Why did we establish a new organization with the CheckLab.pl/en website?

A mysterious CheckLab logo has occupied a prominent place in the https://AVLab.pl footer for a long time. It is there for a reason: it is a graphical announcement of professional security testing services. This dedicated website is devoted exclusively to one area, the technical aspects of testing solutions that protect workstations and personal computers.

The CheckLab organization was founded in July 2019 by the AVLab.pl company, which has operated in the IT security industry since 2012. The primary objectives of the CheckLab organization are to test the usefulness of security products, to issue certificates confirming their effectiveness against malware, and to make the results publicly available while ensuring maximum transparency of the tests. There is so much additional information related to the tests that we have decided to prepare a supporting website.

To explain how complicated the test automation procedure is, we must describe a few problems we have been struggling with while monitoring the activity of antivirus products and malicious software in real time. In fact, we describe here what needs to be done to get big international corporations, which provide their security solutions and services to businesses, interested in a company as small as AVLab. In this article we also want to share our knowledge and, at the same time, make readers aware of how many issues have turned out to be complex and how much time we had to spend on apparently insignificant problems. It is our first big project, which is why an engineering approach has revealed the full extent of the problems.

All instructions regarding the methodology and tools used in tests were published on the website https://checklab.pl/en.

We have been working on the CheckLab project for over two years. In that time, we have written scripts in NodeJS and Python that manage the whole testing procedure. The CheckLab website is also very important: it visualizes interesting test data and everything that happens in the invisible layer, the backend.

Testing environment: VMware, Citrix or VirtualBox?

The beginnings were difficult. We had to start by selecting a hypervisor for machine management. For licensing reasons, we initially chose the free VirtualBox. At first it met our requirements: it had everything we needed, namely access to snapshots and management from the command line. In addition, VirtualBox is free for commercial purposes. Even so, after a few weeks of testing we had registered too many unexpected errors. The virtualizer was hanging at random moments and could not handle managing multiple machines at the same time. The VirtualBox technology was rough around the edges and highly inefficient. We believe that VirtualBox is a good solution, but one designed for smaller projects or for home use. Then we tried VMware Workstation Pro and Citrix XenServer. We decided on VMware because it was easier to use, has greater community support, and fit our demands better.

The selection of the operating system is important. We decided on Windows 10 Pro, because it is the most future-proof.

The application launched in the terminal, which you can see on the left side of the screenshot, has been written in NodeJS and Python. Its tasks include optimizing the available resources, e.g. to prevent systems from hanging and other unplanned downtime.

Our testing system can be launched on any Linux distribution, even on a home computer that can handle at least one virtual system. In the current version the application is scalable, so it can use the available resources of a traditional dedicated server or a cloud server. High computing power is necessary when dozens of machines operate at the same time. From experience we already know that very fast drives are the most important. Hard drives such as SAS Enterprise do not have enough throughput, and the same applies to SATA III SSDs. Best suited are commercial NVMe drives, available for example from OVH, Hetzner, or Oktawave. The CPU and RAM also play a big role: the more resources, the more efficiently a guest system can work. At the moment we have a server with dozens of CPU cores, very fast drives, and enough RAM to run multiple machines at the same time.

The testing system consists of several components

The whole testing application is like one organism composed of individual elements, each of which operates separately and at the same time cooperates with the others. In effect, we have created an application that does exactly what a human tester would do, but incomparably faster and more efficiently, because it can manage an unlimited number of virtual machines at the same time and perform a large number of operations without being limited by human biomechanics.

The elements of which our testing application is composed:


The local DNS and HTTP/S server

The local DNS and HTTP/S server is responsible for "exposing" malware samples at a random URL address that is passed to the component managing the tests. From this URL the virus is downloaded into the operating system through the Chrome browser.

Thanks to our own DNS and HTTP/S server we have control over network traffic.


Honeypot network

Samples used in our tests come from attacks on honeypots. Honeypots are traps whose task is to simulate targets vulnerable to attack and to capture malicious software. We use both low- and high-interaction honeypots. Together they emulate services such as SSH, HTTP, HTTPS, SMB, FTP, TFTP, real Windows systems, and email servers.

The map shows the locations of the servers that serve as honeypots.
The checksums of malicious software on one of our honeypots.


Importer

This element of the application logs into the honeypots once a day and downloads the captured malicious software. It then calculates the checksum of every file and compares it against those in the database. Recipients of our tests can be sure that we will never analyze two identical viruses.

First, the application logs into a honeypot and downloads the captured malware.
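The de-duplication step of the Importer described above, as an added example in Python that is not the project's own code: every captured file is hashed with SHA-256 and compared against a set that stands in for the CheckLab checksum database, so a sample already seen on any earlier day or honeypot is never imported twice. The "<sha256>_<sample name>" directory convention is assumed from the testing system's log output further down; the files and honeypot names are constructed.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large captures are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def import_captures(capture_dir, known_hashes):
    """Hash every file pulled from one honeypot and keep only the unseen ones.

    known_hashes stands in for the project's database of checksums (assumption:
    the real backend keeps them in a database) and is updated in place, so a
    sample seen on any earlier day or honeypot is rejected.
    Returns (new_samples, duplicates): new_samples maps file name to its
    SHA-256, duplicates lists the names that were skipped.
    """
    new_samples = {}
    duplicates = []
    for name in sorted(os.listdir(capture_dir)):
        path = os.path.join(capture_dir, name)
        if not os.path.isfile(path):
            continue
        digest = sha256_of_file(path)
        if digest in known_hashes:
            duplicates.append(name)
            continue
        known_hashes.add(digest)
        new_samples[name] = digest
    return new_samples, duplicates


def sample_dir_name(digest, name):
    """Result directory name in the '<sha256>_<sample name>' shape visible in the
    testing system's log output (assumed convention, taken from that output)."""
    return f"{digest}_{name}"


def _write_batch(directory, files):
    """Demo helper: write constructed 'captured' files to disk."""
    os.makedirs(directory)
    for name, content in files.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)


def demo():
    """Constructed demo: two honeypot pulls on consecutive days.

    c.bin duplicates a.bin within the first pull, and d.bin on day two
    duplicates b.bin from day one, so both must be skipped.
    """
    known = set()                      # empty stand-in for the checksum database
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        day1 = os.path.join(tmp, "honeypot-a_2019-07-22")
        day2 = os.path.join(tmp, "honeypot-b_2019-07-23")
        _write_batch(day1, {"a.bin": b"MZ\x90\x00constructed-sample-one",
                            "b.bin": b"MZ\x90\x00constructed-sample-two",
                            "c.bin": b"MZ\x90\x00constructed-sample-one"})
        _write_batch(day2, {"d.bin": b"MZ\x90\x00constructed-sample-two",
                            "e.bin": b"MZ\x90\x00constructed-sample-three"})
        results.append(import_captures(day1, known))
        results.append(import_captures(day2, known))
    return results


if __name__ == "__main__":
    for new, dup in demo():
        print("imported:", [sample_dir_name(h, n)[:20] + "..." for n, h in new.items()],
              "skipped as duplicates:", dup)
```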


Manager

It is the most important element of the application. It automates the whole test procedure:

  • Manages the honeypot network.
  • Manages the downloading of malicious software.
  • Analyses malicious software in Windows 10 to check that every virus is suitable for the tests (i.e. that it is able to infect Windows 10).
  • Manages virtual machines.
  • Automatically tests virus samples against all security products on every machine.
  • Analyses logs, passing them from the guest systems to the host.
  • Manages the logs of the tested security solutions.
  • Sends diagnostic information to the database after the analysis of each virus sample is completed.

A malware sample is downloaded into the system by the real Chrome browser.

The manager uses the VMware API to ensure that the machines run at the same time. It responds to errors in the analysis and, if necessary, repeats operations (e.g. if the system freezes for some reason). Malicious software is placed in a queue, so we know for sure that all protection solutions will be tested at the same time on the same virus sample.


Analyzer

It is a very important element of the testing system: first, it logs the events performed in Windows 10 by the malicious software, and second, it picks up information on the reaction of the security product to the malicious software.

Logs from the Windows system contain, among other things, information on whether the tested solution detected a threat. In this particular example, the analyzer "sees" that the Bitdefender software has moved a virus to quarantine.


Parser

On the basis of the implemented guidelines, it decides whether the malicious software has infected the system and whether the security product has reacted to the virus. The script searches the logs for virus activity and for the security product's reaction to that malicious activity. The indicators obtained this way are transmitted to the database.

Example activity of one of the ransomware samples. The parser has detected 796 potential indicators of malicious software.


Thanks to the website, we do not have to filter the database manually. At this level we have access to details from the backend, and the diagnostic data allow us to visualize the results in the form of charts and tables.

The CheckLab.pl website

Detailed methodology

This article describes the genesis of the CheckLab project. We do not want it to be crammed with technical information, because there is simply a lot of it. The detailed methodology can be found on the https://checklab.pl/en website in the section:

These problems have given us a hard time

It was hard, sometimes very hard. More than once we hit a dead end, but we did not give up. This required dozens of hours of testing, checking many settings in the system, and improving the automation scripts.

The problems that gave us a really hard time are described below. Please bear in mind that probably not all of these events occur when using a computer on a regular basis; they caught us by surprise only because we wanted to automate all operations using the VMware API:

  • Disabling UAC in the Control Panel was not respected for some file extensions of virus samples. The solution was to disable UAC in the Windows registry; otherwise we were not able to skip the UAC confirmation through the VMware API.
  • Downloading malicious software via the Chrome browser was one of the most challenging procedures to automate. Why? If a file has any extension, in new versions of Chrome (and also in Firefox) it is not possible to disable the pop-up warning that the file may be harmful, even when the chrome://settings flag responsible for this security feature is disabled.
  • The machines are managed through the API of the VMware software. The problem is that we do not really know when the network service is up and running after logging into the system. Consequently, it was not possible to automate the steps from running a browser to downloading a virus with the „chrome.exe hxxp://IP/malware_sampledoc” parameter. This method did not work, because the network service was not ready for operation within the first few seconds after logging in.
  • Disabling the Windows Defender antivirus was effective only after changing options in Group Edit. The antivirus would interfere with analyzing malicious software and send files to the Microsoft cloud, which we did not want. One of the machines acts as a sandbox system without any security product: we analyze the malware there for malicious activity, which is why Microsoft's native protection would interfere with the tests.
  • Running viruses through the API was not an optimal way of representing the real situation. Instead, we have improved the procedure, and we currently run them the way a user would run any program in the system, by clicking on folders and applications.
  • Logging certain events was not possible when actions were performed with ring(-1) privileges at the VMware API level. The hypervisor works "below" the Windows system, which is why some of those events cannot be recorded in Windows. We have moved away from doing anything this way. Instead, we have focused on the processes and services in Windows that natively run the malicious software, and we analyze their logs.
  • Using a free solution to analyze the logs turned out to be too complicated or impossible given our requirements. We needed a tool that would do specific things: not just analyze the malware's events, but above all detect the product's reaction to a malicious file (i.e. whether the antivirus displayed a warning pop-up or moved the file to quarantine).
  • Tests with a number of security products required a dedicated server, which unfortunately increased the project costs significantly. At this moment our testing application manages the available resources and runs the optimal number of machines at one time, to avoid an unplanned freeze of the system or the hypervisor.

CheckLab.pl/en — the results of over 1000 working hours

The results of our work can be seen on the website https://checklab.pl. The English version is also available at https://checklab.pl/en.

We attach a few screenshots from the backend. We cannot show everything, because programming some of the components cost a lot of money, so they are covered by trade secret.

The output of the ransomware is passed from Windows to the host in order to parse the logs.
The correct reaction of the Avast antivirus to a threat. We copy the system logs and the antivirus logs to the host for parsing.
Detailed logs are stored on the host for full transparency and to obtain accurate results.

Below, we include example output of the testing system. With such details, every developer will be able to analyze any inconsistencies for each tested malware sample. The following example shows the results for Avast Free Antivirus.

[2019-07-23 17:09:57.120] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Fetching snapshots for machine
[2019-07-23 17:09:57.617] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Does snapshot przed exists? Answer: true
[2019-07-23 17:09:57.618] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Snapshot przed found
[2019-07-23 17:09:58.034] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Does snapshot przed_2019-07-22 exists? Answer: false
[2019-07-23 17:09:58.442] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Does snapshot przed_2019-07-23 exists? Answer: true
[2019-07-23 17:09:58.443] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Prepare to restore snapshot: przed_2019-07-23
[2019-07-23 17:09:58.864] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Snapshot has been restored
[2019-07-23 17:09:58.865] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Start tests!
[2019-07-23 17:09:58.866] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Prepare to restore snapshot: przed_2019-07-23
[2019-07-23 17:09:59.300] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Snapshot has been restored
[2019-07-23 17:09:59.301] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Going to start VM
[2019-07-23 17:10:08.093] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - VM has been started
[2019-07-23 17:10:08.095] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Wait for it, next copyWhiteList function call in: in 2 minutes, countdown...
[2019-07-23 17:10:38.101] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Wait for next copyWhiteList function call for: in 2 minutes
[2019-07-23 17:11:08.099] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Wait for next copyWhiteList function call for: in a minute
[2019-07-23 17:11:38.102] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Wait for next copyWhiteList function call for: in a few seconds
[2019-07-23 17:12:08.098] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Starting copy whitelist files from /home/test/BackEnd-develop/src/vmwarerunner/whitelist to C:\Users\perun\Documents\av\obserwator
[2019-07-23 17:12:08.107] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Found 1 files to copy
[2019-07-23 17:12:08.950] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Starting download gFY6J_2019-07-23_exe from http://micro51139soft.com/sandbox/2019-07-23/gFY6J_2019-07-23_exe to C:\Users\perun\Downloads
[2019-07-23 17:12:20.845] [WARN] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Chrome killed, file should be downloaded and saved
[2019-07-23 17:12:20.847] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Start checking if file: gFY6J_2019-07-23_exe exists in C:\Users\perun\Downloads\gFY6J_2019-07-23_exe
[2019-07-23 17:12:21.390] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File gFY6J_2019-07-23_exe has been checked and it's in path C:\Users\perun\Downloads\gFY6J_2019-07-23_exe
[2019-07-23 17:12:21.391] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Starting move gFY6J_2019-07-23_exe from C:\Users\perun\Documents\av\src to C:\Users\perun\Documents\av\dst
[2019-07-23 17:12:22.872] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File gFY6J_2019-07-23_exe moved to C:\Users\perun\Documents\av\dst as gFY6J_2019-07-23_exe.exe
[2019-07-23 17:12:22.873] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Start checking if file: gFY6J_2019-07-23_exe exists in C:\Users\perun\Documents\av\dst\gFY6J_2019-07-23_exe.exe
[2019-07-23 17:12:23.470] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File gFY6J_2019-07-23_exe has been checked and it's in path C:\Users\perun\Documents\av\dst\gFY6J_2019-07-23_exe.exe
[2019-07-23 17:12:23.471] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Start runObserver, timeout: 5 minutes
[2019-07-23 17:12:24.143] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Wait for it, next runSample function call in: in a few seconds, countdown...
[2019-07-23 17:12:36.152] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Starting sample: gFY6J_2019-07-23_exe.exe
[2019-07-23 17:12:38.029] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Sample executed
[2019-07-23 17:12:38.029] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Wait for it, next finishObserver function call in: in 5 minutes, countdown...
[2019-07-23 17:13:08.032] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Wait for next finishObserver function call for: in 5 minutes
[2019-07-23 17:13:38.034] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Wait for next finishObserver function call for: in 4 minutes
[2019-07-23 17:14:08.036] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Wait for next finishObserver function call for: in 4 minutes
[2019-07-23 17:14:38.037] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Wait for next finishObserver function call for: in 3 minutes
[2019-07-23 17:15:08.038] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Wait for next finishObserver function call for: in 3 minutes
[2019-07-23 17:15:38.039] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Wait for next finishObserver function call for: in 2 minutes
[2019-07-23 17:16:08.041] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Wait for next finishObserver function call for: in 2 minutes
[2019-07-23 17:16:38.043] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Wait for next finishObserver function call for: in a minute
[2019-07-23 17:17:08.044] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Wait for next finishObserver function call for: in a few seconds
[2019-07-23 17:17:41.965] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Observer terminated
[2019-07-23 17:17:47.638] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Report converted
[2019-07-23 17:17:48.208] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] We are going to copy raport_timeline.csv file to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/gFY6J_2019-07-23_exe.report.csv
[2019-07-23 17:17:50.969] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File copied as /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/gFY6J_2019-07-23_exe.report.csv
[2019-07-23 17:17:50.970] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Moving sample file from /home/test/BackEnd-develop/src/../malware/sandbox/2019-07-23/gFY6J_2019-07-23_exe to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/gFY6J_2019-07-23_exe
[2019-07-23 17:17:50.972] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File gFY6J_2019-07-23_exe successfully moved from pre_sandbox to sandbox
[2019-07-23 17:17:50.973] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Starting to parse report /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/gFY6J_2019-07-23_exe.report.csv
[2019-07-23 17:17:52.435] [DEBUG] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Report parsed, and have 228 indicators
[2019-07-23 17:17:53.647] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\Amsi.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\Amsi.log
[2019-07-23 17:17:54.408] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\anen.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\anen.log
[2019-07-23 17:17:55.050] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\arpot.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\arpot.log
[2019-07-23 17:17:55.708] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\aswAr.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\aswAr.log
[2019-07-23 17:17:56.876] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\AvastSvc.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\AvastSvc.log
[2019-07-23 17:17:57.751] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\AvastUI.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\AvastUI.log
[2019-07-23 17:17:58.380] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\BCUEngine-trace.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\BCUEngine-trace.log
[2019-07-23 17:17:59.021] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\Browser-Cleanup.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\Browser-Cleanup.log
[2019-07-23 17:17:59.658] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\BugReport.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\BugReport.log
[2019-07-23 17:18:00.285] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\BugReport.status copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\BugReport.status
[2019-07-23 17:18:00.910] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\ccr.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\ccr.log
[2019-07-23 17:18:01.550] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\CommChannel.Protocol.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\CommChannel.Protocol.log
[2019-07-23 17:18:02.176] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\commonpriv.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\commonpriv.log
[2019-07-23 17:18:02.819] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\commonpriv.log.lock copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\commonpriv.log.lock
[2019-07-23 17:18:03.456] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\detections.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\detections.log
[2019-07-23 17:18:05.019] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\event_manager.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\event_manager.log
[2019-07-23 17:18:05.753] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\FilterEngine.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\FilterEngine.log
[2019-07-23 17:18:06.377] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\FwServ.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\FwServ.log
[2019-07-23 17:18:07.033] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\Hns.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\Hns.log
[2019-07-23 17:18:07.798] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\HtmlRemoteContent.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\HtmlRemoteContent.log
[2019-07-23 17:18:08.532] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\idp-removal.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\idp-removal.log
[2019-07-23 17:18:09.218] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\idp2.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\idp2.log
[2019-07-23 17:18:09.892] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\idpagent.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\idpagent.log
[2019-07-23 17:18:10.827] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\idpagent.log.1 copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\idpagent.log.1
[2019-07-23 17:18:11.880] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\idpagent.log.2 copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\idpagent.log.2
[2019-07-23 17:18:12.613] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\idpagent.log.lock copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\idpagent.log.lock
[2019-07-23 17:18:13.426] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\idpagentdetection.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\idpagentdetection.log
[2019-07-23 17:18:14.160] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\idpagentdetection.log.lock copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\idpagentdetection.log.lock
[2019-07-23 17:18:14.788] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\idpagentmonitor.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\idpagentmonitor.log
[2019-07-23 17:18:15.520] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\idpagentmonitor.log.lock copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\idpagentmonitor.log.lock
[2019-07-23 17:18:16.143] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\idpluascript.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\idpluascript.log
[2019-07-23 17:18:16.801] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\idpluascript.log.1 copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\idpluascript.log.1
[2019-07-23 17:18:17.424] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\idpluascript.log.lock copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\idpluascript.log.lock
[2019-07-23 17:18:18.115] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\js_console.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\js_console.log
[2019-07-23 17:18:18.831] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\lim.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\lim.log
[2019-07-23 17:18:19.457] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\mywin.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\mywin.log
[2019-07-23 17:18:20.116] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\opm.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\opm.log
[2019-07-23 17:18:20.739] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\prod_lis.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\prod_lis.log
[2019-07-23 17:18:21.364] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\psi.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\psi.log
[2019-07-23 17:18:21.987] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\psi.log.lock copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\psi.log.lock
[2019-07-23 17:18:22.616] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\removal.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\removal.log
[2019-07-23 17:18:23.348] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\removal.log.lock copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\removal.log.lock
[2019-07-23 17:18:23.974] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\Rep.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\Rep.log
[2019-07-23 17:18:24.598] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\scans.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\scans.log
[2019-07-23 17:18:25.239] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\secapi.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\secapi.log
[2019-07-23 17:18:25.974] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\secapi.log.lock copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\secapi.log.lock
[2019-07-23 17:18:26.595] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\selfdef.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\selfdef.log
[2019-07-23 17:18:27.223] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\StreamFilter.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\StreamFilter.log
[2019-07-23 17:18:27.865] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\StreamingUpdate.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\StreamingUpdate.log
[2019-07-23 17:18:28.489] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\szb.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\szb.log
[2019-07-23 17:18:29.111] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\UITracking.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\UITracking.log
[2019-07-23 17:18:29.739] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\UrlInfoQuery.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\UrlInfoQuery.log
[2019-07-23 17:18:30.363] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\vps.1.etl copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\vps.1.etl
[2019-07-23 17:18:31.004] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\vps.2.etl copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\vps.2.etl
[2019-07-23 17:18:31.628] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\vps.3.etl copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\vps.3.etl
[2019-07-23 17:18:32.253] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\vps.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\vps.log
[2019-07-23 17:18:32.943] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] File c:\ProgramData\AVAST Software\Avast\log\wsc.log copied to /home/test/BackEnd-develop/src/../malware/testing/Avast Free Antivirus/2019-07-23/8b124559bc26103c2a45f32af4d292567f8f0d63f2aa5ff439f8eb516199039f_gFY6J_2019-07-23_exe/17-09-57/c:\ProgramData\AVAST Software\Avast\log\wsc.log
[2019-07-23 17:18:32.944] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Indicators extracted, saving them into db
[2019-07-23 17:18:39.463] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Indicators saved in database
[2019-07-23 17:18:39.464] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Saving summary of indicators into db for Avast Free Antivirus
[2019-07-23 17:18:39.535] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Summary saved in database
[2019-07-23 17:18:39.536] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - [ID:16] Finished test
[2019-07-23 17:18:39.536] [INFO] [TESTING] [fc14cba4-aa85-4369-bceb-c7e907154bd3] [Avast Free Antivirus] - Going to shutdown VM
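The backend log excerpt above has a regular structure. As an added example (not part of the CheckLab backend), here is a small Python parser for that format which groups lines per test run, product and sample, lists the copied log files, measures how long each sample took, and flags samples that never reached "Finished test"; the run id, product name and paths in the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log format shown in the excerpt on this page:
# [timestamp] [LEVEL] [PHASE] [run-id] [Product] - [ID:n] message
# The "[ID:n]" part is optional ("Going to shutdown VM" has none).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]+)\] \[(?P<phase>[^\]]+)\] "
    r"\[(?P<run>[^\]]+)\] \[(?P<product>[^\]]+)\] - "
    r"(?:\[ID:(?P<sample_id>\d+)\] )?(?P<msg>.*)$"
)
COPY_RE = re.compile(r"^File (?P<src>.+?) copied to (?P<dst>.+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_line(line):
    """Split one log line into its fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["sample_id"] = int(rec["sample_id"]) if rec["sample_id"] else None
    return rec


def summarize(lines):
    """Build a per-(run, product, sample) summary from raw log lines."""
    runs = defaultdict(lambda: {"copied": [], "finished": False,
                                "first": None, "last": None, "errors": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sample_id"] is None:
            continue  # unparseable lines and run-level messages are skipped
        s = runs[(rec["run"], rec["product"], rec["sample_id"])]
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        if rec["level"] == "ERROR":
            s["errors"] += 1
        copy = COPY_RE.match(rec["msg"])
        if copy:
            s["copied"].append(copy.group("src"))  # source path on the test VM
        elif rec["msg"] == "Finished test":
            s["finished"] = True
    for s in runs.values():
        s["duration_s"] = (s["last"] - s["first"]).total_seconds()
    return dict(runs)


def incomplete(summary):
    """Samples whose log never reached 'Finished test' (candidates for a re-run)."""
    return sorted(k for k, s in summary.items() if not s["finished"])


# Constructed sample lines in the page's format (run id, product and paths are made up).
SAMPLE_LOG = [
    "[2019-07-23 17:18:06.377] [INFO] [TESTING] [run-1] [Example AV] - [ID:7] "
    "File c:\\ProgramData\\Example\\log\\FwServ.log copied to /home/test/malware/run-1/FwServ.log",
    "[2019-07-23 17:18:07.033] [INFO] [TESTING] [run-1] [Example AV] - [ID:7] "
    "File c:\\ProgramData\\Example\\log\\Hns.log copied to /home/test/malware/run-1/Hns.log",
    "[2019-07-23 17:18:32.944] [INFO] [TESTING] [run-1] [Example AV] - [ID:7] Indicators extracted, saving them into db",
    "[2019-07-23 17:18:39.536] [INFO] [TESTING] [run-1] [Example AV] - [ID:7] Finished test",
    "[2019-07-23 17:18:39.536] [INFO] [TESTING] [run-1] [Example AV] - Going to shutdown VM",
    "[2019-07-23 17:20:01.000] [INFO] [TESTING] [run-1] [Example AV] - [ID:8] "
    "File c:\\ProgramData\\Example\\log\\FwServ.log copied to /home/test/malware/run-1/FwServ.log",
    "[2019-07-23 17:20:05.500] [ERROR] [TESTING] [run-1] [Example AV] - [ID:8] VM did not respond",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for key, s in result.items():
        print(key, len(s["copied"]), "files,", s["duration_s"], "s, finished:", s["finished"])
    print("incomplete:", incomplete(result))
```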

Functioning of our testing system in practice

First stage – sample verification. The testing application launches the analyzer: Sandbox. This is an ordinary operating system with no protection installed, in which we check whether a malware sample qualifies for the next stage (it must be able to infect the system).


Second stage – antivirus testing. The testing application launches the analyzer: Testing. If the sample proved malicious, it is then run against the system with the tested workstation protection solution installed.

Special thanks

Przemysław Czekaj from ProCoder.pl

We would like to express our special thanks to Przemysław Czekaj from ProCode company for programming the whole backend on the basis of our guidelines, and for the additional know-how he brought. His professional approach to the project, from the planning phase through testing and implementation, his active help, and his consulting on how the application works and how to improve it deserve praise. Przemysław’s commitment to the creation and development of the project is why we continue to cooperate. We highly recommend Przemysław for his very good knowledge of the Linux system, as an expert in application design, programming, and the use of third-party APIs.

Rafał Pogroszewski from CreLab.pl

We thank Rafał Pogroszewski for the graphic design of the CheckLab website, logo, and certificates. We actively work with Rafał at AVLab. We recommend his company CreLab for its very good approach to the customer: his examination of requirements before and during implementation of the project is thorough.

Robert Grzegorzak from RoburStudio.com

We thank Robert Grzegorzak for his assistance with the configuration of the website. We have been working with Robert at AVLab for a few years.

SmartBees.pl company

We thank the SmartBees.pl company, which linked the website with the backend. On the basis of the entities in the database they implemented the visualization of charts, tables, and other details. Thanks to their work, the results can be viewed as charts and tables that are understandable to anyone.

Bartłomiej Hawrot from AVLab.pl

We thank Bartłomiej Hawrot for preparing a dedicated server, with different configurations, many times over, and for continuous technical support over the past few years. His knowledge is invaluable, and the experience he gained in managing and configuring government websites translates into the security and performance of our servers.

Mateusz Kurlit from AVLab.pl

Our special thanks go to Mateusz Kurlit for preparing the English version of the CheckLab website. We have been working with Mateusz for several years; he translates almost everything when it comes to articles and tests.

Our regards also go to the other people who shared their knowledge and wished to remain anonymous.

What are our plans for future?

The plans are ambitious, but they require time and money. First of all, we want to provide companies with additional services. In the tests we want to extend the malware delivery vector with additional protocols. This will certainly complicate the automation, so we need time and an additional budget. We want to improve the functionality of the virus analyzer and the logging of Windows events using the publicly available Sysmon tool. We would also like to provide users with an interface for uploading files, which could then be added to our tests. But most of all, we do not want to create a second VirusTotal.

VirusTotal is not suitable for forming an opinion on whether or not an antivirus detects something. We will do our best to prove this below.

On the occasion of various spam campaigns, we can read on many technical websites that “only a few antivirus applications detect the threat”. This is a half-truth, because VirusTotal should not be used to form such opinions. A non-technical person who reads such information may conclude that it is not worth investing in security.

We will prove that the results of a VirusTotal scan bear no relation to the actual reaction of a security product when the threat is run on a real operating system. We conducted similar research in April 2019, and it came in handy when we presented facts about fair testing. At the Check Point Experience 2019 conference in Łódź, we proved that VirusTotal is helpful in analyzing malicious software but is entirely unsuitable for carrying out even amateur tests, because:

We created four threats. Three of them were not detected by the Check Point engine implemented on VirusTotal. In a real-world scenario the Check Point solution detected all four.

Antivirus engines implemented on VirusTotal operate from the command line. As a result, they may not have access to the functionality that forms part of real security suites, which argues for a practical approach to testing. For example, malware that would be blocked by a firewall module in a realistic scenario will not be blocked by the command-line antivirus engine on VirusTotal.

As we read in the official documentation, the antivirus engines on VirusTotal are command-line binary versions. They will not behave exactly the same as the versions we install on computers. In other words, the engines implemented on VirusTotal usually lack a firewall, cloud scanning, a sandbox, HIPS, DLP, script-virus blocking, and other modules.

We are tired of repeating that VirusTotal was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by sending them the malware they have failed to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology.

– source: https://support.virustotal.com/hc/en-us/articles/115002094589-Why-do-not-you-include-statistics-comparing-antivirus-performance

For this reason, we join VirusTotal’s request and remind readers not to issue misleading opinions about security products on the basis of such scans.

This is the first real reason not to rely on the verdict of a VirusTotal scan. The second reason is probably more relevant, but it is not documented:

Malware uploaded to the VirusTotal service through the online panel IS NOT LAUNCHED in certain cases. The service performs a static analysis of the file: checksums are calculated, DLLs are extracted, Windows API functions are listed, and links with other malicious campaigns are revealed. Every file is scanned by the antivirus engines; however, dynamic analysis is performed only for binary files. Consequently, analyzed EXE files will show the virus activity, but VBS scripts, malicious invoices, PDF files, or macro viruses in DOCX files will not always do so.

In our security tests we launch every malicious file and use genuine versions of the antivirus software, i.e. the versions users install on their computers. Then we collect logs from the whole Windows system: from the activity of the malware and from the response of the tested product to the threat. Thanks to this, our tests are popular and enjoy a good reputation in the community and among the developers of protection solutions themselves.

Just one more thing…

The total cost of the project slightly exceeded 100 000 PLN. It is hard to say whether that is a lot or too little; it depends on the size of the budget. On our micro scale, it is a lot of money. The investment was funded from private money (without any subsidies). Now we are just waiting for the tests to be put into practice, to the benefit of users, developers, and our small business.

We encourage you to visit the https://checklab.pl/en website, which is entirely dedicated to security tests. And do not forget about https://avlab.pl, which has continuously played an important educational role since 2012.
