Michal Krejdl

19 May 2011

Early warning may save your bacon :-)

Another day, another entry in the avast! Virus Lab submission system for reporting false positives:

Processing hundreds of possible false positives each day is usually routine work, but a submission from a live internet link is always interesting and needs more individual attention. The reason is obvious - it can do more harm to potential site visitors than a file on a local system which isn't linked anywhere. The fact that we detect this bit of malware with two different detection systems (regular detection for Sality along with a heuristic detection) is a clear hint - there's definitely something fishy here.

Let's simulate the behavior of an average user who wants to download the file: go to the site and click the link (well, I'm not quite strong in deciphering Turkish and the Google Translate results were a bit fuzzy, but here we go):

Nice, the download was promptly blocked by our engine. That's very important - we can warn the user at a very early stage and show him that something dangerous is inside. No waiting, no shilly-shally fumbling around, just a straight STOP to the infection.

But what if the user wants to wait for the emergency brake (on-execution scan of sivanamain.exe after unpacking the setup which is already running) and put all of his or her faith in this protection of last resort? An early warning can increase user trust in us (as it shows that we know what’s going on from the beginning) and we can confirm the validity of this detection later when the infected binary is about to run and we block it with the “emergency brake.” The final decision is up to the individual avast! user, but when it comes to reporting dangerous stuff, my opinion is clear - the sooner, the better.

And what about other AV products and their early warnings on this specific binary file? (Remember, this result partly depends on what level of scan thoroughness has been established on a particular machine, but VirusTotal uses the highest possible level as far as I know.)

Frankly, the early warning results are nothing to celebrate, with only five out of the more than 40 AV apps catching the malware (and two of those were from avast!). However, the emergency brake works well for most of the tested AV engines:


The conclusion: When driving your computer on the internet highway, remember that only a few AVs work well as early warning systems. But nearly all have functioning emergency brakes - most of the time.

Threat Research, Security News