COLOSSAL fail: Avast no longer detects trojans it used to?

so I tested 2 more files (they appear to be mini installers of sorts)

the first one’s definitely malware, the second one I’m not sure

  • first tested them on virustotal: both register as positive (including the Avast scanner)

  • then tested them with my PC’s Avast: no effect (not even on highest heuristics with all options like code emulation & what not)

so what gives? :o :o
it’s like a downgrade or something (the fact that Avast on virustotal detects it means it used to be able to detect unknown malware but all of a sudden it no longer does? unfortunately I no longer have an old installer of Avast - say, back to september 2013 - else I’d have reverted to it)

ps. there’s no option to scan online on avast’s site so I can’t upload the files here either :confused:

Post the virus total link of that file here.

ok I’ll post link to the first one (the real malware)

https://www.virustotal.com/en/file/5147716a03c11a5d0153762f2a08df42634cf0f4f6833865e4318bafc3187ec5/analysis/

btw that’s a past (known) scan: it was scanned over a year ago & Avast picked it up

but when I alter the file a few bytes to change its hash & rescan it then Avast no longer picks it up (just like on my PC) - that’s really bad news:

https://www.virustotal.com/en/file/49f94c55fd953bd6922d72990766e4c9c30314749bb959ba0e1f5237e05ddb15/analysis/

ps. there's no option to scan online on avast's site so I can't upload the files here either :/
If you mean submit samples? >> https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

anyway i guess there is a logical explanation to this …

You altered the file, which changed the hash, which is most likely the reason why it’s not being detected any more.

I could be wrong though.
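As an added illustration of the point made in the replies above (this is not code from the thread, from Avast, or from any real scanner): an indicator that matches a file by its exact hash stops matching as soon as any byte changes, while a signature keyed on content the file has to keep in order to work still fires. The sample bytes, detection names and signature pattern are all constructed for this demo.

```python
"""Toy scanner contrasting an exact-hash indicator with a content signature."""
import hashlib

# Constructed stand-in for a small installer; this is NOT a real file.
# Header bytes, a config string the program depends on, then zero padding.
ORIGINAL = (
    b"MZ" + b"\x00" * 14
    + b"INSTALLER-CONFIG:silent=1;drop=setup_helper.exe;"
    + b"\x00" * 16
)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Detection 1: exact-hash indicator. It can only ever match this one file,
# so a single changed byte anywhere in the file defeats it.
HASH_INDICATORS = {sha256_hex(ORIGINAL): "hash-indicator"}

def hash_detect(data: bytes):
    return HASH_INDICATORS.get(sha256_hex(data))

# Detection 2: content signature over a byte sequence the program needs
# (here the constructed config string), loosely modelled on a YARA string.
SIGNATURES = {"content-signature": b"INSTALLER-CONFIG:silent=1;drop="}

def content_detect(data: bytes):
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

def mutate_padding(data: bytes, n: int = 3) -> bytes:
    """Test helper: invert the last n padding bytes so the hash changes while
    the functional content is untouched (used to check signature robustness)."""
    return data[:-n] + bytes(b ^ 0xFF for b in data[-n:])

def scan(data: bytes) -> dict:
    """Run both detectors and report which ones fired."""
    return {"hash": hash_detect(data), "content": content_detect(data)}

if __name__ == "__main__":
    modified = mutate_padding(ORIGINAL)
    print("original:", scan(ORIGINAL))   # both detectors fire
    print("modified:", scan(modified))   # only the content signature fires
```

The modified sample has the same length and the same config string as the original, so only the hash-based detector loses it.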

could be, but if it does the same malicious stuff I would think it should be detected?

Would like to see a fresh VT scan of the unchanged file.
The first VT scan is 1.5 years old, so it could be that detection was removed because it is not seen in the wild anymore?

Anyway only an expert from the avast lab can tell

Hello,
in our internal system I see both samples detected by the same detection. On VT I see different scan times and the detection is old (released 11.11.2014). I can imagine a reason: the detection was not seen in our userbase for a long time, so it was moved to the cloud, which is not asked during an on-demand scan but on sample execution.

Milos

in that case the only explanation is that the standard version of Avast doesn’t detect this sort of thing (btw this is the version I use: http://files.avast.com/iavs9x/avast_free_antivirus_setup.exe )

it doesn’t react at all to the trojan (even if that malware’s no longer in the database at least the AV should be able to detect its behavior, but it doesn’t, not even on max heuristics & code emulation etc.)

were heuristics somehow disabled/crippled in recent versions of avast?

nope on my PC it detects neither the modified nor original version

(btw this is the version
Right-click the avast tray icon and select About ... what does it say?

program version 11.2.2262

btw I submitted the sample by mail to avast (filename is fail1.exe)

as I said in the OP I’ve another file too but I’m not sure if it’s real or false (it’s an installer exe)

Have you actually executed the sample? That’s what Milos said. avast! only detects a portion of malware on execution and not on-access.

yup, on an XP VM as usual (with the same avast on it; it doesn’t stop its execution)

definitely malware, easy to tell yet even with max sensitivity the Av’s powerless against it

besides I also set the on-demand scanner to “scan entire file” + “code emulation” so even the on-demand scanner should detect it if it can, either by looking at the whole file or at least by “running” it

Hello,
thanks for reporting. We were able to reproduce the issue. Now we are analyzing the root of problem.

Milos

Hello Theblob,

there was a problem with the detection that originally detected the file, but the (unmodified) file should still be covered by our cloud-based detection (FileRepMalware; note: triggers on execution/download of a file, does not trigger during on-demand scans). We haven’t seen the file among our user base for a while but once it reappeared during your testing, our backend systems noticed the problem automatically and promptly fixed it. I’ve just verified that with the latest VPS (160526-1) and Streaming updates enabled, both files are detected with Dropper-gen detection.

Jiri

ok but what about the heuristic part? that’s actually infinitely more important than sig-based detection, so it should be able to detect the file (and custom-made variants). how come it didn’t detect this one even though it clearly displays malware-like behavior? :o

so can the heuristic bug/vulnerability be fixed? :slight_smile: