I personally do NOT condone avast! free for home use. There is NO free lunch; you just haven’t figured out how you’re paying yet!
It is missing a critical element that the rest of the avast! products use: the AutoSandbox. When unknown code (new or rare) passes through all stages of A/V detection and comes out the end as unknown/rare, the only process left is to execute it and see what’s there. avast! (paid) will then execute this code in a virtual environment, so that malicious code is isolated from the system. avast! free is just like Symantec and some other A/V products: they just execute the code and try to mitigate the infection. avast! will stop all known versions of CryptoLocker. AutoSandbox will stop the unknown versions of CryptoLocker. Also, without AutoSandbox, the same situation occurs with polymorphic infections.
Most unknown/rare files are polymorphic, which is impossible to detect using DAT technology. Injection of random characters and code scramblers guarantees that each sample is significantly unique (Microsoft uses code scramblers on Service Packs to prevent reverse engineering). With polymorphism, neither the programmer nor the program needs to know the payload in advance. The exact behavior is only determined at execution. The final stage of assembly includes encryption into a self-expanding executable. The packer information is embedded at the end of the file. Before the packer algorithm is understood, all initial scans see no decipherable code. So far, antivirus software has really had nothing to go on. When the packer is known, then anti-virus can view the file using an appropriate decompression algorithm. If the file uses an unknown packer (most polymorphic authors write their own encryption algorithm), then the file must be executed in the AutoSandbox. As this code executes, it is interrupted at different levels for structural checks, undergoing analysis for viral characteristics and behavior. Did “start, run” open? Was the registry modified? If at any time the code is confirmed as malicious, it is moved directly to the virus chest. Under full analysis, the user will see “This code is being analyzed” for a maximum of 15 seconds. If at any time the code is deemed safe, it is allowed to fully execute. This type of code analysis becomes necessary!
DAT detection, as we have known it, is basically dead, and here’s why. The polymorphic infection engine guarantees that every sample will have a different DAT. They prevent analysis by halting multiple downloads to the same location. Some samples, such as the “Storm” worm, have a “self-defense” module. It will attack any Internet address that trips this module, and cause a denial-of-service towards any investigation. This intelligent “anti-analysis” technology hinders antivirus vendors, as they can obtain only a few samples at best.
Every organized crime syndicate and terrorist organization has a cyber division. It is their number one source of income for funding their organization. A single virus writer, with a single polymorphic engine, can produce over 30,000 unique samples per day. Multiply this by how many polymorphic engines he can run, how many servers he controls, how many of his peers have this job, and how many organizations there are, and the number of unique infections is growing exponentially every day.
The sheer effort required for data entry to obtain and insert all these new definitions becomes theoretically impossible (this is what AVG does). The only real advantage to “brute force” definitions is higher rankings in antivirus tests. The more definitions you have, the more samples you catch, the higher your ratings. The problem is that current antivirus testing does not mimic real-life occurrences. How can you test what you haven’t seen? How can you test what doesn’t exist yet? This is why DAT detection, as we have known it, is dead!
avast! free for home users is the 1st line of defense in testing new versions or features. Somebody has to test the code and identify the bugs. So, this job is bestowed upon the “free” users. After it is tried and tested in the home environment, it is then moved to the 2nd tier Guinea Pigs (avast! Pro / Internet Security users). The code has proven fairly stable at this point, but now it is tested for the first time in the business environment. All new untested variables are now brought to the table, and a new round of debugging occurs. It is impossible to predict all these different situations. avast! can only do so much testing in their laboratory. After a final polishing of this new code, it then goes back to the developers to have the netclient module added for management capabilities, and the new features are then added to the avast! management consoles (SOA and AEA).
Advantage Micro Corporation
“At this point in time, the Internet should be regarded as an Enemy Weapons System!”
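The two points the post makes, that a hash-style DAT entry cannot match a never-seen polymorphic variant while behavioural checks during sandboxed execution (registry autorun modification, document rewriting) still can, shown together in a toy form. This is an added example, not avast!'s AutoSandbox code; the sample bytes, event trace, rule names and the 15-second budget parameter are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed "variants" of one sample: same behaviour, different bytes,
# so a DAT (hash) entry for one never matches the other.
VARIANT_A = b"payload-core" + b"\x90" * 7 + b"junk-AAAA"
VARIANT_B = b"payload-core" + b"\x90" * 3 + b"junk-ZZZZ"
KNOWN_BAD_HASHES = {hashlib.sha256(VARIANT_A).hexdigest()}

def dat_lookup(sample: bytes) -> bool:
    """Signature-style check: only exact, previously seen bytes match."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES

@dataclass
class Event:
    t: float      # seconds since the sample started running in the sandbox
    kind: str     # "registry_write", "file_write", "net_connect", ...
    target: str

# Behavioural checks (hypothetical rules, not avast!'s): autorun persistence
# and rewriting of user documents are the kind of "viral behaviour" that
# only shows up once the unpacked code actually executes.
AUTORUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

def is_autorun_write(e: Event) -> bool:
    return e.kind == "registry_write" and e.target.startswith(AUTORUN_KEY)

def is_user_doc_write(e: Event) -> bool:
    return e.kind == "file_write" and e.target.lower().endswith((".docx", ".xlsx", ".jpg"))

def sandbox_verdict(events, budget_s=15.0, doc_threshold=3):
    """Replay events in time order. Return ('malicious', why) on the first
    confirmed hit, or ('safe', why) if the budget passes without one."""
    doc_writes = 0
    for e in sorted(events, key=lambda ev: ev.t):
        if e.t > budget_s:
            break
        if is_autorun_write(e):
            return "malicious", f"autorun persistence at t={e.t}s"
        if is_user_doc_write(e):
            doc_writes += 1
            if doc_writes >= doc_threshold:
                return "malicious", f"{doc_writes} user documents rewritten by t={e.t}s"
    return "safe", "no viral behaviour within the analysis budget"

# Constructed trace of VARIANT_B running: the DAT misses it, the sandbox does not.
TRACE_B = [Event(0.2, "file_write", "C:\\Users\\u\\Documents\\a.docx"),
           Event(0.4, "file_write", "C:\\Users\\u\\Documents\\b.xlsx"),
           Event(0.9, "registry_write", AUTORUN_KEY + "\\updater")]
```

Note that cutting the budget short (for example `budget_s=0.5` on `TRACE_B`) returns "safe", which is the trade-off behind any fixed analysis window.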