The quality of the service of the analysts needs to be improved

Hello

I’ve been drawing some conclusions about why some very similar trojans are not detected by avast even if the signature of one of them has been included in the database.

I believe the quality of the analysts’ service team is not the best. I have noticed that the detection of banker trojans by Avira AntiVir is much better than avast’s. I wonder if it could be the analysts’ choice of a line of code that does not accurately characterize the malware.

The names given to malware identified by avast’s analysts are not accurate (for example the name “Win32:Malware.gen” given to banker trojans).

Am I correct?

Is there some expectation of improvement?

Thanks very much.

Common voice in our country.

There is always hope :slight_smile:

As far as naming is concerned, there is absolutely no standard or rule for how to name them. Companies could name them “Malware/Virus” or even just “Threat” and that’s it. To 99% of people, names of the malware families don’t mean a thing. Whether it’s Banker or Virut, only one thing is in common: they want it off their computer.
As for everything else you complained about, I cannot really comment on that. Only ALWIL programmers/analysts can answer you on that…

I feel the same way: the name isn’t an issue; what is, is that it is detected, as I mentioned in the other topic.

Win32:Malware-gen is a generic detection designed to catch multiple occurrences of a type of malware. So long as it makes the detection, the name given is totally unimportant, as there is no standardisation/convention in malware naming.

You will see this when you do a VirusTotal check: you will see the many different aliases given in detections across the 42 different scanners.

But the nomenclature is important to tell what type of malware it is and what it does.

There are cases where the name indicates a type of malware when in fact it is another kind.

No response from even one malware analyst?

I have two similar trojans to prove what I say.

This question seems very important.

So, did you send them to avast yet…??
Meanwhile all AV companies (kind of) depend on users’ feedback…!!!
asyn

Already sent, a few days ago.

One is already detected by avast, the other is not.

Great, thanks for submitting…!! :smiley:
Let’s hope the other one will also be detected soon…
asyn

Because the trojans are similar, they must all be detected and not just one.

That is why I say that the service quality of the analysts needs to be improved.

This also occurs with AVG (Grisoft).

If there were quality in the analysis, the cracker could create several trojans that would all be detected by the same signature.

You should never rely on one security solution. Never ever…!!
A layered protection is the ultimate secret…!!! :wink:
asyn

I just want avast to be as good as Avira AntiVir in detection.

I don’t care about Avira…!
If you want maximum detection rate use Emsisoft AM.
But I guess we (users of avast) all like it to be the best and imo it is the best AV, otherwise I (and many others) wouldn’t use it…!! :wink: Nevertheless, as already said, don’t fully rely on it; protect your browser as the first level and get a second opinion with an antimalware like Mbam or A²…
asyn

  1. Please check the photo, which comes from F-Secure’s blog from the CARO 2010 conference:

http://www.f-secure.com/weblog/archives/v_caro.jpg

From our internal testing it seems that on day 0, the best AV gives you at most 60-70% protection by signatures. This is not an excuse, this is an explanation of why you may see what you see. I could just as well show you many samples missed by antivirus X, in the very same way.

  2. Nomenclature does not exist, and while you’re getting 50,000 new samples a day, it’s nonsense to spend time and resources naming something which will be extinct tomorrow. Also, from our tests it sometimes seems like these names are assigned by a random generator. 8)

So, how to be protected against day 0 attacks? What is your suggestion to use side by side with avast?

A solution for the 50,000 new malware samples per day?

Well, the point being made is ‘detection by signature’, with a signature for every detection. So with the generic detection, Win32:Malware-gen in this case, it can detect hundreds/thousands of variants of malware.

Now, that nomenclature doesn’t specifically identify ‘banker’ or another specific malware family name (as in the OP’s concern); it just detects it as malware. The important thing is that it detects it, not the nomenclature given to the detection.

So the use of generics and heuristics to detect zero-day/new variants is playing a greater part in detection, as it is almost impossible to keep up with the volume of 50,000 new malware samples per day if you are going to try to give them all a specific nomenclature or malware family name rather than Win32:Malware-gen, etc.
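The difference between the per-sample signature the OP is describing (one hash, one trojan, the sibling build missed) and a generic detection such as Win32:Malware-gen, as a worked example added here; it is not code from the thread or from any AV vendor. Every "sample" is a constructed placeholder byte string: the stub bytes, hostnames and detection names are hypothetical and stand in for the code a malware family's builds have in common and the per-build config that differs between them.

```python
"""
Toy signature engine contrasting a per-sample hash signature with a generic
byte-pattern signature. Every "sample" here is a constructed placeholder byte
string (hypothetical stub bytes and hostnames), not real malware.
"""
import hashlib
import re

# Hypothetical bytes standing in for a code stub that all builds of one
# family share (e.g. the unpacker or the routine that decodes the config).
SHARED_STUB = bytes.fromhex("5589e583ec10c745fc00000000")


def build_variant(c2_host: bytes, build_id: int, stub: bytes = SHARED_STUB) -> bytes:
    """Construct one 'build' of the family: shared stub, a build-specific byte,
    a push-immediate opcode and the per-build C2 hostname plus padding."""
    padding = bytes((build_id * 7 + i) % 256 for i in range(16))
    return stub + bytes([build_id]) + b"\x68" + c2_host + b"\x00" + padding


# Three builds of the same family, each with a different C2 host (constructed).
VARIANT_A = build_variant(b"bank-update.example", 1)
VARIANT_B = build_variant(b"secure-login.example", 2)
VARIANT_C = build_variant(b"cdn-assets.example", 3)
# A recompiled build whose shared stub changed (sub esp,0x20 instead of 0x10):
# the generic signature below no longer covers it.
VARIANT_D = build_variant(b"bank-update.example", 4,
                          stub=bytes.fromhex("5589e583ec20c745fc00000000"))
BENIGN = b"MZ\x90\x00" + b"plain text, nothing to see here. " * 3


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Per-sample signature: the exact hash of the one file that was submitted.
HASH_SIGNATURES = {sha256_hex(VARIANT_A): "Trojan.Banker.A"}

# Generic signature: hex pattern with ?? wildcards (the notation ClamAV and
# YARA hex strings use). It covers the shared stub and the push opcode that
# follows, so it does not care which hostname a build carries.
GENERIC_SIGNATURES = {"Win32:Malware-gen": SHARED_STUB.hex() + "??" + "68"}


def compile_hex_pattern(pattern: str):
    """Translate 'aabb??cc' into a bytes regex; ?? matches exactly one byte."""
    tokens = [pattern[i:i + 2] for i in range(0, len(pattern), 2)]
    regex = b"".join(b"." if t == "??" else re.escape(bytes.fromhex(t)) for t in tokens)
    return re.compile(regex, re.DOTALL)


COMPILED_GENERICS = {name: compile_hex_pattern(p) for name, p in GENERIC_SIGNATURES.items()}


def scan(sample: bytes) -> list:
    """Return the detection names that fire on one sample, hash hits first."""
    hits = []
    exact = HASH_SIGNATURES.get(sha256_hex(sample))
    if exact:
        hits.append(exact)
    hits.extend(name for name, rx in COMPILED_GENERICS.items() if rx.search(sample))
    return hits


def coverage() -> dict:
    """Map each constructed sample to the detections it triggers."""
    samples = {"A": VARIANT_A, "B": VARIANT_B, "C": VARIANT_C,
               "D (recompiled stub)": VARIANT_D, "benign": BENIGN}
    return {label: scan(data) for label, data in samples.items()}


if __name__ == "__main__":
    for label, hits in coverage().items():
        print(f"{label:22} -> {hits or ['clean']}")
```

Running it shows the two situations the thread is arguing about. The hash signature fires only on the exact file that was submitted (variant A); variants B and C, which differ only in their embedded hostname, are caught solely by the wildcarded generic pattern, which is why one Win32:Malware-gen entry can cover many builds that no analyst has ever seen individually. Variant D also shows the limit: once the shared code itself is recompiled or repacked, even the generic misses it, which is the "60-70% on day 0" point made above and the reason the remaining layers (site blocking, script and document detection) matter.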

But we know that is still not enough…

Yeah… But I would like to hear from Kubecj what his solution is…

I believe Kubec just wanted to say that it’s necessary to react quickly and detect the stuff.
Thorough analysis and attempts to use a great name for the detection… aren’t doable.

Ok. What is the pathway to happiness in his opinion?
What do you use to protect your computer when you play with fire? ;D

If you want to go to suspicious sites, just prepare to be infected anyway and take precautions such as backups and not storing anything even moderately sensitive on your machine. And I specifically said by “signatures”. But there are also generic protections and layered protections.

See the typical chained scenario of today:
Porn site → malicious js → malicious pdf → malicious downloader → malicious binaries.

Don’t go to such porn site.
Don’t use vulnerable apps.
Have antivirus with layered protection.

And then - who cares if avast! does not detect one of the downloaded malicious binaries, when the porn site is blocked and we detect the js and pdf?

It’s very hard to evaluate the real-world performance of an AV solution when we don’t (and I suspect we can’t) test the whole chain and prove whether the user is protected. The tests on VT and such don’t prove anything but the ability of the engine to detect it by signature.