Author Topic: File System Shield scans archives while told not to scan them  (Read 1017 times)

Offline securitest

  • Newbie
  • *
  • Posts: 19
    • Personal Message (Offline)
File System Shield scans archives while told not to scan them
« on: December 04, 2012, 07:27:46 AM »
Hi,
My system config : WinXP SP3, Avast 7.0.1466

Avast File System Shield (realtime scanner) config :
scan when executing : all 3 options checked
scan when opening : 'docs' + 'all files' checked
scan when writing : 'default extensions' + 'all files' checked
scan when attaching : all 2 options checked
exclusion : none
advanced : 'don't scan system DLLs' un-checked, 'transient caching' checked, 'persistent caching' un-checked
packers : NONE CHECKED (the problem comes from this option)
sensitivity : all 3 options checked

*** The scan archive problem ***
I place a large ZIP file on the desktop : 'BigFile.zip'
I right-click it, the copy and paste it on the desktop (thus creating a copy : 'Copy of BigFile.zip')

I see that 'BigFile.zip' and 'Copy of BigFile.zip' are both scanned
(I can see it in the file system shield traffic and it takes a few seconds)

> question : since no packers are checked, especially the ZIP ones, how is it that both zip files get scanned?
if the 'scan all files on opening/writing' overrides this option it looks like a bad idea.
My intend was to have all files scanned on opening/writing EXCEPT the archives (like the zip file I used for the test).

*** The transient caching problem (not really related to the first problem, except that it makes it worse) ***
Immediatly after creating the first 'Copy of BigFile.zip'
I right-click again 'BigFile.zip' and paste it again on the desktop (thus creating a second copy : 'Copy (2) of BigFile.zip')

I see that 'BigFile.zip' has been scanned again despite the fact that 'transient caching' is active

> this time it look likes a mere bug, Avast does not remember that it has already scanned the file 5 seconds ago.
(I've already made a similar remark about the 'transient caching' in another thread)

*** Conclusion ***
If I copy a 500Mb archive on my system, both the source file and the copied file get scanned, which hangs the system for a long time.
If this copy (or move) operation has been done automatically by a program then I don't even know why my system gets blocked.
(I've got the habit to look at the orange ball in the systray to see if it turning around)

Can anyone replicate this behaviour?
Any advice appreciated.
I won't advertise for Avira (for some other reasons) but this AV has the option to exclude archives from realtime scan.

Offline igor

  • avast! team
  • Serious Graphoman
  • *
  • Posts: 11333
  • Gender: Male
    • AVAST Software
    • Personal Message (Offline)
Re: File System Shield scans archives while told not to scan them
« Reply #1 on: December 04, 2012, 09:00:02 AM »
I don't know what you are trying to achieve, but your setting is... well, I would say "wrong".
Unchecking all the packers for the File System Shield is very wrong (A LOT of malware will go undetected if you uncheck the Self-extracting Win32 executables and Droppers - those two should certainly stay enabled in any case, as they are by default).

On the other hand, checking the option "Test whole files" on the Sensitivity page, together with checking "All files" on open and on write basically causes what you are describing - unnecessary scanning of huge files (the outer content only, without unpacking the compressed data if the particular archive unpacking is disabled). So, you haven't told avast! not to scan archives as the title suggests (on contrary, you told it to scan EVERY file) - you only told it not to unpack the content.
« Last Edit: December 04, 2012, 09:03:04 AM by igor »

Offline securitest

  • Newbie
  • *
  • Posts: 19
    • Personal Message (Offline)
Re: File System Shield scans archives while told not to scan them
« Reply #2 on: December 05, 2012, 08:05:32 PM »
Unchecking all the packers for the File System Shield is very wrong
I unchecked all archives type for the testing purpose (otherwise I would rather leave the self-extracting executable and droppers checked)

"Test whole files" on the Sensitivity page
This is for added security and it does not slow down my system significantly even during boot (I have a basic computer),
unless it scans very big files (hundreds of MB) which are almost always archive files or video files.

the outer content only, without unpacking the compressed data if the particular archive unpacking is disabled
Here I disagree, from the time it takes, the whole Zip file seems to be scanned.
Unless you mean that the WHOLE raw binary datas (without unpacking them) inside the Zip file gets scanned.

So, you haven't told avast! not to scan archives as the title suggests (on contrary, you told it to scan EVERY file) - you only told it not to unpack the content.
This is the interesting point :
------------------------------------
1. would Avast, with the settings I gave, scan the whole Zip files as binary files WITHOUT unpacking them ?
(which would lead to nothing since zip encoding should scramble the virus signatures, probably...)
In this case the thread title could be changed to :
'Is it possible to have the File System Shield scan all files but ignore some archive types (those unchecked in the packers tab) ?'

2. scanning all files except archives seems still highly desirable since these archive files are somewhat 'inert', they are often big,
and their content will be scanned when they will be unpacked (with the possible exception of self-extracting executable and droppers, I don't know).

What I'm trying to achieve, but does not seem possible, is to realtime scan all files and whole files on read/write/execute,
except files recognized as archives by Avast (not from their extension but more securely from their file header).
Archive files would only have their header read by Avast so as to be recognized indeed as archives, and thus ignored by the scan.

I can understand that this option might not be available currently, so it would join the wishlist, if it makes sense of course.

Offline igor

  • avast! team
  • Serious Graphoman
  • *
  • Posts: 11333
  • Gender: Male
    • AVAST Software
    • Personal Message (Offline)
Re: File System Shield scans archives while told not to scan them
« Reply #3 on: December 06, 2012, 09:53:36 PM »
You are right - with these options, the scanner only scans the compressed binary content without trying to unpack it, so yes, it doesn't make much sense since it's rather unlikely the malicious code is visible through the compression layer (unless the file is stored uncompressed).
That's why the option is kinda useless... and we might better get rid if it. The scanning engine already decides what parts of files to scan, according to a file type detection, and I don't really see a point in making it overridable (besides, only a small part of the scanning process is affected by this option anyway).

What you are asking for (skipping archive files completely and not scanning them at all) is indeed not possible.
Also, I don't think it's really a good idea - the archive in question may be a self-extracing (i.e. executable) archive, yet huge - that's also covered by the corresponding unpacker option. You don't want to skip the scanning completely - you want to scan at least the EXE part, because if it were infected by a file infector, you'd get infected as soon as you clicked on it. However, you probably don't need to unpack the whole archive as it would get scanned during extraction.

Offline securitest

  • Newbie
  • *
  • Posts: 19
    • Personal Message (Offline)
Re: File System Shield scans archives while told not to scan them
« Reply #4 on: December 09, 2012, 10:48:41 PM »
Sorry to reply a bit slowly.
I agree with everything you said in your last post.

1. The inert archives (Zip, Rar...)
It does not seem possible to scan all files but completely skip these archive files.
About the setting 'file system shield settings'>'packers' the help file says :
'On this page, you can specify which types of archive file are checked when scanning'
If we are right about the file system shield behavior, this statement is somewhat misleading.

2. The executable archives
self-extracing (i.e. executable) archive [...] you want to scan at least the EXE part
Exactly what I thought : I've a few game installers EXE which are 100MB-500MB,
being able to scan only the EXE part, but not the packed part, would be great.

But, whatever the effect of un-checking the self-extracting executables/droppers in 'file system shield settings'>'packers',
checking the option 'file system shield settings'>'scan when executing'>'scan programs when executing' *should* (I hope) force
the EXE part of the archive to be scanned on execution (not on create/copy/move file).

 

Google Chrome

AVAST recommends using the FREE Google Chrome™ browser.

Download Google Chrome Now