Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Tambu on February 21, 2005, 04:06:46 AM

Title: New Avast User - Not scanning Network files.
Post by: Tambu on February 21, 2005, 04:06:46 AM
Hey All,

I'm testing out Avast 4.63 for the first time. I've been using AVG which I find great but thought I would try another for fun. I have found that if you remove all the lame skins that the memory use is much lower than AVG which is nice. But I've run across what seems to be a serious problem. I know the scanning is working as I downloaded the eicar virus to several different places and whenever I open the folder containing the virus it detects it. However I decided to download it to my linux box which I have shared through SAMBA. After I downloaded the virus, I then went to Explorer and opened \\tambu\tambu and the folder came up with the virus but it never scanned it. I even enabled those annoying popups that show every file being scanned and nothing gets scanned from a windows share. But wait it gets weirder... If I rename the file to eicar2.com instead of eicar.com AVAST actually scans the file but doesn't detect anything?!?!??! I'm like baffled. If I copy the file from my linux share to my windows share Avast detects the virus, and if I force scan the file on the linux share it detects the virus. The really scary thing... I can execute the file without Avast detecting the virus. Could someone please tell me what the heck is going on? I've looked over all the options several times and I can't find any reason for this. I hate to be a killjoy but this is a killer point for me; if Avast doesn't scan networks I will have to go back to AVG.

I currently have P2P Shield, Network Shield, Internet Mail, Standard Shield all running. They are all set to Normal. I tried High but this didn't detect them either.

I also have all the latest updates. Please let me know if I have missed something obvious but I've also put the eicar.com file on my brother's windows machine and go to it via windows sharing and again Avast doesn't detect the virus. (I had to disable his norton antivirus since it kept detecting it :P )

Title: Re: New Avast User - Not scanning Network files.
Post by: Eddy on February 21, 2005, 04:39:55 AM
So you are saying that if you are on the windows system and open the file on the linux system, Avast doesn't detect it?

Do I understand you correctly?
Title: Re: New Avast User - Not scanning Network files.
Post by: Vlk on February 21, 2005, 08:59:19 AM
Yeah, this is because the avast service runs under the "LocalSystem" account which has full access to all local resources but no access to the network. This can be easily changed. Go to Control Panel -> Administrative Tools -> Services, open the properties of the "avast antivirus" service, and on the Log On tab, enter an account that has
- local administrative rights
- at least read-only access to the network resources

This will definitely solve the problem.

BTW if you look at the avast log files, you'll see that an error was logged for each attempt to access a network file, with error code 5 (Access Denied).

Thanks
Vlk
Title: Re: New Avast User - Not scanning Network files.
Post by: Tambu on February 21, 2005, 11:40:10 PM
I did what you suggested and changed the services to the account that I log in as, Tambu, and then restarted the services but it still doesn't detect the network virus. Also I went under my log viewer for Avast and where you said it should be showing Errors, it's blank/empty. I even went and changed the logging to Debug and nothing shows up anywhere but on Warnings (for when I manually scanned the virus file) Notice and Info which contained nothing important. My Tambu user is the Computer Administrator and is the account I log in to the linux shares with.

Also I went over to my brother's machine and I opened up the linux share (he runs NAV2004). It didn't scan the file when I opened the directory but when I tried to run the eicar.com file it instantly found the virus and erased it. Whereas Avast let me run the infected file. I checked under Task Manager and NAV is running as Local Service.

From what you're telling me, it looks like my Avast is just flat out not scanning the files since nothing shows up in the log.

I am gonna try uninstalling and reinstalling AVAST but I don't see how this would help.

Thanks for your input I would appreciate any further thoughts.

Tambu
Title: Re: New Avast User - Not scanning Network files.
Post by: Eddy on February 22, 2005, 02:20:33 AM
Uninstalling/reinstalling won't help, since avast isn't broken.
Are you sure you made the correct changes as Vlk suggested?

You need to set the login permission in services to an account that has administrator rights on the Windows systems, not to the account you use to login to your Linux box.
Title: Re: New Avast User - Not scanning Network files.
Post by: Vlk on February 22, 2005, 09:09:16 AM
Strange really. I've just retested here on our network and it worked just fine (both on-exec and on-copy).
What about Windows shares - does avast see viruses on those?

Thanks
Vlk
Title: Re: New Avast User - Not scanning Network files.
Post by: Tambu on February 23, 2005, 02:26:31 AM
Ok I refollowed the directions and used Administrator as the "Log On As" type for all the Avast programs. I then went and executed the eicar.com file off my linux share and it executed without detecting a virus. I should also note that I activated the popup virus scans on the Standard Shield and it shows Avast as scanning the file and ignoring the virus in it. I appreciate your responses and would ask for more instructions.

As to the second question Yes I can execute the virus off a windows share as well as a linux share.

To show you that I'm not a raving loon I've included several screenshots.  The first screenshot will show: the Computer Management\Services screen with all AVAST set to Administrator, also the Task Manager with all AVAST running as Administrator, It shows the AVAST Popups showing that z:\test\eicar.com is SCANNED and ignored. I even managed to catch the dos screen with the EICAR virus executing and printing out its warning. Hopefully this may help you guys figure out the problem.

1st Screenshot (Shows executing and ignoring of the Eicar.exe virus with AVAST as administrator.)
http://members.cox.net/~tambu/Avast%20Problem.JPG

2nd Screenshot (Shows AVAST running as Local Service with the same effect.)
http://members.cox.net/~tambu/Avast%20Problem%20-%20Local%20System.JPG

3rd Screenshot (Shows what happens when I try to copy the eicar.com file to my Windows Box)
http://members.cox.net/~tambu/Avast%20Problem%20-%20Virus.JPG

I hope these help you guys figure out the problem or tell me what I'm doing wrong. I do a lot of network sharing and if I can't get Avast to scan files properly I can't possibly use it.

Also if AVAST must be running as Administrator to scan network files, why doesn't norton? My brother's computer has Nav2004 and although it doesn't scan the files when I enter the directory it does prevent the eicar.com file from executing and tells me it's a virus. Please don't take this as a flame thing I personally hate norton but I'm just trying to understand. To me network scanning is a requirement and it seems odd that you would not make Avast run as administrator to begin with if it's required.



Thanks
Tambu
Title: Re: New Avast User - Not scanning Network files.
Post by: Vlk on February 23, 2005, 12:17:48 PM
Hi Tambu, first thanks for the screenshots, they were very helpful.
One thing I noticed is that you changed the service log on info to the account ".\Administrator" but you're actually logged on as user "Tambu". Are you sure the user Administrator has access to the network shares? (Tambu presumably does as you have the network share open in one of the Explorer windows :)).
So, provided Tambu has local admin rights, I'd suggest changing the log on account for the service to .\Tambu instead of .\Administrator. Please note that you have to change only the "avast Antivirus" service, the rest will be fine with LocalSystem. Let's see if it makes any difference. :)

Quote
Also if AVAST must be running as Administrator to scan network files, why doesn't norton? My brother's computer has Nav2004 and although it doesn't scan the files when I enter the directory it does prevent the eicar.com file from executing and tells me it's a virus. Please don't take this as a flame thing I personally hate norton but I'm just trying to understand. To me network scanning is a requirement and it seems odd that you would not make Avast run as administrator to begin with if it's required.

Good question. The reason is not very hard to deduce, actually. Norton (starting with version 2003 I believe) moved its on-access scanning engine to kernel mode (runs inside the kernel-mode file system filter driver). Thus, it can access the file in context of the process that made the original request (which is quite good). However, that's probably the only advantage of this approach (maybe together with a slight performance gain). There are a number of cons, though. For example:
- kernel-mode code is quite fragile, in the sense that every bug usually causes a blue screen
- there's no chance of using 3rd party libraries e.g. for unpacking (forget complicated unpackers like RAR, 7ZIP or AsProtect)


Hope this helps,
Vlk
Title: Re: New Avast User - Not scanning Network files.
Post by: Tambu on February 23, 2005, 02:26:26 PM
Hey Vlk,

I have already done the log on user as ./Tambu when you originally said to use a user that has rights. I changed it to Administrator per Eddy's request since he didn't believe Tambu had sufficient rights. Tambu is a Computer Administrator User and has access to all the files. Also Administrator would also have access since these are open shares.  So I believe I've done everything suggested. Is there another option I can try?

Thanks
Tambu
Title: Re: New Avast User - Not scanning Network files.
Post by: Vlk on February 23, 2005, 04:48:53 PM
What if you add COM to the list of extensions that Standard Shield should scan on open?
Would that make any difference?

Also, could you please copy'n'paste the whole file <avast>\data\log\error.log ?

EDIT: I meant warning.log, not error.log

Thx
Vlk
Title: Re: New Avast User - Not scanning Network files.
Post by: Tambu on February 24, 2005, 01:57:03 AM
Ok I added COM to the list of extensions scanned on open. (I also did .COM as it's not clear if you're supposed to include the .) With either way Avast still opens the eicar.com file without finding the virus.

Here is the requested warning.log, Please note that where it says it found the virus was either when I manually scanned the file or when I tried to copy the file to my desktop.

2/21/2005   4:54:08 PM   1109026448   Tambu   3692   Sign of "EICAR Test-NOT virus!!" has been found in "Z:\eicar.txt" file. 
2/21/2005   4:56:41 PM   1109026601   Tambu   3072   Sign of "EICAR Test-NOT virus!!" has been found in "C:\Documents and Settings\Tambu\Desktop\eicar.txt" file. 
2/21/2005   4:56:56 PM   1109026616   SYSTEM   1752   Sign of "EICAR Test-NOT virus!!" has been found in "C:\Documents and Settings\Tambu\Desktop\eicar.com" file. 
2/21/2005   5:04:42 PM   1109027082   SYSTEM   1752   Sign of "EICAR Test-NOT virus!!" has been found in "C:\DOCUME~1\TAMBU\DESKTOP\EICAR.COM" file. 
2/21/2005   5:04:50 PM   1109027090   SYSTEM   1752   Sign of "EICAR Test-NOT virus!!" has been found in "C:\DOCUME~1\TAMBU\DESKTOP\EICAR.COM" file. 
2/21/2005   5:04:57 PM   1109027097   SYSTEM   1752   Sign of "EICAR Test-NOT virus!!" has been found in "C:\DOCUME~1\TAMBU\DESKTOP\EICAR.COM" file. 
2/21/2005   5:04:59 PM   1109027099   SYSTEM   1752   Sign of "EICAR Test-NOT virus!!" has been found in "C:\DOCUME~1\TAMBU\DESKTOP\EICAR.COM" file. 
2/21/2005   5:07:31 PM   1109027251   SYSTEM   1752   Sign of "EICAR Test-NOT virus!!" has been found in "C:\RECYCLER\S-1-5-21-1957994488-1532298954-725345543-1003\Dc46.com" file. 
2/22/2005   7:14:25 AM   1109078065   SYSTEM   1752   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp (E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp) returning error, 0000A48F. 
2/22/2005   7:15:14 AM   1109078114   SYSTEM   1752   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp (E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp) returning error, 0000A48F. 
2/22/2005   7:15:54 AM   1109078154   SYSTEM   1752   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp (E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp) returning error, 0000A48F. 
2/22/2005   7:17:28 AM   1109078248   SYSTEM   1752   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp (E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp) returning error, 0000A48F. 
2/22/2005   7:18:20 AM   1109078300   SYSTEM   1752   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp (E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp) returning error, 0000A48F. 
2/22/2005   7:30:24 AM   1109079024   SYSTEM   1752   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\P2P\Downloads\Temp\Fade Image.fla.A27SX7QDYZCC4ZWDTXOCD7FNRP7KUGEY64QLHYY.dctmp (E:\P2P\Downloads\Temp\Fade Image.fla.A27SX7QDYZCC4ZWDTXOCD7FNRP7KUGEY64QLHYY.dctmp) returning error, 0000A477. 
2/22/2005   7:07:43 PM   1109120863   Administrator   3216   Sign of "EICAR Test-NOT virus!!" has been found in "C:\Documents and Settings\Tambu\Desktop\eicar.com" file. 
2/22/2005   7:12:17 PM   1109121137   SYSTEM   3752   Sign of "EICAR Test-NOT virus!!" has been found in "C:\RECYCLER\S-1-5-21-1957994488-1532298954-725345543-1003\Dc56.com" file. 
2/22/2005   7:44:56 PM   1109123096   SYSTEM   3752   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\P2P\Downloads\Temp\Booting_CD_Windows_95,98,ME,2000,XP.ISO.QVRKOF4CARMXXW5HYUHE7KBYLMZCZOL6NNIWPZQ.dctmp (E:\P2P\Downloads\Temp\Booting_CD_Windows_95,98,ME,2000,XP.ISO.QVRKOF4CARMXXW5HYUHE7KBYLMZCZOL6NNIWPZQ.dctmp) returning error, 0000A48F. 




Thanks
Tambu
Title: Re: New Avast User - Not scanning Network files.
Post by: Tambu on February 26, 2005, 01:33:19 AM
Bump!... Still with me Vlk? I pasted the log file for you. Any new thoughts?
Thanks
Tambu
Title: Re: New Avast User - Not scanning Network files.
Post by: Tambu on February 26, 2005, 03:31:36 PM
Ok I decided to test to see if Avast would work any different on a different computer. I loaded the latest version as of 2/24/05 onto my laptop. I tested to see if it would find the eicar.com virus in my linux or windows share.

1. When opening the directory with eicar.com inside = Not Detected (though NAV or AVG doesn't either)

2. When opening the actual eicar.com file = AVAST fails to detect the virus and opens the file.

3. When copying the file from a Linux Share to another directory on the Linux Share = Avast doesn't find the virus.

4. When copying the file from Linux Share to Windows Share = AVAST finds the VIRUS

I would still love to use this program. I like many of the features it has over other free based scanners but I must get it to scan network files.

Thanks
Tambu
Title: Re: New Avast User - Not scanning Network files.
Post by: Vlk on February 26, 2005, 05:11:34 PM
Hi Tambu,

OK, let's do an experiment.
Please follow these steps:

1. kill all running avast components - namely: ashDisp.exe, ashServ.exe, ashMaiSv.exe and ashWebSv.exe (and also Outlook.exe if you're using Outlook - because of the avast plugin).

2. Download http://www2.asw.cz/misc/aavm4h.zip and extract its contents to the avast folder. It should be possible to overwrite the existing version of Aavm4h.dll thanks to step 1.

3. Restart avast. I.e., from Control Panel -> Administrative Tools -> Services start the "avast! Antivirus" service, and also run ashDisp.exe by directly executing it from the avast folder.

4. Download and run "DebugView" http://www.sysinternals.com/files/dbgvnt.zip

5. Simulate the problem

6. Post the dumps emitted to the DebugView window.


Thanks
Vlk
Title: Re: New Avast User - Not scanning Network files.
Post by: Tambu on February 27, 2005, 07:46:04 AM
Here is the log output as requested. Not sure what the .dll is for but I don't think it, or the logger, is very stable; it locked up my machine the first time I tried your suggestions. I ran the eicar.com file several times (without detection) and then I copied the file to my desktop (which did detect it.)

Thanks for sticking with me Vlk
Tambu


00000354   49.55169833   [484] Called avfilesScanReal - return code 0.
00000355   49.55197686   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000356   49.55231349   [484] C:\WINDOWS\SYSTEM32\WUAUENG.DLL
00000357   49.59138438   [484] Called avfilesScanReal - return code 0.
00000358   49.59166067   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000359   49.59209732   [484] C:\WINDOWS\SYSTEM32\ADVPACK.DLL
00000360   49.59794136   [484] Called avfilesScanReal - return code 0.
00000361   49.59836795   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000362   49.59876604   [484] C:\WINDOWS\SYSTEM32\ESENT.DLL
00000363   49.64860981   [484] Called avfilesScanReal - return code 0.
00000364   49.64888666   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000365   49.64930906   [484] C:\WINDOWS\SYSTEM32\WTSAPI32.DLL
00000366   49.65643762   [484] Called avfilesScanReal - return code 0.
00000367   49.65672201   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000368   49.65821215   [484] C:\WINDOWS\SYSTEM32\WINSTA.DLL
00000369   49.66356534   [484] Called avfilesScanReal - return code 0.
00000370   49.66385057   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000371   49.66427214   [484] C:\WINDOWS\SYSTEM32\NETAPI32.DLL
00000372   49.68186487   [484] Called avfilesScanReal - return code 0.
00000373   49.68216352   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000374   49.68258815   [484] C:\WINDOWS\SYSTEM32\WINSPOOL.DRV
00000375   49.69378622   [484] Called avfilesScanReal - return code 0.
00000376   49.69406531   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000377   49.69446033   [484] C:\WINDOWS\SYSTEM32\SETUPAPI.DLL
00000378   49.73426427   [484] Called avfilesScanReal - return code 0.
00000379   49.73453106   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000380   49.73496687   [484] C:\WINDOWS\SYSTEM32\WINHTTP.DLL
00000381   49.76115819   [484] Called avfilesScanReal - return code 0.
00000382   49.76145516   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000383   49.76188566   [484] C:\WINDOWS\SYSTEM32\WINTRUST.DLL
00000384   49.77773097   [484] Called avfilesScanReal - return code 0.
00000385   49.77804805   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000386   49.77843916   [484] C:\WINDOWS\SYSTEM32\IMAGEHLP.DLL
00000387   49.79315695   [484] Called avfilesScanReal - return code 0.
00000388   49.79342710   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000389   49.79383609   [484] C:\WINDOWS\SYSTEM32\CABINET.DLL
00000390   49.80228269   [484] Called avfilesScanReal - return code 0.
00000391   49.80257463   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000392   49.80306408   [484] C:\WINDOWS\SYSTEM32\MSPATCHA.DLL
00000393   49.80512244   [484] Called avfilesScanReal - return code 0.
00000394   49.80539231   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000395   49.80576274   [484] C:\WINDOWS\SYSTEM32\SFC.DLL
00000396   49.80917239   [484] Called avfilesScanReal - return code 0.
00000397   49.80942690   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000398   49.80979007   [484] C:\WINDOWS\SYSTEM32\SFC_OS.DLL
00000399   49.81651020   [484] Called avfilesScanReal - return code 0.
00000400   49.81679208   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000401   49.81716280   [484] C:\WINDOWS\SYSTEM32\MSIMG32.DLL
00000402   49.82970154   [484] Called avfilesScanReal - return code 0.
00000403   49.83002868   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000404   49.83044577   [484] C:\WINDOWS\SYSTEM32\SHIMENG.DLL
00000405   49.84029507   [484] Called avfilesScanReal - return code 0.
00000406   49.84072417   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000407   49.84114294   [484] C:\WINDOWS\SYSTEM32\MSACM32.DLL
00000408   49.85169735   [484] Called avfilesScanReal - return code 0.
00000409   49.85234604   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000410   49.85277570   [484] C:\WINDOWS\SYSTEM32\WINLOGON.EXE
00000411   49.88099465   [484] Called avfilesScanReal - return code 0.
00000412   49.88136984   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000413   49.88180146   [484] C:\WINDOWS\SYSTEM32\CLBCATQ.DLL
00000414   49.90544748   [484] Called avfilesScanReal - return code 0.
00000415   49.90573215   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000416   49.90610399   [484] C:\WINDOWS\SYSTEM32\COMRES.DLL
00000417   49.92231862   [484] Called avfilesScanReal - return code 0.
00000418   49.93383153   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000419   49.93421203   [484] C:\WINDOWS\SYSTEM32\WUPS.DLL
00000420   49.93693305   [484] Called avfilesScanReal - return code 0.
00000421   52.73680677   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000422   52.73715319   [484] C:\Documents and Settings\Tambu\Desktop\eicar.com
00000423   52.73724314   [484] Called avfilesScanReal - return code 0.
00000424   58.42566360   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000425   58.42601476   [484] C:\RECYCLER\S-1-5-21-1957994488-1532298954-725345543-1003\Dc91.com
00000426   58.42610835   [484] Called avfilesScanReal - return code 0.
Title: Re: New Avast User - Not scanning Network files.
Post by: Vlk on February 27, 2005, 12:27:07 PM
Thanks for the post but I'd probably need you to do the test once more :-\
The thing is - I don't see the files I need here (namely, \\tambu... files) which may be caused by the fact that they were placed in the "virus-free" cache before...

Did you do steps 4 and 5 in this order? That is, didn't you simulate the problem before starting DebugView?

Also, did you see the info messages as on your previous screenshot http://members.cox.net/~tambu/Avast%20Problem.JPG ?

Thanks
Vlk
Title: Re: New Avast User - Not scanning Network files.
Post by: Tambu on February 27, 2005, 04:02:37 PM
How odd. I did do the steps in order; for some reason I didn't get it in the log. Perhaps I didn't scroll down enough when I copied the text. I've redone the test. I executed the eicar.com file several times without it being detected and then I attempted to copy it to my desktop, at which point it was detected.

Thanks for the help
Tambu

[\\BIGGLES]
00000003   8.85534083   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000004   8.85813057   [484] E:\Archives\Utilities\Codecs\[CODEC] Nimo50Build9Beta1.exe
00000005   8.85818114   [484] Called avfilesScanReal - return code 0.
00000006   11.86086081   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000007   11.86102563   [484] \\tambu\tambu\eicar.com
00000008   11.86165253   [484] Called avfilesScanReal - return code 3.
00000009   11.87633708   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000010   11.89171166   [484] C:\WINDOWS\system32\ntvdm.exe
00000011   11.89176110   [484] Called avfilesScanReal - return code 0.
00000012   11.89889832   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000013   11.89954310   [484] C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWMONVD.DLL
00000014   11.89958919   [484] Called avfilesScanReal - return code 0.
00000015   11.90273820   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000016   11.90963321   [484] C:\WINDOWS\SYSTEM32\WINMM.DLL
00000017   11.90968433   [484] Called avfilesScanReal - return code 0.
00000018   11.91303085   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000019   11.91528672   [484] C:\WINDOWS\SYSTEM32\NTVDMD.DLL
00000020   11.91533924   [484] Called avfilesScanReal - return code 0.
00000021   11.91840974   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000022   11.94163588   [484] C:\WINDOWS\SYSTEM32\USERENV.DLL
00000023   11.94551514   [484] Called avfilesScanReal - return code 0.
00000024   11.94556710   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000025   11.94865576   [484] C:\WINDOWS\SYSTEM32\COMMAND.COM
00000026   11.95162933   [484] Called avfilesScanReal - return code 0.
00000027   11.95180114   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000028   11.95224868   [484] C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
00000029   11.95625589   [484] Called avfilesScanReal - return code 0.
00000030   11.95630394   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000031   11.95689312   [484] C:\WINDOWS\SYSTEM32\REDIR.EXE
00000032   11.95697135   [484] Called avfilesScanReal - return code 0.
00000033   11.95881432   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000034   11.96069640   [484] C:\WINDOWS\SYSTEM32\DOSX.EXE
00000035   11.96113333   [484] Called avfilesScanReal - return code 0.
00000036   12.00563787   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000037   12.00872457   [484] C:\WINDOWS\SYSTEM32\COMMAND.COM
00000038   12.00964759   [484] Called avfilesScanReal - return code 0.
00000039   12.01760643   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000040   12.01802464   [484] C:\WINDOWS\system32\MSCDEXNT.EXE
00000041   12.01901359   [484] Called avfilesScanReal - return code 0.
00000042   12.01905577   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000043   12.01962289   [484] C:\WINDOWS\system32\REDIR.EXE
00000044   12.02062217   [484] Called avfilesScanReal - return code 0.
00000045   12.02066380   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000046   12.02254644   [484] C:\WINDOWS\system32\DOSX.EXE
00000047   12.02338677   [484] Called avfilesScanReal - return code 0.
00000048   12.02650868   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000049   12.02664557   [484] \\TAMBU\TAMBU\EICAR.COM
00000050   12.02737918   [484] Called avfilesScanReal - return code 3.
00000051   13.93084624   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000052   13.93391115   [484] C:\WINDOWS\SYSTEM32\COMMAND.COM
00000053   13.93482272   [484] Called avfilesScanReal - return code 0.
00000054   13.94021782   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000055   13.94066760   [484] C:\WINDOWS\system32\MSCDEXNT.EXE
00000056   13.94071174   [484] Called avfilesScanReal - return code 0.
00000057   13.94172919   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000058   13.94230412   [484] C:\WINDOWS\system32\REDIR.EXE
00000059   13.94300561   [484] Called avfilesScanReal - return code 0.
00000060   13.94331766   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000061   13.94630826   [484] C:\WINDOWS\system32\DOSX.EXE
00000062   13.94727989   [484] Called avfilesScanReal - return code 0.
00000063   13.95023921   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000064   13.95037665   [484] \\TAMBU\TAMBU\EICAR.COM
00000065   13.95111669   [484] Called avfilesScanReal - return code 3.
00000066   16.94912342   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000067   16.94950084   [484] C:\Documents and Settings\Tambu\Desktop\eicar.com
00000068   16.94960952   [484] Called avfilesScanReal - return code 0.
00000069   20.79166291   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000070   20.79885432   [484] E:\Archives\Utilities\Codecs\wma8_redist.exe
00000071   20.79941110   [484] Called avfilesScanReal - return code 0.
00000072   28.85914327   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000073   28.86279848   [484] C:\WINDOWS\system32\NOTEPAD.EXE
00000074   28.86341616   [484] Called avfilesScanReal - return code 0.
00000075   28.87920699   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000076   28.88551310   [484] C:\WINDOWS\SYSTEM32\WINSPOOL.DRV
00000077   28.88556423   [484] Called avfilesScanReal - return code 0.
00000078   28.88777680   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000079   28.89120601   [484] C:\WINDOWS\SYSTEM32\SHIMENG.DLL
00000080   28.89125601   [484] Called avfilesScanReal - return code 0.
00000081   28.89407648   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000082   28.89451704   [484] C:\Documents and Settings\Tambu\Recent\dbgview2.log.lnk
00000083   28.89614490   [484] Called avfilesScanReal - return code 0.
00000084   28.90056250   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000085   28.91560017   [484] C:\WINDOWS\APPPATCH\ACGENRAL.DLL
00000086   28.91566666   [484] Called avfilesScanReal - return code 0.
00000087   28.91849579   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000088   28.94207225   [484] C:\WINDOWS\SYSTEM32\OLEAUT32.DLL
00000089   28.94216416   [484] Called avfilesScanReal - return code 0.
00000090   28.94829091   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000091   28.95182544   [484] C:\WINDOWS\SYSTEM32\MSACM32.DLL
00000092   28.95187601   [484] Called avfilesScanReal - return code 0.
00000093   28.95490321   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000094   28.95677104   [484] C:\WINDOWS\SYSTEM32\VERSION.DLL
00000095   28.95692330   [484] Called avfilesScanReal - return code 0.
00000096   28.95993485   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000097   28.99059908   [484] C:\WINDOWS\SYSTEM32\WIN32K.SYS
00000098   28.99065691   [484] Called avfilesScanReal - return code 0.
00000099   31.65571071   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000100   31.65819427   [484] C:\WINDOWS\system32\xpsp1res.dll
00000101   31.66462693   [484] Called avfilesScanReal - return code 0.
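
Added example (not part of the original thread, and not Avast code): a small parser for the three-line DebugView records shown in the trace above, pairing each scanned path with its `avfilesScanReal` return code and listing the paths that came back with anything other than the 0 seen for local files. The thread does not document what the return codes mean, so the sketch only separates 0 from non-zero; the function names and the `SAMPLE` excerpt (lines copied from the post above) are this example's own.

```python
import re
from dataclasses import dataclass

# One DebugView line: sequence number, seconds since capture start, [pid], message.
LINE_RE = re.compile(r"^(\d+)\s+(\d+\.\d+)\s+\[(\d+)\]\s+(.*\S)\s*$")
CALL_MARK = "calling GetFileTimeoutAndValidityW for"
RESULT_RE = re.compile(r"^Called avfilesScanReal - return code (\d+)\.$")

# Excerpt of the trace posted in the thread (not a complete capture).
SAMPLE = r"""[\\BIGGLES]
00000003   8.85534083   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000004   8.85813057   [484] E:\Archives\Utilities\Codecs\[CODEC] Nimo50Build9Beta1.exe
00000005   8.85818114   [484] Called avfilesScanReal - return code 0.
00000006   11.86086081   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000007   11.86102563   [484] \\tambu\tambu\eicar.com
00000008   11.86165253   [484] Called avfilesScanReal - return code 3.
00000009   11.87633708   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000010   11.89171166   [484] C:\WINDOWS\system32\ntvdm.exe
00000011   11.89176110   [484] Called avfilesScanReal - return code 0.
00000048   12.02650868   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000049   12.02664557   [484] \\TAMBU\TAMBU\EICAR.COM
00000050   12.02737918   [484] Called avfilesScanReal - return code 3.
00000066   16.94912342   [484] x_AavmCheckFileDirectEx - calling GetFileTimeoutAndValidityW for
00000067   16.94950084   [484] C:\Documents and Settings\Tambu\Desktop\eicar.com
00000068   16.94960952   [484] Called avfilesScanReal - return code 0.
"""


@dataclass
class Scan:
    seq: int        # DebugView sequence number of the path line
    seconds: float  # timestamp of the result line
    pid: int
    path: str
    code: int


def parse_trace(text):
    """Turn 'calling ... for' / <path> / 'Called ... return code N.' triples into Scans."""
    scans = []
    state, path, seq = "idle", None, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:                      # e.g. the "[\\BIGGLES]" host header
            continue
        n, t, pid, msg = int(m.group(1)), float(m.group(2)), int(m.group(3)), m.group(4)
        if msg.endswith(CALL_MARK):    # start of a new record
            state, path, seq = "want_path", None, None
        elif state == "want_path":     # the line after the call marker is the path
            state, path, seq = "want_result", msg, n
        elif state == "want_result":
            r = RESULT_RE.match(msg)
            if r:
                scans.append(Scan(seq, t, pid, path, int(r.group(1))))
            state = "idle"
        # any other line (e.g. a result whose start was cut off by the paste) is skipped
    return scans


def is_unc(path):
    return path.startswith("\\\\")


def nonzero_by_path(scans):
    """Group non-zero results by case-folded path, since the trace mixes cases."""
    grouped = {}
    for s in scans:
        if s.code == 0:
            continue
        key = s.path.lower()
        entry = grouped.setdefault(
            key, {"path": key, "unc": is_unc(key), "codes": set(), "count": 0})
        entry["codes"].add(s.code)
        entry["count"] += 1
    return sorted(grouped.values(), key=lambda e: e["path"])


def covers_share(scans, prefix):
    """True if the capture contains at least one scan under the given share prefix."""
    return any(s.path.lower().startswith(prefix.lower()) for s in scans)


if __name__ == "__main__":
    records = parse_trace(SAMPLE)
    print("share seen in trace:", covers_share(records, r"\\tambu"))
    for f in nonzero_by_path(records):
        print(f["path"], "unc" if f["unc"] else "local", sorted(f["codes"]), f["count"])
```

`covers_share` is the check for the earlier capture in this thread, where the share path never appeared in the trace at all.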
Title: Re: New Avast User - Not scanning Network files.
Post by: Tambu on February 27, 2005, 04:04:13 PM
On a side note that dbgview.exe program seems to lock up if you click Save As while it's logging. Happened several times now. Just to let you know.

Thanks Tambu
Title: Re: New Avast User - Not scanning Network files.
Post by: Tambu on February 27, 2005, 04:18:57 PM
I guess I never did and you never asked for system specs but just in case it's useful I've included them below.

AMD Athlon 64bit 3500+ (CPU)
MSI NEO K8N Neo2 Platinum (Motherboard)
Corsair DDR400 512meg x 2 (1gig memory)
Western Digital WD750GD (Raptor 10,000RPM) 74GB (Harddrive - Windows)
2x Western Digital 80gig Harddrives (RAID 0) (Harddrive - Games/Storage)
SoundBlaster Audigy 2 MP3 (Soundcard)
Sony DRU-500 DVD+ / - RW
Toshiba DVD-ROM  SD-M1612
Floppy Drive
Network Card 10/100
Windows XP w/ SP2 and all windowsupdate.com

Thanks
Tambu
Title: Re: New Avast User - Not scanning Network files.
Post by: Tambu on March 01, 2005, 03:41:00 AM
A minor bump for progress. Any other info I can provide Vlk?

Tambu
Title: Re: New Avast User - Not scanning Network files.
Post by: Vlk on March 01, 2005, 06:58:55 PM
Hi Tambu, I have just uploaded a modified version of the patch (to the same location - http://www2.asw.cz/misc/aavm4h.zip ).
Do you think you could retry the test?

Maybe it could even solve the problem... :) (maybe not :-[)

Thanks
Vlk
Title: Re: New Avast User - Not scanning Network files.
Post by: Tambu on March 03, 2005, 01:09:22 AM
Ok here we go again. I downloaded the updated .dlls and installed them as previously told. I ran Avast as administrator. I then started the debug program. I then executed several files in my \\tambu\tambu directory and it appears from the debug window it scans those. I then executed the eicar.com virus and it ran without finding the virus. I did this several times. I then executed the eicar.com virus in \\tambu\tambu\test\ and it was executed without a problem. I then manually scanned the eicar.com virus and it found it as a virus.

I hope this helps find the problem.

Tambu

[log text is too long so I've attached it.]
Title: Re: New Avast User - Not scanning Network files.
Post by: Tambu on March 03, 2005, 01:18:20 AM
Btw if it helps feel free to contact me by IM.
My info is in my profile section.

Thanks for the Help.

Tambu
Title: Re: New Avast User - Not scanning Network files.
Post by: Vlk on March 03, 2005, 11:01:33 PM
hmm, from the log it's clearly visible that the attempt to access the network share was rejected with error code 5 - access denied.

I have a question. When you're accessing the network drive (from Explorer or otherwise), can you access it automatically (just like that), or are you asked to fill in username/password details and only after that permitted to access it?


Thanks
Vlk
Title: Re: New Avast User - Not scanning Network files.
Post by: Tambu on March 03, 2005, 11:33:47 PM
Well, if I restart Windows, when I initially connect to \\tambu\tambu it will ask for username and password. However, it will "remember" the password until I restart my system. So basically I log in once per system start and then all my programs can access network drives without a problem.

Tambu
Title: Re: New Avast User - Not scanning Network files.
Post by: Tambu on March 03, 2005, 11:57:16 PM
Bingo! I figured it out. Not sure what you guys will have to do to fix the problem though.

Ok here goes I hope you know about samba.conf on linux

Here is the config for the directories in question with the eicar.com virus

[homes]
   comment = Home Directories
   browseable = yes
   writable = yes

By testing I have found that apparently Avast doesn't use windows networking to access shares. I have found that if I create another share with these options.

[Test3]
 path= /test
 browseable = yes
 public = yes
 read only = yes
 guest ok = yes  <----- This is what makes Avast work.

Then Avast reads the virus and stops the execution. YES!!

Course the problem is you have to enable guest access so it can be read by users that aren't logged in. Not a normal option for Samba or Windows Shares.

I guess other virus programs must use windows networking to access shares so they get the passwords and the problem is avast tries to look for \\tambu\tambu\eicar.com and my linux box spits back it doesn't have access or something so it fails.

I've included another log showing first where it doesn't access the file and then when it does access the file because it has the "guest ok = yes  " enabled.

Please let me know if this is fixable or something I can do to make avast do this? Otherwise will it later be included? As stated before network shares are a requirement for me as I would think it is for others. And since I would be using the computer as a user if I have access to the files they should be scannable by AVAST.

I would point out (and please don't think me bashing I rather like Avast) that both Norton and AVG will both use windows networking to properly scan the files.

Thanks for your responses Vlk
Tambu

PS> Found another feature I rather like apparently if avast detects a virus and you tell it to continue without fixing/repairing the problem it won't let you execute the file after. I found this out when I was trying to test the \tambu\test3\eicar.exe and it gave me windows access errors. I had to stop and then restart AVAST before it would scan and detect the virus. REALLY NICE.
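
Added example (not part of the thread, and not Avast's or Samba's own code): a small audit of the workaround described in the post above. It lists every share that "guest ok" or its synonym "public" opens to clients that have not logged in, and whether that share is also writable. The [scratch] share and its path are constructed for illustration, and [global] defaults are not inherited in this sketch.

```python
# Shares from the post (its "<-----" note removed) plus a constructed [scratch].
SMB_CONF = """\
[homes]
   comment = Home Directories
   browseable = yes
   writable = yes
[Test3]
 path= /test
 browseable = yes
 public = yes
 read only = yes
 guest ok = yes
[scratch]
 path = /srv/scratch
 guest ok = yes
 writeable = yes
"""

TRUE = {"yes", "true", "on", "1"}
# Samba synonyms: normalised parameter -> (canonical name, inverted?)
SYNONYMS = {"guestok": ("guest ok", False), "public": ("guest ok", False),
            "readonly": ("read only", False), "writable": ("read only", True),
            "writeable": ("read only", True), "writeok": ("read only", True)}

def audit_guest_shares(text):
    """Return {share: 'guest-readable' | 'guest-writable'} for guest shares."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            # Samba defaults: guest ok = no, read only = yes
            current = shares.setdefault(line[1:-1].strip(),
                                        {"guest ok": False, "read only": True})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names
            name = "".join(key.lower().split())
            if name in SYNONYMS:  # a later synonym overrides an earlier one
                canonical, inverted = SYNONYMS[name]
                current[canonical] = (value.strip().lower() in TRUE) != inverted
    return {share: "guest-readable" if opts["read only"] else "guest-writable"
            for share, opts in shares.items()
            if opts["guest ok"] and share.lower() != "global"}

if __name__ == "__main__":
    print(audit_guest_shares(SMB_CONF))
```

On the configuration from the post, only [Test3] is reported, as guest-readable; [homes] still requires a login and is not listed.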
Title: Re: New Avast User - Not scanning Network files.
Post by: Tambu on March 05, 2005, 02:37:34 AM
Quick Bump for help.

Thanks for your assistance Vlk
Tambu
Title: Re: New Avast User - Not scanning Network files.
Post by: Tambu on March 07, 2005, 01:31:35 PM
Hey All

Just trying to see if I can get a final response to the solution I've found. I was hoping to hear that there is some option to enable Avast to scan network shares. As I said before, I am concerned that a virus scanner can't scan files that the user who is logged in can scan, especially when it works for manual scan but won't scan on execution. I realize there may not be a solution yet, but I'd just like to know if I should try the next version or something.

Tambu
Title: Re: New Avast User - Not scanning Network files.
Post by: Vlk on March 07, 2005, 01:48:59 PM
Hi Tambu,

there are a couple of inaccuracies in your post.
First, it's not a matter of whether an app uses "Windows Networking" (as you called it) or not. All apps access the network in pretty much the same way. The difference is, however, where from. Logon sessions are associated with so-called desktops. I.e. logged on user, his workspace. A system service runs on a different desktop than the logged on user. This is why the avast service is unable to access the share even though you have already filled in the credentials (on your desktop).

But to discuss the actual problem: I'd say that it's not too relevant whether guest access is enabled or not on the share. The interesting part is, why is the networking manager asking you for username/password in the first place? This is not how it should work - it should open the share automatically, without the need of reentering the logon data every time you start your machine. That is, it should work automatically. Of course, only if the account under which you're logged on on your machine has access to the share (not a different account). Please note that you must have a computer name specified as part of the logon name when specifying the access control list on the server. I.e. COMPUTER\Account, instead of simple Account. Otherwise, the name Account will be considered as an account called Account on the target, not on the machine from which you're making the connection.

Can you check the ACLs on the Samba share and verify this?

Vlk