Avast WEBforum
Topic started by: XMAS on June 03, 2006, 07:47:45 PM
-
Hello to all :)
I've just noticed one very strange thing. While I was browsing one site with a virus collection (I was collecting virus samples that avast! does not detect - and unfortunately, out of the 60 viruses that I've tested, avast! detected only 50; I'll send the samples later today) I found 2 viruses that the Web Shield doesn't detect, but when I do a manual scan once the file is downloaded, avast! detects the virus. How is this possible - avast! Quick Scanner detects the sample, but the Web Shield does not detect it?
Here is the link to the folder with the samples (the link is not a direct link to the virus, and the link is written with spaces so that no one can click it by mistake)
http:// www. vx.netlux.org /vl.php?dir=Trojan-Dropper.Boot.InstallDisk - the folder contains 4 samples; the first two and the last are not detected by the Web Shield. Can anyone confirm this, or is it only happening to me? :-\
BTW I am using Firefox 1.5.0.4
-
I believe it's caused by the fact that the quick scanner scans as thoroughly as possible (it has the "Ignore virus targetting" flag set, for example).
Web Shield, on the other hand, scans only for the relevant viruses in the downloaded files... and since the link you posted leads to some boot viruses... it's rather unlikely to get infected by a boot-virus using a web browser :)
It's just a theory, I didn't really check the code.
-
I believe it's caused by the fact that the quick scanner scans as thoroughly as possible (it has the "Ignore virus targetting" flag set, for example).
Web Shield, on the other hand, scans only for the relevant viruses in the downloaded files... and since the link you posted leads to some boot viruses... it's rather unlikely to get infected by a boot-virus using a web browser :)
It's just a theory, I didn't really check the code.
OK, thanks for the answer Igor :)
But, for example, the 3rd sample in the folder is a boot-virus too and it's detected by the Web Shield.
-
Might be a hybrid variant (a boot-virus that also infects files)...
-
Might be a hybrid variant (a boot-virus that also infects files)...
OK, thanks again ;D
-
Web Shield, on the other hand, scans only for the relevant viruses in the downloaded files...
Does this mean that Web Shield does not make use of the entire signature database that avast! has, instead using only a limited amount of those signatures?
-
It is not about Web Shield; avast! tasks have various sensitivity options (you can change them for custom tasks in the Enhanced User Interface). One of the options is to "Ignore virus targetting" - which means to look for everything everywhere. By default, however, avast! scans the particular object for the malware that may infect it (or rather, it doesn't scan for the malware that certainly cannot infect it). For example, it doesn't make much sense to scan .COM files for macroviruses, does it? Similarly, scanning files (e.g. those checked by the Web Shield) for boot viruses that can exist on the boot sector only... is not really necessary.
So, I'm trying to say that it's not a limitation... but rather some kind of optimization of the scanning process.
-
Igor, maybe this should be the difference between Normal and High mode (slider in Web Shield). Normal with virus targeting and High without it for a bit more thorough scan. Just a thought to make use of those sliders ;)
-
It is not about Web Shield; avast! tasks have various sensitivity options (you can change them for custom tasks in the Enhanced User Interface). One of the options is to "Ignore virus targetting" - which means to look for everything everywhere. By default, however, avast! scans the particular object for the malware that may infect it (or rather, it doesn't scan for the malware that certainly cannot infect it). For example, it doesn't make much sense to scan .COM files for macroviruses, does it? Similarly, scanning files (e.g. those checked by the Web Shield) for boot viruses that can exist on the boot sector only... is not really necessary.
So, I'm trying to say that it's not a limitation... but rather some kind of optimization of the scanning process.
Perfectly understood. I appreciate you taking the time to explain that. I knew the difference between scanning by file extensions and all, but never knew it was optimized quite like that. And it does make perfect sense to me. No point in wasting resources.
Thanks,
Dave
-
Scanning by file extensions
In fact, avast recognizes the contents and doesn't just 'read' the extension; it identifies the content ;)
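-
The targeting behaviour explained in the thread (scan an object only for the malware that can infect it, and identify the object by content rather than by extension), as an added example that is not part of the original thread and is not avast! code. The signature names, byte markers, object kinds and samples are all constructed for illustration.

```python
# Toy signature scanner with "virus targeting" (added illustration).
# Nothing here is a real signature or avast! logic; all values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    targets: frozenset  # object kinds this malware family can infect

SIGNATURES = [
    Signature("Toy.Boot.A", b"TOY-BOOT-MARK", frozenset({"boot_sector"})),
    Signature("Toy.Macro.B", b"TOY-MACRO-MARK", frozenset({"ole_document"})),
    # Hybrid family: infects boot sectors and executable files.
    Signature("Toy.Hybrid.C", b"TOY-HYBRID-MARK",
              frozenset({"boot_sector", "executable"})),
]

def identify(data: bytes, from_disk_sector: bool = False) -> str:
    """Classify an object by where it came from and what it contains,
    never by its file name or extension."""
    if from_disk_sector:
        return "boot_sector"
    if data[:2] == b"MZ":
        return "executable"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":  # OLE2 header
        return "ole_document"
    return "other_file"

def scan(data: bytes, ignore_targeting: bool = False,
         from_disk_sector: bool = False) -> list:
    """Return the names of matching signatures. With targeting on (default),
    signatures that cannot apply to this kind of object are skipped."""
    kind = identify(data, from_disk_sector)
    return [s.name for s in SIGNATURES
            if (ignore_targeting or kind in s.targets) and s.pattern in data]

# Constructed samples: a boot-sector image saved as a file, and a hybrid dropper.
BOOT_DUMP = b"TOY-BOOT-MARK".ljust(510, b"\x00") + b"\x55\xaa"
HYBRID_EXE = b"MZ" + b"\x00" * 30 + b"TOY-HYBRID-MARK"

if __name__ == "__main__":
    print("download, targeted:   ", scan(BOOT_DUMP))
    print("download, everything: ", scan(BOOT_DUMP, ignore_targeting=True))
    print("real boot sector:     ", scan(BOOT_DUMP, from_disk_sector=True))
    print("hybrid, targeted:     ", scan(HYBRID_EXE))
```

The downloaded boot image is missed only by the targeted scan, while the hybrid sample is caught either way, which matches the difference the thread describes between the Web Shield and the Quick Scanner.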