Author Topic: A challenge for Avast  (Read 4508 times)

0 Members and 1 Guest are viewing this topic.

Rappaping

  • Guest
A challenge for Avast
« on: August 01, 2011, 09:00:17 PM »
Dear stuff and users,
I've tried the BufferZone security test and I partially failed that.
Now, I've got, installed on my pc, Avast antivirus free edition (updated in engine and definitions), Spybot, Spyware terminator, Lavasoft Ad-aware, Spyware Blaster and no-one of them could detect the spying activity of the test file. Morover, no malware advisories appeared downloading the file.
WHY?

You can find the test file here:
http://www.trustware.com/Free-Security-Test/

P.S.: I just failed one test: the file could read the name of the files in "My Documents" folder.

Best regards

SHARKY7SHARKY

  • Guest
Re: A challenge for Avast
« Reply #1 on: August 02, 2011, 09:11:49 AM »
All I see is a programe written to display your documents, no internet disconnect no knowledge of any server being used. & for your programes if they are not realtime they wont catch anything untill you do scans 

Rappaping

  • Guest
Re: A challenge for Avast
« Reply #2 on: August 03, 2011, 03:24:46 AM »
Spybot and Avast (that is also antispyware) ARE realtime, but they can't detect the test program, that, reading "My documents" folder, IS a spyware program. After reading my documents, the test program attempts to connect to internet, but I can block it thanks to the detection by my firewall.
The problem, however, is that no-one of my antimalware programs can't detect the Spyware activity of the test program or recognise the test program itself as a spyware.

Gargamel360

  • Guest
Re: A challenge for Avast
« Reply #3 on: August 03, 2011, 04:21:26 AM »
Well, it says right on the page you linked
Quote
We will attempt to prove that none of your security system's defense layers will identify or alert you to our intrusion attempt
but the funny thing is, when such a thing is stated by a company that obviously has intentions of debunking the competition, and the statement is proven correct, it leaves you to wonder if this is even a legitimate test of security at all, or more about promoting their own product.  There are other examples of such "tests" out there, that in fact test only a proprietary facet of a program that they know everyone else is going to "fail".

Rappaping

  • Guest
Re: A challenge for Avast
« Reply #4 on: August 03, 2011, 04:44:42 AM »
Ok, right observation. However,
first of all, I haven't installed BufferZone sandbox,
second, it can be a "proprietary facet of that program", but my interest is to understand WHY (or, better, my interest is THE FACT that) "everyone else is going to fail" to detect the intrusion.
My unique interest for this test is the security aspect.

Gargamel360

  • Guest
Re: A challenge for Avast
« Reply #5 on: August 03, 2011, 05:42:31 AM »
No what I mean is, lets say you are setting up an actual "physical" security system for say, a bank. 

One of the features you use are motion sensors along the floor at night, so anyone walking across the floor triggers the alarm.  But your competitor sets up a security system in the bank across the street, and places motion lasers across all the doors and windows. 

Then he promotes his security system against yours by telling people to place their arm through the window of the bank your system guards.  When the arm through the window doesn't trigger the alarm, he claims triumph, says your security is inferior, because his alarm would be going off and yours is not, even though if any of those people had set foot on the floor that you had motion sensors on, the alarm would go off, the bank was protected the same.

The metaphor is a bit long-winded, but the principals are roughly the same.  What I meant by a proprietary facet is a feature of their program that is nearly exclusive to them (motion sensors on window).  So they make a special tool to test this feature (arm-through-window test), knowing nearly everyone else is going to fail.  But that doesn't mean they have less security, only different security.  Now, Avast! for example might indeed fail to notice this tool looking at your documents.  But where Avast! kicks in is as soon as actual infections try to phone home.  As this tool likely just looks but doesn't try to phone home, Avast! leaves it be.

