Questions

Same file, but the Avast engine in VirusTotal doesn’t detect it.
https://www.virustotal.com/gui/file/5ee4d962d00340fe06ca92435cffbc95011c3420348ecbacb8723eb58b22db7d

https://virusscan.jotti.org/en-US/filescanjob/b9s0qewhob

And I am also wondering what the meaning of the X in the detection name is.

variant letter

(CARO) Malware naming scheme, this is how it works
https://cyberwarzone.com/caro-malware-naming-scheme-this-is-how-it-works/
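As an added example (not code from the thread, from CARO or from Avast), a small Python parser for the general CARO-style layout `Type:Platform/Family.Variant!Suffix`, which pulls out the variant letter the question asks about and turns it into its sequential index; the layout, the constructed sample names and the treatment of vendor-specific names that do not fit it are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed general CARO-style layout (not any one vendor's exact grammar):
#   [Type:]Platform/Family[.Variant][!Suffix]
CARO_RE = re.compile(
    r"^(?:(?P<type>[A-Za-z-]+):)?"         # e.g. Trojan, Ransom (optional)
    r"(?P<platform>[A-Za-z0-9_-]+)/"       # e.g. Win32, MSIL
    r"(?P<family>[A-Za-z0-9_-]+)"          # e.g. Agent
    r"(?:\.(?P<variant>[A-Za-z]+))?"       # variant letters: A, B, ..., X, AA
    r"(?:!(?P<suffix>[A-Za-z0-9_.-]+))?$"  # e.g. !ml (detection-method tag)
)

@dataclass
class CaroName:
    type: Optional[str]
    platform: str
    family: str
    variant: Optional[str]
    suffix: Optional[str]

def parse_caro_name(name: str) -> Optional[CaroName]:
    """Split a CARO-style name into its fields; None if it does not fit the layout."""
    m = CARO_RE.match(name.strip())
    return CaroName(**m.groupdict()) if m else None

def variant_index(variant: str) -> int:
    """Sequential number of a variant letter string: A=1 ... Z=26, AA=27, AB=28."""
    n = 0
    for ch in variant.upper():
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n

def same_family(a: str, b: str) -> bool:
    """True when two names share platform and family and differ only in
    variant letter or suffix, i.e. they are variants of the same malware."""
    pa, pb = parse_caro_name(a), parse_caro_name(b)
    if pa is None or pb is None:
        return False
    return (pa.platform.lower(), pa.family.lower()) == (pb.platform.lower(), pb.family.lower())

# Constructed sample names, not real detections from the thread
SAMPLES = ["Trojan:Win32/Agent.X!ml", "Win32/Agent.A", "Ransom:Win32/Locky.AB", "Win32:Malware-gen"]

if __name__ == "__main__":
    for s in SAMPLES:
        p = parse_caro_name(s)
        # None means a vendor-specific name that does not follow the CARO layout
        print(s, "->", p, "index:", variant_index(p.variant) if p and p.variant else None)
```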

Jotti runs the Linux version, VT runs the Windows version. The problem might be there, as the engine itself should be the same.

After rescanning the file, it seems the engine on VT now also detects the sample!

More for those who want to read about malware naming…

Malware Naming Hell
https://www.gdatasoftware.com/blog/2019/08/35146-taming-the-mess-of-av-detection-names

Malware family naming hell is our own fault
https://www.gdatasoftware.com/blog/malware-family-naming-hell

CARO http://www.caro.org/articles/naming.html

It is relatively tempting to want to name malicious code based on its date of activation; this can create confusing duplication of names. For instance, if we were to name every new virus with some word derived from its payload, like “March6”, “January Friday 13th” or “CrashWindows”, the fictional exchange illustrated below could become commonplace:

(A1 - Analyst1, works for the respectable AV company C1)
(A2 - Analyst2, works for the most respectable AV company C2)
(A3 - Analyst3, works for the (even more) respectable AV company C3)

A1: “Hey A2, have you seen that new beast, the ‘Newyork’ virus?”
A2: “You mean the one which fills all the files on disk with ‘New York’?”
A1: “No, that’s the ‘NYFiller’ virus, I mean the one which shows a message box with the text ‘New York New York’”
A2: “Could be, I remember having seen two of them, one was a macro virus and the other one infecting Linux ELF files”
A1: “Hm, the ‘Newyork’ I was thinking of actually infects Windows PE files”
A2: “Ah, but I think I know what you mean, however, the one I’ve seen shows a message box stating ‘New Orleans New Orleans’. We are calling it ‘NewOrleans’, of course.”
A1: “Hm, that must be a new version of our ‘NewYork’ virus with a modified message. I think you should rename your ‘NewOrleans’ virus to something like ‘NewYork(version:Orleans)’.”
A2: “Hey, wait a minute, why not rename your virus to ‘NewOrleans(York)’?”
A3: “Hey guys, have you seen the new virus which fills all the files on disk with ‘New Delhi’? We’re calling it ‘NewDelhi’, of course.”
A1: “Arghhh…”
A2: “Who designed this stupid payload-based naming scheme anyway…?”

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=78995af3-e961-46da-ad80-f6547bbce3b7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

;D 8)

Another question: does the Avast automated system identify the malware type for those samples that don’t require a human to check? (Such as trojan or ransomware, and what if it is a trojan and ransomware at the same time?)
And does the Avast automated system automatically unzip zip files?

https://www.avast.com/technology/ai-and-machine-learning

I mean classify the type of new malware, not detect the new malware.

Isn’t this a bit of a joke? Doesn’t GData use two other companies’ virus engines/databases?

Even then, there really is no way there is ever going to be standardisation in malware naming when the methods of detection are, in many cases, different.

When you are talking of heuristic, generic, artificial intelligence and machine learning methods of detection, one signature detects multiple variants of the same/similar malware.

As Asyn’s link shows.

So I rather doubt that Avast is alone in this development; it would make it near impossible for any standardisation on malware naming.

So, can anyone tell the Avast team to add an option to disable the local sandbox analysis? Since it is pretty useless, and will allow the malware to run on the user’s computer.
https://forum.avast.com/index.php?topic=273698.0
Or they can make the analysis longer (such as 1 minute or 30 seconds, so it can actually detect malicious software).

You can adjust/disable it in the settings.

If I disable it, will Avast detect the sample as suspicious?

https://support.avast.com/en-ww/article/150/

All malware samples are analyzed by automated systems because of the enormous amount of files they receive.

Ransomware is a trojan

Isn’t this a bit of a joke? Doesn’t GData use two other companies’ virus engines/databases?
Joke? What do you mean?

OK, thanks, but if the auto system missed a sample and it was not sent to the Avast team, then how do I let them review it?

The reason I say they should add the option is because a sample needs to be sent to Avast when the sandbox can’t identify whether a sample is malicious or clean; however, because the analysis time is too short, the sandbox will be easily bypassed by malware.

All samples uploaded to VirusTotal are shared among all VT members.