Author Topic: Avast behavior shield is late, all my files are encrypted by Jaff ransomware


Offline Be Secure

  • Long Time Avast User(10years.....) Security Enthusiast.
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1910
Why is the Avast behavior shield so slow to monitor the ransomware, and why did it fail to block it in time? >:(

But the good news is that I am testing it in SD (Shadow Defender) with only the Avast behavior shield on.

More good news: it is blocked by FileRepMalware. 8)
It is the new Jaff ransomware with the .wlu extension.
I mentioned it in SECURITY WARNINGS & Notices: https://forum.avast.com/index.php?topic=52252.msg1396539#msg1396539
At last Avast users are protected. :D
PC- Windows10 EDU 64Bit,avast! free 21.1.2449,uBlock Origin,NVT_OSA,GoogleChrome(64bit),CCleaner,Unchecky,ZAM Free,Shadow Defender.
Security Enthusiast

Offline Staticguy

  • Super Poster
  • ***
  • Posts: 1440
You should have installed Malwarebytes 3.0 Premium. Malwarebytes protects users from this ransomware. Look at my signature.

https://blog.malwarebytes.com/cybercrime/2017/05/new-jaff-ransomware-via-necurs-asks-for-2-btc/
DELL Inspiron 15" 7000 Gaming, Windows 10 Home 2004 (OS Build 19041.388), Trend Micro Internet Security 2020 (16.0.1391), Avast SecureLine VPN (5.6.4982), Windows Firewall, Unchecky 1.2

Offline Be Secure

  • Long Time Avast User(10years.....) Security Enthusiast.
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1910
> You should have installed Malwarebytes 3.0 Premium. Malwarebytes protects users from this ransomware. Look at my signature.
>
> https://blog.malwarebytes.com/cybercrime/2017/05/new-jaff-ransomware-via-necurs-asks-for-2-btc/

Thanks, but I am using VoodooShield with Avast. :)
Avast also blocks this ransomware as FileRepMalware, but the Avast behavior shield is so slow to monitor the ransomware that it failed to block it in time.
« Last Edit: May 24, 2017, 11:56:39 AM by Be Secure »

Offline Evjls

  • Jr. Member
  • **
  • Posts: 96
Hi, according to the same test on MalwareTips, Avast was bypassed while AVG's IDP blocked it successfully.
This is the 4th time I have seen this happen.

Offline cristianojgm

  • Jr. Member
  • **
  • Posts: 70
> Hi, according to the same test on MalwareTips, Avast was bypassed while AVG's IDP blocked it successfully.
> This is the 4th time I have seen this happen.

Plus the behavior shield of Avast is the same as the IDP of AVG.

Offline TrueIndian

  • Poster
  • *
  • Posts: 434
Hey guys, thanks for reporting. We have brought this to the attention of someone responsible for behaviour detection internally. Just like you guys, I am curious about this possible issue and about improving Avast.

We need some details from you guys right now. Were both AVG and Avast tested in an environment with a working internet connection? And were both products tested only with IDP?

Screenshots of both products' IDP detecting it, and the sample hash.

Now remember, IDP is no silver bullet. It just has multi-stage detections, so the malware did something at the end that got caught; files getting encrypted is not unusual. Avast is always trying to make it better, and FileRep and Evo-gen are always on their toes detecting new samples, as they did here, so we should be protected.

Much appreciated.
« Last Edit: May 24, 2017, 08:50:53 PM by TrueIndian »
Malware Hunter/Tester/Analysis
https://twitter.com/avman1995

“When I despair, I remember that all through history the way of truth and love have always won. There have been tyrants and murderers, and for a time, they can seem invincible, but in the end, they always fall. Think of it--always.”
― Mahatma Gandhi

Offline Evjls

  • Jr. Member
  • **
  • Posts: 96
According to what I read from the testers, both were tested with internet connections, under a VPN, in VMs:
Avast Free: File, Web and Behavior Shields, PUP detection enabled -> blocked | Bonus test: only the File Shield was disabled -> failed to react, no notification, everything was encrypted
AVG Internet Security: tested at least 5-6 hours after Avast, under similar conditions. Default settings, PUP detection enabled. Blocked almost instantly by IDP and nothing was encrypted

The AVG tester performed a bonus test WITHOUT the internet connection and AVG's IDP failed to react. As soon as he turned on the internet, IDP blocked it. The two testers thought that IDP was cloud-based because of this. Moreover, they noticed that every time they ran the same samples, they received different numbers from IDP.

EDIT: the tester told me this, thank you:

> Avast did detect it as FileRep, so perhaps it was not analyzed thoroughly as of that time. This could explain why IDP did not get the "correct" answer from the cloud or a confirmation of this file being malware.

