Author Topic: Samples missed by avast (VirusTotal links only!)  (Read 373173 times)

true indian

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #765 on: May 22, 2012, 02:54:03 PM »
In all honesty, posting here (not just for you) achieves nothing, especially when those posting here don't go back and edit their posts as and when they are added to the virus definitions.

Otherwise this is pointless, it achieves nothing.

Really?? I thought the virus analysts are looking at this topic...sorry  :-[

So can anybody explain to me why and what should actually be reported here?  ???

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86920
  • No support PMs thanks
Re: Samples missed by avast (VirusTotal links only!)
« Reply #766 on: May 22, 2012, 04:20:37 PM »
Even if they did monitor the topic (which I rather doubt, they have more to do than monitor this topic) the virus analysts can do nothing with reports, they need samples.

So the reports are essentially worthless in terms of getting it added to the definitions. All that is achieved is a report in this topic; when there is no follow-up (modify post) when added to the database, then it is just an unbalanced topic, lots of reports and no reports of addition to the database.

I can't explain why post here, as I feel it doesn't get it added to the database, that will only come on receipt of the sample and analysis.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.9.6034 (build 22.9.7554.734) UI 1.0.728/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33522
  • malware fighter
Re: Samples missed by avast (VirusTotal links only!)
« Reply #767 on: May 22, 2012, 04:41:34 PM »
true indian,

Report a few days after a sample of the actual malware has been sent to virus AT avast dot com.
You should at least extensively check and counter-check and re-check after some time has elapsed.
For instance, you report as undetected a downloader that avast has detection for as Win32:Ivelog-D PUP.
The malware that is missed could have been found when run as a riskware toolbar download aka TR/Dldr.Agent.apg.
Now avast team analysts have decided to treat this as a PUP detection.
You miss a detection with URLVoid, but the Networkshield flags it. Avast has protection for it.
You scan a so-called missed detection just before avast detection is being added. Sometimes detection cannot be made
because the malware is no longer active, closed, etc. Some malware only survives for a minimal time online (generally 3 1/2 hrs).
As you do not know what the avast detection brew is made up of, do not comment on the contents!
Here I give you an example for which the greens (active) and reds (closed, taken down) are not showing the real-time situation results:
htxp://www.mwis.ru/  (a lot of greens are actually to be interpreted as reds),

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

true indian

  • Guest
« Last Edit: May 24, 2012, 02:12:23 PM by true indian »

Offline polonus

Re: Samples missed by avast (VirusTotal links only!)
« Reply #769 on: May 23, 2012, 11:49:24 AM »
true indian,

Avast already detected a previous version: https://www.virustotal.com/file/d0a5cfec8e80622b3e194b5ee03e93d78c7ef3478bead6a039d213caaaa58523/analysis/
as Win32:Malware-gen. See: htxp://www.threatexpert.com/report.aspx?md5=c4c129fa72b3c0a6364635e33ee3d9b7
Tested your submission with avast Networkshield: URL:Mal detected with webBug get...
So my question is - did you check the url with the microsoft: Trojan:Win32/Weelsof.A against avast Networkshield?
I guess you did not, for we have detection there,

polonus

true indian

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #770 on: May 23, 2012, 12:30:43 PM »
I got the sample from another site called malwares.pl   :-[

Offline polonus

Re: Samples missed by avast (VirusTotal links only!)
« Reply #771 on: May 23, 2012, 01:47:40 PM »
true indian,

There was only an image from an image sharing site on VT, from: http://i.imgur.com
That image is not from malwares.pl !
As we can see from the image url.
The original forwarder was: htxps://www.virustotal.com/user/tommyklab/
and this one: hxtps://www.virustotal.com/user/24tachion/
As these finds for https://www.virustotal.com/file/3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458/analysis/
are also landing on the avast desks, so detection will be added sooner or later anyway.
This time I think I have to agree with a couple of DavidR's remarks,

polonus
« Last Edit: May 23, 2012, 06:42:33 PM by polonus »

Offline polonus

Re: Samples missed by avast (VirusTotal links only!)
« Reply #772 on: May 23, 2012, 03:38:23 PM »
TR/Crypt.XPACK.Gen undetected by avast:
https://www.virustotal.com/file/1ac55d11a737f0fee48c8226cd37dca69f79c70fff57deecf49308871b998f75/analysis/1337779565/
Up and alive malware since 2012-05-23 04:50:02
DrWeb's online scan detects: htxp://91.202.244.89/files/cd88e infected with Trojan.Winlock.5600
reported to virus AT avast dot com

polonus

true indian

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #773 on: May 23, 2012, 06:10:39 PM »
true indian,
You shamelessly copied that, so again you are feeding us fud. That image is not from malwares.pl !
polonus

Pol, I didn't say the image is from malwares.pl, I said the sample is from malwares.pl. Yes, the image is from VT comments but the sample is from malwares.pl... I thought you understood my previous post... Please ask me before blindly accusing... You misunderstood my previous statement  :-\ ... That's all I want to say.
« Last Edit: May 23, 2012, 06:15:59 PM by true indian »

Offline DavidR

Re: Samples missed by avast (VirusTotal links only!)
« Reply #774 on: May 23, 2012, 06:34:31 PM »
Regardless of this, I see no need for an image, it adds nothing to help detections, samples are king, just send the samples, the rest is just wasted time.

Offline polonus

Re: Samples missed by avast (VirusTotal links only!)
« Reply #775 on: May 23, 2012, 06:40:53 PM »
As I initially misinterpreted that I have changed my initial posting accordingly.
Thanks for that explanation and the link to malwares.pl.
Well I misunderstood that because when users are going to visit the VT results, they can see that image anyway.
So like DavidR says, this only takes forum disk space... as the image is available anyway to those that are interested.
For malwares.pl I do not know whether you provided the malware sample there, but that could be.
I think avast will add detection for it anyways within the next day or so,

polonus


true indian

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #776 on: May 24, 2012, 09:40:07 AM »
Hi pol,
I am sorry for troubles...I will put the description from the sample source next time

true indian

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #777 on: May 24, 2012, 09:41:45 AM »
See: http://zulu.zscaler.com/submission/show/910c0046443f9e7f5a794e7e3cada966-1337845129
Given as rogue RealRegistryCleaner here but avast missed it:
https://www.virustotal.com/file/4e09f3f888c58f152d9da643075a2f29/analysis/

I also added the associated URLs hosting these nasties in the e-mail so they can apply analysis and block down these sites with network shield  ;)

Reported to avast!
« Last Edit: May 24, 2012, 09:54:07 AM by true indian »

Offline polonus

Re: Samples missed by avast (VirusTotal links only!)
« Reply #778 on: May 24, 2012, 10:08:36 AM »
true indian,

This software is bordering on being suspicious/malicious. They try to prove their software comes without malware: htxp://www.softwaredownloads.org/windows/system-utilities/system-maintenance/virus-report/system-boost-elite/
When it is being flagged it is via WOT rep reports, because it comes with additional adware.
This rather should be reported then to MBAM and SAS etc. to be added to detection there,
see: http://v.virscan.org/Adware.Win32.RealRegistryCleaner.AMN!A2.html

polonus

true indian

  • Guest
Re: Samples missed by avast (VirusTotal links only!)
« Reply #779 on: May 24, 2012, 10:10:01 AM »
I am uploading this sample to MBAM now  ;D