword.exe and excel.exe executables. Just checked my Settings > General > Exclusions > CyberCapture and both executables are in there now that DeepScreen isn't in those settings.

So I believe this could pick up on some old files (but legit) not yet in its database because they are so old.

DeepScreen is a thing with it's own story. And so is Hardened Mode. I also don't understand the logic behind these two entirely after all these years.

DeepScreen, once it scans the file and excludes it, you can modify that file into the worst virus ever and it'll just happily execute it because the exclusions are unconditional. Once it monitors the file once, it'll just happily execute it freely after that. I don't get it why DeepScreen exclusions don't allow permanent and on modifications exclusions. DeepScreen should be re-triggered when DeepScreen excluded program is modified. But they just don't check this for whatever reason. Been warning about it and never got any reply or elaboration about it.

And same goes for Hardened Mode exclusions. When you run suspicious executables, they get DeepScreened first. Always. But if you use Hardened Mode (Moderate), it get blocked on basis it WOULD trigger DeepScreen otherwise. But it doesn't actually screen it for malicious behavior. What this does is when Hardened mode (Moderate) blocks it and you decide to execute it anyway, it just executes it directly afterwards. Why aren't Hardened Mode (both levels) screened by DeepScreen BEFORE they get excluded? Again, requested elaboration, explanation and a future request for this several times. And it's still not here. New version is planned for January 2017 and with no avast! BETA's, I have no idea what they are doing and if they are even adding any of this.

I've wandered away from the original topic, but all this stuff is connected and it keeps on bothering me why they make all these seemingly cool features and they just never bother to perfect them based on user feedback and security concerns. I value how they take our feedback for many things, but this stuff just seems to be perpetually ignored for some bizarre reason...
Visit my webpage Angry Sheep Blog

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89354
  • No support PMs thanks
Re: CyberCapture needs to cover more infection vectors
« Reply #8 on: December 26, 2016, 03:20:22 PM »
David :)

I don't think you should exclude old legit files in CyberCapture, but better exclude them in Hardened mode as you use that.
CyberCapture exclusions are most and for all meant for programmers and software developers, who don't want to be bothered with it.

Greetz, Red.

I'm not saying that you should, just that if and when the CyberCapture gets expanded it is going to bump into these things also that aren't on the whitelist and require scanning.

The exclusion is in the CyberCapture column of Exclusions and I didn't put them there. They were originally in the DeepScreen tab, presumably avast moved them when CyberCapture came in.

@ RejZoR
I completely agree on the confusion issue and the multiple tools that on first glance seem to compete rather than compliment. That compliment should really be taken a step further and combine those that do a similar job 'analyse files.'

Whilst the Hardened Mode I see as a way of essentially forcing a scan by checking the # against the whitelist, if it doesn't exist then trigger the CyberCapture or DeepScreen or whatever the single scanning entity is called.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: CyberCapture needs to cover more infection vectors
« Reply #9 on: December 28, 2016, 05:07:01 PM »
But as not everyone is always online, a form of HIPS and/or behaviour blocker is important as well.
I would suggest a double step process (more or less like Smart Screen works for Windows):
1. When running a file, the antivirus get the online status: if the computer is online, it goes the normal way (via CyberCapture).
2. If it is offline, it could ask: a) Start Hardened Mode (Aggressive), b) Start Hardened Mode (Moderate), c) Does not run until online again.

What do you think?
The best things in life are free.