AVAST: FileRepMalware - IDP did not detect.
AVG: Malware-Gen - IDP detected.
« Last Edit: May 25, 2017, 09:49:30 AM by Evjls »

Offline Be Secure

  • Long Time Avast User(10years.....) Security Enthusiast.
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1910
Thanks @Evjls. :)

Online Alikhan

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2234
Just to be clear here:

Avast: Running the sample with internet connection and cloud enabled = IDP never reacted or reacted late?
AVG: Running the sample with internet connection and cloud enabled = IDP caught the sample immediately?

It's also important that both samples were tested near the same time.
Windows 10 Home 64-bit • Avast Free (latest stable version) •  Malwarebytes 4 Premium (On-Demand) • Windows Firewall Control • Google Chrome • LastPass • CCleaner • O&O ShutUp10 •

Offline Evjls

  • Jr. Member
  • **
  • Posts: 96
> Just to be clear here:
>
> Avast: Running the sample with internet connection and cloud enabled = IDP never reacted or reacted late?
> AVG: Running the sample with internet connection and cloud enabled = IDP caught the sample immediately?
>
> It's also important that both samples were tested near the same time.

Avast never reacted; AVG reacted and caught the ransomware immediately, I assumed, because nothing was encrypted.

AVG was tested/posted ~5-6 hours after Avast.

Online Alikhan

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2234
>> Just to be clear here:
>>
>> Avast: Running the sample with internet connection and cloud enabled = IDP never reacted or reacted late?
>> AVG: Running the sample with internet connection and cloud enabled = IDP caught the sample immediately?
>>
>> It's also important that both samples were tested near the same time.
>
> Avast never reacted; AVG reacted and caught the ransomware immediately, I assumed, because nothing was encrypted.
>
> AVG was tested/posted ~5-6 hours after Avast.

Thanks for that. I've just asked one of the devs behind the Behaviour Shield. The most likely reason is that the AVG test was conducted 5-6 hours later. ... the cloud.
« Last Edit: May 25, 2017, 01:44:16 PM by Alikhan »

Online Alikhan

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2234
Regarding the behavior shield being dependent on the cloud, that isn't entirely true:

The cloud is just another layer; the shield checks the cloud to get info on whether the file is clean/bad etc.

The difference between these samples is because of the time between the two tests, and that the file got classified in the meantime.

Also, the behaviour shield is the last line of defence. Most of the time other mechanisms should catch the malware, which is why just testing the behaviour shield on its own isn't viable.

« Last Edit: May 25, 2017, 01:55:30 PM by Alikhan »

Offline Evjls

  • Jr. Member
  • **
  • Posts: 96
> Regarding the behavior shield being dependent on the cloud, that isn't entirely true:
>
> The cloud is just another layer; the shield checks the cloud to get info on whether the file is clean/bad etc.
>
> The difference between these samples is because of the time between the two tests, and that the file got classified in the meantime.

The tester of AVG told me that he also tested AVG without the internet connection after the sample had been blocked by IDP in the previous test. IDP didn't react and everything was encrypted. Then he turned on the internet and tested it again. IDP worked.
Therefore, we agreed that without the internet, IDP won't work properly.

Offline Lord_Ami

  • Sr. Member
  • ****
  • Posts: 227
> Regarding the behavior shield being dependent on the cloud, that isn't entirely true:

Sure, it's not. It has its own rules and goodies :) Overall I think this whole thing is kinda overblown in terms of Avast vs AVG (or such). Let me explain my understanding/point of view:

First: The test itself is far from perfect and does not mimic a real-world scenario.

Avast in my test picked up the samples as FileRepMalware. This (as far as I know) comes straight from the cloud or classification system(s). I say that because, for example, Windscribe VPN is blocking cloud access for some strange reason. So while I did use Windscribe some time ago, detections from a right-click scan never showed "FileRep" or similar "cloud" detections.

Now onto AVG's case: It was tested ~5 hours later. From the right-click scan we can see this same file was now categorized as Malware-Gen, meaning it is deemed malware and a signature was created. So with Web/Behavior Shields on, IDP queried the cloud, and since the file was 100% marked as malicious, it gave it a random name and quarantined it...? Seems so.

I don't think Avast devs want to go into details on how their systems work. I don't see a problem: the file was detected correctly in both cases and the VM was protected.
However, IDP itself was not able to detect the file via behavior in either case (in my opinion). So that's what the devs need to work on.
« Last Edit: May 25, 2017, 02:08:22 PM by Lord_Ami »

Online Alikhan

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2234
> Therefore, we agreed that without the internet, IDP won't work properly.

That is not true. Without the cloud, you are just missing another layer. If you had the File Shield enabled, it would get caught by the File Shield.

Of course some IDP detections do come from the cloud (most are behavioral), but that doesn't mean Avast would fail to detect the sample, since the File Shield would catch it.