Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: solcroft on May 17, 2007, 03:01:42 AM
-
Hi,
I'm currently trying to completely wipe clean the exclusions list of the Standard Shield for testing purposes. However, the Standard Shield apparently refuses to let me do that - it re-adds some exclusions back to the list automatically every time I remove them all.
Is there some way to get around this problem? Thanks in advance.
-
There are default exclusions as far I know.
Can you check if into avast4.ini file they're listed there (Exclude value into [Common] section): http://forum.avast.com/index.php?topic=1647.msg10256#msg10256
-
I believe that Tech is absolutely right ... there are certain files that the avast team know it is pointless to scan and that scanning of them can never be of any value to anyone.
Given their expert knowledge - and the experience of the industry in general - I doubt if they have provided a work around.
-
I believe that Tech is absolutely right ... there are certain files that the avast team know it is pointless to scan and that scanning of them can never be of any value to anyone.
Oh please. ::)
Turn off avast!'s resident shields and download a malware file. Scan it with avast! to make sure avast! really can detect it. Now rename the file extension to something avast! excludes, I'll use 1.ini here as an example, and save it. Turn the resident shields back on. Open the command prompt, and type "start 1.ini".
Never, you say? ::)
-
I'm sure the average user must do this all the time - not.
But you ask me to deactivate avast before doing this - why would I be so foolish as to deactivate part of avast's protection to indulge in a way you believe the protection of avast can be circumvented?
If you will (oh) please explain to me how this malware can be downloaded to my system and activated with avast's protection active and in a way an avarage user might employ then I will be more than happy to comply with your scenario.
-
I'm sure the average user must do this all the time - not.
But you ask me to deactivate avast before doing this - why would I be so foolish as to deactivate part of avast's protection to indulge in a way you believe the protection of avast can be circumvented?
Of course average users don't do this. It's the black hat hackers who do.
If you have a piece of malware already renamed to .ini, then you don't even need to disable avast!'s Standard Shield to see it fail spectacularly. The whole point of turning it off in the first place was so you could rename the malware in peace without being interrupted by avast!, because AFAIK most malware don't come in .ini files yet (keyword is 'most', some Hupigon variants HAVE been using the .ini extension to camouflage themselves lately). So you could say that this is largely a theoretical weakness at the moment, but it's only theoretical, not because it's impossible to exploit, but because it's not (very) widespread ATM.
-
I modified my post about the same time as you replied.
I will acknowledge the possibility of your suggestion for a first time user where the system has already been infected.
Please re-read my edited post. With avast on - I will allow you no other gotchas - I offer you my system as a test.
Please show me what you want me to do to test out your theory.
-
I modified my post about the same time as you replied.
I will acknowledge the possibility of your suggestion for a first time user where the system has already been infected.
Please re-read my edited post. With avast on - I will allow you no other gotchas - I offer you my system as a test.
Please show me what you want me to do to test out your theory.
If you acknowledge "the possibility of your suggestion for a first time user where the system has already been infected", then by extension you are also acknowledging that any file with the extensions listed in the Standard Shield exclusions have no problem slipping past it. That was my whole point; what else do you want me to prove?
-
Ah, you are not that slippery you can sneak past.
If you are so sure, show me how this this infection gets in with avast active and then activated in the way you describe.
Anything might happen in an already infected system without avast.
Let's assume it is infected before installing avast. Show us how the activation occurs.
All I am asking is for you not to weasel your way round this in words ... infect my system and prove yourself.
I have publicly given you permission - I will not sue you - go ahead and show how it works.
-
Well, apparently it seems that your aim here is to win the debate. ::)
Tell your friend to find a piece of malware. Rename it to any of the extensions excluded by the Standard Shield. Now write two files: 1) an autorun.inf file, pointing to a batch file
[autorun]
open=insert_name_here.bat
and 2) the batch file itself, which uses the "start" command to launch the malware, which had been previously renamed.
Next tell him to copy the 3 files (the inf and bat file, and the malware) to a USB drive. And, assuming you have autorun enabled on your computer, plug the USB drive into your computer.
I don't know of any malicious drive-by downloads which use this method yet, so you'll have to do it by USB. Theoretically, though, I don't see what's stopping a malicious website from similarly downloading an .exe renamed to .tmp or .ini or something similar, then using cmd.exe to invoke it.
