Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Lars-Erik on December 21, 2003, 07:31:18 PM

Title: Virus got into system past avast! :-/
Post by: Lars-Erik on December 21, 2003, 07:31:18 PM
We got the common mail supposed to be from MS containing the Swen32 worm. When someone clicked the Pack65.exe file in the mail program (Agent) it gets written to Windows/Temp (by the mail program) and avast! detected it at once (as it should). BUT I couldn't delete it from the avast! dialog warning as it was in use by Windows, and a full scan showed that it was in memory and that several Windows files had been infected/renamed already (of course avast! repaired this OK).

BUT the question is WHY did the virus get into memory and WHY did avast! allow the virus file to be started.

I have scanning on both writing and opening EXE files turned on, and the warning was shown, but apparently the virus started in the background anyway (while avast! displayed the message). Doesn't avast! stop all action in the background? And shouldn't I have gotten a second virus warning (the file was first saved from the mail-program to Windows/Temp, and then it was run from Windows/Temp after that)?

Suddenly I'm a bit unsure about avast!.  McAfee NEVER let a virus into the system, even if I ran it from the mail program.

Any explanation?  Any settings that are wrong?

If this can happen inside a mail-program, the same thing will happen if someone clicks a .EXE file on a web-page (it also first gets saved in a folder, and then executed from there)
Title: Re:Virus got into system past avast! :-/
Post by: Culpeper on December 21, 2003, 07:39:58 PM
I have no idea!  I've received that same virus via email on at least three different occasions without any adverse effects.  And I used the delete option offered by the Avast warning screen and ran a full scan afterwards.

I'm assuming you're using Avast on an internal network system and not just an ISP?
Title: Re:Virus got into system past avast! :-/
Post by: Walker on December 21, 2003, 07:45:51 PM
> I've received that same virus via email on at least three different occasions without any adverse effects.

I agree Culpeper, Avast has taken care of this virus for me on a couple of occasions.. .. no problem  ;D ;)

W.
Title: Re:Virus got into system past avast! :-/
Post by: Lars-Erik on December 21, 2003, 07:46:07 PM
I'll add that I don't use the mail-scanner. So the virus was detected on double-click on an attachment in a message, when that file was written to the temp directory before being started - but again - it got started anyway - even with scan on both "write file" and "open file" on "exe" type.

In mail I can fix this by using the mail-scanner too, but when using web-mail or clicking on files on web-pages they get written to "Temporary Internet Files" and then started. And if the detection of a virus during saving of a file will not stop it from running anyway (that takes an "open" as well) then the protection is not that good (it doesn't help to detect a virus if the file can still be saved and started in the background - all access to the file should be halted at once)
Title: Re:Virus got into system past avast! :-/
Post by: Culpeper on December 21, 2003, 07:52:42 PM
> I'll add that I don't use the mail-scanner. So the virus was detected on double-click on an attachment in a message, when that file was written to the temp directory before being started - but again - it got started anyway - even with scan on both "write file" and "open file" on "exe" type.
>
> In mail I can fix this by using the mail-scanner too, but when using web-mail or clicking on files on web-pages they get written to "Temporary Internet Files" and then started. And if the detection of a virus during saving of a file will not stop it from running anyway (that takes an "open" as well) then the protection is not that good (it doesn't help to detect a virus if the file can still be saved and started in the background - all access to the file should be halted at once)

Lars:

I agree and will refer to the programmers to address your problem when they return to the forum.  That is a very common infected file and shouldn't have been executed.  Were there any other factors involved that may have circumvented Avast via human error or perhaps a setting within Avast?
Title: Re:Virus got into system past avast! :-/
Post by: Lars-Erik on December 21, 2003, 08:02:46 PM
Have double checked. Basic settings are set to scan all executables on open, and advanced is set to scan all standard types on create/modify.

BTW:  I'd like a new check-box in Advanced. Under "Scan files on open" I'd like the "Default extension set" here as well (so that all common file types can be scanned on open too; it's not obvious what files are scanned on open today)
Title: Re:Virus got into system past avast! :-/
Post by: Walker on December 21, 2003, 08:05:47 PM
Culpeper,

What about the 'Advanced' setting tab (in resident task settings). Aren't temp *.tmp files in the exclusion list?

W.
Title: Re:Virus got into system past avast! :-/
Post by: Culpeper on December 21, 2003, 08:07:48 PM
> Have double checked. Basic settings are set to scan all executables on open, and advanced is set to scan all standard types on create/modify.
>
> BTW:  I'd like a new check-box in Advanced. Under "Scan files on open" I'd like the "Default extension set" here as well (so that all common file types can be scanned on open too; it's not obvious what files are scanned on open today)

Okay, I see.  You will need to address this directly with the Avast Team members on this one because it is obviously a serious problem and they need to communicate with you directly.
Title: Re:Virus got into system past avast! :-/
Post by: Lars-Erik on December 21, 2003, 08:14:09 PM
*.tmp files are in exclusion, but it was saved as a .exe file, and avast! DID detect it when it was saved (and/or opened), but the problem is that it still was executed (it got into memory, and managed to change some system files). And I did NOT click any other buttons than "Delete" and "Move to chest" - and then I got a "avast! unable to ..... file" (because it was in use I guess). So the code inside did get executed.
Title: Re:Virus got into system past avast! :-/
Post by: Culpeper on December 21, 2003, 08:16:06 PM
> Culpeper,
>
> What about the 'Advanced' setting tab (in resident task settings). Aren't temp *.tmp files in the exclusion list?
>
> W.

Under the Advanced setting tab for the Standard Shield I do not have .tmp as an exclusion.  However, .tmp files are not included in the Blocker tab default extension set, and the setting to allow the operation if Avast cannot ask what to do is on.
Title: Re:Virus got into system past avast! :-/
Post by: Culpeper on December 21, 2003, 08:18:54 PM
> *.tmp files are in exclusion, but it was saved as a .exe file, and avast! DID detect it when it was saved (and/or opened), but the problem is that it still was executed (it got into memory, and managed to change some system files). And I did NOT click any other buttons than "Delete" and "Move to chest" - and then I got a "avast! unable to ..... file" (because it was in use I guess). So the code inside did get executed.

Lars:

What operating system are you using?
Title: Re:Virus got into system past avast! :-/
Post by: Lars-Erik on December 21, 2003, 08:29:19 PM
I use Win98se (english language version)
Title: Re:Virus got into system past avast! :-/
Post by: Walker on December 21, 2003, 08:38:35 PM
On my system, you have to be very daft or determined to run an exe file from the temp folder. Windows tells me it's a security risk and unsafe!
Title: Re:Virus got into system past avast! :-/
Post by: Lars-Erik on December 21, 2003, 08:44:22 PM
Yes, I don't do that either (the mail program warns about it). But not everyone reads warnings. And if you select to run the attachment it is first saved to a file (and is caught by the anti-virus already then) and THEN it's run (and should be caught by the anti-virus again since it's an exe-file). But when I heard the virus-alert (only once) the virus was already in the memory and avast! couldn't delete the file (because it was in use). Tried to delete it from Explorer as well and got a "file is in use by Windows". Strange anyway.
Title: Re:Virus got into system past avast! :-/
Post by: Walker on December 21, 2003, 08:56:46 PM
Whilst I can see what this is all about, my opinion is it's impossible for any piece of software to prevent humans doing what they do best.. .. ignore warnings!

Personally, I think it very ambiguous to say that it 'got past Avast'. Seems the warnings were there and Avast DID catch it.

Just mho from what I understand from the post.
Title: Re:Virus got into system past avast! :-/
Post by: Lars-Erik on December 21, 2003, 09:10:20 PM
1) The warning about opening attachments was from the mail program (and was ignored, but that could happen; maybe someone thought it was a real file, maybe it was a document, maybe someone was using Outlook Express :-)

2) The virus warning from avast! WAS correctly understood. "Delete" was selected, but did not work (error message). And that's what I'm complaining about. A virus program that catches a virus SHOULD prevent further access to that file. And if it does - how did the virus get to be activated and change system settings and several files?

I like avast! (else I wouldn't use it). But if it lets viruses run in the background while displaying the warning then it's not the program for me anyway (and that would be real sad).
Title: Re:Virus got into system past avast! :-/
Post by: Walker on December 21, 2003, 09:28:13 PM
> 2) The virus warning from avast! WAS correctly understood. "Delete" was selected, but did not work (error message). And that's what I'm complaining about.

Now this is a different slant on the original post(s). If this is all you're complaining about then so be it. As Culpeper says, no doubt the Alwil team will have a reply.

> A virus program that catches a virus SHOULD prevent further access to that file.

This I don't accept. What if it was a 'false alarm', would you then be happy not being able to get into a valid file? I don't think so  8) .

I also ask, as did Culpeper, is this on a network or the Server edition of Avast.

BUT I repeat... mho  8)
Title: Re:Virus got into system past avast! :-/
Post by: Culpeper on December 21, 2003, 09:39:26 PM
Yeah, I'm a little confused.  I get the impression that Lars is a network administrator.  That someone else on the network actually got the Avast warning?

I'm very prejudiced and I'll assume that Avast wouldn't let something as common as the Swen virus run in the background.  But I have been wrong in my assumptions before and will let the experts investigate alongside Lars what happened here.
Title: Re:Virus got into system past avast! :-/
Post by: Lars-Erik on December 21, 2003, 09:41:41 PM
To the second quote. If you CHOOSE to continue accessing the file of course you should be able to. But when you choose "Delete" (or another choice to remove the virus) then there should be no way for that virus to get active.

Now, we don't exactly know what happened. But say that when we pressed "Delete" and avast! gave the error message about not being able to delete the file, the control was then passed back to the system, making further execution of the infected file possible - that would be bad.

The only way a detected file should be able to be executed should be when the user answers the virus alert message with "Continue access anyway" (or something similar), right?

BTW:  Just to clarify, this IS on my home PC (but I'm not the only one living here; I'm a developer/tech, I know what not to open, I could have lived without an anti-virus - I think anyway :-)

My system is a Win98se, avast! resident scanner, Zone Alarm, and I'm connected to the world through a cable-modem.
Title: Re:Virus got into system past avast! :-/
Post by: Culpeper on December 21, 2003, 09:44:42 PM
> To the second quote. If you CHOOSE to continue accessing the file of course you should be able to. But when you choose "Delete" (or another choice to remove the virus) then there should be no way for that virus to get active.
>
> Now, we don't exactly know what happened. But say that when we pressed "Delete" and avast! gave the error message about not being able to delete the file, the control was then passed back to the system, making further execution of the infected file possible - that would be bad.
>
> The only way a detected file should be able to be executed should be when the user answers the virus alert message with "Continue access anyway" (or something similar), right?

Yes, I agree.  What are your settings in the Blocker tab for the Standard Shield provider?  I'm curious about the setting for whether the operation should be continued or not if Avast is unable to warn.

Okay, I see.  You're on a single machine with an ISP.
Title: Re:Virus got into system past avast! :-/
Post by: Lars-Erik on December 21, 2003, 09:48:05 PM
Now my blocker settings are for all operations. But that's a bit annoying since you get messages for every operation (programs DO open/write/rename/delete files all the time).

But with the previous standard settings (no blocking) avast! still should stop access to files when a virus is detected, right?

I'll run with block warning on every access now to be a bit more sure (then we will get lots of warnings on writes :-)
Title: Re:Virus got into system past avast! :-/
Post by: Culpeper on December 21, 2003, 09:50:21 PM
Get rid of ZoneAlarm!  Especially if you're using the free version.  It allows selected IPs that pay ZoneAlarm for the privilege.  They may be trusted by ZoneAlarm but that is moot.  That would make ZoneAlarm free edition a platform for their own trusted spyware.
Title: About Zone Alarm, SpyWare etc
Post by: Lars-Erik on December 21, 2003, 09:53:01 PM
Have no bad experiences with Zone Alarm. Frequently scan for SpyWare with AdAware, but most ads and stuff never reaches my browser as I use WebWasher to filter it out.
Title: Re:Virus got into system past avast! :-/
Post by: Culpeper on December 21, 2003, 09:53:36 PM
> Now my blocker settings are for all operations. But that's a bit annoying since you get messages for every operation (programs DO open/write/rename/delete files all the time).
>
> But with the previous standard settings (no blocking) avast! still should stop access to files when a virus is detected, right?
>
> I'll run with block warning on every access now to be a bit more sure (then we will get lots of warnings on writes :-)

I'm not sure on that one, Lars.  My theory is that Avast was unable to give another warning because a file was already in memory and since it was set to allow the operation if Avast couldn't warn then it got executed upon opening.  Just a theory though.  
Title: Re:About Zone Alarm, SpyWare etc
Post by: Culpeper on December 21, 2003, 09:58:03 PM
> Have no bad experiences with Zone Alarm. Frequently scan for SpyWare with AdAware, but most ads and stuff never reaches my browser as I use WebWasher to filter it out.

I'm just warning that the free version of ZoneAlarm has preconfigured settings that are beyond your control.  That organizations pay ZoneAlarm to preconfigure access past the firewall settings.   It will not show up as spyware on any scans.  For example, XYZ Advertising Inc., gets to see your IE history without your knowledge because they have paid ZoneAlarm to program access past the firewall.  This is just an arbitrary example.

See my following posts/links.
Title: Re:Virus got into system past avast! :-/
Post by: Culpeper on December 21, 2003, 10:12:03 PM
Food for thought:

http://www.itsolvers4u.com/security/Firewalls/ZoneAlarmSpyWare.htm
Title: Re:Virus got into system past avast! :-/
Post by: Culpeper on December 21, 2003, 10:15:26 PM
> Many people first notice something is up when they install a firewall, such as ZoneAlarm, which only lets programs with explicit permission access the net.

http://news.bbc.co.uk/2/hi/in_depth/sci_tech/2000/dot_life/2487651.stm
Title: Re:Virus got into system past avast! :-/
Post by: Culpeper on December 21, 2003, 10:17:20 PM
And just to give ZoneAlarm a fair shake but you should read the entire page especially the part about Media Metrix and TrueVector technology.

http://www.grc.com/zonealarm.htm
Title: Re:Virus got into system past avast! :-/
Post by: Walker on December 21, 2003, 10:54:32 PM
> To the second quote. If you CHOOSE to continue accessing the file of course you should be able to. But when you choose "Delete" (or another choice to remove the virus) then there should be no way for that virus to get active.

As the legal profession would say... 'already asked and answered'. I've agreed that if 'delete' didn't work then it is an issue for the Alwil guys to address. I've also given my opinion on what you 'previously' asked, which was "A virus program that catches a virus SHOULD prevent further access to that file.", which I disagree on. These were two different responses to two separate sentences that you wrote, which I replied to as such (separately).

> The only way a detected file should be able to be executed should be when the user answers the virus alert message with "Continue access anyway" (or something similar), right?

I still disagree with you (depending upon exactly what you mean by 'something similar') in as much as a file caught by 'false alarm' (NOT one that you have chosen to delete, but this hasn't happened) should still be accessible from quarantine or the 'chest'.

> My system is a Win98se, avast! resident scanner, Zone Alarm, and I'm connected to the world through a cable-modem.

OK, so this is Avast 'Home' or 'Pro' on a single machine? To refer back to your earlier comments about an executable being activated on a web site (and I am open and happy to be corrected on this), the Pro version has the 'Script Blocker', which is not in the Home version. So until an .exe file is run from your local machine, it can only remain a 'script' and the Pro version should, I assume, deal with it. Note: I'm not referring to an .exe file that has been downloaded/sent with e-mail etc., or that Avast should have deleted at your behest.

Title: Re:Virus got into system past avast! :-/
Post by: Waldo on December 22, 2003, 04:41:20 PM
It is indeed easy to make a mistake and press "the wrong button" when alerted for a possible virus. Everybody gets scared by a message like that.

It's also possible that AVAST did detect it, but let it run anyway... also, I doubt that. This must be investigated by the vendors of Avast.

These 2 reasons for the possible worm infection Lars-Erik got give more strength again to the thing I always say: layered defence!

It's correct that Avast shouldn't let viruses & worms run (especially well known worms) but I don't believe this ever happened in the past.

If you had had the freeware Abtrusion Protector nothing would have happened (if you by mistake pressed the wrong button):

http://www.abtrusion.com/

or :

http://maxcomputing.narod.ru/ssme.html

or some commercial Anti-trojan with memory/process scan (resident guard).

Waldo

Title: Re:Virus got into system past avast! :-/
Post by: Lisandro on December 22, 2003, 06:52:58 PM
> These 2 reasons for the possible worm infection Lars-Erik got give more strength again to the thing I always say: layered defence!
>
> If you had had the freeware Abtrusion Protector nothing would have happened (if you by mistake pressed the wrong button):
> http://www.abtrusion.com/  or  http://maxcomputing.narod.ru/ssme.html
> or some commercial Anti-trojan with memory/process scan (resident guard).
> Waldo

Nice links! Thanks Waldo. We are also joined to layered defences!
Title: Re:Virus got into system past avast! :-/
Post by: igor on December 22, 2003, 08:48:31 PM
A few notes to the original question:
I'll check the corresponding code when I get back to work, but I believe avast! would never allow an infected program to execute. Of course, it may fail detecting a (new) virus, but if it detects the virus, it will deny access to it. There's no "Continue" button that would allow it.

I can check if this "Agent" client (where can it be downloaded from, btw?) doesn't use some special method to execute its attachments, but I really doubt it (I think all the possible methods are covered now; and even if they weren't, avast! wouldn't detect the virus - and it did).

To me, it seems more likely that the Swen worm was active before (it could have been started before avast) - and the warning was given by avast! at the moment it was trying to spread (execute another instance of itself, maybe?)

That wouldn't explain how Swen could have got to the computer in the first place, of course...  ???
Title: Re:Virus got into system past avast! :-/
Post by: techie101 on December 22, 2003, 10:17:05 PM
Lars,

This might help clarify things a bit.  The worm activates when a victim launches the infected file (double clicking on the file attachment) or when a victim machine's email application is vulnerable to the IFrame.FileDownload vulnerability (also exploited by the Internet worms Klez and Tanatos). Once run, Swen installs itself in the system and begins its propagation routine. You can download the patch released in March 2001 for the IFrame vulnerability: Microsoft Security Bulletin MS01-020.

The worm blocks many anti-virus programs and firewalls. Its algorithm and parts of the code text are almost identical to that of another Internet worm called I-Worm.Gibe, although the programming language used is different.

From your posts, the Swen was activated and started propagating almost immediately, even as Avast sounded the alarm.  The "delete" worked; however, if you study the characteristics of Swen, then you will realize that it spreads quickly, mutates, and can disable some AVs, or "hide" itself from the AV by changing the format coding.

I also noticed that you said you do not use the Avast mail scanner?
Is this correct?  Why don't you use it?  It is one of the best protection features of Avast.

techie
Title: Re:Virus got into system past avast! :-/
Post by: Lars-Erik on December 22, 2003, 11:43:33 PM
1) I use Agent as my mail-client. It doesn't do any preview or in any other way open attached files until they are saved to disk. So when someone chose to open the attachment it was saved to WINDOWS\TEMP, and that triggered avast! (as it should). After an attachment is saved then the mail-program will try to execute it. But we shouldn't have gotten this far, should we? As avast! was triggered when the file was saved. And even if it got saved it should trigger avast! when it was opened again too (I scan on both "write" and "open"). So to start it had to get past TWO times (if the file was not allowed to be saved AND opened even after avast! showed the warning).

2) The "Delete" option DID NOT work. It just gave an error message (because by then the file had been executed and was locked). But how could it be executed WHILE avast! was showing the virus warning and no one clicked anything?

3) Mail-scanner might be nice, but it will only stop mail coming through a configured POP3/SMTP client. My girlfriend uses web-mail. And then this would have happened anyway if she clicked an executable attachment (it would first be saved in "Temporary Internet Files" and then run from there). And if the same had occurred then it would not have been stopped.

I'm not trying to be unfriendly towards avast!  I'd just like to figure out how the virus could start when the file was BOTH saved to disk AND THEN opened from disk (to be executed). avast! should have stopped both those operations, right?

The only explanation I have is that the saving and opening for execution continued in the background while avast! was waiting for us to choose an action in the virus warning box. And that scares me - every file I/O should be stopped then.
Title: Re:Virus got into system past avast! :-/
Post by: techie101 on December 23, 2003, 12:12:47 AM
Lars,
> So when someone chose to open the attachment it was saved to WINDOWS\TEMP, and that triggered avast! (as it should).

And also the Swen32 virus!

Yes, I can yield to your view.  However, just keep in mind that the Swen32 is a nasty little thing that CAN activate even when not opened by the user.  This is fact!  All it needs is to be downloaded and saved.  Avast did detect it, however, when you deleted the virus (and it is only conjecture on my part) the Swen had already started to spread and mutate.  Avast stopped the original exe coded virus but some of the little buggers got out.  You said Avast alerted you when the virus was saved.  That is correct.  It would not alert you again because Avast will not let you execute an infected file. You stated that you got the "locked file" message.
I know you want to go round and round with this, but I have had Avast for some time now and it has stopped viri on many occasions without any computer damage or corruption.  Sometimes a file will not "delete" for different reasons: passworded, active, locked, in the Restore directory and others.  But until you can figure out HOW to delete the virus, Avast will not let it do damage.

Also, you are also correct about webmail.  Unfortunately, Avast cannot scan an email client not configured by POP3 and SMTP.

I wish I could offer a better explanation, but maybe there really isn't any!  

Thank you for your input,
techie
Title: Re:Virus got into system past avast! :-/
Post by: igor on December 23, 2003, 12:22:08 AM
I think the "Created/modified files scan" works a little different than you expect. As I already explained somewhere, the scan is performed after the file is written (can't be reasonably done better) and it's probably non-blocking (not completely sure about this one - Vlk may have some more info). I.e. the virus warning is rather informative-only in this case.

The other ones (scanning on open/execute) do deny the access to the file, however, so the file should never be executed, if infected.

As I said... I'll check it later, but I believe the original scenario went a little different than it appeared.

techie: Having unfixed Outlook is bad (though it wasn't the case here), but I think the executed attachment should be caught anyway, and not allowed to be started.
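The distinction igor draws above (a "created/modified files" scan that runs after the write and only notifies, versus a "scan on open/execute" check that denies access) and the "allow operation if avast! is unable to ask" setting Culpeper asked about earlier are easier to reason about with a small model. The following is an added toy model written for this thread, not avast!'s code: the hook names, the extension sets, the `.tmp` exclusion and the constructed SIGNATURE marker are assumptions made for the illustration.

```python
"""Toy model of a resident (on-access) scanner with two hooks: a post-write
"created/modified" scan that can only alert, and a pre-open "scan on open/execute"
check that can deny access. Constructed illustration, not avast!'s code; the hook
names, extension sets and SIGNATURE marker are assumptions for the model."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed marker standing in for a virus signature; any file containing it is "infected".
SIGNATURE = b"SWEN-TEST-MARKER"


@dataclass
class ScannerConfig:
    scan_on_write_exts: frozenset   # extensions scanned after create/modify (notify only)
    scan_on_open_exts: frozenset    # extensions scanned before open/execute (can deny)
    exclusions: frozenset           # extensions never scanned (the "*.tmp" exclusion)
    allow_if_cannot_ask: bool       # fail-open when the scanner has no UI to prompt with


@dataclass
class Scanner:
    cfg: ScannerConfig
    ask_user: Optional[Callable[[str], str]]  # None means nobody can answer the alert
    events: list = field(default_factory=list)

    @staticmethod
    def _ext(path: str) -> str:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        return name.rsplit(".", 1)[-1].lower() if "." in name else ""

    @staticmethod
    def _infected(data: bytes) -> bool:
        return SIGNATURE in data

    def after_write(self, path: str, data: bytes) -> None:
        """Post-write hook: the bytes are already on disk, so this can only raise an alert."""
        ext = self._ext(path)
        if ext in self.cfg.exclusions or ext not in self.cfg.scan_on_write_exts:
            return
        if self._infected(data):
            self.events.append(("alert-on-write", path))

    def before_open(self, path: str, data: bytes) -> bool:
        """Pre-open hook: True allows the open/execute, False denies it."""
        ext = self._ext(path)
        if ext in self.cfg.exclusions or ext not in self.cfg.scan_on_open_exts:
            return True
        if not self._infected(data):
            return True
        if self.ask_user is None:
            # No UI: the "allow operation if unable to ask" setting decides (fail-open vs fail-closed).
            decision = "allow" if self.cfg.allow_if_cannot_ask else "deny"
        else:
            # Only an explicit "continue" lets the file through; "delete"/"chest" both deny.
            decision = "allow" if self.ask_user(path) == "continue" else "deny"
        self.events.append((decision + "-on-open", path))
        return decision == "allow"


class ToyFS:
    """Minimal file system that routes writes and executes through the scanner hooks."""
    def __init__(self, scanner: Scanner):
        self.scanner = scanner
        self.files: dict = {}
        self.executed: list = []

    def write(self, path: str, data: bytes) -> None:
        self.files[path] = data               # the write lands first ...
        self.scanner.after_write(path, data)  # ... then the notify-only scan runs

    def execute(self, path: str) -> bool:
        data = self.files[path]
        if not self.scanner.before_open(path, data):
            return False                      # denied before any code runs
        self.executed.append(path)
        return True


def run_scenario(scan_on_open_exts, allow_if_cannot_ask, ask_user,
                 path=r"C:\WINDOWS\TEMP\Pack65.exe"):
    """Save an infected attachment to TEMP, then try to run it. Returns (events, ran)."""
    cfg = ScannerConfig(
        scan_on_write_exts=frozenset({"exe", "com", "scr", "dll", "vbs"}),
        scan_on_open_exts=frozenset(scan_on_open_exts),
        exclusions=frozenset({"tmp"}),
        allow_if_cannot_ask=allow_if_cannot_ask,
    )
    scanner = Scanner(cfg, ask_user)
    fs = ToyFS(scanner)
    fs.write(path, b"MZ" + SIGNATURE)   # the mail client saves the attachment ...
    ran = fs.execute(path)              # ... then tries to launch it
    return scanner.events, ran


if __name__ == "__main__":
    print(run_scenario({"exe"}, False, lambda p: "delete"))  # alert on write, denied on open
    print(run_scenario({"exe"}, True, None))                 # nobody to ask, fail-open: it runs
    print(run_scenario({"exe"}, False, None))                # nobody to ask, fail-closed: denied
    print(run_scenario(set(), False, lambda p: "delete"))    # write-scan only: alert, then it runs
```

The model makes three points concrete. A write-time detection cannot prevent the write it is reporting, so on its own it is informative only; only the pre-open check stands between the saved file and its execution. If that check is scoped by extension (or defeated by an exclusion such as `*.tmp`), a file outside the scope runs with no prompt at all. And when no one can answer the alert, the "allow if unable to ask" switch is exactly the fail-open versus fail-closed choice: with it on, the detected file runs; with it off, it is denied.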
Title: Re:Virus got into system past avast! :-/
Post by: Lars-Erik on December 23, 2003, 12:28:38 AM
>Yes, I can yield to your view.  However, just keep in mind that the Swen32 is a nasty little thing that CAN activiate even when not opened by the user.  This is fact!

How? The code is NOT executed when a file is saved. And we are not talking Outlook Express here either. When I save an attachment from Forte Agent, the code is read from the mail database (where it cannot be executed) and written to a file (that is not executed yet). Where should the virus code have been executed (I'm a bit curious, this is really interesting)? Do you mean it executed while coming through the POP3 port already, and if yes - how, and how do you protect against that (even a mail scanner would be too late to catch that, but this seems a bit far fetched)?

I have received viruses by mail before, and saved them (to test, only save - not save & execute) without any trouble (stopped by McAfee). And this includes several worms as well. So I'm not convinced. If I still had the mail I would have tried to save it once more (only "save", no "open") to see - well, they keep coming from time to time so :-)

I would very much like to contribute to making avast! even better by finding out what really happened here, so if there is anything I could test or do to reveal more detail - say so.

Anyway, avast! did a good job cleaning up the virus though.
Title: Re:Virus got into system past avast! :-/
Post by: Culpeper on December 23, 2003, 06:22:57 AM
> It is indeed easy to make a mistake and press "the wrong button" when alerted for a possible virus. Everybody gets scared by a message like that.
>
> It's also possible that AVAST did detect it, but let it run anyway... also, I doubt that. This must be investigated by the vendors of Avast.
>
> These 2 reasons for the possible worm infection Lars-Erik got give more strength again to the thing I always say: layered defence!
>
> It's correct that Avast shouldn't let viruses & worms run (especially well known worms) but I don't believe this ever happened in the past.
>
> If you had had the freeware Abtrusion Protector nothing would have happened (if you by mistake pressed the wrong button):
>
> http://www.abtrusion.com/
>
> or :
>
> http://maxcomputing.narod.ru/ssme.html
>
> or some commercial Anti-trojan with memory/process scan (resident guard).
>
> Waldo

Is there anything like the freeware Abtrusion Protector that is for Win98 also?  The Abtrusion website states it is for Win NT, XP and 2000.
Title: Re:Virus got into system past avast! :-/
Post by: whocares on March 01, 2004, 12:47:48 PM
> BTW:  I'd like a new check-box in Advanced. Under "Scan files on open" I'd like the "Default extension set" here as well (so that all common file types can be scanned on open too; it's not obvious what files are scanned on open today)

Second the motion...!!
(Although in the board there are numerous postings as to the default list, which you could just copy and paste in the "scan on open" fields) ;)