
January 8th, 2010

File infectors – part 2

Hello in 2010. I would like to wish you all the best in this year, and I hope that our upcoming v5 will be your good fella starting from this January. Let me pick up where the previous article, “Buggy file infectors”, left off: as the release date for v5 is getting closer and closer, I think it would be good to tell you what to expect regarding the cleaning of file infectors. Version 4.x was sometimes criticised for its limited ability to cure the most recent file infector families (more on this later in this text). Good news for you – v5 will perform better.

Ok, it’s time to get deeper into the topic (but not so deep that we get stuck in technical details). First, we should clarify the situation around v4.x: version 4 already has a cleaning engine. This engine is able to clean certain virus families – mostly the families that were quite successful in spreading (high ITW rank) and some families that were very dangerous and created a high risk for victim computers. You may have noticed that infections are getting more complex as time goes on. Recent virus families need advanced technology to get rid of them, and here is the first limitation of the v4 cleaner: it is not available within the boot-time scan (nor in the Linux version). Cleaning also requires emulating very tricky code in order to walk through the virus bodies, and the minimalistic emulator engine in v4 was not able to cover all of these aspects. But this doesn’t mean that v4 is completely toothless – it is able to clean e.g. Win32:Parite (which is an evergreen among virus families). Your question probably is: what will v5 do better?

Version 5 contains a new emulation engine (in fact, it contains two new emulation engines: one is faster, the other is handier and more compatible). This emulation engine is the core of the new cleaning engine, which is also available in the boot-time scan, and it has the ability to walk through the polymorphic code of modern file infectors. Now we know that v5 has new weapons. But how are they used? Avast is now strong at cleaning Win32:Alman, Win32:Cekar, Win32:DunDun, Win32:Expiro and other ITW threats. Sounds promising, right? But there is always some threshold beyond which an infection remains effectively incurable, and it is necessary to simply accept that fact. Some virus families have such a big impact on your system that there is no way back. This applies especially to Win32:Virut (Win32:Vitro) and Win32:Sality – they are very destructive (many wrongly infected files can’t be cured, and the system would be left in a corrupted state). You should always keep in mind that once you have been attacked by these virus families, your computer is seriously compromised and can no longer be trusted (even after curing it with various arbitrary tools). There is no guarantee of fully disinfecting such complex viruses, and even when you are able to cure all the files, the trust level is significantly decreased. Why?

There are basically two ways of signing files. System files are usually signed through catalogues; third-party files are usually signed with Authenticode certificates (in-place certificates issued by VeriSign etc.). Most file infectors invalidate these signatures, and the cleaning routine can’t do any better once that has happened: cleaned files can no longer match their signatures, because we can’t restore them to their original state. Are you sure that you can trust the unsigned binaries after the system disinfection? Not fully, right? The only way to be certain is to reinstall your system, but do you want to hear such advice? I don’t think so, and that is the reason why we always try to keep the trust level at some reasonable value. When we are able to get rid of the infection, we do so (some examples were mentioned above). In case we are not able to fully disinfect the system (e.g. in the case of Virut and Sality), we advise you to back up your system regularly and restore the data when needed.
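The signature point above can be checked directly after a cleanup. The script below is an added example, not code from the original post or from Avast: it walks the system and program directories, asks Windows to verify each executable’s Authenticode signature (or its catalog signature, for OS files) and writes every binary whose status is not `Valid` to a CSV report. It assumes Windows PowerShell 5.1 or later on a supported Windows version, where `Get-AuthenticodeSignature` also consults the system catalogs and exposes `IsOSBinary`; the root paths and the report file name are placeholders you would adjust.

```powershell
# Added example (not part of the original post): after a disinfection run,
# list executables whose embedded Authenticode signature, or catalog
# signature for OS files, no longer verifies.
# Assumptions: Windows PowerShell 5.1 or later, run from an elevated prompt;
# on this version Get-AuthenticodeSignature also consults the system
# catalogs, so catalog-signed system files report Status 'Valid' and
# IsOSBinary $true. Root paths and the report name are placeholders.
param(
    [string[]] $Roots  = @("$env:SystemRoot\System32", $env:ProgramFiles),
    [string]   $Report = (Join-Path $env:TEMP 'signature-triage.csv')
)

$rows = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path       = $_.FullName
                # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
                Status     = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                IsOSBinary = $sig.IsOSBinary
                LastWrite  = $_.LastWriteTimeUtc
            }
        }
}

# HashMismatch is the state the article describes: a signature is present but
# the file bytes no longer match it, which is what a repaired-but-not-original
# file looks like. NotSigned and NotTrusted binaries deserve a second look too.
$suspect = $rows | Where-Object { $_.Status -ne 'Valid' }
$suspect | Sort-Object Status, Path | Export-Csv -Path $Report -NoTypeInformation

# Summary per status so the size of the problem is visible at a glance.
$rows | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
Write-Host "Report written to $Report ($($suspect.Count) files not 'Valid')"
```

Save it as a `.ps1` file and run it from an elevated prompt. A `Valid` status only says that the file bytes still match the signature and that the chain verifies; it says nothing about whether you trust the signer, so review the `Signer` column as well. Binaries that were never signed (`NotSigned`) cannot be judged this way at all, which is exactly the residual uncertainty the paragraph above describes.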

You can see some tools claiming that they are able to clean even the most complex infections, but believe me, there is no guarantee of restoring the system to its original state. A cleaned file (in my opinion) means a file that has no malicious functionality and does not contain any (even inactive) traces of the infection. In my daily work I see many files cleaned of the Virut infection by some third-party tools, but they still contain significant parts of the infection and are therefore detected by our engine. Cleaned files should not be detected by any engine. Second, the problem with wrongly infected files was already mentioned; in my opinion that is a sufficient reason to ignore Win32:Mabezat (its corruption ratio is extremely high).

So, what should you expect from v5 after reading these concerns? It will always try to fully disinfect your system, and it offers a wider variety of disinfection methods than v4. Always remember that no AV is the Holy Grail and some infections need special care. Feel free to visit our forums when you are facing an infection and are not sure what to do or how.

  1. January 8th, 2010 at 19:03 | #1

    If someone is running Version 4.8 will it automatically update to version 5 or will they need to do a separate download and install?

  2. January 8th, 2010 at 22:51 | #2

    @Big Geek Daddy
    You’ll probably be asked to update (it will be performed after your confirmation). The update can’t be done incrementally, because there’s a “completely” different VPS and a slightly different engine. You’ll have to download approx. 40 MB of data, but that’s no problem on cable internet etc.

  3. January 8th, 2010 at 23:57 | #3

    @Michal Krejdl
    So, which do you feel is safer: to update automatically, or to manually download the update and then install it to upgrade to ver. 5 on a low internet speed of about 64-128 kbps?

  4. John
    January 9th, 2010 at 02:14 | #4

    Hello,

    Re Version 5 – Which operating systems will it support?

    Thanks

    John

  5. January 9th, 2010 at 12:09 | #5

    @Cahya
    Are you afraid for the protection in the meantime? The update process should not leave your computer unprotected (at least not during the download of the new version, which can take a longer time on slow connections). If it is only a question of time, then I can’t see any major difference between the two ways.

  6. January 9th, 2010 at 12:10 | #6

    @John
    2k and above, as far as I know.

  7. @Eric
    January 9th, 2010 at 14:54 | #7

    Tell us:

    When will the new version 5.0 of Avast! be out, on what date?

  8. Jason
    January 10th, 2010 at 01:29 | #8

    Will the new avast version 5 apply to the current avast on demand scanner for linux?

  9. Decker
    January 10th, 2010 at 10:50 | #9

    So when will the avast 5.0 be released to the public for free usage? Waiting urgently and happily…

  10. January 10th, 2010 at 12:47 | #10

    Version 5 (all 3 products) will be released later in January (wait 10 or 12 days). It will initially support only Win; schedules for Linux/Mac versions are not yet known to me.

  11. AvastApple
    January 10th, 2010 at 21:14 | #11

    There are ways of removing Win32:Virut (Win32:Vitro) using bootable anti-malware disks that are very effective, for example Dr.Web Live CD. It cures Win32:Virut infections, along with other malware. It’s free too. Here’s a video made for removing Win32:Virut: http://bit.ly/meX6i

  12. January 10th, 2010 at 23:35 | #12

    @AvastApple
    It is “possible” to clean Virut and you can give it a try. You must consider all the points mentioned in the article – the cleaning may fail for various reasons (corrupted files, disinfected files that still contain parts of the infection, etc.). Remember, one wrongly/not disinfected file is enough to start the reinfection again.

  13. jadinolf
    January 11th, 2010 at 02:16 | #13

    The first information looks like it was written by a lawyer.

    Just state the facts and move on. Why is all the blather necessary?

  14. dream
    January 11th, 2010 at 15:06 | #14

    May I know whether avast ver 5 will be released on January 11/12 or 20/21?

  15. Omar
    January 11th, 2010 at 15:46 | #15

    He typed his comment on January 10th, and said it will be after 10 or 12 days …

    so it will be on 20 or 22/01/2010

  16. NONAME
    January 11th, 2010 at 23:39 | #16

    Hello, sorry for the amateur translation; I am translating it with Google Translator. Will avast 5 have a Slovak or Czech interface now in the final version of the first edition? I think that if nothing comes out so tarnished avast 30th January. I heard that avast 5 will have a boot scanner available. I met with an extremely infected computer, the competitive anti-virus program, but this feature boot scanner helped me very aware that scanning through the blue screen immediately after startup. I am concerned as I would have helped only by another application avast Because the final 5 this function will have integrated. Supposedly it should be, and in version 5.1 but I think that I rather than the end of 2010 will not.

  17. @will
    January 12th, 2010 at 16:31 | #17

    Hi Avast-team,
    First, thanks Avast-team for the recent years of use without any significant problem.
    Second, after an attempt to update my Avast virus library my Avast Home software fails to connect to – a912sl.avast.com – I’m not an expert in the field so I have some questions:
    1) Is this a well-known common problem?
    2) Is it related to the BadDef problem in December 2009?
    3) Should I try to solve this or wait for the v.5 release?

  18. January 12th, 2010 at 18:17 | #18

    NONAME & @will: visit our forums and ask these questions there. ;-)

  19. Taketez
    January 12th, 2010 at 18:17 | #19

    I hope avast Web Shield can support some more other explorers, like Chrome, Maxthon, Sogou Explorer, etc.

    These explorers are widely used in China; I hope avast Web Shield can support them!

    There are so many users in China; we like avast very much!!!

    Sorry that my English is so bad; hope you can understand me.

    3x

  20. Julius
    January 14th, 2010 at 07:03 | #20

    Does Avast update only 2 times per day?

    I see here that the database is very small —> http://www.avast.com/eng/vps_history.html

  21. January 14th, 2010 at 11:58 | #21

    @Julius
    It’s not only a matter of quantity; quality also plays a big role. What you can see at the link is a list of new names (completely new detections) in the VPS update. There are also other detections that are continuously extended and improved without any change of their names (so they’re not listed). You can also watch the size of each update and you’ll see that we’re delivering more than a few names to you.

  22. buhera
    January 14th, 2010 at 13:39 | #22

    Hello,
    Will the Hungarian language also appear in Avast 5?

  23. January 29th, 2010 at 10:38 | #23

    Avast 4.8 attacks and deletes some software I try to install on my computer. Why?
