Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Dileep on April 22, 2010, 04:15:41 AM

Title: Eicar Test File & Full System Scan...
Post by: Dileep on April 22, 2010, 04:15:41 AM

I placed an EICAR antivirus test file (test code saved as a Notepad file) in one of the folders on my PC. I first scanned the system with the 'Full system scan' option of avast, but unfortunately it didn't detect the file as a 'threat'.

When I scan the system with the 'Select folder to scan' option, avast detects it as a 'threat'.

(http://i39.tinypic.com/mcxabt.jpg)

I want to know why avast didn't detect the EICAR test file as a 'threat' in 'Full system scan' mode...?

Title: Re: Eicar Test File & Full System Scan...
Post by: DavidR on April 22, 2010, 04:39:04 AM
See this extract from the avast help file on the Full System Scan (I have highlighted the relevant parts):
Quote
Full System Scan - This performs a more detailed scan of all your computer's hard disks and by default, all files are scanned according to their content, in other words, avast! looks inside every file to determine what type of file it is and whether it should be scanned. The whole file is tested, not just those parts of the file at the beginning or at the end where infections are normally found.

From this only files that present a risk, e.g. are executable, or targets for infection, etc. (a text file is effectively inert) so for those files considered at risk the complete file is scanned not just a small part of it.

There are fewer variables you can change in this scan, e.g. its sensitivity, etc., as it is a pre-defined scan. The Select Folder scan offers a few more variables, most notably the Scan, File Types (Scan all file types is the default), and the Sensitivity can be increased. It is this first setting, Scan all file types, that will pick up the eicar.txt file.
Title: Re: Eicar Test File & Full System Scan...
Post by: Dileep on April 22, 2010, 04:47:16 AM
Thanks for the info...

Considering the above measures, is 'Select folder scan' better than 'Full system scan'...? :o
Title: Re: Eicar Test File & Full System Scan...
Post by: DavidR on April 22, 2010, 04:56:16 AM
No, it entirely depends on what you want to do.

As I said only files that present a risk are scanned:
Quote
From this only files that present a risk, e.g. are executable, or targets for infection, etc. (a text file is effectively inert) so for those files considered at risk the complete file is scanned not just a small part of it.

So to me, to scan anything else is a waste of time and processing effort; to you that might not be the case. I go even further: I only do a Quick scan once a week and very occasionally a Full scan (normally to use it as an example in the forums), and that scans even less. Essentially it still scans only those files that present a risk, as that is what the other resident (on-access) elements of the antivirus are also looking out for.

You can use the Custom Scan button and set even more variables if you want to get into downright paranoid scan mode.

So there are more options than you can shake a stick at, it is up to you to choose what is best for you.
Title: Re: Eicar Test File-String.... at RAM
Post by: Firefox012 on April 26, 2010, 01:43:41 AM
Hello,

I have copied the string from the eicar test file to RAM. Shouldn't avast 5 also scan the RAM, to notice there is a virus string?
Or does avast 5 only notice that virus if I scan the eicar test file (X5O!P%@AP[4\PZ........) directly? ???

Or in other words: how do I have to set up my avast to scan the RAM continuously?

Currently I use avast 5 freeware 5.0.507

Thanks for your kind response.

Firefox012
Title: Re: Eicar Test File & Full System Scan...
Post by: igor on April 26, 2010, 07:28:32 AM
"Scan RAM continuously"? I'm not completely sure how you imagine it might work, but it's basically impossible (and if it weren't, it would slow down your machine incredibly).
Title: Re: Eicar Test File & Full System Scan...
Post by: Firefox012 on April 27, 2010, 01:00:12 AM
Hello Igor,
So I understand you well: any virus could not be discovered by avast if the string is only in RAM memory. But couldn't any virus infect my system when it runs in RAM memory? So, to my understanding, any virus needs to have access to RAM in order to "work".
If I copy the content of the infected file to RAM (in this special case the content of the eicar test file), avast has to notice that and has to raise an alarm.

Thank you for the explanation, for a better understanding!


Firefox012
Title: Re: Eicar Test File & Full System Scan...
Post by: doktornotor on April 27, 2010, 01:10:09 AM
I have a hard time understanding what you are after here. Merely copying a virus into RAM doesn't execute the virus, it just wastes some RAM. ???

Also, from where are you going to copy that virus into RAM? Thin air? It's already gonna be detected once it lands on your HD or whatever other media.
Title: Re: Eicar Test File & Full System Scan...
Post by: igor on April 27, 2010, 09:38:08 AM
Quote
So I understand you well: any virus could not be discovered by avast if the string is only in RAM memory.

I did not say that. Sure, memory can be scanned, by avast! as well - I just don't know how to scan memory continuously.

Quote
But couldn't any virus infect my system when it runs in RAM memory?

If it runs, as you write, you're already infected. The virus has to get into the memory from somewhere in the first place - and the sources (e.g. files) are scanned by avast!, so scanning memory should not be necessary.

Quote
If I copy the content of the infected file to RAM (in this special case the content of the eicar test file), avast has to notice that and has to raise an alarm.

Not really. First, "copying into RAM" doesn't necessarily mean "execution". avast! distinguishes between scanning files "on execute" and "on open" (you can configure it in the File System Shield settings). While the first one is certainly very important because it prevents malware from being executed, the second one - simply reading the data into memory, e.g. to view them in Notepad - is just a waste of time (read: "slows down the computer without any significant security improvement"). Second, it doesn't really matter whether the source of the "copy" (i.e. the file, for example) or the target (the RAM, as you say) is scanned - so it's the first one, because the latter would be technically rather hard to do.
Third, Eicar is not a good test file in this respect - it's supposed to be a file, and if you read the exact specification on eicar.org, you'll find out that this signature has to be in the very beginning of the file - otherwise it should not be detected. So, Eicar would not be detected during a memory scan even when other (real) malware would - because its specification says it shouldn't be.
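
The positional rule described in the last post above, shown as an added example (not code from the thread or from avast!): a check that accepts the test signature only at offset 0 of a short file, next to a plain substring search of the kind a memory sweep would amount to. `SIG` is a constructed 68-byte stand-in rather than the real test string, and the 128-byte limit and allowed trailing whitespace follow the EICAR definition, which the thread does not quote.

```python
# Added example: positional matching as the test-file rule requires.
# SIG is a constructed 68-byte stand-in, NOT the real test string, so this
# listing is not itself flagged; pass the real string via `sig` to use it.
SIG = b"CONSTRUCTED-STAND-IN-SIGNATURE".ljust(68, b"#")

ALLOWED_TRAILER = b" \t\r\n\x1a"   # space, tab, CR, LF, Ctrl-Z
MAX_TOTAL_LEN = 128                 # signature plus optional trailer


def spec_match(data: bytes, sig: bytes = SIG) -> bool:
    """True only if `data` is the signature at offset 0, optionally followed
    by allowed whitespace, and no longer than MAX_TOTAL_LEN bytes."""
    if not data.startswith(sig) or len(data) > MAX_TOTAL_LEN:
        return False
    return all(byte in ALLOWED_TRAILER for byte in data[len(sig):])


def naive_match(data: bytes, sig: bytes = SIG) -> bool:
    """Substring search anywhere in the buffer (what a memory sweep would do)."""
    return sig in data


# Constructed sample buffers.
SAMPLES = {
    "file_exact": SIG,
    "file_trailing_newline": SIG + b"\r\n",
    "file_text_after": SIG + b" plus some notes",
    "file_text_before": b"notes: " + SIG,
    "file_overlong_padding": SIG + b" " * 100,
    "memory_region": b"\x00" * 512 + SIG + b"\x00" * 512,
}


def compare(samples=SAMPLES):
    """Map each sample name to (spec_match, naive_match)."""
    return {name: (spec_match(buf), naive_match(buf))
            for name, buf in samples.items()}


if __name__ == "__main__":
    for name, (by_spec, by_substring) in compare().items():
        print(f"{name:24} spec={by_spec!s:5} substring={by_substring}")
```

Only the first two samples satisfy the positional rule; the memory-region buffer contains the same bytes but is not a match, which is why the test string says nothing about a product's memory scanning.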