Avast WEBforum

Topic started by: Jeronim0 on September 08, 2008, 09:04:37 PM

Title: Virus known, but not found when writing file to disc
Post by: Jeronim0 on September 08, 2008, 09:04:37 PM
Hello,

I have an issue, that a file contains a virus and it is not found. I downloaded an nzb-file from the Internet and used Alt.binz to download the related rar-file. I had doubts about the file I downloaded, but Avast made no mention of any virus. Not even when extracting the exe-file from the rar-file. However when I scan the exe-file Avast noticed the virus, it also does when scanning the rar-file (archive).

[Embedded#XORER]
Win32:Trojan-gen {Other}
Virus/Worm

Now I know I have the standard shield enabled at standard level (it also did not alarm me when setting was at high). Also the Log does not make notice of the virus (log level at Error).
I am using Windows Vista x64 SP1 Dutch Home Basic. I did use vLite to remove some components from Windows prior to installation, but I do not think they are dependent or are there critical parts of Windows without which Avast will not function (but will also not report this to the user)?

I can post any file-related information, but I assume this will be handled through Private Message?
Title: Re: Virus known, but not found when writing file to disc
Post by: wyrmrider on September 09, 2008, 12:20:57 AM
I know this is not what you are after, but since this is a -gen hit, can you upload to VirusTotal so we can see exactly what this is, and upload to virus@avast.com with a link to the VirusTotal results?
Great question.
I'd be interested to see if it misses on the highest setting.
Title: Re: Virus known, but not found when writing file to disc
Post by: Jeronim0 on September 09, 2008, 07:13:13 AM
Beware the attached file contains a virus!

I could post the file here, but it is 1.5MB in size. If you are familiar with downloading from newsgroups I can give you a link to the nzb-file.
I am not quite sure what you mean by "a link to the virus total results".
Title: Re: Virus known, but not found when writing file to disc
Post by: Lisandro on September 09, 2008, 03:14:36 PM
Please submit it to VirusTotal (http://www.virustotal.com/xhtml/index_en.html) and let us know the result (i.e., post the link of the analysis page after the scanning has finished).

Also, you can send the file to virus@avast.com for analysis (maybe mentioning in the body a link to this thread).
Title: Re: Virus known, but not found when writing file to disc
Post by: Jeronim0 on September 10, 2008, 10:45:38 PM
I ran it through VirusTotal (thanks for the tip)
http://www.virustotal.com/nl/analisis/1050544f022998945f931fed23378ef1

I also checked a few other things, with the eicar-testfile amongst others, and it seems that the Webshield is functioning. However, when I disable it, remove the proxy-settings and download the files and make a copy, then the virus/testfile is not detected/recognized at all.
Title: Re: Virus known, but not found when writing file to disc
Post by: DavidR on September 10, 2008, 11:10:57 PM
@ Jeronim0
Here is why the standard shield didn't detect anything initially.

Archive (zip, rar, etc.) files are by their nature inert; you need to extract the files and then you have to run them to be a threat. Long before that happens avast's Standard Shield should have scanned them, and before an executable is run that is scanned.

So the standard shield on the Normal sensitivity doesn't scan archive files by default, as at that time they aren't an immediate risk.

With a view to the eicar test file, again there are many types and like the above statement only those with an immediate, executable risk would be scanned by the standard shield (the web shield differs in that it scans 'all' http traffic), e.g. eicar.com and eicar.exe, etc. but not a zipped version of it nor non-executable file formats like eicar.txt.
However, you don't say what the file type was that you downloaded?
Title: Re: Virus known, but not found when writing file to disc
Post by: Jeronim0 on September 10, 2008, 11:23:51 PM
I downloaded the 2 zip-versions through http (no ssl). I also just redid a test with my original virus and with the standard shield at high (webshield disabled) and when I open the archive and extract the file I do not get a message.

Correct me if I am wrong, but I would like to know when I write a virus to disc, not when I execute it. I also do not believe that other Anti-Virus programs with real-time scanning work in such a way.
Title: Re: Virus known, but not found when writing file to disc
Post by: DavidR on September 10, 2008, 11:37:45 PM
If the file format doesn't present an immediate risk and an archive file doesn't then it doesn't need to be scanned at that time.

Files that are executable present an immediate risk and as such are scanned like eicar.com, just downloaded.

I downloaded both zip files and on extraction they both alerted and my standard shield is set to Normal. So I don't know what is going on with your set-up.
Title: Re: Virus known, but not found when writing file to disc
Post by: Jeronim0 on September 10, 2008, 11:45:09 PM
I understand, however the file within the rar-file is an exe-file and with standard shield at high, I can not understand why it remains undetected.
Title: Re: Virus known, but not found when writing file to disc
Post by: igor on September 11, 2008, 12:33:47 AM
It's caused by the setting of unpackers. The extractor of the embedded files belongs to the "Installer" packer - which is not enabled by default for the Standard Shield. That's why it's not detected immediately.

There are some plans to improve that behavior in the (near) future - however, the installers extract the contained files to disk first (i.e. the code is not executed directly like in runtime [WinExec] packers) - at which moment they would be detected & blocked anyway.
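
An added illustration of the unpacker point discussed in this thread (not part of igor's post and not avast's code): a signature match on the bytes written to disk misses content inside a compressed container unless the scanner unpacks it first. A zip stands in for the rar/installer container, and `SIGNATURE`, the function names and the sample payload are constructed for this example.

```python
import io
import zipfile

# Constructed marker standing in for a malware signature (not a real one).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"
MAX_DEPTH = 3  # cap recursion so deeply nested archives cannot exhaust the scanner


def make_zip(name: str, data: bytes) -> bytes:
    """Return an in-memory deflate-compressed zip holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def scan_raw(data: bytes) -> bool:
    """Signature match on the bytes exactly as written to disk, no unpacking."""
    return SIGNATURE in data


def scan_unpacked(data: bytes, path: str = "<file>", depth: int = 0) -> list:
    """Scan the bytes, then recurse into zip members; return the paths that hit."""
    hits = [path] if scan_raw(data) else []
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}"
            hits += scan_unpacked(zf.read(info), member, depth + 1)
    return hits


# Constructed sample: a fake "executable" carrying the marker, then archived twice.
PAYLOAD = b"MZ" + bytes(64) + SIGNATURE + bytes(64)
INNER = make_zip("setup.exe", PAYLOAD)
OUTER = make_zip("inner.zip", INNER)

if __name__ == "__main__":
    print("raw payload hit:      ", scan_raw(PAYLOAD))
    print("raw archive hit:      ", scan_raw(OUTER))
    print("unpacking scanner hit:", scan_unpacked(OUTER, "outer.zip"))
```

The raw scan only fires once the member is extracted to disk, which is the moment the on-access scanner is described as catching it.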
Title: Re: Virus known, but not found when writing file to disc
Post by: Jeronim0 on September 11, 2008, 06:54:32 AM
It's caused by the setting of unpackers. The extractor of the embedded files belongs to the "Installer" packer - which is not enabled by default for the Standard Shield. That's why it's not detected immediately.

There are some plans to improve that behavior in the (near) future - however, the installers extract the contained files to disk first (i.e. the code is not executed directly like in runtime [WinExec] packers) - at which moment they would be detected & blocked anyway.


I would like to have it (scanning of "Installer" packer files) enabled and from your message I understand that this should be possible. I am using the Dutch version so I might have overread where I can enable it, as I can not find the setting. Also the "Understanding avast.ini file" did not show, I only found this post (http://forum.avast.com/index.php?topic=1647.msg30176#msg30176) which could be what you mean. Could you confirm this or point me towards the setting?
Title: Re: Virus known, but not found when writing file to disc
Post by: alanrf on September 11, 2008, 07:04:29 AM
The option you appear to want is not currently available as a default in the Home edition (regardless of language choice).

If you use a download function that allowed you to specify an anti-virus scan of downloaded files and had you used the appropriate avast function (ashquick.exe) which provides a thorough scan of downloaded files (archive files included) then I believe that your problem file might have been immediately revealed on download.
Title: Re: Virus known, but not found when writing file to disc
Post by: Jeronim0 on September 11, 2008, 07:21:56 AM
Well I am using Firefox and I have no possibility to add scan of downloaded files, however they have something that allows automatic scanning, because there is a setting Browser.download.manager.scanWhenDone (http://kb.mozillazine.org/Browser.download.manager.scanWhenDone) for it.
Title: Re: Virus known, but not found when writing file to disc
Post by: alanrf on September 11, 2008, 07:34:32 AM
Sorry but ... .nonsense!

I use Download Statusbar and many others in this forum use other Firefox Add-ons.
Title: Re: Virus known, but not found when writing file to disc
Post by: Jeronim0 on September 11, 2008, 08:48:39 AM
Sorry but ... .nonsense!

I use Download Statusbar and many others in this forum use other Firefox Add-ons.

Bit of a harsh reaction, but you are correct nonetheless. I did a search on add-ons with text "virus scan" and it only came up with "Dr. Web". I knew the Download Statusbar add-on, but I did not know it allowed for virus scanning after download. I will try it, thank you.
(Besides that, I thought "commandline scanning" was for the commercial version of Avast, but I am grateful nonetheless for ashquick.)
Title: Re: Virus known, but not found when writing file to disc
Post by: DavidR on September 11, 2008, 03:07:54 PM
Let's not lose sight of the fact that with the web shield enabled these files should be scanned. The reason this all came to a head was when you disabled the web shield to download and test using eicar.

Though as Alan said, there are other downloaders (that do a better job than the default Firefox download) and allow for the inclusion of a scan by avast. The string to enter to have avast scan those downloads is C:\Program Files\Alwil Software\Avast4\ashQuick.exe; this is the most thorough of all the avast scans as it uses all avast unpackers (as required).
Title: Re: Virus known, but not found when writing file to disc
Post by: Jeronim0 on September 11, 2008, 03:14:44 PM
Yes, I have a workaround and know that the core issue is that not all packers are used even if the standard shield is set to high.

If I would download the file directly from the web, then I would have no issue because WebShield would probably report the virus.

However I am using an external program Alt.Binz for downloading from newsgroups and although there are engines for p2p and IM, there is none for usenet. When I download the file in that application, then I might also be able to set a virus scanner. I would need to check. Maybe I can set up a proxy for that as well for downloading from usenet within Alt.Binz. I will check.

I now know what my options are, thanks for the help and really quick responses. That is much appreciated!
Title: Re: Virus known, but not found when writing file to disc
Post by: DavidR on September 11, 2008, 03:25:54 PM
Usenet uses NNTP port 119 and as such should be scanned by the Internet Mail provider, assuming you are using an email client (I use OE when viewing usenet, not very often) or nntp client (as you say alt.binz) that uses port 119 and standard NNTP protocols.
Title: Re: Virus known, but not found when writing file to disc
Post by: Jeronim0 on September 11, 2008, 03:32:07 PM
I will check it in the near future as I am not going to be at home for a few days. I use nntp via ssl (port 563) and did not use Internet Mail module of Avast, because I use Gmail only (and at work I sync it through imap, where we use a different AV-product).
Title: Re: Virus known, but not found when writing file to disc
Post by: DavidR on September 11, 2008, 03:46:02 PM
If SSL and/or a different port, 563, enter the equation then the Internet Mail provider wouldn't scan it; the whole idea of SSL is to keep prying eyes out, including AVs.

Though from avast version 5 it is going to be added so it can be scanned (not much use in the short term though).
Title: Re: Virus known, but not found when writing file to disc
Post by: alanrf on September 12, 2008, 05:10:34 AM
I am guessing that you are using an application for NNTP secure downloads ... please check to see if it provides a way to have your completed downloads scanned by avast and if so then use ashquick.exe as the scanning program.