Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Omik on May 17, 2003, 10:09:42 PM

Title: Eicar test file
Post by: Omik on May 17, 2003, 10:09:42 PM
Hi again
Shouldnt the eicar test file be nuked at once by the resident scanner. ???
Im allowed to download it to the desktop, and only when i open it, Avast comes to life.
But its okay too i guess, as long it nicks the bad boys before they run.
Isnt that correct?
Regds.
Omik

Title: Re:Eicar test file
Post by: raman on May 17, 2003, 10:26:21 PM
I do not use the Resident Protection from Avast, but if i remembere correctly you can change the behave of the scanner in the settings.
Title: Re:Eicar test file
Post by: Vlk on May 17, 2003, 10:29:00 PM
raman is right, you can just change the settings of the resident protection.

You can either set the protection level to High, or fine-tune the settings by changing individual properties of the "Standard Shield". To access these settings, click on the a-ball icon, push the 'Details' button and double click on Standard Shield icon.

Hope this helps,
Vlk
Title: Re:Eicar test file
Post by: Omik on May 17, 2003, 10:41:17 PM
Hi & THX for your answere.
But my concern was, shouldnt the eicar file be stopped at once, and not be allowed to download to the desktop.
I run the resident shield on high.
Regds.
Omik :)
Title: Re:Eicar test file
Post by: Vlk on May 17, 2003, 10:43:25 PM
Hey, you run it on high? In this case, it should have been stopped... >:(
Were you running it on high when you were performing the test??

Anyway, what OS are you using?

Vlk
Title: Re:Eicar test file
Post by: Omik on May 17, 2003, 10:46:20 PM
Hi vlk.
Im running Win Me.
The resident shield was on high when i did the test.
Regds.
Omik :)
Title: Re:Eicar test file
Post by: Vlk on May 17, 2003, 10:51:31 PM
Too bad :(.

I'll tell our QA guys to test it (and if it shows up, fix it!) - on Monday!

Thanks
Vlk
Title: Re:Eicar test file
Post by: Omik on May 17, 2003, 11:02:46 PM
Thx Vlk.
I cant be the only one then.
Havent any of the others mentioned it before.?
Anyway , Avast does get it when i open the file, so it does work, in a non resident way ;D ;D, if one can use these words.
We will see on monday.
Regds.
Omik
Title: Re:Eicar test file
Post by: Omik on May 18, 2003, 04:48:36 PM
Vlk.
Just to let you know.
Tried uninstall & reinstall.
Still the same.
Now this is the harmless eicar test virus, but i trust that the resident shield will nick a real virus.
I can see its working, and see the number of files its checked, so there seems to be no probs.
Just wont detect that ..... eicar virus ;D
Regds.
Omik
Title: Re:Eicar test file
Post by: Omik on May 19, 2003, 03:29:09 PM
Hi Vlk.
Just curious.
Any news from the tech guys.
Omik :)
Title: Re:Eicar test file
Post by: Vlk on May 20, 2003, 06:01:08 PM
It was really a bug. Has been fixed today. It only affects Win9x-based machines. The fix will be included in the next update... ;)

Thanks for hammering this bug down,
Vlk
Title: Re:Eicar test file
Post by: Omik on May 20, 2003, 07:14:11 PM
Hi Vlk.
Great 8)
Glad you found out & and thanks for your quick action on this issue :D :D
Regards
Omik
Title: Re:Eicar test file
Post by: Artisan on May 27, 2003, 10:07:19 PM
When will the new program build come out?   :)
Title: Re:Eicar test file
Post by: techie101returns on May 28, 2003, 03:39:06 AM
 8)
Hey Omik,

I know I come in on this late, but want to comment.
The Eicar virus test is designed to test the ability of an anti-virus to protect your system from embedded viruses that infect a system when OPENED...  hence, Avast stoped it right where it is suppossed to.
If the Avast team said it was a bug and it will be fixed, I guess think that they will modify Avast to stop it at an earlier point.
I have used other anti-virus products against Eicar and they also stop it when an attempt is made to OPEN the file.

Hope this helps add something to the explanation given by the Avast team.

AVAST IS THE BEST !!!

Good luck.
Title: Re:Eicar test file
Post by: Omik on May 28, 2003, 05:05:33 PM
Hi tec 101.
It does :)
Regards
Omik
Title: Re:Eicar test file
Post by: Vlk on May 28, 2003, 07:02:06 PM
As I said, the expected behavior is that it is picked immediately (on download) when the resident protection level is set to High, and when executed with the level set to Normal. This is how it works under WinNT/2K/XP/2K3 with build 211, and this is how it will work under Win9x in the next update.

