Evo-Gen, FileMetaGen, FileRep, FileString.

Currently I am testing the latest Avast Free very often, and I test on a real system, i.e. no VM: XP SP3 32-bit English.

Can anyone explain what these detections are or how these scans work?

Today I tested Avast twice.
Both times, after a right-click scan (PUP enabled) and execution of the malware (PUP enabled), some malware were not detected. After 5 minutes I executed the malware that had not been detected, and now a few were detected as FileMetaGen. After another 5 minutes I executed the remaining few, and all were detected as FileString; only one was not detected.

Now I don't know whether these detections were due to streaming updates
OR
whether Evo-Gen, FileMetaGen, FileRep and FileString detections are like live scans, i.e. suspicious/unknown samples are uploaded and scanned by autoscan/auto-analyzers, and the detections found to be malicious are sent to the users, which is why these detections appeared.

Can anyone explain/give info?
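Added example, not posted by anyone in this thread and not Avast's code: one way to separate the two explanations asked about above (streaming update vs. cloud/on-execute verdict) is to log, for every run of the same pack, the verdict per sample together with the definitions version shown in the GUI at scan time, then diff the runs. The log format, file names, detection names and version strings below are constructed for illustration and are not Avast's real report format; the SHA-256 helper is there because a VirusTotal cross-check is by hash, not by a generic name like 21.exe.

```python
"""Compare detection results of one sample pack across repeated scans.

Added example for this thread, not Avast's or the poster's code. The log
format, file names, detection names and the definitions-version strings are
constructed for illustration; real Avast report files look different.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed log format (one line per sample): <path>TAB<detected|clean>TAB<name or ->
LOG_LINE = re.compile(r"^(?P<path>[^\t]+)\t(?P<status>detected|clean)\t(?P<name>.*)$")


@dataclass
class Run:
    label: str
    vps_version: str  # definitions version noted from the GUI at scan time (constructed)
    verdicts: dict = field(default_factory=dict)  # path -> detection name, or None if clean


def parse_scan_log(text, label, vps_version):
    """Parse a constructed scan log into a Run; raises on lines it cannot parse."""
    run = Run(label, vps_version)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        run.verdicts[m["path"]] = m["name"] if m["status"] == "detected" else None
    return run


def diff_runs(first, second):
    """Which samples changed state between two runs over the same pack."""
    newly = [p for p, n in second.verdicts.items() if n and first.verdicts.get(p) is None]
    still = [p for p, n in second.verdicts.items() if n is None and first.verdicts.get(p) is None]
    lost = [p for p, n in first.verdicts.items() if n and second.verdicts.get(p) is None]
    return {
        "newly_detected": sorted(newly),
        "still_undetected": sorted(still),
        "no_longer_detected": sorted(lost),
    }


def explain(first, second):
    """Heuristic answer to 'streaming update or cloud verdict?'.

    If the definitions version changed between the runs, a streaming update can
    account for the new detections. If it did not change, the new verdicts came
    from something outside the local definitions (cloud lookup or on-execute
    analysis). This is the reasoning a tester would apply, not an Avast API.
    """
    d = diff_runs(first, second)
    if not d["newly_detected"]:
        return "no_new_detections"
    if first.vps_version != second.vps_version:
        return "streaming_update_possible"
    return "cloud_or_on_execute_verdict"


def sample_hashes(samples):
    """SHA-256 per sample (name -> bytes), the identifier to search on VirusTotal."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in samples.items()}


# Constructed logs for the scenario in the first post: after the first run A and B
# are missed; five minutes later B is flagged while A is still missed.
FIRST_RUN = (
    "C:/samples/A.exe\tclean\t-\n"
    "C:/samples/B.exe\tclean\t-\n"
    "C:/samples/C.exe\tdetected\tWin32:Evo-gen [Susp]\n"
)
SECOND_RUN = (
    "C:/samples/A.exe\tclean\t-\n"
    "C:/samples/B.exe\tdetected\tWin32:Malware-gen\n"
    "C:/samples/C.exe\tdetected\tWin32:Evo-gen [Susp]\n"
)


def demo():
    # Same constructed version string on both runs: no streaming update in between.
    first = parse_scan_log(FIRST_RUN, "run1", "140302-0")
    second = parse_scan_log(SECOND_RUN, "run2", "140302-0")
    return diff_runs(first, second), explain(first, second)


if __name__ == "__main__":
    print(demo())
```

Run it once per scan pass on the reverted system, noting the version string from the update screen each time; the diff tells you which samples flipped and whether a definitions change can explain the flip.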

Do you have a VirusTotal scan of the samples? If so, post a link to the scan results.

These detections are not possible in VirusTotal.

FileRep means that the file has a bad reputation.

Evo-Gen is a technique to detect unknown samples with one big signature for millions of files; it is cloud based.

FileString and Metagen are variations of FileRep.

It's dangerous to do testing on your productive system... what would you do if it got infected with a cryptolocker sample that wasn't detected by the anti-virus?

"These detections are not possible in VirusTotal."
Others may detect it, and VT will give lots of file info, detected or not ;)

It's my test system, so no worry.

Sorry, I don't have the samples now, as after the test I reverted the system to a clean state with Comodo Time Machine and deleted the snapshot of the test.
But I will do a test soon, and if the same scenario happens, I will post the VT links here.

By the way, I don't know how the samples came to be detected after 5 minutes, as asked in my first post, but one thing I forgot to mention is that when I first ran the samples, the undetected ones were left running in memory. After 5 minutes, when I ran the undetected samples again, as mentioned in my first post, a few were detected; of those few detected the second time, 2 were already running in memory from the first run but were not detected there, and they should be detected, right?

I don't know if you will understand what I mean, so let me explain with an example.

First run - undetected samples A & B active in memory.

Second run - after 5 minutes I ran A & B from the folder again, and they were detected. But A & B, already active in memory from the first run, were not detected/terminated/quarantined, etc. Whereas they should also be quarantined/blocked, etc. by Avast, right?

Do you restart and wait for a while after installing Avast? Maybe the cloud servers take time to stabilize the connection to the protection backend?

I always check that the connection is established.

Could you test Avast again and keep me posted here with the results on DeepScreen and the others? I'm really interested in how it does. This time, before you go out executing the files, wait for a while to see if the connection goes off in between. :)

I know what you mean. These backend detectors are getting tough to understand now. :o

OK, when I do a test, I will keep the connection GUI interface open.

Tested the 120-sample latest malware pack from malwaretips.
Avast latest, PUP enabled
XP SP3 32-bit, real system, i.e. no VM

Today's test was shocking. I don't know if Avast's new technology is stable.

The scan detected 96/120.
24 executed: a few detected, a couple didn't run, a few missed. I didn't get a single DeepScreen scan popup, strange? Finally a ransomware, 21.exe, infected and restarted the system and blocked system boot.

I tested 21.exe with Hardened mode in both Moderate & Aggressive and got no alert, strange? And, same as above, the ransomware infected the system.

For all tests I kept the update GUI interface open and the connection was established.
For every test I reverted the system to a clean state and then did the test.

I don't understand why there was no DeepScreen or Hardened alert.

Take a look at this: http://forum.avast.com/index.php?topic=147058.0

Tested in a VM with Win 8.1 and no updates.

No DeepScreen alerts, a few Evo-Gen detections and one heuristic detection.

Now this is getting really weird... sometimes the backend detects, sometimes it misses.

Naren, could you re-test the samples again to see if there are any changes now?

If possible, could you upload the files and test them at virustotal.com?

Hello,
some detections are alerted only on execution: Evo-gen, and cloud detections (with "FileRep" in the name). Updates of Evo-gen detection are delivered in streaming updates.

Milos

Malware - 2014-03-02 PZ pack from malwaretips.
After the scan, 19 remaining.
Executed the 19 - same results as the previous test, i.e. a few Evo-gen detections, no DeepScreen scan, no Hardened alert.

This was my last test with Avast for now.