

May 19th, 2011

Early warning may save your bacon :-)

Another day, another entry in the avast! Virus Lab submission system for reporting false positives:

just another groovy submission?

Processing hundreds of possible false positives each day is usually routine work, but a submission pointing at a live internet link is always interesting and needs more individual attention. The reason is obvious: it can do far more harm to potential site visitors than a file sitting on a local system that isn’t linked anywhere. The fact that we detect this bit of malware with two different detection systems (a regular signature detection for Sality along with a heuristic detection) is a clear hint that there’s definitely something fishy here.

Let’s simulate the behavior of an average user who wants to download the file: go to the site and click the link (well, I’m not very strong at deciphering Turkish and the Google Translate results were a bit fuzzy, but here we go):

connection blocked due to an infection

Nice, the download was promptly blocked by our engine. That’s very important: we can warn the user at a very early stage and show that something dangerous is inside. No waiting, no shilly-shally fumbling around, just a straight STOP to the infection.

But what if the user wants to wait for the emergency brake (the on-execution scan of sivanamain.exe, after the already running setup has unpacked it) and put all of his or her faith in this protection of last resort? An early warning can increase user trust in us (as it shows that we know what’s going on from the beginning), and we can confirm the validity of this detection later, when the infected binary is about to run and we block it with the “emergency brake.” The final decision is up to the individual avast! user, but when it comes to reporting dangerous stuff, my opinion is clear: the sooner, the better.

And what about other AV products and their early warnings on this specific binary file? (Remember, this result partly depends on the level of scan thoroughness configured on a particular machine, but VirusTotal uses the highest possible level as far as I know.)

VT results for the setup

Frankly, the early warning results are nothing to celebrate: only five out of more than 40 AV apps caught the malware (and two of those were avast! engines). However, the emergency brake works well for most of the tested AV engines:

infected binary extracted from the setup


The conclusion: when driving your computer on the internet highway, remember that only a few AVs work well as early warning systems. But nearly all have functioning emergency brakes – most of the time.

  • deesnider

    What happened to NOD32 in the second set of results?

  • http://www.avast.com Michal Krejdl

    @deesnider
    Oops, it was not my intention to exclude NOD. There’s something wrong on VT’s side.

  • http://brancodesign.com Branco Design

    I use avast and I recommend to everyone to use it at home or at work. I use it both ways, at home and at work, where I have two web servers, and I have never had any problems. Thanks avast.

  • http://risepk.com/ Faiz

    This is good to make people aware of such bad viruses. I have used every virus scan/antivirus program, but I found avast the best solution. Thanks to avast!!!

  • Tech

    The sooner, the better :)
    Good chasing.

  • Haresh

    Thank you avast for your Great Service…..!!!!!!!!!

  • negativo

    It seems to me that avast does a good job. I have never had problems with it; rather, it doesn’t let possible viruses lodge themselves, and that would be fatal given the valuable information I handle.

  • http://noyet Messaoudi Saieda

    Really, you are a 5-star program. Thank you very much for everything you do for us. Keep up the good work.

  • bong2x

    Maybe because AVs do not scan password-protected packed files???

  • http://hacktohell.blogspot.com HackToHell

    However many packers you guys add to your database, there will always be new ways to crypt existing stuff. The number of viruses running FUD is unimaginable.

  • surcozi

    Since I have very small PC experience, BUT WITH AVAST, ONLY!!!!!!!!!!!!!!

  • http://www.RobertHeckDentistry.com CharlotteDentist

    Good stuff….just had my PC cleaned up…man, it’s like a new machine!!!

  • http://www.avast.com Michal Krejdl

    @bong2x
    But this is not a password protected archive.

  • http://www.avast.com Michal Krejdl

    @HackToHell
    Igor would tell you the exact number. There’s a threshold – some packers are more widespread than others, thus some are worth the effort to unpack, some are very rare (suspicious), and some can be detected as a threat at all. And starting with version 5, unknown packers are generically unpacked with our emulator. It’s too complex to explain here in a reply. Anyway, the ClickTeam installer used here is quite a common packer for setups.

  • Michael

    When I put my cursor on the little spinning ball in the tray, the sign often comes up that warns me that my computer is not fully protected. When I open the interface, it tells me that my computer is fully secure. What is going on with that?

  • shre54321

    Try restarting your computer, Michael. It even happened with me; I did this and then the problem never happened again.

  • http://katiadunet.fr.gd/ katia

    Hello

    I downloaded the antivirus yesterday but it doesn’t work.

  • shre54321

    I am able to access the avast! blog in IE 8 and not in Chrome. What’s going on with that? Chrome says the site is unresponsive. Any guess what the problem is?

  • shre54321

    Hello, now I am writing this comment through Chrome. I think the avast! people repaired the problem on their blog. Thanks a lot!!! Luv u avast!!!!

  • shre54321

    Well, Michal, early warning for avast! is a good function, but what if the web shield is not configured to unpack the concerned packer???
    Then, I think, would it find it at download time or not? Or will the file system catch it???
    What do you say??

  • http://www.avast.com Michal Krejdl

    @shre54321
    The screenshot above was taken with default WebShield settings and it caught the file early. And there’s the emergency brake in addition, thus you don’t have to worry.

  • shre54321

    Well, Michal, what’s the deal with the blog’s June 2011 archive? It doesn’t load in Chrome??? Please tell me what’s causing Chrome to tell me the page is unresponsive, if you have any idea??? It oads in IE 8….

  • shre54321

    Sorry, that is “loads”…..and not “oads”.

  • http://www.avast.com Michal Krejdl

    @shre54321
    No clue. I don’t use Chrome. And no other users have observed such issues so far.

  • Shre54321

    So is it an indication of any infection?

  • shre54321

    So, Michal, can it be an indication of an infection on my PC???

  • http://www.avast.com Michal Krejdl

    @shre54321
    It seems to be rather something wrong with Chrome settings. But this is definitely not a good place to discuss such unrelated stuff. Visit our forums and try to resolve everything there. And next time, please no links to possibly infected domains here.

  • shre54321

    Sorry, Michal, next time no links to possibly infected domains..sorry!!! But did you check the site? Please check it and let me know…..thank you…

  • shre54321

    I performed a quick scan from avast! today, Michal, and it found this:

    Win32:KillApp-w[pup] and it has now moved it to the chest….

    Tell me one thing, Michal: can a potentially unwanted program be harmful for a PC? I have never seen this before doing anything????? Could it be a false positive???? {Thanks for your advice to visit the forum; the people out there resolved the problem with Chrome}

  • http://hacktohell.blogspot.com HackToHell