Quote
When will the new program build come out?

I don't want to promise, but I'd say less then a week.

Vlk
Title: Re:Eicar test file
Post by: NuffSaid on June 05, 2003, 03:21:21 AM
Just came from the TrendMicro website.

Went to dl Eicar test file and Avast picked up on it immediately.

Jeeze I love this program...   :D

Job well done!
Title: Re:Eicar test file
Post by: Vincent on June 08, 2003, 08:44:52 PM
Just to be sure we are talking about the same thing: I went to
http://www.thepcmanwebsite.com/virus_test.shtml (http://www.thepcmanwebsite.com/virus_test.shtml) to check avast against Eicar test files.

I selected the first one, i.e. eicar.com and avast triggered an alarm before the file was opened: I could delete the file from my temp directory from avast and after this cancel the download operation from Mozilla.

For the second file, I could download it, save it to disk and when I tried to open it, then avast blew the siren.

With the zip files, XP automatically opens a dialog displaying the content of the archive and when trying to extract this content, then avast warns you.

As far as I'm concerned, this looks quite good to me, I don't know how other anti-virus programs behave, but just for my own knowledge: wouldn't it be possible to make avast behave in all cases as it does for the first file ? Just asking...
Title: Re:Eicar test file
Post by: Vlk on June 08, 2003, 10:15:18 PM
Vincent, as I said, it should be enough to switch the resident protection level from Normal to High (in a window that appears when you double-clicj the avast a-ball tray icon).

Vlk
Title: Re:Eicar test file
Post by: Vincent on June 09, 2003, 01:14:06 PM
No, my resident protection level is high, and the behavior of avast! is what I mentionned before.
Title: Re:Eicar test file
Post by: Vlk on June 09, 2003, 03:29:54 PM
Vincent, sorry. You're right. I thought you were refering to a different site.

Anyway, you can set up avast to trigger the alarm automatically in all four cases - no problem. The way you'd do it depends on whether you have the Home or the Professional Edition. In Professional Ed., it's quite easy: start the Enhanced User Interface, edit the resident task, in the Standard Shield Settings, move the slider to Custom, on the second page of Standard Shield enable scanning of created/modified files and insert the asterisk (*)  to the box with file extensions - to scan all files. Also, turn on ZIP file scanning (or any other archives you want) on the Packers page.

If you have avast Home, the first thing can be done by clicking on the avast a-ball tray icon, clicking "Details", double-clicking the Standard Shield, and changing the settings on the second page as described above. To turn on the packers is sligtly more complicated - you'll need to edit the file called deftasks.xml - for more info, see http://www.avast.com/forum/index.php?board=2;action=display;threadid=15;start=0 .

Hope this helps,
Vlk
Title: Re:Eicar test file
Post by: Vincent on June 09, 2003, 07:21:44 PM
I'm impressed: it works perfectly !

A small detail, though: for three of the files eicar.com and the ZIP files, avast! now triggers an alarm just after clicking on the file, as you said.
But in the case of eicar.com.txt, when I click, the content of the file is displayed in my browser. Now if I save it to disk, avast! detects the "virus" string.

I have no idea if this is a potential weakness that viruses could take advantage of, and again, I'm already very impressed by avast!, but I wanted to mention this for completeness...

Thanks for quick help !
Title: Re:Eicar test file
Post by: Vlk on June 11, 2003, 08:47:39 AM
Quote
But in the case of eicar.com.txt, when I click, the content of the file is displayed in my browser. Now if I save it to disk, avast! detects the "virus" string.

Yes, this is because IE downloads the "page" (the text file, in this case) and directly displays to for you - no disk involved. Only when IE puts the file to the cache avast starts the alarm - it has no chance to do it any sooner. But this is zero security risk.

Anyway, both of the options you set may quite slow down your computer (as avast is much much busier now) - have you noticed any slowdowns?

Vlk
Title: Re:Eicar test file
Post by: Vincent on June 11, 2003, 12:03:40 PM
Yes, maybe it's a bit slower now with these settings, but nothing that I can't bear (although I don't have much memory - 256Mb - I have quite good CPU - AMD XP 2000+ - and ADSL: maybe this is why the slowdown is not so much noticeable...)