avast pro missing keylogger ?

[Arsenic]

Hello,

I am new here and I am trialling avast pro.I like the av because it is light but I am worried because it missed a keylogger.





I went to this site http://www.winsite.com/bin/Info?26000000037599 downloaded martin's undetectable keylogger and executed it to  see if avast would catch it.

It missed it. I am not sure I did not configure avast right.

Any of you gurus willing to help ?


Thanks

[Bluesman]

Hello,

I am new here and I am trialling avast pro.I like the av because it is light but I am worried because it missed a keylogger.

I went to this site http://www.winsite.com/bin/Info?26000000037599 downloaded martin's undetectable keylogger and executed it to  see if avast would catch it.

It missed it. I am not sure I did not configure avast right.

Any of you gurus willing to help ?


Thanks

Welcome to the forum!

Test the file at Jotti Multi engine on-line virus scanner or Virus Total Multi engine on-line virus scanner...just to see if other scanners would catch it

You can find links to the multi engine-sites in this post by David:

http://forum.avast.com/index.php?topic=24265.msg199255#msg199255

To test Avast you can try the eicar test-file:

http://www.eicar.org/anti_virus_test_file.htm

[Arsenic]

Bluesman,

Avast catches eicar..but then again all avs catch eicar ?

Have a look at this...


http://forum.avast.com/index.php?action=post;topic=24813.0;num_replies=1

[Bluesman]

Bluesman,

Avast catches eicar..but then again all avs catch eicar ?

Of course I know that  I was just thinking you wanted to test that your avast works ok, eicar is a good test to see if avast is correct installed. Sorry to have misunderstood you.

And the thing about the multiengines, that was just for you to see if the keylogger really is dangerous and other scanners catch it. If other sees it and not avast, send the file in a password-protected zip-file to virus@avast.com , and tell them your story and write the password in the mail.

[Arsenic]

I submitted the keylogger to viruscan...
here are the results:

Complete scanning result of "Keylog.zip", processed in VirusTotal at 11/10/2006 12:38:00 (CET).

[ file data ]
* name: Keylog.zip
* size: 136464
* md5.: 8935a514da0aac5d8828c4afa37a6c08
* sha1: 886a6b1b9875edf850471f183af938ce55c204a8

[ scan result ]
 AntiVir        7.2.0.39/20061110        found [TR/Spy.KeyLogger.LF]
Authentium        4.93.8/20061110        found nothing
Avast        4.7.892.0/20061109        found nothing
AVG        386/20061109        found [PSW.Generic2.LFE]
BitDefender        7.2/20061110        found nothing
CAT-QuickHeal        8.00/20061110        found nothing
ClamAV        devel-20060426/20061110        found nothing
DrWeb        4.33/20061110        found nothing
eTrust-InoculateIT        23.73.51/20061110        found nothing
eTrust-Vet        30.3.3186/20061110        found nothing
Ewido        4.0/20061110        found [Logger.KeyLogger.lf]
F-Prot        3.16f/20061110        found nothing
F-Prot4        4.2.1.29/20061109        found nothing
Fortinet        2.82.0.0/20061110        found [Spy/KeyLogger]
Ikarus        0.2.65.0/20061109        found nothing
Kaspersky        4.0.2.24/20061110        found [Trojan-Spy.Win32.KeyLogger.lf]
McAfee        4892/20061109        found nothing
Microsoft        1.1609 /20061110        found nothing
NOD32v2        1861/20061110        found nothing
Norman        5.80.02/20061110        found [W32/Keylog.BAM]
Panda        9.0.0.4/20061109        found [Suspicious file]
Sophos        4.11.0/20061107        found nothing
TheHacker        6.0.1.116/20061109        found [Trojan/Spy.KeyLogger.lf]
UNA        1.83/20061109        found [Trojan.Spy.Win32.KeyLogger.2021]
VBA32        3.11.1/20061109        found [Trojan-Spy.Win32.KeyLogger.lf]
VirusBuster        4.3.15:9/20061109        found nothing

[ notes ]
packers: ASPACK
packers: Aspack

[galooma]

I guess one could argue (as VLK has ) that an AV gains no credibility from increasing its detection of simulated malware. Which is probably why so many miss on this item.