Go ahead. Give it a try. I'm looking to answers to questions here, so hopefully this will keep you busy and away for a while.
-
Whatever happens next, whether you infect my system or not I suspect that you do have a valid point point for consideration and that I hope the avast team will respond to it.
While avast tries to be as efficient as possible in its regular scanning, which I applaud, I have long felt that on first installing avast there should be the option of an intense scan that would scan all files on the system. I have almost a terabyte of disk space on my system, I'm sure many have much more. I can imagine the reluctance of many to have the time taken up by such a scan.
Unless you can make a very clear case for the potential pathway for the infection you describe I doubt that many would go for more lengthy scans, especially on a more regular basis and unless your story is a lot more convincing than so far made.
-
I am looking for answers to questions too ... the questions I have put to you. I am not trying to win a debate or prove a point. It, is after all, you who initiated this as a fault you believe you have detected in avast - I am simply asking you to demonstrate it rather than ask anyone to infect a system to prove your point.
You are asking that malware be deliberately inserted on the system without avast having any chance to detect it.
Please tell me how you imagine that, in normal use, that malware gets onto the system in the first place.
Oh, and I'm not planning to go away anytime soon.
-
Whatever happens next, whether you infect my system or not I suspect that you do have a valid point point for consideration and that I hope the avast team will respond to it.
While avast tries to be as efficient as possible in its regular scanning, which I applaud, I have long felt that on first installing avast there should be the option of an intense scan that would scan all files on the system. I have almost a terabyte of disk space on my system, I'm sure many have much more. I can imagine the reluctance of many to have the time taken up by such a scan.
Unless you can make a very clear case for the potential pathway for the infection you describe I doubt that many would go for more lengthy scans, especially on a more regular basis and unless your story is a lot more convincing than so far made.
Well, you could always, you know, walk the walk and actually TRY it, and then see what happens You're welcome to ask if you don't know how to write the files. Obviously, by asking me to prove to you how this could take place in an everyday scenario, you apparently have no idea how non-P2P worms typically spread. This IS an everyday scenario.
And just FYI, this flaw doesn't exist with manual scans, because you can wipe the exclusions list clean so that avast! scans all files. It's the Standard Shield that insists on not letting users delete some exclusions AND scanning files based on extensions rather than content type, that actually causes this loophole.
-
I admit I had not considered the option of USB drive - for which I certainly would not consider the option of autorun. I will have to defer to the avast team on that one for those foolish enough to do so.
-
solcroft,
I do walk the talk. I have offered my system. Tell me a web site to visit, I will provide you with an email address to send me an infected email. I do not use P2P.
Let me know how I might help you prove the point. You are not depending solely on the 'on acess' scanner to make your case are you?
And you do know that the exclusion lists are not effective in the P2P file scanning?
-
solcroft,
I do walk the talk. I have offered my system. Tell me a web site to visit, I will provide you with an email address to send me an infected email. I do not use P2P.
Let me know how I might help you prove the point.
Well, you could start by stopping the round-the-bush beating and try the steps I have outlined. Waiting to hear your results.
And oh, if autorun doesn't work on batch files for you, try writing a go-between vbs script between the inf and the bat. I'm not sure why, but autorun refused to launch the bat file on my system. Telling autorun to run a script than runs the batch file solves the problem for me though.
-
Sorry I have not yet needed a USB key. I transfer files across the network at home and only with trusted individuals across the net - and even then they are scanned as downloaded.
Is the USB key the only path you can come up with - I have offered other ways.
-
Sorry I have not yet needed a USB key. I transfer files across the network at home and only with trusted individuals across the net - and even then they are scanned as downloaded.
Is the USB key the only path you can come up with - I have offered other ways.
I don't know of any malicious websites that serve malware with .ini filenames at the moment, and I'm not savvy enough to create one on the fly, unfortunately.
Still waiting for your results. Doesn't necessarily have to be a USB drive, that's just what commonly happens. ANY drive will do, including your HDD. I'm waiting.
-
solcroft,
given the thought you have clearly put into this would you not suggest that any system user should not allow autorun and instead perform a thorough scan of a USB drive before using any data/executables on it?
Have you done this with your example of an infected USB drive? Did it get past the avast scan?
-
I'm currently trying to completely wipe clean the exclusions list of the Standard Shield for testing purposes. However, the Standard Shield apparently refuses to let me do that - it re-adds some exclusions back to the list automatically every time I remove them all.
