Author Topic: Samples missed by avast  (Read 31673 times)


Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Samples missed by avast
« Reply #45 on: September 14, 2010, 11:41:19 AM »
guys, don't turn this topic into a jungle :P

RejZoR: but there are new heur detections and modifications of current ones (some of them were not announced).. you're a lucky guy, if you haven't met any of them in-the-wild, but it doesn't mean that they're not effective or that they're not continuously tuned to reflect recent news from malware scene..

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9411
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Samples missed by avast
« Reply #46 on: September 14, 2010, 12:26:15 PM »
In fact I'm having a hard time finding malware that others get from nowhere lol :D

Btw Maxx, how come you guys use [Susp] for some and [Heur] for others? As far as Igor managed to answer me, they are the same thing, it just depends on the analyst who made the detection and which tag he uses. I know it doesn't make much difference to most, but if they are the same then I'd prefer one or the other, not both at the same time.
Visit my webpage Angry Sheep Blog

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Samples missed by avast
« Reply #47 on: September 14, 2010, 01:11:06 PM »
well, an example of Susp could be:

we can certainly identify a script obfuscator e.g. and we consider its usage/presence as (highly) suspicious.. so then we exactly detect the particular obfuscator and give it a suffix [Susp] (there was no heuristics involved in fact)

and an example of Heur:

we can process a file and if we think there's something fishy, we can go deeper and apply further analysis (emulation, generic unpacking) and collect the necessary information to find malicious behavior patterns etc. - but we don't focus on known suspicious obfuscators, packers here..

basically it could be considered as a difference between "known" and "unknown" threat types.. and of course there could be little deviations from these general rules :)
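The two paths described above, as an added toy illustration that is not avast's code: a known-obfuscator marker yields an exact, named [Susp] detection with no heuristics, while everything else goes through a scoring pass that stands in for the emulation/unpacking stage (here: string indicators plus byte entropy). The marker table, indicator list and threshold are constructed for the example.

```python
"""Constructed [Susp] vs [Heur] scanner; not a real engine."""
import math
from typing import Optional

# Hypothetical "known" obfuscator/packer markers -> exact named detection.
KNOWN_OBFUSCATORS = {
    b"__ObFuScAtE_v2__": "Script:Obfuscator-A [Susp]",
    b"PACKD!!": "Win32:Packer-B [Susp]",
}

# Generic behaviour indicators with weights, used only on the heuristic path.
HEUR_INDICATORS = {
    b"CreateRemoteThread": 2,
    b"WriteProcessMemory": 2,
    b"SetWindowsHookEx": 1,
    b"DisableTaskMgr": 2,
    b"eval(unescape(": 2,
}
HEUR_THRESHOLD = 4          # constructed cut-off
HIGH_ENTROPY = 7.0          # bits/byte; packed or encrypted bodies sit near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan(data: bytes) -> Optional[str]:
    """Return a detection name, or None if the sample looks clean."""
    # Path 1 ([Susp]): a known obfuscator is identified exactly; no heuristics.
    for marker, name in KNOWN_OBFUSCATORS.items():
        if marker in data:
            return name
    # Path 2 ([Heur]): nothing known, so "go deeper" and score generic evidence.
    score = sum(w for ind, w in HEUR_INDICATORS.items() if ind in data)
    if shannon_entropy(data) > HIGH_ENTROPY:
        score += 2          # opaque body: likely packed/encrypted payload
    if score >= HEUR_THRESHOLD:
        return "Win32:Malware-gen [Heur]"
    return None


if __name__ == "__main__":
    print(scan(b"MZ...__ObFuScAtE_v2__..."))                    # [Susp]
    print(scan(b"MZ CreateRemoteThread WriteProcessMemory"))    # [Heur]
```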


Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Samples missed by avast
« Reply #49 on: September 14, 2010, 03:17:19 PM »
Tech, can you register at VT and write some metadata (where the file comes from etc.) to these analyses? when the file is called suspicious.exe and two engines detect it under such generic names, there's no clue what the file belongs to... it is very useful to know further information when we're dealing with possible rogues ;)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: Samples missed by avast
« Reply #50 on: September 14, 2010, 03:30:23 PM »
Tech, can you register at VT and write some metadata (where the file comes from etc.) to these analyses? when the file is called suspicious.exe and two engines detect it under such generic names, there's no clue what the file belongs to... it is very useful to know further information when we're dealing with possible rogues ;)
Answered by PM.
The best things in life are free.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9411
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Samples missed by avast
« Reply #51 on: September 14, 2010, 03:34:58 PM »
I was thinking, is there even a way to generically and with heuristics detect rogues? I mean they don't perform any malicious actions in general so you can't rely on that. But they are really annoying and latest versions even block IE and stuff like that. If there was a way to effectively block them it would be really great.
Visit my webpage Angry Sheep Blog

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Samples missed by avast
« Reply #52 on: September 14, 2010, 03:48:44 PM »
RejZoR: we started an automated submission system of rogues (for v5 users) to get a fresh feed of samples a few weeks ago.. some of them are well detectable due to their obfuscation, so there's not always a need to reach the lowest layer (but there are two ppl committed to analyze the capabilities of our generic unpacker and find interesting things inside the rogue samples).. this effort will probably not generate a big bang during one day, but there's a reasonable potential..


Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Samples missed by avast
« Reply #54 on: September 15, 2010, 11:44:33 AM »
xqrzd: new versions of Security tool should be detected generically now (Win32:MalOb-CM, Win32:MalOb-CN)


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: Samples missed by avast
« Reply #56 on: September 15, 2010, 10:56:47 PM »
Please modify your post and remove the link to the malware download.
Not necessary. Better change http for hxxp in the link. Then the avast team has the information of the source of the file, in my opinion.
An example... http://forum.avast.com/index.php?topic=63894.0;topicseen
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89625
  • No support PMs thanks
Re: Samples missed by avast
« Reply #57 on: September 15, 2010, 11:03:10 PM »
Hardly what I would call an example; the same rule should apply: send the sample directly to avast. Stopping the link being active doesn't stop it from being harvested and used maliciously.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free  24.8.6127 (build 24.8.9372.862) UI 1.0.814/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: Samples missed by avast
« Reply #58 on: September 15, 2010, 11:11:25 PM »
The best things in life are free.
