Three questions for Vlk on Avast for Mac

  1. On many AV tests Avast for Mac has been called out for heavy resource use. On one test it was the worst, but it was on a download being scanned inline, so I can give that a partial pass.

There have been a couple of posts here about Avast for Mac stressing out SSD drives with excessive reads and writes.

What is Avast doing to reduce this resource use?

  2. While I know this may or may not have anything to do with resource use: does the Mac have a more efficient coding language that COULD be used, as with “assembly” on Windows, but for the Mac? Would “Swift” be a better language to compile Avast for Mac in?

  3. Is Avast working on implementing a heuristic engine for Avast for Mac, so it will be the first AV company to advance Mac AV with the same advancements that PC-based AV has? I assume you know Patrick Wardle of Synack, an OS X malware researcher, who has stated that ALL Mac AV programs lack any heuristic engine for OS X, making ALL Mac AV programs basically very simplistic and somewhat ineffective against the upcoming advanced Mac malware.

Here is a short six-minute video with Patrick at Black Hat 2015:

https://www.youtube.com/watch?v=yHZ9XGvNeik

Vlk, PLEASE advance Avast for Mac faster than the rest of the SLLLLOOOWWWW development cycle that AV companies are running for OS X AV. Maybe a collaboration between Patrick Wardle and Avast would be a WIN WIN for Avast.


  1. Well, the latest AV-TEST test is defective by design. A serious test can never mix products (or their setups) in a single test where some of them scan the files (Avast) and some of them don’t (all others).

     What they did is, they downloaded several GB of compressed archives (DMGs) and measured the performance impact by measuring download time. The problem is, none of the products, or more precisely their file shields, scan compressed files. Even Avast’s file shield does not scan them. Also note that there were no infected files among the test files, so AV-TEST couldn’t even have any evidence of whether the files were scanned by the AVs or not…

     When the Web Shield is ON in Avast, it does archive scanning (up to a certain file size limit), which of course takes a significant amount of time. As Avast was the only product in the test with a web shield scanning the archives (or with a web shield at all), the results are as they are.

     If they wanted to test the products in default configurations, they still could have done this right. In a serious test, the products would then be penalized either by resource consumption or by scan results. What they did instead is a test where they test all but one product on doing nothing, and one product on doing archive decompression and scanning…

  2. The Mac engine is written in C++ with some assembler parts, so there is no better alternative. Using Swift would actually make it probably more than 10 times slower…

  3. The Avast Mac engine is exactly the same as the Windows engine, so everything that you understand as the “heuristic engine” that runs in the PC engine runs in the Mac scans as well.

As for #3, Patrick Wardle has stated there is NO Mac AV on the market that has a heuristic engine; they are ALL simple definition scanners. I guess I would have to take his word on that one. He has tested all of the names, including Avast for Mac, with very simple zero-days, and ZERO Mac AVs caught simple malware that had a bit or two changed from commonly known malware. He said any AV with a good heuristic would have picked it up right away.

Well, such experiments only show whether there are heuristic detections for certain file types, not whether the engine is capable of doing heuristic detections in general. In the case of Mac malware there may be no reason to do such scans at the moment, as there may not be real malware spreading with modifications.

For performance reasons, we always try to do only the detections required (i.e. for malware that is really “out there”). In fact, the whole detection processing is more and more based on statistical data.