How does Avast detect new malware?

Deborah Salmi 10 Aug 2016

To catch the newest malware before it infects your system, Avast Antivirus uses CyberCapture technology, zero-second threat detection for unrecognized files.

Our Avast Threat Lab is Grand Central Station for malware. Somewhere between 600,000 and one million files pass through the detection system every day, and nearly half of them are files we have never seen before. Each unknown file means that, somewhere in the world, someone may be the target of an attack in progress. Avast Threat Lab analysts like Michal Salat, pictured above, work to stop those attacks.

CyberCapture’s automated systems do most of the heavy lifting, but when needed, Avast analysts, like Michal, will examine an unknown file and make the final decision.

How does Avast detect malicious files?

Cybercrooks are software developers who create programs meant to steal your information, hold your data for ransom, or crash your machine. They constantly modify their malicious code to produce variants that travel from computer to computer. Avast maintains a massive file reputation database called FileRep that holds records on more than 5 billion files of this kind.

Every day, 250,000 Windows executable files flow through FileRep and go through a 100-point checklist that determines whether each file is safe. And every day, about 40,000 of them are classified as malicious and locked in quarantine so they cannot hurt you.

What happens when Avast discovers brand new malware?

Malware authors try every trick in the book to evade detection by antivirus software like Avast. One of those tricks is a shape-shifting technique called server polymorphism. The malware code morphs into something unrecognizable from its original form before it is delivered to the next victim, so every download is a unique file. The engine that produces these mutations never leaves the attacker's side: it stays on the distribution system, such as the website that serves the malware, and all the unique variations originate there. Because each victim receives a different file, a signature or hash taken from one sample does not match the next one. Cybercrooks like this method because it is an efficient, automated way to attack millions of machines with minimal human interaction and maximum impact.

When one of these morphed files shows up on Avast's FileRep doorstep, CyberCapture activates to give our Nitro Update users zero-second protection against attacks.

Unknown files are shared in real time with the Avast Threat Lab, where the layers of decoy code and the “smoke and mirrors” of encryption and obfuscation that malware authors use to mask a file's true intentions are peeled back. CyberCapture can observe the binary-level instructions inside the malware and work out what they do, so the threat can be neutralized. If necessary, a Threat Lab analyst will analyze the file manually.
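To make the two-stage flow described above concrete, here is a small Python illustration added for this write-up. It is not Avast's code and does not reproduce how FileRep or CyberCapture actually work; it only shows why the first stage (an exact-hash reputation lookup, the FileRep step described earlier) fails against server polymorphism and why a second stage that does not depend on the exact bytes is needed. It keeps a toy reputation store keyed by SHA-256, simulates a server-side polymorphic engine that splices different junk into the same malicious core for every download, and then shows that every variant is "unknown" to the hash lookup while a crude byte n-gram containment check against a known family still catches it. All sample "files", the family store, the 0.8 threshold and the function names are constructed assumptions for this example.

```python
import hashlib
import random
from typing import Dict, Set

# Constructed stand-ins for executables (not real binaries): a fake header,
# a NOP sled, and a repeated "instruction" string that plays the role of the
# functional core of each file.
KNOWN_CLEAN = b"MZ" + b"\x90" * 64 + b"clean_tool: print banner; exit 0" * 8
KNOWN_MALWARE = b"MZ" + b"\x90" * 64 + b"drop payload; encrypt user docs; contact c2" * 8
UNRELATED = b"MZ" + b"\x90" * 64 + b"spreadsheet helper: sum cells; save" * 8


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Toy reputation store keyed by exact hash, standing in for a FileRep-style
# lookup. Anything not present is "unknown" and must be analyzed further.
REPUTATION: Dict[str, str] = {
    sha256(KNOWN_CLEAN): "clean",
    sha256(KNOWN_MALWARE): "malicious",
}


def lookup_reputation(data: bytes) -> str:
    """Stage 1: exact-hash lookup. Any byte change defeats it."""
    return REPUTATION.get(sha256(data), "unknown")


def server_polymorph(base: bytes, seed: int) -> bytes:
    """Simulate a server-side polymorphic engine: every download (seed) gets a
    different junk block spliced into the file and a different trailer, so the
    bytes, and therefore the hash, differ while the core is untouched."""
    rng = random.Random(seed)
    junk = bytes(rng.getrandbits(8) for _ in range(rng.randint(16, 64)))
    cut = rng.randint(2, len(base) - 1)
    return base[:cut] + junk + base[cut:] + b"\x00" * rng.randint(1, 8)


def ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """Set of byte n-grams: a crude structural feature that survives junk insertion."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


# Feature store for one known family, derived from the sample already classified.
FAMILY_FEATURES: Dict[str, Set[bytes]] = {"ransom_family": ngrams(KNOWN_MALWARE)}


def containment(sample: Set[bytes], family: Set[bytes]) -> float:
    """Fraction of the family's n-grams present in the sample (1.0 = all of them)."""
    return len(sample & family) / len(family) if family else 0.0


def classify_unknown(data: bytes, threshold: float = 0.8) -> str:
    """Stage 2 for files the hash lookup did not know: compare against known
    families. The threshold is an assumption chosen for this toy data."""
    feats = ngrams(data)
    best = max(containment(feats, fam) for fam in FAMILY_FEATURES.values())
    return "malicious" if best >= threshold else "unknown"


def scan(data: bytes) -> str:
    """Exact-hash reputation first; fall back to structural analysis for unknowns."""
    verdict = lookup_reputation(data)
    return verdict if verdict != "unknown" else classify_unknown(data)


if __name__ == "__main__":
    for seed in range(3):
        variant = server_polymorph(KNOWN_MALWARE, seed)
        print(sha256(variant)[:16], lookup_reputation(variant), "->", scan(variant))
    print("unrelated:", scan(UNRELATED), "clean:", scan(KNOWN_CLEAN))
```

Every polymorphic variant has a fresh hash and is "unknown" to stage 1, yet scan() still returns "malicious" because the core's n-grams are all present; the unrelated file shares almost none of them and stays "unknown" for an analyst to look at. The caveat a practitioner should keep in mind: a real server-side engine re-encrypts or re-packs the core rather than just padding it, so plain byte n-grams of the payload are not visible in the file. That is why the text above talks about peeling back encryption and obfuscation and observing the instructions the file actually executes; the second stage here is only a placeholder for analysis that does not depend on the exact bytes.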

Fast detection and protection 

We developed CyberCapture to shrink the time between the discovery of new malware and the deployment of a detection that protects our users. Because CyberCapture runs in the cloud rather than only locally on the user's PC, as earlier versions of Avast did, we can provide a quick first-response defense against new threats.

CyberCapture examines every unknown object and automatically blocks malicious code before it can launch its first attack. It continually gathers intelligence on new malware, so its detection improves organically the more it is used.

Once the file has been analyzed, Avast's team informs the user whether it is considered “safe” or “dangerous.” With this direct line to Avast's security experts in the Threat Lab, users benefit from faster response times to emerging threats and a more secure ecosystem overall.

CyberCapture is only available in the Nitro Update to Avast Antivirus, including Avast Free Antivirus Nitro Update. 