Is there some way to get around this problem? Thanks in advance.
Basically, the questions already contains the answer. Yes, avast! puts the default set of exclusion back when all the exclusions are removed. So, if you keep one exclusion at least (could be your own one, pointing to an non-existend folder maybe, it should be kept intact.
some Hupigon variants HAVE been using the .ini extension to camouflage themselves lately
Any more info on these?
-
You and Igor appear to be in much closer time zones than I am to you (it is 1.20 am here in California). I will leave you to chat with Igor and review the thread when I am around again and see what has transpired in the discussion.
Maybe it is time I got a USB drive.
-
Basically, the questions already contains the answer. Yes, avast! puts the default set of exclusion back when all the exclusions are removed. So, if you keep one exclusion at least (could be your own one, pointing to an non-existend folder maybe, it should be kept intact.
Thanks for the tip, I'll try it out. Still, I think this is an issue that warrants attention; I'd never have realized avast! re-added the exclusions by itself if I hadn't renamed a few malware file extensions purely on a whim.
Any more info on these?
It depends on what you're after. They're just fairly standard Hupigon samples, with (I'd imagine) some tweaks to the code here and there, maybe an extra packer or two, and, of course, dropping fake .ini files (which were actually simply renamed executables) instead of .exe files as they used to do.
solcroft,
given the thought you have clearly put into this would you not suggest that any system user should not allow autorun and instead perform a thorough scan of a USB drive before using any data/executables on it?
Have you done this with your example of an infected USB drive? Did it get past the avast scan?
That wasn't what I asked. You were the one who claimed never, and then threw out a challenge to me to prove you wrong. So go ahead. Try it. Walk the talk, like you claim you do. I'm waiting for your results.
-
A final couple of thoughts before I sleep.
This is a two way street, neither of us jumps to the others commands. I have made several offers to assist you to try to show me how the infection would get onto my system with avast up and running and where avast has the opportunity to scan the data being added to my system. You seem to have ignored my questions about whether you are relying solely on the 'on access' scanner as the only protection in avast and my comment about P2P scans.
Your point still appears to be that the infection must be deliberately introduced onto the system before avast can scan it.
It may well be that, in scanning the conversation, Igor may tell you that you have found a way round the defenses of avast. If he does then I need to perform no test. On the other hand, if later today the issue is still under discussion I will go ahead and test with your deliberate infection suggestion.
-
A final couple of thoughts before I sleep.
This is a two way street, neither of us jumps to the others commands. I have made several offers to assist you to try to show me how the infection would get onto my system with avast up and running and where avast has the opportunity to scan the data being added to my system. You seem to have ignored my questions about whether you are relying solely on the 'on access' scanner as the only protection in avast and my comment about P2P scans.
Your point still appears to be that the infection must be deliberately introduced onto the system before avast can scan it.
It may well be that, in scanning the conversation, Igor may tell you that you have found a way round the defenses of avast. If he does then I need to perform no test. On the other hand, if later today the issue is still under discussion I will go ahead and test with your deliberate infection suggestion.
All I can say is, the one who's trying to weasel around now looks very suspiciously to be you. ;)
You claimed to be a man of action, yet for one who accused people of trying to weasel around you seem to be quite wordy and articulate now, and with precious little to be seen in terms of real action; none at all, in fact. So go ahead. Pretend that you believe the USB drive is malware-free, and stick it into your autorun-enabled computer, leaving avast! on all the time. Still waiting for your results here.
-
Result is : let's take a walk Solcroft. You outsit too long in front of monitor and radiation etched your nerve cells maybe a second head starting grow up. (it could be serious u should do something with it) :-[
-
Hi solcroft,
thanks for reporting this - it's indeed an interesting issue. Well in fact two issues. The first being the inability to prune the default exception list (of which we were sort of aware) and the second, more serious, the one with the "start" command being able to launch a file with arbitrary extension. This is indeed an oversight on our part, and should be fixed.
We'll try to think of a viable solution for the next update.
Cheers
Vlk
-
Even though Vlk has noted the potential of this threat and the need for improved detection of it I thought I would still perform the test.
While I was drifting off to sleep it occurred to me that this threat must have existed since the year dot.
Before I proceed let me advise others reading through this ... don't do this at home.
Anyway ...
1) I turned off all avast protection.
