Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: jockel on October 21, 2004, 11:54:12 AM

Title: running eicar from network/shared drive
Post by: jockel on October 21, 2004, 11:54:12 AM
Hi,

is it o.k. that, while running AVAST!, I can download "eicar.com" from a website,
store it on a networked/shared drive on another PC and execute it with the
downloading PC ?
If I execute it stored locally I get a warning message, if I execute it from the
network, I get no warning at all.

Does this mean, that files, executed from a network are not scanned ?

Regards
Jo
Title: Re:running eicar from network/shared drive
Post by: igor on October 21, 2004, 12:52:16 PM
You are right - in the Home/Pro version, the network drives are not scanned (on-access) because the avast! service runs under SYSTEM account (i.e. doesn't have access to network).
The network edition of avast! should scan the network drives as well.
Title: Re:running eicar from network/shared drive
Post by: jockel on October 21, 2004, 01:38:48 PM
Hi,
don't you think this is kind of unacceptable?
Even using the pro and having both your home PCs protected
with AVAST, you can simply download a virus, store it on a shared
drive and execute it without being noticed?

Or do I miss something ?
Title: Re:running eicar from network/shared drive
Post by: Lisandro on October 21, 2004, 01:58:45 PM
Quote
Even using the pro and having both your home PCs protected
with AVAST, you can simply download a virus, store it on a shared
drive and execute it without being noticed?

If you configure avast Pro correctly, it should detect the local virus file or trojan on one or the other computer. I think, maybe I'm wrong, that Igor is just saying that if you have avast Pro on one computer, it won't detect (on-access) the virus file on the other computer, but only on the one it's installed on.
Title: Re:running eicar from network/shared drive
Post by: DukeNukem on October 21, 2004, 02:58:11 PM
Quote
Even using the pro and having both your home PCs protected
with AVAST, you can simply download a virus,

I am using avast 4.1 home ed. When I click on the eicar.com on the site below

http://www.eicar.org/anti_virus_test_file.htm

avast immediately says warning virus on your computer.

If you are able to download the eicar.com then you need to configure avast.

Title: Re:running eicar from network/shared drive
Post by: Eddy on October 21, 2004, 03:05:09 PM
In simple words. Avast (home/pro) works on the system it is installed on, not on systems it is not on. So a remote system is not scanned. But av software on the remote system should give an alert.
Title: Re:running eicar from network/shared drive
Post by: jockel on October 24, 2004, 06:59:13 PM
Quote
I am using avast 4.1 home ed. When I click on the eicar.com on the site below
http://www.eicar.org/anti_virus_test_file.htm
avast immediately says warning virus on your computer.
If you are able to download the eicar.com then you need to configure avast.

DukeNukem,
this is not what I proposed! Download !to! a network-drive!
Then execute the virus from this network drive. You will see,
that you can download and execute the file !

Jockel  
Title: Re:running eicar from network/shared drive
Post by: jockel on October 24, 2004, 07:36:34 PM
Eddy, Technical,
Quote
In simple words. Avast (home/pro) works on the system it is installed on,........
no Eddy, it doesn't. If it did, then I would not be able to load a virus
into the memory of the PC it is installed on!

Please prove me wrong if you can:
This behaviour is nothing but the AVAST way of enforcing AVAST installation
(purchase) for every computer. I tried different other scanners, and they all
alert when the eicar file from the network is executed. AVAST also alerts,
when you execute the file from internet resources. AVAST does not alert, while
the file is executed from the local network drive.

My point: I definitely accept the need of AV companies to put in some
limitations in their scanner to help sales to sell a licence per networked PC.
But I think this limitation I see here is nothing a user has to expect while
his PC has the status of "being protected with a purchased licence of AVAST".
At least, unless this unusual behaviour of "executing viruses from a network
drive" is not outlined to me on installation.

Can you name me other AV scanners that allow executing a virus from a local
network drive? Do you really consider it acceptable to use a virus scanner which
allows executing an infected file from a local network drive?

Please think about that, AVAST! I am certain you can find another way or a more
acceptable limitation! Besides that, I would like to assure the AVAST team that I
am very pleased with your software. I can live with that shortfall, now as I know it.
I just think, that this behaviour of your scanner is something you might put some
thoughts on !

Best regards
Jockel
Title: Re:running eicar from network/shared drive
Post by: Eddy on October 24, 2004, 07:47:07 PM
Quote
This behaviour is nothing but the AVAST way of enforcing AVAST installation (purchase) for every computer.
Definitely NOT true.

And why do you think there are network av's?

I tested here and Avast does alert when you access a virus (eicar) on a network drive. I think you should check your settings.

And do you still have this thing going on with 4.5 Beta?
Title: Re:running eicar from network/shared drive
Post by: Vlk on October 24, 2004, 07:53:41 PM
1. Please calm down everybody.
2. To change the behavior to scan even network drives (on-access) is not difficult. In fact it's pretty trivial. All you have to do is go to Control Panel -> Administrative Tools -> Services -> avast! antivirus -> Properties, and change the account under which the avast service runs, to an account that HAS access to the network resources (e.g. a domain admin account in case of domain setup).

This works in both Home and Pro Editions.

Cheers
Vlk
Title: Re:running eicar from network/shared drive
Post by: jockel on October 24, 2004, 08:35:37 PM
Quote
Definitely NOT true.
Hi Eddy,
I am certainly willing to do everything you recommend to check whether this behaviour is my fault. I am not aware that I did anything else but a default installation of the latest release. I will download and install the beta and check again, promised!

Quote
And why do you think there are network av's?
Well, this does not fit your previous remarks? I definitely accept
limitations, as I see the need for a vendor to earn money.
But these limitations should please not surprise me in the way they work,
as the (probably/possibly) encountered behaviour did!

Quote
And do you still have this thing going on with 4.5 Beta?
Eddy, I will check !

Eddy, please don't consider me to be some kind of "enemy" (who would dare, being faced with your Avatar ;) ).
I am extremely pleased with the software and with the responsiveness of this forum and just want to show up something that might be......improvable!

Best regards
Jockel
Title: Re:running eicar from network/shared drive
Post by: jockel on October 24, 2004, 08:49:58 PM
Quote
1. Please calm down everybody.
I am calm, promised :)

Quote
......change the account under which the avast service runs, to an account that HAS access to the network resources (e.g. a domain admin account in case of domain setup).
If I understand this right, what I encountered may happen, but depends
on the setting of the network. You are right, the regular account the PC
is running on, is not automatically network enabled. This is probably quite unusual.
So most people (including Eddy) may not see that behaviour. I will check that!

As I already said, incredible responsiveness !  :)

Best regards
Jockel
Title: Re:running eicar from network/shared drive
Post by: Vlk on October 24, 2004, 09:20:35 PM
Quote
If I understand this right, what I encountered may happen, but depends
on the setting of the network. You are right, the regular account the PC
is running on, is not automatically network enabled. This is probably quite unusual.
So most people (including Eddy) may not see that behaviour. I will check that!

No, not really.

Let me explain this in a bit more detail. Avast home/pro setup program installs the service to run under the "LocalSystem" account (also known as SYSTEM). This account has unlimited privileges on the local machine but no network access. This is by design (check out e.g. the MS docs for more info on this).

So this is why the avast home/pro on-access scanner (which runs inside the service) cannot access the network shares to scan the files.

If you, however, change the account that the service runs under, the on-access scanner will have the rights to access the remote files and will therefore scan them.

In the Network Edition of avast, the setup program asks the user for the username/password that will be used by the service. The home/pro edition setup program does not ask for this info as our experience shows that most users wouldn't understand what it wants from them and would possibly enter invalid data which would be even worse (the service wouldn't start at all).


Hope this helps,
Vlk
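
A way to check the configuration described in the post above, as an added example that is not part of the original thread or of avast's own tooling: it reports the account the scanner service logs on as and lists the mapped network drives. The display-name pattern `*avast*` and the function names are assumptions made for illustration.

```powershell
# Added example (not from the thread): show which account the on-access
# scanner service logs on as, and which mapped network drives are in use.

# Assumption: the service is found by display name; the thread calls it
# "avast! antivirus" in the Services console. Adjust the pattern as needed.
$ServicePattern = '*avast*'

function Get-ScannerServiceAccount {
    param([Parameter(Mandatory)][string]$Pattern)
    # Win32_Service.StartName holds the "Log On As" account of the service.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like $Pattern } |
        Select-Object Name, DisplayName, State, StartName
}

function Get-MappedNetworkDrive {
    # Win32_LogicalDisk.DriveType 4 = network drive (current logon session).
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 4' |
        Select-Object DeviceID, ProviderName
}

$services = @(Get-ScannerServiceAccount -Pattern $ServicePattern)
$drives   = @(Get-MappedNetworkDrive)
$shares   = ($drives | ForEach-Object { '{0} -> {1}' -f $_.DeviceID, $_.ProviderName }) -join '; '

if ($services.Count -eq 0) {
    Write-Warning "No service with a display name matching '$ServicePattern' was found."
}

foreach ($svc in $services) {
    # Per the thread: a scanner service running as LocalSystem does not scan
    # files on network shares on access.
    $runsAsLocalSystem = $svc.StartName -eq 'LocalSystem'
    [pscustomobject]@{
        Service        = $svc.DisplayName
        State          = $svc.State
        LogOnAs        = $svc.StartName
        MappedShares   = $shares
        LikelyShareGap = ($runsAsLocalSystem -and $drives.Count -gt 0)
    }
}
```

This reports configuration only. Later in the thread, after the logon account was changed, saving to the share raised an alert but running an existing eicar.com from the share still did not, so the result should be confirmed with the EICAR test file.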
Title: Re:running eicar from network/shared drive
Post by: jockel on October 24, 2004, 11:36:54 PM
Hi vlk,
but the conclusion of all said now is:
Running "AVAST Pro" on your local machine, never execute a file from a network
share, if you are not certain, that the PC "sharing" is running AVAST too, because
the file executed will not (by default) be checked ?
Is this understood right ?

Don't get me wrong, I do not consider executing files from a network share,
where I am not aware of the security measures there, a good idea.
Probably your design has advantages, but to me this sounds a little risky
and quite a different behaviour from what you see with other scanners.
Maybe AVAST comes to think about that.

Best regards
Jockel
Title: Re:running eicar from network/shared drive
Post by: Lisandro on October 24, 2004, 11:44:30 PM
Quote
In simple words. Avast (home/pro) works on the system it is installed on,
no Eddy, it doesn't. If it did, then I would not be able to load a virus
into the memory of the PC it is installed on!

Are you using the Professional version or the Home version?
How is your sensitivity set, High or Normal?
I tried to download a few minutes ago and the eicar file was alerted by the system. I can't try in a network, sorry.
Title: Re:running eicar from network/shared drive
Post by: jockel on October 24, 2004, 11:53:39 PM
Hi Technical,
I am new to AVAST and run a home edition still in demo time.
If you are downloading to your local drive the eicar is detected without any
problem. But right-click on the www eicar link, select a network drive to store to,
save, then execute from the network drive and it is not detected.
You cannot see the problem I am talking about if you do not have a network drive
available to store the eicar file to.

Best regards
Jockel
Title: Re:running eicar from network/shared drive
Post by: Lisandro on October 24, 2004, 11:59:14 PM
Quote
I am new to AVAST and run a home edition still in demo time.

Are you sure?
The trial version is, most of the time, the Professional one.
Home version is free, just register, and does not need to be used only as a trial.

Professional version has on-access detection much higher than Home. The on-demand could be the same but not on-access. You should properly configure avast.
Title: Re:running eicar from network/shared drive
Post by: jockel on October 25, 2004, 12:12:09 AM
Hi technical,

- the "about avast" window says "home edition 4.1"
- the residential protection is set to "high"
and, most important:
- if I understand vlk right, the behaviour I explain exists

You need a network(shared) drive to see it.
But I will install the pro now, just to make certain.

Best regards
Jockel
Title: Re:running eicar from network/shared drive
Post by: Lisandro on October 25, 2004, 12:38:27 AM
Quote
The "about avast" window says "home edition 4.1"

If you're not using the trial version for more than 60 days, you can go to Control Panel > Add/Remove programs > avast! antivirus > Remove
Then choose Change function in the popup window and add the Professional version items. You do not need to uninstall your actual version.

Quote
if I understand vlk right, the behaviour I explain exists

I will never discuss with him ;D
He's the boss.
Title: Re:running eicar from network/shared drive
Post by: jockel on October 25, 2004, 12:51:59 AM
too late :-)

I uninstalled, installed the pro, it states "pro" clearly in the about window now.
Up to date, protection level is set to "high".
Went to www.eicar.org, downloaded the "eicar.com" with "right mouseclick",
"save to" onto a network/shared drive without any intervention.
Then "doubleclick/executed" the "eicar.com" directly from the network/shared drive,
no intervention from on access scanner.

Best regards
Jockel
Title: Re:running eicar from network/shared drive
Post by: Vlk on October 25, 2004, 09:58:30 AM
And after changing the Log On account for the "avast antivirus" service?
Title: Re:running eicar from network/shared drive
Post by: jockel on October 25, 2004, 11:00:43 AM
Hello vlk,
this is not that easy, as I have no single account that has access rights locally and for
the network. If I want to have access to the Network, I have to log in manually and I think
it does not make sense, if I try to set the rights of AVAST service to this network only account?

But I will make the changes required, then set the new properties.

Best regards
Jockel
Title: Re:running eicar from network/shared drive
Post by: whocares on October 25, 2004, 11:11:21 AM
Quote
change the account under which the avast service runs, to an account that HAS access to the network resources (e.g. a domain admin account in case of domain setup).

Hi Vlk,

I don't have a network available right now, but if I changed the avast-logon-account to (some) Admin, are there any problems with local protection, e.g.:
- when using an Admin-User, but not the REAL "Administrator" on Win2000 (Prof/WS) or
- when using the Main/Admin-User with XP-HOME ?
iirc in XP-HOME you can only log-in to real "Administrator" in SafeMode (although the resp. differences in user-rights are much less than with W2k)

Title: Re:running eicar from network/shared drive
Post by: DukeNukem on October 25, 2004, 11:40:12 AM
Quote
too late :-)

I uninstalled, installed the pro, it states "pro" clearly in the about window now.
Up to date, protection level is set to "high".
Went to www.eicar.org, downloaded the "eicar.com" with "right mouseclick",
"save to" onto a network/shared drive without any intervention.

I do agree with you that if the eicar.com is on a network share then you can simply execute it and avast won't do a thing.

Tried it myself.

(A different issue)

You can manually configure avast so that you cannot download the eicar.com from your pc to a network drive or to your own drive. If you do this then avast will pop up saying virus detected before you can choose where to save the file.

Are you aware of this?

From your earlier post it seems unlikely.

Quote
DukeNukem,
this is not what I proposed! Download !to! a network-drive!
Then execute the virus from this network drive. You will see,
that you can download and execute the file !

Jockel
Title: Re:running eicar from network/shared drive
Post by: jockel on October 25, 2004, 11:57:41 AM
Quote
And after changing the Log On account for the "avast antivirus" service?
Hello vlk,
I changed the AVAST service logon account to an administrator account which exists
locally and on the shared networked PC too. I additionally logged on the local PC with this
account:
- now I can no longer save the file from www to the shared network drive, I get an AVAST alert!
- but I can still execute an existing eicar.com located on the shared network drive.

Best regards
Jockel
Title: Re:running eicar from network/shared drive
Post by: jockel on October 25, 2004, 12:03:03 PM
Quote
I do agree with you that if the eicar.com is on a network share then you can simply execute it and avast won't do a thing.
Hi DukeNukem,
now we come extremely close to talking about the same basic subject :)
Quote
You can manually configure avast so that you cannot download the eicar.com from your pc to a network drive or to your own drive. If you do this then avast will pop up saying virus detected before you can choose where to save the file.
Are you aware of this?
If this is not the same thing as covered by the proposal of vlk (see my previous answer)
then please give me a hint where to read about it and I will check!

Jockel

Title: Re:running eicar from network/shared drive
Post by: DukeNukem on October 25, 2004, 12:27:46 PM
Go to the standard shield provider
click 'customize'
click on 'scanner (advanced)'
tick 'scan created/modified files'
make sure 'All files' is selected

If you do this then you won't be able to download the eicar.com.

Title: Re:running eicar from network/shared drive
Post by: whocares on October 25, 2004, 12:34:15 PM
IMHO this does not really address the issue;
you can still execute it from the network-PC, e.g. if it's downloaded there/externally

 ;)
Title: Re:running eicar from network/shared drive
Post by: DukeNukem on October 25, 2004, 01:01:07 PM
Whocares,

try reading my other posts.

You will see that I didn't intend to provide a solution to the problem about executing files from a network share.

I was only trying to provide some advice on how to configure avast to prevent the downloading of the eicar.com.

Title: Re:running eicar from network/shared drive
Post by: jockel on October 25, 2004, 01:26:06 PM
Quote
Go to the standard shield provider
click 'customize'
click on 'scanner (advanced)'
tick 'scan created/modified files'
make sure 'All files' is selected
If you do this then you won't be able to download the eicar.com.
Hi DukeNukem,
no this does not help. I also see no reason why it should, as the extension
*.com is already included with the files to be scanned if you use the
standard settings. I still can download to a network drive and execute from there.

Regards
Jockel
Title: Re:running eicar from network/shared drive
Post by: Eddy on October 25, 2004, 01:33:00 PM
Basically a file you download directly to a network drive other than on your own system, will not come to your system and therefore will normally not be scanned by most av applications (home use).

IMHO, av applications for home use are normally not designed/mentioned for network protection. If you can initiate the download from system-A and put the file directly on system-B, your network security is not properly setup.
Title: Re:running eicar from network/shared drive
Post by: jockel on October 25, 2004, 02:20:22 PM
Hello Eddy,
Quote
Basically a file you download directly to a network drive other than on your own system, will not come to your system and therefore will normally not be scanned by most av applications (home use). IMHO, av applications for home use are normally not designed/mentioned for network protection.
I don't think so! All other scanners (all home use) I tried, either alerted when downloading to the shared drive or when executing from the shared drive. At least one scanner alerted on download as well as on execution.
Quote
....If you can initiate the download from system-A and put the file directly on system-B, your network security is not properly setup.
Eddy, what do you expect, especially from home users, when it comes to "setting up network security"? They share their drives and expect a scanner to alert if an infected file is executed by a protected computer. I think a simple shared driveletter is nothing that sophisticated, that it is unusual for a simple home environment. The file is executed in the RAM of the protected PC, this is not o.k.! If a file is executed but not scanned, even if this is by design, then you have to line this out to the user on execution. Why should it come to the user's mind that he is not safe in that moment? Because he did not purchase the multi-hundred-EUR-network-version of the very scanner?

Best regards
Jockel
Title: Re:running eicar from network/shared drive
Post by: Lisandro on October 25, 2004, 03:56:29 PM
Quote
Eddy, what do you expect, especially from home users, when it comes to "setting up network security"? They share their drives and expect a scanner to alert if an infected file is executed by a protected computer. I think a simple shared driveletter is nothing that sophisticated, that it is unusual for a simple home environment. The file is executed in the RAM of the protected PC, this is not o.k.! If a file is executed but not scanned, even if this is by design, then you have to line this out to the user on execution. Why should it come to the user's mind that he is not safe in that moment? Because he did not purchase the multi-hundred-EUR-network-version of the very scanner?

I agree with you... terrible lack of security  :-\