Jump to content

Avast Detects Agent.exe's Signatures In Memory


ibell63

Recommended Posts

It appears that Immunet's agent.exe process is not encrypting it's signatures in memory, therefore Avast detects them when it does a scan of memory and Immunet has signatures loaded.

 

See this topic at Avast's forum for more info:

 

http://forum.avast.com/index.php?topic=71380.0

 

 

Thanks. We will not be encrypting them in the future, our signatures are open source so there is no reason for us to obfuscate them.

 

Best,

al

Link to comment
Share on other sites

Sorry, I think I may have not described the issue clearly enough.

 

What I mean is that Avast is detecting the agent.exe process as malicious because of it's signatures, which contain pieces of malicious code.

 

This has nothing to do with proprietary vs. open source code, it's a compatibility issue.

 

I suspect that this issue may cause incompatibility with other AVs as well.

Link to comment
Share on other sites

Sorry, I think I may have not described the issue clearly enough.

 

What I mean is that Avast is detecting the agent.exe process as malicious because of it's signatures, which contain pieces of malicious code.

 

This has nothing to do with proprietary vs. open source code, it's a compatibility issue.

 

I suspect that this issue may cause incompatibility with other AVs as well.

 

There is no code in our signatures, what Avast is picking up on is op codes or strings in the sigs which help id malicious binaries. Is Avast actually killing agent.exe as a result?

 

al

Link to comment
Share on other sites

No, Avast does not kill agent.exe when it makes these detections, but the alerts are annoying and could be confusing to less experienced users.

 

Seeing as Immunet is a product that is designed to run alongside other AVs, I assumed until I saw this that all of it's sigs would be have been encrypted / obscured to prevent issues like this.

Link to comment
Share on other sites

To clarifty this matter:

please correct me if I am wrong.

 

At some point Avast is picking up agent.exe as malicious.

 

this is because the virus definition info is showing - not anything malicious - just the definition hints.

 

if the agent.exe was decrypted it would not show these hints.

 

Other potential companion AV's may detect the hints, also.

 

 

 

> please comment if I am wrong in understanding this.

Link to comment
Share on other sites

No, Avast does not kill agent.exe when it makes these detections, but the alerts are annoying and could be confusing to less experienced users.

 

Seeing as Immunet is a product that is designed to run alongside other AVs, I assumed until I saw this that all of it's sigs would be have been encrypted / obscured to prevent issues like this.

 

You have a good point, we are speaking with them today to try to see if we can get a solution in place.

 

Best,

al

Link to comment
Share on other sites

@Duncan,

 

Avast is detecting the signatures stored in memory by agent.exe, but only when the process is running. When the actual executable on disk is scanned, there are no detections made, and the file looks clean. Avast does not kill the process as a result, but issues alerts to 200 some pieces of malicious code found inside the process.

 

It is common practice for antimalware tools to encrypt their signatures and temporary files. For example, Malwarebytes Anti-Malware encrypts it's quarantined files so that other Anti-Viruses like avast don't detect these quarantined files and remove them.

 

This is most likely part of the reason why Immunet itself has exclusions for various temporary file folders for various antiviruses including Kaspersky, Avira, and Avast.

 

@Alfred

 

Thank you for your understanding in this matter, I am glad to see this sort of support.

 

I would also like to mention that Avast does not appear to make these detections unless the user specifically initiates a scan involving memory. This would include the default settings for a full scan, and is also a selectable option for custom scan settings.

 

This being the case, one would consider it a minor incompatibility but it may also cause issues with other AVs that scan memory; I'm sure you already know this.

 

Thanks again for the support!

 

Ian

Link to comment
Share on other sites

@Duncan,

 

It is common practice for antimalware tools to encrypt their signatures and temporary files. For example, Malwarebytes Anti-Malware encrypts it's quarantined files so that other Anti-Viruses like avast don't detect these quarantined files and remove them.

 

This is most likely part of the reason why Immunet has exclusions for various temporary file folders for various antiviruses including Kaspersky, Avira, and Avast.

 

That is correct, it's precisely why we exclude those directories. I am hoping we can solve this issue with a whitelist applied to the agent in memory from Avast. Encrypting the actual contents in mem is not rocket science but it's not likely to happen in the short term. We may simply need to build a knowledge base article about it in the near term.

 

al

Link to comment
Share on other sites

Ok, I think I have my head around it now,

 

So if:

 

Avast is detecting the signatures stored in memory by agent.exe, but only when the process is running. When the actual executable on disk is scanned, there are no detections made, and the file looks clean. Avast does not kill the process as a result, but issues alerts to 200 some pieces of malicious code found inside the process.

 

then:

 

 

If the sigs stored in memory cannot be encrypted, so as to: not create alerts in AVG.

 

then:

 

You will try to have the memory sigs whitelisted by AVG so as to: not create alerts in AVG.

 

 

 

 

If this is the only solution then it might be advisable to check all other AV's that are accepted as companion AV's to make sure that the same issue is not occuring. (and contact any that are re/ whitelisting)

 

If the memory sigs can be encrypted as in malwarebytes for example, then wouldn't this be the best solution?

 

I am only trying to understand and assist in this matter, as a lot of users that are not computer savvy may over-react to this issue.

 

As Immunet-3 has just recently been released it would be good to sort any issues out as quickly as possible and possibly release a patch or update to further stabilise the product.

 

I think that the notification and discussion of this in this forum is a very positive step, and thank you, Ian for raising and discussing this matter.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...