2) I recovered from my store a piece of malware.
3) I renamed the malware to 1.ini (as requested by solcroft)
4) created the bat file to start 1.ini
5) placed the files on a USB drive
6) I turned back on avast protection
I could have gone to the trouble to make it autorun - I did not - I will return to it in a moment.
7) I started the bat file from the USB drive.
The result was the malware file (1.ini) was opened (without any warning from avast) and - on my system - was instantly displayed as a screenful of hex characters in my favorite text editor.
After that I then made a "right click" on the USB drive and selected the avast scan from the context menu. avast immediately produced its warning popup window and alarm reporting the infected 1.ini file.
Why did it not perform as solcroft expected? I had to go lookup the start command to find out why.
To be fair to solcroft in most systems it probably would. In my system I have associated .ini files with my favorite text editor since it recognizes the format of .ini files and gives me a nice color coded display of them. However, anyone could avoid the specific .ini file issue by simply associating the .ini file with Notepad.exe. The start command simply opens up the program specified for the filetype ... so as it says in the help file ...
start WORD.DOC
would open up the program associated with .DOC files. In my case, for 1.ini, it opened my text editor.
The autorun issue.
As I noted earlier in the thread this test required me to turn off avast protection in order to introduce the malware into my system. As reported above, avast's quickscan picked up the infected 1.ini file. solcroft did specify that the USB device should be autorun. With this there would be no chance for the user to scan the device before it started executing whatever was on it. I believe that the malware filetype would have to be one that was considered innocuous by avast and not have a managing program associated with the filetype - solcroft may have done more research on other filetype exposure.
This exposure has existed since autorun came along - it could even have been done with a diskette (if the user did not bother to scan the diskette). I am a little surprised that it has not been closed yet.
This is not the first concern that has been raised with autorun and USB devices. Were I running a home system where my children were inviting friends over and sharing information on USB devices I suspect I would not permit autorun on the system.
I am glad to see the response from avast that they will be seeking a solution and I look forwarding to seeing it in the next release.
In the meantime - the other avast shields, the Webshield, the P2P scanner and the Internet Mail scanner can all help prevent the malware getting into our systems in the first place - along with using quickscan.exe on all files downloaded. Still best to be very wary about whose USB keychain devices you allow on your system.
-
The result was the malware file (1.ini) was opened (without any warning from avast) and - on my system - was instantly displayed as a screenful of hex characters in my favorite text editor.
Interesting... but not very honest of you. The "start" command checks the content type of the file being launched, instead of its extension type. If you rename a real .exe file with a PE file header to .ini, .tmp or any other extension you care to think of, the "start" command will STILL launch it as an .exe file, instead of checking its associations as you claim it does.
Eagerly awaiting the next version of avast!.
-
Sir,
at best you are unforgiving to question my honesty. I will refrain from further description of your honor, though I will question your capacity in software testing.
I have just, from the start, repeated my tests that followed your requests to the letter. The results are identical.
I see nothing in the documentation that says the start command checks the content type as priority. I have reported precisely as my Windows XP fully up to date SP2 system has responded.
-
I will refrain from further description of your honor, though I will question your capacity in software testing.
So will I, mine good sir, so will I. ;)
Would you mind sending the afore-mentioned file to me, by any chance?
-
I believe that my participation in this forum speaks more for my willingness to test many conditions with avast (and thereby to risk my system) and to report the results with veracity than anything this individual can question with any degree of belief.
Rather than indulge in any further barbs with this person and to try to retain this forum as a place of friendly debate I will leave the field open to the original poster - come what may.
-
Further to the last post of solcroft I will provide to the avast team - should they request it - every scrap of my system details, settings, logs etc and every piece of testing I have done in connection with this thread.
-
I'm afraid I have to agree with solcroft on this one. The way start seems to behave is that:
1. normally, it uses the program associated with the file extension (and if there's none associated, it asks the user what program should it open it in)
2. however, if the file is a valid DOS/Win16/Win32 application (i.e. has a MZ header), it really executes it regardless of the extension, and its association settings.
This doesn't seem to be documented anywhere (in official MS documentation - or did I miss something?), but I was able to verify this behavior by analysing the implementation of the start command; it first uses the CreateProcess API function, used to execute applications; only if this call fails, it tries to use the ShellExecute function which uses the extension association settings.
