Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Guilap on September 21, 2010, 12:31:22 PM
-
Pause Avast
Create eicar.com with notepad, by pasting (file should be 68 bytes)
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Enable Avast
Run cmd.exe, go to eicar folder, type eicar.com
Eicar runs! Why is that?
You can try copying the file around also, but nothing happens (no warning, no copying, nor deleting the original file)
Did the exact same test on Avira free (in which it is possible to pause on-access scanning) and got a warning when trying to run eicar.com from the command prompt
There's definitely something wrong here :-\
Avast 5.0.677
Virus Definitions 100921-0
Win XP SP3
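Whether a test like the one above means anything depends on the eicar.com file actually being a valid EICAR file: Notepad can save it with a UTF-8 BOM or a trailing CRLF, and a BOM in front of the signature defeats the test. The following script is an added example for this thread (not code from the original poster or from Avast); it builds the 68-byte string, validates a file against the EICAR rules (signature in the first 68 bytes, optional trailing whitespace, at most 128 bytes in total), and writes the file to a directory to observe whether an on-access scanner removes it, without ever executing it. The function names and the temporary-directory default are my own choices.

```python
"""Build, validate and drop an EICAR test file to exercise an on-access scanner."""
import os
import tempfile

# The EICAR string is assembled from two parts so it does not sit at the very
# start of this source file; the EICAR rules only call for detection when the
# string begins a file.
EICAR_PARTS = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
               b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
EICAR = b"".join(EICAR_PARTS)  # exactly 68 bytes

# After the 68-byte signature, only whitespace is allowed (space, tab, LF, CR,
# CTRL-Z), and the whole file must not exceed 128 bytes.
_ALLOWED_TRAILING = b" \t\n\r\x1a"
_MAX_LEN = 128


def validate_eicar(data: bytes) -> str:
    """Return 'ok' for a valid EICAR file, otherwise a short diagnosis string."""
    if data.startswith(b"\xef\xbb\xbf"):
        return "utf-8 BOM before signature (editor saved as UTF-8 with BOM)"
    if not data.startswith(EICAR):
        return "first 68 bytes are not the EICAR string"
    if len(data) > _MAX_LEN:
        return "file longer than 128 bytes"
    tail = data[len(EICAR):]
    if any(byte not in _ALLOWED_TRAILING for byte in tail):
        return "non-whitespace bytes after signature"
    return "ok"


def write_eicar(directory: str) -> str:
    """Write eicar.com into `directory` in binary mode (no newline) and return its path."""
    path = os.path.join(directory, "eicar.com")
    with open(path, "wb") as fh:
        fh.write(EICAR)
    return path


def on_access_check(directory: str = None) -> dict:
    """Drop the test file and report whether it is still present afterwards.

    A file that is gone or resized right after creation indicates that an
    on-access scanner intercepted the write. The file is never executed; the
    thread's problem (no alert on *execution* of a .COM file) is a separate
    path that this check deliberately does not exercise.
    """
    directory = directory or tempfile.mkdtemp(prefix="eicar-check-")
    path = write_eicar(directory)
    survived = os.path.exists(path)
    size = os.path.getsize(path) if survived else None
    return {"path": path, "survived": survived, "size": size,
            "valid": validate_eicar(EICAR)}


if __name__ == "__main__":
    result = on_access_check()
    print(result)
```

Run it on a machine whose on-access scanner you want to check: `survived: False` (or a size other than 68) means the scanner acted on the write, while `survived: True` with size 68 means a scanner either is not installed, excludes the directory, or (as in this thread) does not scan that file type on open.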
-
Well, it's certainly not right - but it's also not how avast! behaves on other computers.
Did you fully uninstall Avira before doing this, for example?
-
I don't see this problem.
avast! alerts on eicar whether it is run from the command prompt or just double-clicked.
Have you changed any settings within avast?
-
Thanks for the replies!
Only Avast was running when I did these tests. I uninstalled all antivirus software and installed a clean Avast Free (unless it remembers previous settings, but I don't remember messing with the settings before).
Now, I've just booted the PC, waited for everything to be started, and I was able to run eicar.com (in my desktop) with no warnings.
Then I decided to check the settings. File System Shield options were:
- "Scan when executing" screen: all checked
- "Scan when opening" screen: just "Scan Documents when opening" checked
Now, if I check "Scan all files" in the last screen, voilà: I receive a warning from Avast and eicar.com doesn't run. But if I disable this option, I can run eicar.com again (I left half a dozen on my desktop for testing).
Is this the expected Avast free behaviour? It appears Avast free thinks eicar.com is a document, not a program (and a document type it shouldn't verify). What are the default settings?
-
No, a .COM file is certainly not considered a document.
Can you post a screenshot of the popup when it was detected?
-
Here you go! (remember, it only appears with "Scan all files" checked)
-
How about exclusions - do you have any set?
-
Can't really test that here: downloading the eicar file with fdm gives an Avast file system shield alert (no need to turn on the "all files" setting), but turning the shields off, downloading eicar.com, then running it from the command prompt or just clicking on it is a no go, as it's not recognized as a valid extension on 64-bit Windows.
-
This may be completely unrelated but I'll mention it anyways:
I went and tried out the eicar.com test (I'd never heard of it)
After double-clicking the file, avast! moved it to the virus chest.
I restored the file, clicked it again, same thing.
After restoring and running a third time, avast! and the command prompt kinda formed some sort of endless loop.
The command prompt will not go away, no matter what I do, and I cannot move the file to the chest or delete it.
If I clicked move to chest or delete, the threat warning would pop up again and again.
Though selecting block worked.
-
Just these (attached)
-
When I try this, without 'Scan All files' checked, I get an alert on the eicar file, but with the process ntvdm.exe (the Windows NT Virtual DOS Machine, the executable that runs 16-bit programs: http://en.wikipedia.org/wiki/Virtual_DOS_machine)
Possibly something relating to XP? (I'm using Vista for this)
-
Issue partially confirmed :-\
Once eicar.com is successfully created (with avast disabled), I don't have any alert when executing eicar.com.
However, when I copy eicar.com to another place, an alert appears.
I don't check "Scan all files".
P.S. tested on Win7 32bit.
-
Yep. That's because
- COM is not scanned on-open by default
- the execution of COM files is somewhat special (not really execution in the classical sense of Windows).
You can add COM to the list of custom files in the "Scan when opening" section, this should help.
Thanks
Vlk
-
Yep. That's because
- COM is not scanned on-open by default
- the execution of COM files is somewhat special (not really execution in the classical sense of Windows).
You can add COM to the list of custom files in the "Scan when opening" section, this should help.
Thanks
Vlk
Alert appears, working confirmed. :)
Off topic: it seems we should have new "eicar", which is native Win32 binary :P
-
You can add COM to the list of custom files in the "Scan when opening" section, this should help.
Did that. Then if I try to run eicar.com from a cmd window I receive "Access is denied" and eicar is deleted. If I try running eicar from the desktop, the eicar file simply disappears. In either case there are no warning messages from Avast (though it is shown in the shield traffic screen as the "last file infected").
Ok, eicar.com prevented from running, but it feels somewhat strange...
- COM is not scanned on-open by default
- the execution of COM files is somewhat special (not really execution in the classical sense of Windows).
But don't you think this could be exploited by an attacker? I mean, if you somehow manage to create a .com file in the target computer's filesystem, you could run malicious code without any warning from Avast. (as long as it is a 32-bit OS)
-
.com files because of their nature (basically exe files) should be scanned as part of the avast default file set.
-
If it were a normal (Windows) executable it would get scanned on-exec no matter what the filename extension is.
The problem is caused by the fact that Eicar is not a Windows executable file.
-
The problem is caused by the fact that Eicar is not a Windows executable file.
Why don't you develop an always-block-eicar-test system to let the users calm down and trust avast: ;D
I mean, a placebo-proof antivirus :)
-
Unfortunately, the eicar test is the only one I know is safe to try :-\ If I were to test with real infected files, I should do it in a controlled environment.
Besides that, Avira free passed this exact same test.
A third set of requests [for viruses] come from exactly the people you might think would be least likely to want viruses: "users of anti-virus software".
They want some way of checking that they have deployed their software correctly, or of deliberately generating a "virus incident" in order to test their corporate procedures, or of showing others in the organisation what they would see if they were hit by a virus.
(...)
Using real viruses for testing in the real world is rather like setting fire to the dustbin in your office to see whether the smoke detector is working. Such a test will give meaningful results, but with unappealing, unacceptable risks.
-
Unfortunately, the eicar test is the only one I know is safe to try :-\ If I were to test with real infected files, I should do it in a controlled environment.
Spycar (http://www.spycar.org/Spycar.html) will try to do real "damage" (and repair it with "Tow Truck" if necessary).
Out of interest, I also have XP SP3 on 7 PCs and AIS/APro stops 'eicar.com' on each as indicated.
-
Unfortunately, the eicar test is the only one I know is safe to try :-\ If I were to test with real infected files, I should do it in a controlled environment.
How about "Hikaru" (a Joke software) ;D
http://www.virustotal.com/file-scan/report.html?id=3c13e6169994f9e5eab10642200b5e91457b93676c73e1695caee530623d4f0b-1277110749
Download:
http://www.vector.co.jp/download/file/win95/amuse/fh217070.html
A few minutes after executing, a screaming woman's voice / woman's face appears. Rebooting or killing the process via Task Manager fixes this.
Win32:Hikaru is a PUP detection, so you have to enable the PUP option.
-
Same as me. But you should try another method to test that Avast! detects this virus (refer to 13thSlayer's post: http://forum.avast.com/index.php?topic=63733.msg538709#msg538709)
-
Same as me. But you should try another method to test that Avast! detects this (refer to 13thslayer's post: http://forum.avast.com/index.php?topic=63733.msg538709#msg538709)
-
Out of interest, I also have XP SP3 on 7 PCs and AIS/APro stops 'eicar.com' on each as indicated.
Yes, yours are the exact screens I get, but only if I add com files as custom extensions on "Scan when opening". Maybe this is a bug present only on Avast Free. Anyway, even when Avast blocks it, I miss the warning screen.
Thank you all for the suggestions of Spycar and Hikaru, they were the missing win32 eicar ;D All of them got blocked and removed when they were already in the filesystem (but, again, no warning screen).
Same as me. But you should try another method to test that Avast! detects this (refer to 13thslayer's post: http://forum.avast.com/index.php?topic=63733.msg538709#msg538709)
I believe every method should be valid. What if the infected file was on a USB stick that was already inserted when I booted?
-
What if the infected file was on a USB stick that was already inserted when I booted?
Then you need something to disable autorun.inf on your machine and USB/flash drives, like Panda USB Vaccine:
http://www.pandasecurity.com/homeusers/downloads/usbvaccine/. It gives you the option to "vaccinate" your machine, which means it disables autorun.inf, but with a simple click you can enable it again. And you can vaccinate any removable drive, including USB sticks. It does not conflict with Avast, as I've been using it with no problems.
There are other companies as well: Flash_Disinfector.exe by sUBs: http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs/, AutoRun Eater: http://www.softpedia.com/get/Security/Secure-cleaning/Autorun-Eater.shtml.
-
All of them got blocked and removed when they were already in the filesystem (but, again, no warning screen).
Is "SILENT/GAMING MODE" disabled?
Try to uncheck Settings -> Silent/Gaming mode -> Silent if a full-screen application is running.
(Just in case it is mis-recognized as full-screen)
-
Thank you for the tips, SafeSurf!
Try to uncheck Settings -> Silent/Gaming mode -> Silent if a full-screen application is running.
You're right, I forgot that. Running a file from desktop counts as full-screen. Worked as expected for spycar and hikaru files.
But no matter if this setting is unchecked or not or if I try to run from desktop or cmd window, trying to run eicar.com never triggers a warning (even when Avast blocks and deletes it).