Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

May 19th, 2011

Early warning may save your bacon :-)

Another day, another entry in the avast! Virus Lab submission system for reporting false positives:

just another groovy submission?

Processing hundreds of possible false positives each day is usually routine work, but a submission from a live internet link is always interesting and needs more individual attention. The reason is obvious – it can do more harm to potential site visitors than a file on a local system which isn’t linked anywhere. Considering the fact that we detect this bit of malware with two different detection systems (regular detection for Sality along with a heuristic detection) is a clear hint – there’s definitely something fishy here.

Let’s simulate the behavior of an average user who want to download the file and then goes to the site and clicks the link (well, I’m not quite strong in decrypting Turkish and the google translate results were a bit fuzzy, but here we go):

connection blocked due to an infection

Nice, the download was promptly blocked by our engine. That’s very important – we can warn the user at a very early stage and show him that something dangerous is inside. No waiting, no shillyshally fumbling around, just a straight STOP to the infection.

But what if the user wants to wait for the emergency brake (on-execution scan of sivanamain.exe after unpacking the setup which is already running) and put all of his or her faith in this protection of last resort? An early warning can increase user trust in us (as it shows that we know what’s going on from the beginning) and we can confirm the validity of this detection later when the infected binary is about to run and we block it with the “emergency brake.” The final decision is up to the individual avast! user, but when it comes to reporting dangerous stuff, my opinion is clear – the sooner, the better.

And what about other AV products and their early warnings on this specific binary file? (Remember, this result partly depends on what level of scan thoroughness has been established on a particular machine, but VirusTotal uses the highest possible level as far as I know.)

VT results for the setup

Frankly, the early warning results are nothing to celebrate with only five out of the more than 40 AV apps catching the malware (and two were from avast!). However, the emergency brake works well for most of tested AV engines:

infected binary extracted from the setup


The conclusion: When driving your computer on the internet highway, remember that only a few AVs work well as early warning systems. But nearly all have functioning emergency brakes – most of the time.

  1. deesnider
    May 19th, 2011 at 18:58 | #1

    What happened to NOD32 in the second set of results?

  2. May 19th, 2011 at 21:10 | #2

    Ooops, it was not my intention to exclude NOD. There’s something wrong on VT side.

  3. May 20th, 2011 at 08:07 | #3

    I use avast and I recommend to everyone to use at home or work, I use the two way at home and at work, where I have two web servers and never had any problems, thanks avast

  4. May 20th, 2011 at 12:42 | #4

    This is good to aware people about such kind of bad viruses, i use every virus scan/ antivirus , program but i found avast the best solutions , thanks to avast!!!

  5. Tech
    May 20th, 2011 at 13:18 | #5

    The sooner, the better :)
    Good chasing.

  6. Haresh
    May 20th, 2011 at 14:53 | #6

    Thank you avast for your Great Service…..!!!!!!!!!

  7. negativo
    May 20th, 2011 at 15:43 | #7

    Me parece que avast hace un buen trabajo, nunca e tenido problemas con el sino que no me deja el alojo de posibles virus y eso seria fatal por el manejo de informacion valiosa.

  8. May 20th, 2011 at 15:45 | #8

    Vraiment Vous étes un Programe 5 etoiles Mercie Bien pour tous ce que vous faites pour nous Bonne Continuation

  9. bong2x
    May 20th, 2011 at 16:04 | #9

    maybe because AV’s do not scan the password protected packed files ???

  10. May 21st, 2011 at 09:11 | #10

    How much ever packers you guys add to your database , there will always be new ways to crypt existing stuff. The number of Viruses running FUD is unimaginable

  11. surcozi
    May 22nd, 2011 at 15:57 | #11

    Since I have very small PC”experience,BUT WITH AVAST,ONLY!!!!!!!!!!!!!!

  12. May 22nd, 2011 at 18:41 | #12

    Good stuff….ust had my PC cleaned up…man, it’s like a new machine!!!

  13. May 22nd, 2011 at 21:06 | #13

    But this is not a password protected archive.

  14. May 22nd, 2011 at 21:17 | #14

    Igor would tell you the exact number. There’s a threshold – some packers are more widespread than others, thus some are worth the effort to unpack, some are very rare (suspicious), some can be detected as a threat at all. And starting with version 5, unknown packers are generically unpacked with our emulator. It’s too complex to explain here in a reply. Anyway, ClickTeam installer used here is quite common packer for setups.

  15. Michael
    May 23rd, 2011 at 17:56 | #15

    When I put my cursor on the little spinning ball in the tray, the sign often comes up that warns me that my computer is not fully protected. When I open the interface, it tells me that my computer is fully secure. What is going on with that?

  16. shre54321
    May 25th, 2011 at 04:12 | #16

    try restarting your computer michael it even happened with me i did this and then the problem never happpened.

  17. May 26th, 2011 at 12:07 | #17


    J’ai telecharger l’antivirus hier mais il ne fonctionne pas

  18. shre54321
    June 5th, 2011 at 09:55 | #18

    i am able to access the avast! blog in ie 8 and not in chrome whts on with that? chrome says the site is unresponsive? any guess whts the problem?

  19. shre54321
    June 6th, 2011 at 07:07 | #19

    hello now i am writing this comment through chrome i think so avast! people repaired the problem on their blog. thanks a lot!!! luv u avast!!!!

  20. shre54321
    June 6th, 2011 at 11:03 | #20

    well,michal early warning for avast! is a good function but what if the web shield is not configured to unpack the concerned packer???
    then i think so it would find it at the downloading time or not? or the file system will catch it???
    what do u say??

  21. June 6th, 2011 at 11:23 | #21

    The screenshot above was taken with default WebShield settings and it caught the file early. And there’s the emergency brake in addition, thus you don’t have to worry.

  22. shre54321
    June 7th, 2011 at 10:07 | #22

    well michal whats the deal with the blogs june 2011 archive it doesnt load in chrome???pls tell me whts causing chrome to tell me the the page is unresponsive???if u have any idea???it oads in ie 8….

  23. shre54321
    June 7th, 2011 at 10:09 | #23

    sorry that is loads…..and not oads

  24. June 7th, 2011 at 12:16 | #24

    No clue. I don’t use chrome. And no other users observe such issues so far.

  25. Shre54321
    June 7th, 2011 at 13:30 | #25

    So it a indication of any infection?

  26. shre54321
    June 8th, 2011 at 06:31 | #26

    so michal can it be indication of infection on my pc???

  27. June 8th, 2011 at 09:38 | #27

    It seems to be rather something wrong with Chrome settings. But this is definitely not a good place to discuss such unrelated stuff. Visit our forums and try to resolve everything there. And next time pls no links to possibly infected domains here.

  28. shre54321
    June 8th, 2011 at 10:17 | #28

    sorry michal next time no links to possibly infected domains..sorry!!! but did u check the site pls check it and let me know…..thankyou…

  29. shre54321
    June 11th, 2011 at 07:33 | #29

    i performed a quick scan frm avast! today michal and it found this:

    Win32:KillApp-w[pup] and it has now moved it to the chest….

    tell me one thing michal can potentially unwanted program can be harmfull for a pc i have never seen this before doing anything?????could it be a false positive????{thanks for ur advice to visit the forum the people out there resolved the problem wwith chrome}

Comments are closed.