CyberCapture needs to cover more infection vectors

RejZoR · 2016-12-25T20:47:14.000Z

As things stand now, CyberCapture only covers suspicious files downloaded from web through a browser.

It should also cover:

downloads from IM software
downloads from P2P software
downloads from e-mail apps (attachments)
external devices like USB drives

Web, in terms of browser isn’t the only source from where users get files of questionable “quality”. And while I know submission of every unknown file on local disk is problematic (because it would mean every new program would be sent for analysis after you compile it). But it just feels like CyberCapture potential is being wasted since it’s hardly ever even gets a chance to process files that come from otherwise questionable places.

Alikhan · 2016-12-25T21:33:13.000Z

I’ve been saying that since it’s been released…

I assume it must be fine tuned for the web now…

Rednose · 2016-12-26T00:01:31.000Z

CyberCapture should cover everything what is unknown e.g. not whitelisted ( hardened mode aggressive ) or blacklisted ( antivirus ).

Greetz, Red.

RejZoR · 2016-12-26T00:06:42.000Z

Would be nice, but I’m not sure they can handle the influx of all the unknown files people have on their computers… Though, this would be one way of building the most extensive whitelist ever.

Rednose · 2016-12-26T00:20:21.000Z

Yes, I realise that

But as not everyone is always online, a form of HIPS and/or behaviour blocker is important as well.
And I think we are on the same line on this as well.

Greetz, Red.

DavidR · 2016-12-26T00:29:20.000Z

When DeepScreen (and possibly Hardened Mode) first came on the scene I can recall it pinging lots of ‘old’ but legit files even winword.exe and excel.exe executables. Just checked my Settings > General > Exclusions > CyberCapture and both executables are in there now that DeepScreen isn’t in those settings.

So I believe this could pick up on some old files (but legit) not yet in its database because they are so old.

Rednose · 2016-12-26T00:47:04.000Z

David

I don’t think you should exclude old legit files in CyberCapture, but better exclude them in Hardened mode as you use that.
CyberCapture exclusions are most and for all meant for programmers and software developers, who don’t want to be bothered with it.

Greetz, Red.

RejZoR · 2016-12-26T08:49:42.000Z

DavidR post:6:

When DeepScreen (and possibly Hardened Mode) first came on the scene I can recall it pinging lots of ‘old’ but legit files even winword.exe and excel.exe executables. Just checked my Settings > General > Exclusions > CyberCapture and both executables are in there now that DeepScreen isn’t in those settings.

So I believe this could pick up on some old files (but legit) not yet in its database because they are so old.

DeepScreen is a thing with it’s own story. And so is Hardened Mode. I also don’t understand the logic behind these two entirely after all these years.

DeepScreen, once it scans the file and excludes it, you can modify that file into the worst virus ever and it’ll just happily execute it because the exclusions are unconditional. Once it monitors the file once, it’ll just happily execute it freely after that. I don’t get it why DeepScreen exclusions don’t allow permanent and on modifications exclusions. DeepScreen should be re-triggered when DeepScreen excluded program is modified. But they just don’t check this for whatever reason. Been warning about it and never got any reply or elaboration about it.

And same goes for Hardened Mode exclusions. When you run suspicious executables, they get DeepScreened first. Always. But if you use Hardened Mode (Moderate), it get blocked on basis it WOULD trigger DeepScreen otherwise. But it doesn’t actually screen it for malicious behavior. What this does is when Hardened mode (Moderate) blocks it and you decide to execute it anyway, it just executes it directly afterwards. Why aren’t Hardened Mode (both levels) screened by DeepScreen BEFORE they get excluded? Again, requested elaboration, explanation and a future request for this several times. And it’s still not here. New version is planned for January 2017 and with no avast! BETA’s, I have no idea what they are doing and if they are even adding any of this.

I’ve wandered away from the original topic, but all this stuff is connected and it keeps on bothering me why they make all these seemingly cool features and they just never bother to perfect them based on user feedback and security concerns. I value how they take our feedback for many things, but this stuff just seems to be perpetually ignored for some bizarre reason…

DavidR · 2016-12-26T14:20:22.000Z

Rednose post:7:

David

I don’t think you should exclude old legit files in CyberCapture, but better exclude them in Hardened mode as you use that.
CyberCapture exclusions are most and for all meant for programmers and software developers, who don’t want to be bothered with it.

Greetz, Red.

I’m not saying that you should, just that if and when the CyberCapture gets expanded it is going to bump into these things also that aren’t on the whitelist and require scanning.

The exclusion is in the CyberCapture column of Exclusions and I didn’t put them there. They were originally in the DeepScreen tab, presumably avast moved them when CyberCapture came in.

@ RejZoR
I completely agree on the confusion issue and the multiple tools that on first glance seem to compete rather than compliment. That compliment should really be taken a step further and combine those that do a similar job ‘analyse files.’

Whilst the Hardened Mode I see as a way of essentially forcing a scan by checking the # against the whitelist, if it doesn’t exist then trigger the CyberCapture or DeepScreen or whatever the single scanning entity is called.

Lisandro · 2016-12-28T16:07:01.000Z

Rednose post:5:

But as not everyone is always online, a form of HIPS and/or behaviour blocker is important as well.

I would suggest a double step process (more or less like Smart Screen works for Windows):

When running a file, the antivirus get the online status: if the computer is online, it goes the normal way (via CyberCapture).
If it is offline, it could ask: a) Start Hardened Mode (Aggressive), b) Start Hardened Mode (Moderate), c) Does not run until online again.

What do you think?

Announcements