Author Topic: [3005]DeepScreen and IDP triggered at the same time


Offline Lord_Ami

  • Sr. Member
  • Posts: 227
[3005]DeepScreen and IDP triggered at the same time
« on: January 10, 2017, 12:52:32 PM »
First, I downloaded a password-protected sample archive from the internet.
After unzipping, AVG removed one sample.

Next I ran the other samples in a VM to see what AVG does with them. To my amazement, DeepScreen was started just after IDP removed the file. See screenshot:
https://snag.gy/demtRK.jpg
After DS completed
https://snag.gy/wHX4ut.jpg
Content of quarantine
https://snag.gy/DpPz0t.jpg

Is this some kind of race condition? If you need, I can send you the file.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: [3005]DeepScreen and IDP triggered at the same time
« Reply #1 on: January 10, 2017, 01:06:27 PM »
I was also wondering about this. There should be some sort of hierarchy on how files are processed through the scanning/protection pipeline. If you have a well-defined hierarchy, you can't get such conflicts, because when a protection module at the beginning of the protection pipeline confirms a detection, further processing is stopped and the file is quarantined.

They should place DeepScreen in front of Software Analyzer and also include Software Analyzer within the virtualized DeepScreen. So it would initially inspect the malware using DeepScreen AND Software Analyzer WITHIN the virtualized environment and then release it to the host, where it would again be monitored more extensively with Software Analyzer on an actual live host system. I mean, I've seen ransomware during testing (not necessarily during testing of avast!/AVG) which was detected, but only after it had already encrypted files. If it tries that inside a virtualized environment, you'll still catch it without giving it a chance to do any harm.

Running Software Analyzer on the host level as well is a good idea, because malware can refuse to do malicious actions when it knows it's running in a virtualized environment, or within the short timeframe of DeepScreen monitoring.
Visit my webpage Angry Sheep Blog
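The ordering the reply above asks for (an explicit stage hierarchy, first confirmed detection stops the pipeline, no two monitors acting on the same file at once) can be sketched in code. The block below is an added illustration written for this thread; it is not AVG, avast!, DeepScreen or IDP code, and its stage names, the hash blocklist, the behaviour flags and the sample file paths are all constructed for the demo. The one design point it shows is that a per-file lock plus a quarantine check at the top of the pipeline turns the "IDP removed it, then DeepScreen started on it anyway" race into a logged skip.

```python
"""Toy protection pipeline: ordered stages, first confirmed detection wins,
and a per-file lock so two triggers on the same file cannot race each other.
Illustration for the forum thread; not vendor code."""
import threading
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"  # stage has no opinion; hand the file to the next stage


@dataclass
class FileEvent:
    path: str
    sha256: str
    # Hypothetical behaviour flags a dynamic stage would observe; constructed for the demo.
    behaviour: set = field(default_factory=set)


class HashBlocklistStage:
    """Stands in for a static scanner. The blocklist is constructed, not real data."""
    name = "static-scan"

    def __init__(self, blocked_hashes):
        self.blocked = set(blocked_hashes)

    def inspect(self, ev):
        return Verdict.MALICIOUS if ev.sha256 in self.blocked else Verdict.UNKNOWN


class BehaviourStage:
    """Stands in for a sandbox / behaviour monitor. Rules are constructed."""
    name = "behaviour-monitor"
    SUSPICIOUS = {"mass-file-encrypt", "delete-shadow-copies"}

    def inspect(self, ev):
        if ev.behaviour & self.SUSPICIOUS:
            return Verdict.MALICIOUS
        return Verdict.CLEAN if ev.behaviour else Verdict.UNKNOWN


class Pipeline:
    def __init__(self, stages):
        self.stages = list(stages)   # list order *is* the hierarchy
        self.quarantine = {}         # path -> name of the stage that quarantined it
        self.log = []                # (path, stage, verdict) audit trail
        self._file_locks = {}
        self._guard = threading.Lock()

    def _lock_for(self, path):
        with self._guard:
            return self._file_locks.setdefault(path, threading.Lock())

    def process(self, ev):
        """Run the stages in order and stop at the first MALICIOUS verdict.

        The per-file lock serialises concurrent triggers on the same file, so a
        second trigger finds the quarantine entry instead of starting its own
        analysis of a file that has already been removed."""
        with self._lock_for(ev.path):
            if ev.path in self.quarantine:
                self.log.append((ev.path, "pipeline", "already-quarantined"))
                return self.quarantine[ev.path]
            for stage in self.stages:
                verdict = stage.inspect(ev)
                self.log.append((ev.path, stage.name, verdict.value))
                if verdict is Verdict.MALICIOUS:
                    self.quarantine[ev.path] = stage.name
                    return stage.name
            return None


def build_demo_pipeline():
    # Constructed sample hash: any 64-hex string stands in for a known-bad file.
    return Pipeline([HashBlocklistStage({"a" * 64}), BehaviourStage()])


def simulate_concurrent_triggers(pipeline, ev, n=2):
    """Fire n triggers on the same file at once (two monitors waking up together).

    Returns (quarantining stage, number of malicious verdicts, number of skips)."""
    threads = [threading.Thread(target=pipeline.process, args=(ev,)) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    malicious = sum(1 for e in pipeline.log if e[2] == "malicious")
    skipped = sum(1 for e in pipeline.log if e[2] == "already-quarantined")
    return pipeline.quarantine.get(ev.path), malicious, skipped


if __name__ == "__main__":
    p = build_demo_pipeline()
    sample = FileEvent("C:/samples/bad.exe", "a" * 64, {"mass-file-encrypt"})
    print(simulate_concurrent_triggers(p, sample))
```

With the constructed inputs, two simultaneous triggers on the known-bad file produce exactly one "malicious" log entry from the static stage and one "already-quarantined" skip; a file the static stage does not know falls through to the behaviour stage, and a file with only benign behaviour passes with no quarantine entry.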

Offline TrueIndian

  • Poster
  • Posts: 433
Re: [3005]DeepScreen and IDP triggered at the same time
« Reply #2 on: January 12, 2017, 06:36:53 AM »
I think IDP of AVG is going to be somewhat a part of DeepScreen, making decisions more accurate and safer for the system?

Is it only me who thinks that IDP is, or is somewhat, a part of DeepScreen?

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: [3005]DeepScreen and IDP triggered at the same time
« Reply #3 on: January 12, 2017, 03:04:55 PM »
As things stand right now, Software Analyzer is an entirely separate component from the rest. Maybe they've integrated small portions of telemetry from it, but I don't think they've done anything more in such a short time.
Visit my webpage Angry Sheep Blog

Offline TrueIndian

  • Poster
  • Posts: 433
Re: [3005]DeepScreen and IDP triggered at the same time
« Reply #4 on: January 13, 2017, 04:50:36 PM »
As things stand right now, Software Analyzer is an entirely separate component from the rest. Maybe they've integrated small portions of telemetry from it, but I don't think they've done anything more in such a short time.

DeepScreen by itself was essentially not doing anything in avast. The implementation of AVG IDP has made it function and block malware effectively.

It makes more sense that DeepScreen sandboxes the file and then IDP monitors the behaviour, along with whatever Dyna-Gen rules, and blocks the file. It makes it safer and more accurate, because even if the sandbox let it through, IDP would still be active?

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: [3005]DeepScreen and IDP triggered at the same time
« Reply #5 on: January 13, 2017, 05:00:03 PM »
I don't think Dyna-gen actually exists. With the poor extent of detection DeepScreen always had, I don't think it even exists. If it does, it wasn't doing much in terms of expanding detection scope with every new malware encountered. It was the same rubbish the entire time.
Visit my webpage Angry Sheep Blog

Offline TrueIndian

  • Poster
  • Posts: 433
Re: [3005]DeepScreen and IDP triggered at the same time
« Reply #6 on: January 13, 2017, 05:24:08 PM »
I don't think Dyna-gen actually exists. With the poor extent of detection DeepScreen always had, I don't think it even exists. If it does, it wasn't doing much in terms of expanding detection scope with every new malware encountered. It was the same rubbish the entire time.

Yes, it was barely effective. I wonder if CyberCapture's range of monitoring has been increased and now covers USB and other gates or not? Since it's been some months, I am hoping it has matured to cover other threat gates.