Author Topic: Possible bug - Continuous access denying after cleaning infected ZIP archive  (Read 6190 times)

Offline NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5494
  • Whatever will be, will be.
Bug report from Japanese forums:
Even after an infected ZIP archive is cleaned by the File System Shield (on-access), access to the cleaned ZIP archive continues to be denied.
* "Scan all archive" in the File System Shield enabled
With on-demand scan this symptom does not happen.

If we open the file properties, change the file name or save the File System Shield settings, we can access the cleaned ZIP again.
Windows 7 x64 (Original poster's computer)
avast! Free Anti-virus

I confirmed this symptom. I know we shouldn't use an infected ZIP file, so I already told this to the OP.
Original Post (in Japanese forums):
http://forum.avast.com/index.php?topic=66271.0


Edited: deleted another wrong bug report
« Last Edit: November 17, 2010, 01:41:39 AM by NON »
Desktop: Win10 Pro 22H2 64bit / Core i5-7400 3.0GHz / 32GB RAM / Avast 23 Premium Beta(Icarus) / Comodo Firewall
Notebook: Win10 Pro 22H2 64bit / Core i5-3340M 2.7GHz / 12GB RAM / Avast 23 Free / Windows Firewall Control
Server: Win11 Pro 23H2 64bit / Core i3-4010U 1.7GHz / 12GB RAM / Avast One 23 Essential

This explains Avast's settings. Please take a look if you like.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Well I would ask why enable scanning zip/archive files in the file system shield in the first place. Archived files are inert by their nature and until they are opened, their contents extracted and any executable run, then they present no immediate risk.

Long before that happens the file system shield would have scanned any newly created file (the act of extraction to your hard disk) and also scanned any executable before it is allowed to run.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5494
  • Whatever will be, will be.
Thanks for the reply.

Quote
Well I would ask why enable scanning zip/archive files in the file system shield in the first place. Archived files are inert by their nature and until they are opened, their contents extracted and any executable run, then they present no immediate risk.

Long before that happens the file system shield would have scanned any newly created file (the act of extraction to your hard disk) and also scanned any executable before it is allowed to run.
Yeah, mostly agreed.
If I were the OP I wouldn't scan all archives on-access, though I want avast to scan all archives on-demand (i.e. default full scan).
You may feel we (I?) are somewhat paranoid... there are some people who worry about something or other that seems a groundless fear. ;)

Since I got a bug report on Japanese forum, I thought I should at least report it here.
« Last Edit: November 21, 2010, 04:55:27 AM by NON »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Could you please add some more details? Such as:
- what was inside of that ZIP archive (only one infected file, multiple infected files, one infected and other clean files, nested archives with infected files, ...)
- what was the detection (name) on the infected file?
- what exactly does it mean "cleaning" - delete, move to chest... or repair?
- the "All archives" option in the File System Shield (which I wouldn't really recommend to use, but doesn't matter) only enables archive unpacking... so was also the ZIP extension added to "Scan when opening" or "Scan when writing"? (or was the "Scan all files" option checked in one of those windows?)
- was the initial detection triggered when accessing (e.g. opening) the ZIP file, or when writing (e.g. copying) it?

bong2x

  • Guest
@NON
Do you mean like this (see picture)?
In that case the explanation is, there is an update in every software. Protected to avoid the corruption.
And no anti virus can take that off.

regards!!!

Offline NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5494
  • Whatever will be, will be.
Thanks for the reply.

@igor
I asked the OP to add this information. As far as I could confirm, the details are as follows:

Inside of the zip archive:
One or two infected file(s) (eicar / real malware) and one clean file (plain text file).

Detection Name:
Eicar / Win32:Small-NEG [Trj]

Action:
Delete / Move to chest.

Quote
- the "All archives" option in the File System Shield (which I wouldn't really recommend to use, but doesn't matter) only enables archive unpacking... so was also the ZIP extension added to "Scan when opening" or "Scan when writing"? (or was the "Scan all files" option checked in one of those windows?)
Firstly I checked "Scan all files", next I added the ZIP extension to the "Scan when opening" option ("Scan all files" unchecked).
Now I uncheck both options, but the alert continues... ???

It seems avast continues to scan added extensions even if I uncheck "Scan with custom extensions" :(
If I delete the added extensions, avast stops scanning them.


Initial detection trigger:
Accessing. No alert when copying (I didn't add extensions to "Write" section).


@bong2x
Quote
Do you mean like this (see picture)?
Unfortunately not.
This is related to the on-access scan, not the on-demand (right-click) scan.
« Last Edit: November 17, 2010, 11:59:36 AM by NON »

Offline NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5494
  • Whatever will be, will be.
Reply from the Op came.

Inside of the zip archive:
One infected file + one clean file
Two infected files + two clean files (in a directory)

Detection Name:
Win32:Parite

Action:
Move to Chest / Delete / Repair

Settings:
Only "All archives" option enabled.
No additional extensions added (both opening and writing), "Scan all files" unchecked.

Initial detection trigger:
Opening ZIP archive.

Offline NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5494
  • Whatever will be, will be.
Is there any news or required information, igor?

Offline NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5494
  • Whatever will be, will be.
Sorry for bumping up this old topic, but this issue still persists with 6.0.1000... :-\

Please fix this...