Disappointing Malware Submission Experience

It seems almost all user submission done at “https://www.avast.com/report-malicious-file.php” is handled automatically only. I could be wrong, but this is based on my experience.

There are times when I submitted not so prevalent malware to Avast that are not added to signatures. The same happens to most other products whose user submission is mainly handled by the automatic process without a human analyst analyzing them. Microsoft is the best example of that. Only false positives are checked by an analyst (for all AVs), which makes sense of course. But even there, Avast is one of the slowest to fix false positives in my experience. It usually takes 4-5 days, sometimes even a week or more, while Microsoft, Kaspersky, Sophos, Bitdefender (Enterprise submission only), and some others fix them within a few hours.

I submitted the phishing/Scam pages described in this article to Avast 4 days ago.

https://www.bleepingcomputer.com/news/security/fake-tsa-precheck-sites-scam-us-travelers-with-fake-renewals/

But they are yet to be blocked by Avast. Probably it didn’t reach a malware analyst. The automatic process may have scanned the page and didn’t find anything malicious, that’s why it’s not blocked yet.
I submitted this to Bitdefender last night before going to bed and this morning I see that I received a reply from them saying these sites are malicious and detections have been added.
Bitdefender is detecting them as Fraud attempt. That’s a perfect description for these sites. The sites themselves don’t contain anything malicious, probably, but they are fraudulent/scam. Trying to take money from users for nothing. Clearly, a human analyst analyzed those sites on Bitdefender one way or another.
Looks like in the case of Avast, an analyst didn’t check my submission.
I also have two non-prevalent modified ransomware. The only difference between the two files is that one of them contains code to elevate admin privilege, while the other one doesn’t. Both are able to encrypt some files anyway. After submitting multiple times in the past five-six months, Avast finally started to detect one of them (admin) via signature while the other one is not.
While after submitting to Bitdefender and Kaspersky, both added signatures for both of them because they were checked by an analyst instead of automatic processing.
So yeah, malware submission experience with Avast is quite disappointing. I know Avast surely receives a lot of submissions, so it’s not possible to check all of them, etc… But fixing false positives shouldn’t take 5-6 days. So like I said, the malware submission experience is disappointing. Wish I could directly email an analyst working for Avast.

I would say that based on some of the posts here when given the link, many do get a response.

Personally I don’t feel a direct response is absolutely necessary if they add it to the database, but to check that you would need to visit the site (not a great idea). You could also check the link at VirusTotal and see who detects it. Avast doesn’t partake in these URL scans, but they should get notifications from VT. So submission to VT is something else that could be considered.

I’m not sure this would be directly related to the Avast for Windows products, it seems more related to mobile security. Though the SCAM emails could well be received on your PC but might not be detected as infected. However, clicking on the suspect phishing link would then be scanned by the Web Shield that may well be detected by the Web Shield.

So I don’t believe it isn’t as clear cut as you suggest.

EDIT: I checked 4 of the URLs in the article at random and all were detected by the web shield.

Response is not necessary, in fact after submission it even says that you won’t get a reply for the submission. Simply adding detection should be satisfactory, like you said. About VirusTotal, yeah, I always check those first.
Yeah, Avast is now detecting the URLs. Pretty sure it’s not a coincidence, someone from Avast saw my post and added those to the blacklist. It’s good that they are now blocked finally.
The experience I shared is not new, it happened many times in the past, that’s why I finally thought I should share it here. Also, what I said in my post about the time it takes to fix false positives needs to be improved.
If URLs related things occur again, then I’ll share them on the forum, like I did in this case, to increase the chance of someone from Avast noticing it. For malware, I’m not sure what to do.
The not so dangerous ransomware I talked about in the post will probably be added to the definition if an analyst can analyze it, but sharing something like a ransomware might not be a good idea to share here publicly. If you can help me with it, then let me know. I mean like, if I privately share it with you, and then you forward it to someone from Avast on the forum you know.

If they don’t respond directly to your submission, I rather doubt they are responding to a post in the forums, just because of your post a few hours ago.

I do know that some of the virus labs team do frequent the forums, but with submissions and improving existing generic detections, they are pretty busy staying ahead of the game.

It’s possible that someone from the Avast team on the forum forwarded those to a malware analyst after seeing my post. It’s not uncommon and happens on the ESET and Kaspersky forum also for example. I have privately submitted samples to an ESET forum moderator a few times, who then forwarded those to an analyst to create signatures. Besides, Avast has streaming updates, so all users receive new updates very quickly after analysis. So I’m sure this is what happened one way or another in my case here.
Anyway, it will be better if Avast reacts faster to user submissions, especially false positives. 4-7 days on average (in my experience) for fixing false positives is not acceptable.

1. Hi, I reported your thread to Threat Labs via Slack yesterday.
2. Best you report it in the dedicated forum section: https://forum.avast.com/index.php?board=4.0
3. See: https://support.avast.com/en-ww/article/258/

1. My guess was correct then. Thanks for reporting.
2. I missed it somehow. Will do, thanks.
3. Yeah, I always submit that way but for some reason some submissions don’t reach an analyst always, maybe.
   Anyway, I’ll also use the dedicated section in such cases.

Excerpt from the article: Files and websites that require manual analysis are prioritized according to their level of severity and the number of users the file or website may harm. After manual analysis, the file or website is categorized as either safe, or harmful.

Ow, I see. Thanks.

Hi @Mr. Avast,

Thank you for your feedback.
The vast majority of false-positive and threat reports are processed within 24 hours. However, some may need further investigation, and such cases may take longer to resolve based on the specific case and the current workload.
If you are reporting malware or a false positive, please keep using the form available here: https://www.avast.com/false-positive-file-form.php

You’re welcome.

Alright 🙂