BTW alan, one explanation of the fact that it didn't work on your machine would be that (maybe) you used a COM file virus (and not EXE) [e.g. eicar.com] - as COM files don't have any recognizable headers, it would behave exactly as you described.
Thanks
Vlk
-
Vlk,
you have hit on it in one ... the virus I used was a com file ... sorry that I didn't comply with the unspecified parameters of the original poster ... I must try harder.
-
Thanks for confirmation - I'm glad it's at least consistent.
BTW solcroft, how'd you find out about this behavior? I have to confess I was not aware of this, and it IS an important detail... :-[
Cheers
Vlk
-
Thanks for confirmation - I'm glad it's at least consistent.
BTW solcroft, how'd you find out about this behavior? I have to confess I was not aware of this, and it IS an important detail... :-[
Cheers
Vlk
No particularly clever methods involved, to be honest. It was just by chance.
-
BTW the way we plan to fix this is that each entry in the exception list would also have a bit mask RWX (read, write, execute) and this way it would be possible to choose on which of these actions will the exclusion take place.
The default extensions would be RW only.
-
Good move!
Next point release or next big release?
-
Thanks for the update. If only the virus analysts at Alwil respond this fast to malware submissions... :-[
Just out of curiosity, why not do it the way many other vendors do, and include an option to scan files based on content-type rather than extension? Is there any particular reason why the "regular" solution isn't adopted in this case?
-
The scan itself is somehow content based - but the exclusion list is meant for excluding; if you want to exclude a known "grey-area" program, or even a false alarm - you want to exclude it even when it's an executable file.
-
Just out of curiosity, why not do it the way many other vendors do, and include an option to scan files based on content-type rather than extension? Is there any particular reason why the "regular" solution isn't adopted in this case?
First, which "other vendors" are you refering to, exactly?
Now, there's no "content-type" concept in Windows, really. To determine a file's content-type the AV would need to open the file, read a chunk of its data and based on what's read, decide of what type it is. This is generally not too fast (but in fact, it is done by avast in certain cases, e.g. while recognizing on-exec (looking for the MZ header) and OLE files on-open (looking for the OLE "d0cf11e" signature)).
But how would that help in the context of scan exceptions?
-
Thanks for the update. If only the virus analysts at Alwil respond this fast to malware submissions...
I wasn't sure at the beginning, but now I'm positive this is solcroft from Wilders' ;D
But of course, this is a valid point, too. I sometimes keep asking the same question myself. :-\ Things are moving forward, though. Infrastructure changes are on the horizon and I believe the improvements it eventually brings will be quite dramatic.
-
First, which "other vendors" are you refering to, exactly?
But how would that help in the context of scan exceptions?
AFAIK, KAV and Avira do this, for one. As for how it would help in the context of scan exceptions, though... my bad, I was thinking of something else when I was typing that post. Guess I got a bit mixed up.
-
OK.
As for specification of what to scan - avast uses the content-type concept, too, of course.
This is what the "Normal" scan sensitivity does.
Quick = based on extensions (no other files are opened)
Normal = based on content-type (all files are opened, content-type is determined and potentially infectable files are scanned)
Thourough = all files are scanned (no matter of extensions and content-types)
Cheers
Vlk
-
OK.
As for specification of what to scan - avast uses the content-type concept, too, of course.
This is what the "Normal" scan sensitivity does.
Quick = based on extensions (no other files are opened)
Normal = based on content-type (all files are opened, content-type is determined and potentially infectable files are scanned)
Thourough = all files are scanned (no matter of extensions and content-types)
Cheers
Vlk
Aha, so that's what that slidebar does.
I've always wondered that myself. ;D Personally I've always preferred my applications tell me exactly what their options mean, like "scan extensions only", "scan by content" and "scan all files", but I suppose it's not as "user-friendly", so to speak...
-
Yep, we somehow expected the average Joe to hit F1 in case of doubt... :)
Plus, the Enhanced UI (available in Professional Edition only) lets you customize just about everything...
-
I think that it is worth adding for solcroft's information that the avast scanner provided for a "quickscan" in the context menu for a device/folder/file is in fact a thorough scan as defined by Vlk.
In the case, for example, of a USB device added to the system and thus scanned it would detect a malware signature in a file named 1.ini (agreed it would be bypassed as noted in the autorun case).
This is also the scanner recommended to avast users for scanning all downloads.