[Lisandro]

I am worried because it missed a keylogger.

Well, not a software is perfect and you need layered defense. You've done the right thing, helping avast to improve detection.

I am not sure I did not configure avast right.

Most probably it's not a problem of configuration... but, anyway, you can ask for help in any configuration you need/want  

[Arsenic]

Well, avast is not exactly the only av that missed this keylogger.Nod32 missed it!

Maybe avast should add heuristics  and become more like kaspersky ?

[DavidR]

Key loggers are also used as tols, avast does detect and report a number of keyloggers, but the problem is also is the tool being used for good or evil.

Heuristics has been frequently discussed in the forums and responses have been made by Alwil members, perhaps a forum search is in order.

[Arsenic]

Yes I did run a search but looks like that if I want  a top notch antivirus my only choice would be kaspersky...at least ur safe..and..better safe than sorry 

[DavidR]

If you want to pay for Kaspersky, that is entirely up to you and good luck. However, Kaspersky isn't the be all and end all of AVs it is about what suits your needs and avast is one of the most flexible and configurable out there. Not to mention the other shields and functions not often found in other AVs.

You downloaded a keylogger and installed it on your system that requires a degree of co-operation that isn't forthcoming if an attempt is made to install this without your permission. That would require another element, trojan downloader or backdoor, etc. those to can be combated, by avast and other anti-spyware/trojan software and a firewall that provides protection against unauthorised outbound connection.

By applying a multi-layer/application approach to your defences you go a long way to improve your protection stopping this sort of thing getting installed in the first place.

[Arsenic]

Hello David,

I already had kaspersky, SSM, Ewido,Spybot,Spyware Terminator,Comodo fw, (outpost but not installed), sandboxie and Acronis True Image.

I wanted to try avast because I heard it was decent/good.I knew it does not even come close to kaspersky but still I like to try different software.

>However, Kaspersky isn't the be all and end all of AVs it is about what suits you needs and avast is one of the most flexible and configurable out there.



I think Kaspersky is the best AV out there. yet.Yes avast is flexible but I need an antivirus to catch viruses.. the higher the detection rate the better

>By applying a multi-layer/application approach to your defences you go a long way >to improve your protection stopping this sort of thing getting installed in the first >place.

I agree with you ,that is why I have the progs I listed above. If the AV is strong like kaspersky so much the better.


Each to his own I guess.

Thanks for answering

[DavidR]

No problem, your system and your choice.

[Arsenic]

David,

Yes, my choice.But.I would like to add that I do not think that Kaspersky is a magic wand.I have been using it for the longest time and I feel safe with it because it does perform well.I know it stuffs up.like any other AV.If you read one of my previous posts you can see that even a top tier like Nod32 didn't catch the keylogger.

So a layered a approach is a must..even if u have nod or kav.

I think that with avast+ewido+spybot+ssm and sandboxie u'd have a hard time getting infected.One needs to be careful tho because a fool with a tool is still a fool 

Thanks all for your input and help.

[DavidR]

Your welcome, your input will also be very useful for those also reading the topic now and in the future.

I have been waiting for SSM to mature a little more, when I last tried it there was no help file and it was somewhat difficult to work out how to configure it, too much like a black art (I like to know what is going on in the programs I use) and I didn't find the forum too hot. Perhaps time to take another look.

I looked at sandboxie and even went as far as downloading it, I still haven't got around to installing and trying it. I like the concept, but as a dial-up user (I need all the help a cache provides), I didn't like the fact that you lose the cache and bookmarks, etc. unless you set it up to save them to the real location. So I wasn't sure if this breaking out of the sand box might not be a weakness.

As you will see from my signature, DropMyRights is a very useful proactive tool to limit user rights in certain programs that access the internet and stop malware writing to the registry and placing files in the system folders limiting any potential damage, should you catch a cold. This is more convenient that running on a limited user account. This is what the Vista UAC is about restricting rights even if you are logged on to an account with admin privileges.