Author Topic: Malware Criteria

mhonzell
Malware Criteria
« on: October 24, 2007, 06:49:44 PM »
First... I'm really glad I switched to avast!
(Finally, an AV that works without notifying me every 10 seconds that it's doing its job.)

I'm trying to figure out the standard used in determining what is considered malware.
Examples:
1. I am told repeatedly that I have Adware within an installation file for some cheap game I installed. Once installed and the installation file is removed, I am no longer notified.
   a. Is the AV not detecting it in its installed form?   (adware.win32.Trymedia.b)
   b. Or, is it optional in the installation by the user's selection?
       If it's optional, why would it be flagged as Adware?

2. Why does Adware (obviously, my criteria) such as Steam's "shell" not get flagged?

3. Why do programs such as SecuROM which have all the characteristics of a virus not get flagged?
    a. Writes encrypted entries into the registry that cannot be deleted.
    b. Writes corrupted files on the hard drive to prevent deletion.
    c. If you manage to partially delete it, your computer may no longer work and it attempts to restore itself.
    d. It phones home to transmit computer information to the vendor.


DavidR
Re: Malware Criteria
« Reply #1 on: October 24, 2007, 07:04:17 PM »
1. What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.
It may be something that the installation file does that could trigger it but not necessarily the program.

1. avast isn't a specialist anti-adware tool, but it does detect some adware. AdAware would be a reasonable addition to a multi-application/level approach to security. What detected the adware?
Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

3. There are some tools that do get flagged/detected because of what they do; the problem is the determination of what is a legitimate use. However, since the first Sony rootkit I avoid all Sony products, as they clearly think their customers are thieves and take action against every one of those customers.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Lisandro
Re: Malware Criteria
« Reply #2 on: October 24, 2007, 07:53:22 PM »
First... I'm really glad I switched to avast!
Welcome.

(Finally, an AV that works without notifying me every 10 seconds that it's doing its job.)
avast is so configurable that you can even do that... ;D

1. I am told repeatedly that I have Adware within an installation file for some cheap game I installed.
To know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result. If it is indeed a false positive, send it in a password-protected zip to virus@avast.com.
Please mention in the body of the message why you think it is a false positive and the password used. Thanks.
VirusTotal and Jotti both have file size limits, 10 and 15 MB respectively.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...
You can use wildcards like * and ?. But be careful: you shouldn't 'exclude' so many files that it leaves your system in danger.
After that, please check it periodically - scan it into the Chest by right-clicking the file - there should still be a copy in the Chest even though you restored it to the original location. When it is no longer detected as being infected, you can also remove it from the Exclusion list.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586

Once installed and the installation file is removed, I am no longer notified.
   a. Is the AV not detecting it in its installed form?   (adware.win32.Trymedia.b)
I think it is not present in the installed form; otherwise it would be detected.

   b. Or, is it optional in the installation by the user's selection?
       If it's optional, why would it be flagged as Adware?
There isn't a stripped-down version (in terms of detection rate) of avast.

2. Why does Adware (obviously, my criteria) such as Steam's "shell" not get flagged?
David answered... maybe the malware is just not present in the installed version and it's a false detection of the setup. Maybe avast should improve detection. Please submit the file to virus@avast.com.

3. Why do programs such as SecuROM which have all the characteristics of a virus not get flagged?
    a. Writes encrypted entries into the registry that cannot be deleted.
    b. Writes corrupted files on the hard drive to prevent deletion.
    c. If you manage to partially delete it, your computer may no longer work and it attempts to restore itself.
    d. It phones home to transmit computer information to the vendor.
Riskware is not malware.
Maybe detection should be improved in this case.
The best things in life are free.
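The reply above warns that wildcard exclusions (* and ?) in the Standard Shield exclusion list can quietly cover far more than the one setup file you meant to exclude. The following is an added audit helper, not code from the forum post or from avast: it takes a list of candidate exclusion patterns and a constructed inventory of file paths, reports which files each pattern would exclude, and flags patterns that are too broad. It assumes avast-style wildcards behave like Python's fnmatch, with * also matching backslashes (check avast's own help for the exact semantics); the path list is constructed sample data, not real detections.

```python
import fnmatch

# Constructed sample inventory of files on a home PC (not real detections).
SAMPLE_PATHS = [
    r"C:\Games\CheapGame\setup.exe",
    r"C:\Games\CheapGame\game.exe",
    r"C:\Games\CheapGame\data\level1.dat",
    r"C:\Users\me\Downloads\setup.exe",
    r"C:\Windows\System32\kernel32.dll",
]


def _norm(path):
    # Windows paths are case-insensitive; compare in one case so the result
    # does not depend on which OS this script is run on.
    return path.lower()


def exclusion_coverage(patterns, paths):
    """Return {pattern: [paths the pattern would exclude]} in pattern order.

    Assumption: avast wildcards behave like fnmatch here, i.e. '*' matches any
    run of characters including '\\', so 'C:\\Games\\*' covers subfolders too.
    """
    coverage = {}
    for pat in patterns:
        coverage[pat] = [p for p in paths
                         if fnmatch.fnmatchcase(_norm(p), _norm(pat))]
    return coverage


def overly_broad(coverage, limit=1):
    """Patterns that exclude more than `limit` files, or anything under
    the Windows directory, which an exclusion for one game should never touch."""
    flagged = []
    for pat, hits in coverage.items():
        touches_windows = any(_norm(h).startswith("c:\\windows\\") for h in hits)
        if len(hits) > limit or touches_windows:
            flagged.append(pat)
    return flagged


if __name__ == "__main__":
    candidates = [r"C:\Games\CheapGame\setup.exe", r"C:\Games\*", r"*.exe"]
    cov = exclusion_coverage(candidates, SAMPLE_PATHS)
    for pat, hits in cov.items():
        print(f"{pat}: excludes {len(hits)} file(s)")
        for h in hits:
            print("   ", h)
    print("Too broad:", overly_broad(cov))
```

The exact file path is the only pattern that stays within the one known false positive; a folder wildcard or a bare `*.exe` also removes on-access scanning from files the detection never concerned, which is the situation the reply cautions against.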

Spiritsongs
Re: Malware Criteria
« Reply #3 on: October 24, 2007, 09:21:41 PM »
:) Hi:

You should NOT expect an antiVIRUS program, like Avast, to detect ALL forms of malware; we believe in a layered approach on this forum, meaning you should have 2 or more antiSPYWARE/antiTROJAN programs, such as "SUPERAntiSpyware" from www.superantispyware.com, AND a software firewall and possibly a "standalone" rootkit detector program.

mhonzell
Re: Malware Criteria
« Reply #4 on: October 24, 2007, 10:26:54 PM »
I truly appreciate the feedback!

I had no problem removing the adware identified. My question was regarding the criteria used to classify something as malware.
In the examples provided:

adware.win32.trymedia.b was removed by deleting the file when identified. It was a simple game from Gamehouse.com.
I simply wondered if it really is adware when it doesn't install anything detectable. (It is only flagged while in the setup.exe form which meant to me that it was probably user controlled during setup, or a false positive which was addressed by Tech and DavidR.)

Second, the product used by Steam creates its own browser that takes you to nothing but advertisements, but it's "legitimate" only by the fact that you must install it (agree to the EULA) to load the associated game (e.g. Half-Life). Luckily, it's completely removable. Again, I was wondering why there are no AV / Spyware products that flag this as adware. Legitimate by force is hardly legitimate. This is no better than illegitimate adware in its method.

Last, SecuROM is another "legitimate" product, but it borders strongly on the malware side with some AV/Spyware products detecting it as a rootkit and others ignoring it.

I have no contention with avast! I find it to be great. There just seems to be inconsistency in what qualifies as "malware" between the various AV / Spyware groups. So, I was wondering, "What makes the grade?"

Regarding multiple layers:
The best layer is "common sense." I was operating computers for 15 years before I received true "malware" that destroyed my hard drive and data. I've used the basic firewall, antispyware and antivirus since then... another 15 years... and have not had anything other than adware, which I've always been able to remove when I didn't want it anymore. While multiple layers are "good protection", it's typically a waste of time and computer resources. It's far easier to perform automatic incremental backups and a full backup on occasion. If ever attacked again, it takes 20 minutes to restore my entire computer. (I've tested it.) Security awareness on a home computer is far more important than any software protection, since clicking allow or ignore negates all protection. I have work to do and shouldn't have to be talking to my protection every few seconds (e.g. Vista's UAC). Work computers are a completely different issue, since you never know who will be on your workstation. But, again, if the user is having to respond to prompts they ain't working and are probably answering them wrong anyway, disabling the protection you're relying on. So, I want protection that works without prompts. avast! is hitting above 95% correct detection without prompts. That's my kind of protection.

DavidR
Re: Malware Criteria
« Reply #5 on: October 24, 2007, 10:52:21 PM »
Check out this post, http://forum.avast.com/index.php?topic=31090.msg258315#msg258315. There is also a similar trymedia detection by another scanner, DrWeb link checker and this may simply be ad supported trial software.

This may well be different from your issue, though, as this finds the detection in the setup file and not in a file within the setup file.

The problem as I see it is one of intent. Your anti-virus/adware program won't know if this is a legitimate ad-supported piece of software; it only sees something that serves adverts, and that is adware. It doesn't know intent.

Common sense has always been the first level of defence. When combined with proactive measures (limited user account or dropmyrights, etc., a good back-up and recovery strategy), you could probably get away with very limited protection; my signature shows I'm not snowed under with security applications.

Lisandro
Re: Malware Criteria
« Reply #6 on: October 25, 2007, 12:03:25 AM »
My question was regarding the criteria used to classify something as malware.
A question to the virus analysts... We can only guess and get closer...