So I tested 2 more files (they appear to be mini installers of sorts).
The first one's definitely malware, the second one I'm not sure.
First tested them on VirusTotal: both register as positive (including the Avast scanner).
Then tested them with my PC's Avast: no effect (not even on highest heuristics with all options like code emulation and whatnot).
So what gives? :o :o
It's like a downgrade or something (the fact that Avast on VirusTotal detects it means it used to be able to detect unknown malware, but all of a sudden it no longer does? Unfortunately I no longer have an old installer of Avast - say, from September 2013 - else I'd have reverted to it).
PS: there's no option to scan online on Avast's site, so I can't upload the files here either.
Could be, but if it does the same malicious stuff I would think it should be detected?
Would like to see a fresh VT scan of the unchanged file.
The first VT scan is 1.5 years old, so it could be that the detection was removed because it is not seen in the wild anymore?
Hello,
in our internal system I see both samples detected by the same detection. On VT I see different scan times, and the detection is old (released 11.11.2014). I can imagine a reason: the detection was not seen in our userbase for a long time, so it was moved to the cloud, which is not queried during an on-demand scan but on sample execution.
It doesn't react at all to the trojan (even if that malware's no longer in the database, at least the AV should be able to detect its behavior, but it doesn't, not even on max heuristics and code emulation etc.).
Were heuristics somehow disabled/crippled in recent versions of Avast?
Nope, on my PC it detects neither the modified nor the original version.
Yup, on an XP VM as usual (with the same Avast on it; it doesn't stop its execution).
Definitely malware, easy to tell, yet even with max sensitivity the AV's powerless against it.
Besides, I also set the on-demand scanner to "scan entire file" + "code emulation", so even the on-demand scanner should detect it if it can, either by looking at the whole file or at least by "running" it.
There was a problem with the detection that originally detected the file, but the (unmodified) file should still be covered by our cloud-based detection (FileRepMalware; note: it triggers on execution/download of a file, not during on-demand scans). We hadn't seen the file among our user base for a while, but once it reappeared during your testing, our backend systems noticed the problem automatically and promptly fixed it. I've just verified that with the latest VPS (160526-1) and Streaming updates enabled, both files are detected with the Dropper-gen detection.
OK, but what about the heuristic part? That's actually infinitely more important than sig-based detection, so it should be able to detect the file (and custom-made variants). How come it didn't detect this one even though it clearly displays malware-like behavior? :o
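Two things the thread keeps circling back to are whether the "original" and "modified" files really are different bytes, and how stale the VirusTotal verdict being quoted is (a 1.5-year-old scan versus a fresh one). The script below is an added example, not code from the forum, from Avast or from VirusTotal: it hashes files, can pull the VirusTotal v3 report for a hash and request a rescan (assumes you have an API key and the v3 `GET /files/{id}` and `POST /files/{id}/analyse` endpoints), and then reads one engine's verdict plus the age of the last analysis out of the report. The embedded file bytes and the report JSON are constructed stand-ins, not the real samples or a real VT response; nothing touches the network unless you call the two `vt_*` functions yourself.

```python
import hashlib
import json
import time
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"

# Constructed stand-ins for the two files from the thread (not the real samples).
SAMPLE_FILES = {
    "original.exe": b"MZ\x90\x00 constructed original sample bytes",
    "modified.exe": b"MZ\x90\x00 constructed modified sample bytes",
}

# Constructed stand-in for a VT v3 file object; the engine names and result
# strings are made up for illustration (Avast's real verdict string may differ).
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": hashlib.sha256(SAMPLE_FILES["original.exe"]).hexdigest(),
        "attributes": {
            "last_analysis_date": 1415664000,  # 2014-11-11, Unix epoch seconds
            "last_analysis_stats": {"malicious": 2, "undetected": 1},
            "last_analysis_results": {
                "Avast": {"category": "malicious", "result": "Win32:Dropper-gen"},
                "EngineB": {"category": "undetected", "result": None},
                "EngineC": {"category": "malicious", "result": "Trojan.Generic"},
            },
        },
    }
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string; VT accepts this as the file id."""
    return hashlib.sha256(data).hexdigest()


def sample_hashes() -> dict:
    """Hash each constructed sample so 'original' vs 'modified' can be told apart."""
    return {name: sha256_hex(data) for name, data in SAMPLE_FILES.items()}


def engine_verdicts(report: dict) -> dict:
    """Map engine name -> (category, result string) from a VT v3 file object."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return {name: (r.get("category"), r.get("result")) for name, r in results.items()}


def engine_detects(report: dict, engine: str = "Avast") -> bool:
    """True only if the named engine flagged the file as malicious in the last analysis."""
    category, _ = engine_verdicts(report).get(engine, (None, None))
    return category == "malicious"


def detection_stats(report: dict) -> tuple:
    """(malicious count, total engines) from the report's analysis stats."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    return stats.get("malicious", 0), sum(stats.values())


def scan_age_days(report: dict, now_ts: float = None) -> int:
    """Whole days since VT last analysed the file; large values mean a stale verdict."""
    now_ts = time.time() if now_ts is None else now_ts
    return int(now_ts - report["data"]["attributes"]["last_analysis_date"]) // 86400


def vt_lookup(file_hash: str, api_key: str) -> dict:
    """Fetch the VT v3 file object for a hash (network; a 404 means VT never saw it)."""
    req = urllib.request.Request(f"{VT_API}/files/{file_hash}", headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def vt_rescan(file_hash: str, api_key: str) -> dict:
    """Ask VT to re-run all engines on an already-submitted file (network)."""
    req = urllib.request.Request(
        f"{VT_API}/files/{file_hash}/analyse", method="POST", headers={"x-apikey": api_key}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for name, digest in sample_hashes().items():
        print(f"{name}: {digest}")
    malicious, total = detection_stats(SAMPLE_REPORT)
    print(f"{malicious}/{total} engines flagged it; Avast: {engine_verdicts(SAMPLE_REPORT)['Avast']}")
    print(f"last analysis is {scan_age_days(SAMPLE_REPORT)} days old")
```

With a real key, `vt_lookup(sha256_hex(open(path, 'rb').read()), key)` answers the "same file?" question by hash rather than by filename, and `scan_age_days` on the result tells you whether the Avast column you are reading reflects current definitions or a verdict from a year and a half ago; call `vt_rescan` first if it is stale, then fetch again.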