SHARKY7SHARKY

  • Guest
Re: A challenge for Avast
« Reply #6 on: August 03, 2011, 06:18:39 AM »
Well said Grasshopper

Did it Launch your Windows Calculator?
Did it Abort your Internet Explorer?
It accessed documents because the programe was written to do so.---Access several sensitive files (no harm will actually be done), and scan your "My Documents" folder where you most likely keep your private information.


We will place your sensitive file names (names only!) on our server. Your firewall may notify you of our demo trying to access your system. This means that our simulation was successful and is reporting its findings to our server.  No report was sent to any server.
Your firewall was activated by this programe on your desktop, so wheres the server?
The firewall was not activated by a Protocall, IE the firewall was not asking to access the net.
Only to access  your system.




Rappaping

  • Guest
Re: A challenge for Avast
« Reply #7 on: August 03, 2011, 06:36:08 AM »
Leaving away the good metaphore, what is sure is that the program spies my documents. You may say it's not important because the program doesn't phone home, but actually it PHONES home, asking you for the permission! Now, let's say that instead of asking you for a connection to its server, it ask you for another (fake) thing. Authorizing the program (that you thing is a goodware) it'd  secretly connect to its server without your permission (in that case we could call that program as a "trojan", as it would make a thing different from that it say to do) to send home your private informations, and no-one of your antimalware programs would detect this secret operation (because all would be like it now is with the only difference of a different message by the spying program). That's a test program with no risks, but I think it uses an exploitable spying technique that could be used also in REAL spying software, so I think antimalware programs should detect that at least as a PUP. Otherwise (like it is) it would be "a feature (feature? I say "AN INTRUSION TECQNIQUE") of their program that is nearly exclusive to them (FOR NOW!)".

TO SHARK7SHARKY
"no harm will actually be done": the worse harm a spying program can do is to spy your data!
« Last Edit: August 03, 2011, 06:45:10 AM by Rappaping »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: A challenge for Avast
« Reply #8 on: August 03, 2011, 06:56:02 AM »

Gargamel360

  • Guest
Re: A challenge for Avast
« Reply #9 on: August 03, 2011, 06:59:43 AM »
Avast! blocks phoning home many ways, to my understanding.  Traditional signatures, detecting the actual malware.  The Behavior Shield or heuristics detecting the action are also both separate possibilities.  But Avast!'s best guard against phoning home is probably the Network Shield.  

The domain this tool wants to phone home to is obviously not malicious and you are okaying the action according to what the program asks you, so I think Avast! will detect nothing of it unless maybe by suspicious behavior detection.  

I can't really say this should be classified as a PUP, but thats not my call.  Whether it warrants a detection or not, it would be, to me, an....inadvisable move, for an AV vendor to flag the tools of its competitor as any detection at all is always subject to some controversy sooner or later, and needs to be considered carefully.  

You think this could be used for ill purposes?  Believe me, there are better/worse things out there that are easier to acquire than this tool.  I would say it is what it is....a harmless and likely useless proprietary testing tool.

Rappaping

  • Guest
Re: A challenge for Avast
« Reply #10 on: August 03, 2011, 07:20:06 AM »
Hi Pondus, pleased to meet you again!
"Also, passing that test wont actually block malware from installing all it does it prove that this fake scenario is blocked.":
- Fake scenario? It really sends your information to its server
- It doesn't install? It doesn't need, because it can collect and send informations also without installing.

I mean:
changing the written instructions of the program (changing the user interface) it could fully be a functional spyware.


"The domain this tool wants to phone home to is obviously not malicious": it's not malicious because no-one of the antimalware programs can recognize trojdemo.exe as a pup/malware.
"You are okaying the action according to what the program asks you": suppose the program ask you something different from what it really does (it would be classified as a trojan): Avast! couldn't know what the program say you!
I mean that the spying technique used by this test program could alreaby have been used by REAL spying programs and we cannot detect them!
"You think this could be used for ill purposes?  Believe me, there are better/worse things out there that are easier to acquire than this tool": there's always something easier, so I think it's not a good reason to snob the GOOD-WORKING spying technique of this test file.