avast 5 detects it, but not avast 4x

-http://www.virustotal.com/file-scan/report.html?id=461b6cab00dcb894cd07f10deef65b943ace2c5119d79a7461b9ecb995aaa3b9-1299366285

Not the first time something like this happens. Why is it that version 5x detects it, but not version 4x?

Cheers

Well… maybe because v5/6 is better than v4?

Do not worry if you are using avast! 6. If not, time to upgrade: http://forum.avast.com/index.php?topic=73048.new#new

(I think, I don't know exactly.) This happens because avast! 4.x is soon to expire and the virus database is different from that of avast! 5 & 6.

There are some signatures that aren’t in the 4.8 signatures because they can’t be run/aren’t supported on the older OSes. e.g. some of the heuristic, generic or algorithmic detections.

Hi m00nbl00d,

Read the Prevx info on TOS.EXE: http://spywarefiles.prevx.com/RREJDG155943/TOS.EXE.html
http://angui123.cn/VirusEncyclopedia/34838.html (also source for the quote mentioned below)
It was rather short-lived, and that may also be part of the why,

Jan 14 2011 and last seen on Jan 14 2011.

and the SAS info: http://www.superantispyware.com/malwarefiles/TOS.EXE.html

polonus

P.S. avast 6 is even better :wink:

So, if I’m running a business and for technical reasons I can’t upgrade to version 6, would that be your best answer? Can you explain to me further why avast! 4x doesn’t detect known malware samples? Because, the way you answer, it simply sounds like you’re marketing versions 5/6. It’s just how it sounds.

AFAIK, the VirusTotal antimalware app versions are CLIs? So they just detect known malware; they won’t analyze behaviors, etc. So, why doesn’t version 4x detect known malware samples?

You see, DavidR and Polonus did try to assist me more. Something an avast! team member failed to do. This makes you guys look bad.

Obviously, I do not run avast! (any version), because I have other measures, but if I was running a business and for technical reasons I just couldn’t upgrade, then your answer would make me switch to another security vendor when possible, simply because version 4x lacks certain detections and you didn’t make an effort to explain to me why.

You see, I was just trying to understand why this discrepancy exists, but you failed to explain it.

Don’t take this as bad criticism, only a sign that the avast! team should try and explain better why certain things happen. :wink:

(I think, I don't know exactly.) This happens because avast! 4.x is soon to expire and the virus database is different from that of avast! 5 & 6.

Well, that just sucks, doesn’t it?

OK, but even though its life was short, avast still got the sample, so that’s no reason why version 4x doesn’t detect it. :wink:

Judging by the update dates, it doesn’t look as if avast 4 is being updated on VirusTotal.

Hi m00nbl00d,

Two remarks to counter your remark. One: your remark in the posting before this one supports the fact that AV programs should always be updated to their latest versions, especially at the end of a previous software program’s life cycle, avast 4. Two: one should not rely utterly and exclusively on one resident AV program, but also use some additional anti-malware program, like in this case SuperAntiSpyware, which would have found the malware anyway; and mag’s observation is also relevant (meta-AV scanners do not equal the results of a real-life AV scan by the separate scanners).

polonus

I agree with you. But don’t forget that upgrading versions within a business is not without its risks (even more than for home users) and involves a new learning process to know how to deal with the new version, because they introduce new features; so versions aren’t always upgraded whenever a new one comes out; there’s a waiting period, for testing stuff and seeing what other clients complain about as well. Some businesses simply don’t see immediate reasons to upgrade to newer versions (whatever the application is)… (Heck, some folks still run IE6!!!)

So, the fact that people should upgrade, and I agree, doesn’t mean they will do it right away; no, there’s a waiting period before they are deployed.

Only very recently I’ve upgraded a security application from another vendor to its newest version, and the newest one came out in late 2010.

The thing is, considering the above scenario and that many are using the paid-for products (and especially businesses), it’s to be expected that the “older” version is not forgotten regarding definition updates; at least, as long as the license allows it.

I’m aware that the VirusTotal versions aren’t complete versions, and that’s something I previously mentioned, but the reply I got from an avast! team member was nothing explanatory of why such a discrepancy exists. The complete 4.x version may detect the sample for all we know, but I wasn’t given a satisfactory answer explaining that, despite VirusTotal showing it lacking detection, the complete version (the one clients actually use) may detect it. Something that could be explained.

Kind regards

First of all, I have no idea what makes you think that it’s a “known sample”.
It might be a sample avast! virus lab has never seen, and avast! 5 detects it due to more generic signatures, better unpackers, or some kind of heuristic rules.

So yes, due to reasons I just mentioned (better unpackers, code emulator, heuristics, …) - avast! 5 certainly detects more than avast! 4; you may call it a better proactive detection, thanks to architectural changes in the virus database done between versions 4 and 5. Yes, I suppose these samples are added into avast! 4 as well, but it takes some time - it’s simply “faster” if avast! 5 detects it beforehand, without having seen that particular sample.

Usually, and this is a behavior I’ve seen happening, not just with avast! but with other antimalware apps, when a detection is provided by a generic detection, “gen” is added to the malware name, just like in this example:

-http://www.virustotal.com/file-scan/report.html?id=fedb7b404754cf85737fb7e50f33324b84eb4c0b98024c7d3302039a901b04b7-1284116017

Avast 4.8.1351.0 2010.09.10 Win32:Trojan-gen
Avast5 5.0.594.0 2010.09.10 Win32:Trojan-gen

The name of the one I reported in my first post is Win32:FakeAlert-ABT.

Could you confirm whether it’s a generic or heuristic detection? Because if it isn’t generic or heuristic, then it’s a known sample to avast.

At least, you could have mentioned something about why avast! 5 detects the sample and that’s the reason why avast! 4 fails to do so, when you replied to my first post.

I understand if you don’t want to confirm whether or not it’s a generic or heuristic detection.

I have no idea what type of detection that is - but it doesn’t really matter, you are wrong in your assumptions.
All the detections are more or less generic (the only exception would be a full-file hash, but avast! doesn’t use anything like that for detections). Even the most “strict” signatures may detect more in avast! 5 - e.g. because avast! 5 has better unpackers, and is able to extract (and subsequently scan) embedded objects from the scanned file. Or, with the help of the emulator, it decrypts an encrypted file, even if unsupported by the unpackers. Or, different parts of the file are scanned (than in avast! 4) because the engine is able to change the behavior in a more clever way.

So, saying that “avast! detects the file, thus the virus lab must have seen it” - is basically never true.

As for mentioning why avast! 5 detects the sample - I’m afraid I couldn’t, because I simply don’t know (since I don’t have that sample, for example).
But yes, I think it’s quite likely that the reason is simply the fact that the virus database on VT is obsolete for avast 4.
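The point made above (a strict signature behind an unpacker or emulator layer hits repacked samples the lab never saw, while a full-file hash would not) can be shown with a toy scanner. This is an added, constructed example, not avast code: the signature, the TOYPACK packer format and the sample bytes are invented for the illustration.

```python
import hashlib

# Constructed "strict" signature: a byte string the hypothetical virus lab
# extracted from the one sample it actually saw. Not a real avast signature.
SIGNATURE = b"FAKE_ALERT_DROPPER_v1"
PACK_MAGIC = b"TOYPACK"  # constructed packer format: magic, key byte, XOR body


def toy_pack(payload: bytes, key: int) -> bytes:
    """Constructed 'packer' a malware author might run over a known sample."""
    return PACK_MAGIC + bytes([key]) + bytes(b ^ key for b in payload)


def try_unpack(data: bytes):
    """Unpacker layer: recognise the toy packer and return the decoded body,
    or None when the data is not packed with it."""
    if not data.startswith(PACK_MAGIC) or len(data) < len(PACK_MAGIC) + 2:
        return None
    key = data[len(PACK_MAGIC)]
    return bytes(b ^ key for b in data[len(PACK_MAGIC) + 1:])


def scan_plain(data: bytes) -> bool:
    """Engine without unpackers: the signature must match the raw bytes."""
    return SIGNATURE in data


def scan_with_unpacker(data: bytes, max_layers: int = 4) -> bool:
    """Engine with an unpack layer: scan, unpack one layer, scan again, up to
    max_layers (the bound keeps a nested-packing bomb from looping forever)."""
    for _ in range(max_layers + 1):
        if scan_plain(data):
            return True
        data = try_unpack(data)
        if data is None:
            return False
    return False


def demo():
    """Scan the seen sample and two unseen repacks of it with both engines."""
    seen = b"MZ-toy-stub-" + SIGNATURE + b"-rest-of-seen-sample"
    unseen_once = toy_pack(seen, 0x5A)          # same code, fresh packer key
    unseen_twice = toy_pack(unseen_once, 0xC3)  # packed a second time
    return {
        name: (scan_plain(s), scan_with_unpacker(s),
               hashlib.sha256(s).hexdigest()[:12])
        for name, s in [("seen", seen), ("packed", unseen_once),
                        ("packed_twice", unseen_twice)]
    }
```

demo() returns, per sample, (hit by the plain engine, hit by the unpacking engine, SHA-256 prefix); the three hashes all differ, which is why a full-file hash could only ever catch the sample the lab had in hand.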

Yes, I’m aware that such a situation would make version 5/6 have better detections.

So, saying that "avast! detects the file, thus the virus lab must have seen it" - is basically never true.

Now, I didn’t say that. I wondered myself why avast! 5 would be detecting that sample and avast! 4 wouldn’t. At the time, I didn’t even notice the definitions not being up-to-date. But, besides that, and considering I had previously seen avast! name certain malware samples with the additional wording “gen”, I thought that the malware sample in question was given a name based on a “strict” signature, as you put it; which is why I mentioned that if such a malware detection was based on a “strict” signature, then for sure avast had to be in possession of such a sample. I just couldn’t find the right words before, which I apologize for.

No problem, I am just saying that even if the detection is a “strict” signature, it doesn’t mean the virus lab has seen that exact sample.
There are no signatures in avast! so “strong” that the detection would have such an implication.