Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: phyniks on February 26, 2012, 09:38:44 PM
-
I'm using avast 7 and I think this version is a big improvement
I'm receiving some trojan-containing spam (yahoo mail) and every time I want to download the file (testing avast), the webshield warns me that the malware is blocked:
http://www.avast.com/lp-security-information-fp2?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_70_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-ww%2Fvirus-alert-challenger2&p_vir=Win32:Ufraie-J&p_prc=&p_obj=&p_var=.%2Ffa%2Fen-ww%2Fvirus-alert-default2&p_pro=0&p_vep=7&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=369&p_lng=en&p_lid=en-ww&p_elm=7&p_vbd=1407
but it's been downloaded and the malware (zipped file) is in the "downloads" category of my MY DOCUMENTS
why does the malware get through after the warning and why doesn't avast webshield block it?!!
is it a bug or should I change something in the settings? (it is set by default)
Win 7 home premium
browser:chrome
-
The question I have first is: is the malicious code still present in the zip? You could upload it to virustotal.com (http://virustotal.com) for more info, and post the results.
Truly I don't have much of a clue here but I can be thinking on it.
-
yes
the virus-containing zipped file is intact
scanning the file with avast shows the malware is there
just after chrome starts to download, the avast warning comes up saying the malware is blocked by webshield
but no termination happens and the file is downloaded thoroughly!!!!
it is not harmful because the file is in a zipped folder, but avast webshield does not actually block the download process, it just warns!!!!
is there anyone who can explain why that happens?
I can send the trojan-containing mail to anyone who wants to see the bug
-
Update:
I downloaded the file 8 times (its size is 27.3kb)
5 times the webshield warned before the download process and it was blocked properly
3 times the webshield warned after the browser started to download and the file got through; webshield just warned, no actual blocking!!!
I think this is the bug, I hope avast will fix it
-
extract the file and it will be caught in file shield ;D
-
extract the file and it will be caught in file shield ;D
@true indian >>> STOP POSTING USELESS STUFF HERE !!! ... you already advised someone who solved his problem running the uninstall utility to >>> run the uninstall utility ::) >>> now the problem here is why the web shield doesn't block malware off and on, not what happens if you extract an infected archive and the file shield interferes, is that clear for you now ???
-
@the OP now: what are your web shield settings ... I don't like this issue ... did you upload that zip to Avast (from chest)?
-
As I said everything is set by default (avast free 7.0.1407, chrome 17)
I submitted and explained the case, but the file is KNOWN to the avast database; the problem is the webshield's inability to block the download process
I've sent the issue to the avast center and I hope there will be a fix
https://support.avast.com/index.php?loginresult=1&group=eng&_m=tickets&_a=viewticket&ticketid=2654986 (https://support.avast.com/index.php?loginresult=1&group=eng&_m=tickets&_a=viewticket&ticketid=2654986)
as I said I can forward the mail to anyone who wants to examine it (it is not harmful because it is zipped)
-
Could you attach the zip file to the ticket you've submitted?
-
I seem to recall vlk saying in a post (years ago) that not all browsers 'respect' the webshield block. Some just keep retrying - and depending on download speed response/reset times they may succeed.
(I also seem to recall him saying that IE does respect it. This was a long time ago though - I could easily be misremembering.)
(and the more I think about that, it doesn't seem to make sense - avastSvc should be in the way if it is being used as a proxy)
-
Could you attach the zip file to the ticket you've submitted?
I've just attached it
then I downloaded what I uploaded and unfortunately there is no webshield blocking (not even a warning) :'(
what is the matter with the webshield?!!!!
everyone, just DL it and say what happens plz
-
Could you attach the zip file to the ticket you've submitted?
I've just attached it
then I downloaded what I uploaded and unfortunately there is no webshield blocking (not even a warning) :'(
what is the matter with the webshield?!!!!
everyone, just DL it and say what happens plz
support.avast.com runs HTTPS so there's no WebShield...
-
support.avast.com runs HTTPS so there's no WebShield...
what about the case in yahoo mail?
why can't webshield stop google chrome downloading the malware (it said it did)?
-
please guys, Vlk and Lukas, let us know in this thread what happened, and if the issue can be reproduced and fixed.
I've seen this happen a very long time ago, with V5, the web shield behaving strangely off and on, exactly like what the OP reported: downloading the same file (tested that with the Eicar archive on plain http at the time with V5), warning and connection aborted as expected, or randomly warning, but the connection isn't aborted and of course the file is still downloaded. Thanks.
-
I'm again receiving that virus-containing spam with different subjects such as
"THIS PHOTO TELLS YOU ALL",
"THIS PHOTO TELL YOU WHAT",
"YOU GOTTA BE KIIDING ME",
"IS IT REALLY YOU IN THIS PICTURE"
and avast webshield is still missing every other one (one in, one out)
and unfortunately here is the avast support response by "Petr Bucek, 2nd level Technical Support", who seems not to have read the issue carefully: :-\
Hello,
Thanks for the file, which is already being detected by avast! antivirus.
If I can be of any further assistance, please do not hesitate to contact me again.
With Kind Regards,
Petr Bucek
2nd level Technical Support
AVAST Software a. s.
Budějovická 1518/13A
140 00 Prague, Czech Republic
-
I take it you have contacted him again?
The problem is, as you have said, that initially the web shield alerts and attempts to abort the connection, but in the background the download may have completed. So essentially avast is detecting it (as confirmed in the support reply). I don't know if in your contact with support you made it clear that the web shield was detecting it, but the real problem is that it isn't blocking it from being downloaded.
Generally the web shield will abort the connection to stop the content being downloaded, but some browsers may disregard the abort connection and complete it. I think I recall something like that before in relation to chrome in the forums.
The secondary problem is that the file system shield doesn't scan zip files by default (as they are inert), so it isn't being picked up when the abort connection doesn't drop the connection or the browser disregards the abort and tries to complete the download.
You could of course change the file system shield, expert settings, Scan when writing and check the Scan all files. This would effectively be scanning 'all' newly created/written files and this would include files written to the hard disk. However this could have an impact on system performance.
-
Dear David
I tried my best to explain the case, but as I said he might not have read it carefully
here is my first explanation:
I have received a spam in my yahoo mail which contained a virus
while downloading (chrome as the browser) the webshield warned and said the malware is blocked:
http://www.avast.com/lp-security-information-fp2?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_70_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-ww%2Fvirus-alert-challenger2&p_vir=Win32:Ufraie-J&p_prc=&p_obj=&p_var=.%2Ffa%2Fen-ww%2Fvirus-alert-default2&p_pro=0&p_vep=7&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=369&p_lng=en&p_lid=en-ww&p_elm=7&p_vbd=1407
but surprisingly the download process was not terminated and the malware (which was in a zipped file) came through to my MY DOCUMENTS!!!
scanning the file showed the virus was there; it was not harmful because it was in a zipped file, but the webshield could not block the download process
I don't know if it is a bug or I have to change the settings (set by default)
I'm using avast 7 free 7.0.1407 and my system is an hp laptop dv6000se, amd, quadcore, win7 home premium, browser is chrome 17
after his first response I explained it again this way:
Oh sir
please...
did you read the problem carefully?!!
of course it was in your database, my problem was avast webshield's inability to stop the download process by google chrome
in 50% of cases it just warns and says it is blocked, but it does not terminate the downloading and the file comes to MY DOCUMENTS
(sometimes the avast warning is before the download and it is fully blocked, but sometimes it starts after the dl process and it does not terminate it)
Let's hope he gets the case. . .
all the story is here (I don't know if you can access it):
https://support.avast.com/index.php?_m=tickets&_a=viewticket&ticketid=1996615
-
I can't access the support tickets, I'm an avast user like yourself.
In the meantime, if your system isn't lacking in resources, you could try what I suggested and see if any file that isn't aborted is subsequently detected by the file system shield; plus check if there is an appreciable performance hit with that setting.
-
But the advantage of webshield (if it works properly) is that the malware is blocked before it gets through
I mean this kind of protection is one step superior
I don't wanna compare products, but the advantage of Avast Free over Avira Free (for example) is the shields; otherwise, even avira can detect and catch the zipped file just after being downloaded (if you change its setting to scan archived files)
-
Update
I changed the setting this way:
file system shield, expert settings, packers.......... tick "all"
first, the dl process started, then webshield warned, the dl finished completely, then file shield warned and quarantined the file
as you see the webshield was bypassed....
-
OK, my bad, forgot it isn't all packers that are scanned by default only selective ones (executable ones, self-extracting).
-
OK, my bad, forgot it isn't all packers that are scanned by default only selective ones (executable ones, self-extracting).
default is "all packers" for the web shield.
-
OK, my bad, forgot it isn't all packers that are scanned by default only selective ones (executable ones, self-extracting).
default is "all packers" for the web shield.
But we are talking about the file system shield settings, as the file is not aborting as it should it isn't being blocked by the web shield. So the intention is to provide a second line of defence for archives that get past the web shield abort connection.
-
oh okay ... but I tell you, the user is gonna go nuts if he sets all packers for the file shield. I gave it a shot once for fun years ago; that slows down the whole system, especially install and uninstall operations, just don't do it ;)
ps: not sure, but I think MIME and "installer" archives are the worst to scan
-
The user has been made aware of the possible performance hit.
But what I want to know is why, when the abort connection is the only option, Chrome is completing the download.
-
noticing something strange here while testing with Eicar in Chrome: connection instantly aborted with the eicar files, while it takes a little while until the web shield takes a decision with archived eicar files, like 15-20 seconds (spinning animation in tab) and then the alert comes ... this delay to react with archives here isn't normal at all, especially when one considers the size of an Eicar archive.
-
This is exactly what we have been trying to find out why. It is almost as if Chrome ignores the abort connection, or if it does abort it, it then re-establishes the dropped connection and concludes the download.
Edit: just tested with firefox 10.0.2; whilst there was the delay that you mentioned, I got the alert (mine is set to ask though) and aborted the connection, then I got a second web shield alert (aborted again). I checked my downloads folder and no eicar_com.zip.
So working as expected in firefox.
EDIT2: I just wonder if the delay we are experiencing between clicking the download and the alert is down to the File Rep cloud check (presumably because this is a download it would be checked)?
-
Unfortunately the incompatible browser (chrome) is suggested by Avast installer and is my favorite :-[
-
Update
I changed the setting this way:
file system shield, expert settings, packers.......... tick "all"
first, the dl process started, then webshield warned, the dl finished completely, then file shield warned and quarantined the file
as you see the webshield was bypassed....
Do you think it is a good idea to leave the RAR and ZIP files ticked all the time?
-
tested with eicar_com.zip & eicarcom2.zip through http with google chrome, both blocked before download
dunno if it is my settings which helped in the blocking
also check if you have the Docs PDF/PowerPoint Viewer by Google in your extensions; I found out that if I enabled it, the webshield fails to block completely
google chrome v17.0.963.56
-
I also tested with the eicar zip, blocked instantly, no delay faced... I have even been playing with downloading malware in chrome on another machine but haven't seen a piece of malware that gets past the web shield even after it aborted the connection, at least with version 7.
That's why I have been suggesting to the avast team to make the file shield scan many more packers like RAR and ZIP packers where malware can be hiding [if not all], as we can get the chance of detecting something earlier and not waiting till the last moment of the file being extracted or something like it....
Moreover, I feel that chrome is in some way incompatible with the web shield. But I do know it's very rare that malicious downloads complete even after the web shield blocks them but are eventually blocked by the file shield [however in this case the file shield doesn't react due to the packer setting]; that's why I hope the avast team will make some changes to the default packers to be scanned by the file shield. Otherwise the web shield is always perfect in its job and I find it very accurate in blocking and aborting the connection. I also know that chrome is very sensitive and very granular: if you visit a malicious site with an iframe redirection in chrome, avast will block the site but chrome will still say the site is loading and it results in a blank page.... this doesn't happen in IE; if the same is done in IE, as soon as you see the web shield alert you can see IE saying site not found.
Thanks.
-
isn't this issue for the avast web shield supposed to be quite normal? as sometimes the alert is given by the webshield but the file was dropped at the last second and the alert kicked in? this actually happens sometimes.... it should be pretty normal though :/
-
Hi, WebShield blocks the connection as soon as the virus is detected. In ZIP files, where the directory of the zip container is at the end and the end of the file is needed to unpack, detection is actually only possible once almost the whole archive has been downloaded.
When the file is small, all works as you expect: the content is found and stopped. When the file is larger, the start might have already been delivered to the browser.
Have you tried to open the zip? Since not the whole file is downloaded by the browser, the content should actually be corrupted and impossible to open as a zip file. Some browsers in such a case (aborted download) don't save anything, since it was aborted before the end; other browsers save what they have. In any case, the file saved shouldn't be complete.
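The point made above (the central directory of a ZIP sits at the end of the file, so a scanner watching the stream can only decide once nearly the whole archive has arrived, and a download cut off before that point is unreadable as a zip) can be checked on a constructed archive. The following Python is an added example and is not Avast's code or anything posted in this thread; the sample archive it builds contains only harmless filler text, and `central_directory_offset` is a small hand-written parser of the End Of Central Directory record.

```python
import io
import struct
import zipfile

# Signature of the End Of Central Directory (EOCD) record, the last structure in a ZIP.
EOCD_SIGNATURE = b"PK\x05\x06"
EOCD_FIXED_SIZE = 22        # fixed part of the EOCD record
MAX_COMMENT_SIZE = 0xFFFF   # an optional archive comment may follow it


def build_sample_zip() -> bytes:
    """Constructed sample archive: a few stored (uncompressed) text entries.
    The content is harmless filler; it only stands in for a downloaded attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("photo_placeholder_1.txt", "filler text " * 2000)
        zf.writestr("photo_placeholder_2.txt", "more filler " * 3000)
        zf.writestr("readme.txt", "constructed sample archive, nothing inside")
    return buf.getvalue()


def central_directory_offset(data: bytes) -> int:
    """Parse the EOCD record at the tail of `data` and return the byte offset
    where the central directory starts.  Raises ValueError if no EOCD is present,
    which is exactly the state of a download that was cut off before the end."""
    tail = data[-(EOCD_FIXED_SIZE + MAX_COMMENT_SIZE):]
    pos = tail.rfind(EOCD_SIGNATURE)
    if pos < 0:
        raise ValueError("no EOCD record: archive is truncated or not a zip")
    record = tail[pos:pos + EOCD_FIXED_SIZE]
    if len(record) < EOCD_FIXED_SIZE:
        raise ValueError("EOCD record itself is truncated")
    # fields: signature, this disk, cd disk, entries on this disk, total entries,
    #         cd size, cd offset, comment length
    fields = struct.unpack("<4sHHHHIIH", record)
    return fields[6]


def fraction_before_directory(data: bytes) -> float:
    """Share of the archive that must be received before the central directory
    (and therefore the full entry list) is visible to a scanner."""
    return central_directory_offset(data) / len(data)


def can_list_entries(data: bytes) -> bool:
    """True if the bytes received so far form a readable archive; False for a
    partial download, where zipfile cannot find the central directory."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.namelist()
        return True
    except zipfile.BadZipFile:
        return False


def simulate_partial_download(data: bytes, received_fraction: float) -> dict:
    """Model the browser having received only the first part of the stream."""
    partial = data[: int(len(data) * received_fraction)]
    return {
        "received_bytes": len(partial),
        "total_bytes": len(data),
        "readable": can_list_entries(partial),
    }


if __name__ == "__main__":
    archive = build_sample_zip()
    print(f"archive size: {len(archive)} bytes")
    print(f"central directory starts at byte {central_directory_offset(archive)} "
          f"({fraction_before_directory(archive):.1%} of the file)")
    for frac in (0.5, 0.9, 0.99, 1.0):
        print(frac, simulate_partial_download(archive, frac))
```

On this sample the central directory begins in the last one percent of the file, so a proxy that waits for it has already passed almost every byte to the browser before it can decide; the 0.99 case shows that even a download cut off that late is still not a valid zip, which is the "corrupted and impossible to open" state described in the post.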
-
To activate the malware, you have to unpack it from the archive anyway - and it would be detected at that moment.
Yes, you can save an archive containing some malware to your disk (though it normally shouldn't happen with WebShield active) - but we won't change the defaults, because it would have a very negative impact on your machine, without real security benefit (as the first sentence says).
You can enable the unpackers for your installation, it's up to you - but don't be surprised if you copy an archive from one folder to another and your machine freezes for a minute.
-
Hi, WebShield blocks the connection as soon as the virus is detected. In ZIP files, where the directory of the zip container is at the end and the end of the file is needed to unpack, detection is actually only possible once almost the whole archive has been downloaded.
When the file is small, all works as you expect: the content is found and stopped. When the file is larger, the start might have already been delivered to the browser.
Have you tried to open the zip? Since not the whole file is downloaded by the browser, the content should actually be corrupted and impossible to open as a zip file. Some browsers in such a case (aborted download) don't save anything, since it was aborted before the end; other browsers save what they have. In any case, the file saved shouldn't be complete.
yes, I tried to unzip the file and it was intact (fileshield picked up the malware inside on extraction)
Do you think it is a good idea to leave the RAR and ZIP files ticked all the time?
NO, because zipped files are not harmful (till this time!!!) and activating this option will impact system performance; it was just a test to show webshield download bypassing by google chrome
I also tested with the eicar zip, blocked instantly, no delay faced... I have even been playing with downloading malware in chrome on another machine but haven't seen a piece of malware that gets past the web shield even after it aborted the connection, at least with version 7.
I have an idea: someone (a volunteer) gives me an email of his, I'll forward the spam to him, he checks it (downloads it 8 times using chrome) and tells us the results
-
Do you have the link for the infected zip file?
-
Do you have the link for the infected zip file?
No, it is in a spam mail
-
Maybe I'm just tired at the moment. Is there a way to add archive formats for Avast to scan inside those as well? I think it should be a feature to scan inside before the user opens the file. If I have half the files archived on my system holding infected files and someone else's machine does not have good enough anti-virus software to find it when they open it, this is a problem when passing files around.
Even as an option this just makes sense, to keep adding many archive formats, even as an option. Not having such a feature is rather lazy because it doesn't slow anything down if it is an optional turn on/off at user discretion based upon the user behavior.
-
This might have something to do with a corrupted installer. Idk, but search for the fix update for avast! 6x or 7x if that is the case.
-
This might have something to do with a corrupted installer. Idk, but search for the fix update for avast! 6x or 7x if that is the case.
nope, absolutely unrelated :D
-
Virus Total didn't detect anything with that site. I went to that site and avast! blocked it.
-
After all this downloading, first I scanned MY Documents (downloads) with avast and removed all the malware missed by webshield, then I disabled avast and scanned my system with ESET 5
the software found 4 malwares in the chrome cache!!!
I scanned them with jotti (virus total has blocked my country) and here is the result:
http://virusscan.jotti.org/en/scanresult/5c595911894ba767c67c37047d4e43a006ed49ad (http://virusscan.jotti.org/en/scanresult/5c595911894ba767c67c37047d4e43a006ed49ad)
http://virusscan.jotti.org/en/scanresult/449bde9a447fb09e6032fc58594276b525773ee8/10b8a707edfe449282dd3e755a6936468de99731 (http://virusscan.jotti.org/en/scanresult/449bde9a447fb09e6032fc58594276b525773ee8/10b8a707edfe449282dd3e755a6936468de99731)
http://virusscan.jotti.org/en/scanresult/449bde9a447fb09e6032fc58594276b525773ee8/a47a5a51087b6e156528c7ab69c00efbf7df1838 (http://virusscan.jotti.org/en/scanresult/449bde9a447fb09e6032fc58594276b525773ee8/a47a5a51087b6e156528c7ab69c00efbf7df1838)
http://virusscan.jotti.org/en/scanresult/a5874318f3fdb8e5141fa74748bca29ede05babe/36100f7e4e10e19c58ed5934780987ab1e88cc7e (http://virusscan.jotti.org/en/scanresult/a5874318f3fdb8e5141fa74748bca29ede05babe/36100f7e4e10e19c58ed5934780987ab1e88cc7e)
as you know jotti is not updated, so I zipped them and sent the packed file to avira online sample submission and here is the result:
we received the following archive files:
File ID Filename Size (Byte) Result
26609062 New_folder_3_.zip 175.37 KB OK
A listing of files contained inside archives alongside their results can be found below:
File ID Filename Size (Byte) Result
26602678 IMG04958.exe 35.5 KB MALWARE
26609006 n31.exe 210.5 KB MALWARE
26607534 unp2335604128.tmp 42.5 KB MALWARE
Please find a detailed report concerning each individual sample below:
Filename Result
IMG04958.exe MALWARE
The file 'IMG04958.exe' has been determined to be 'MALWARE'. Our analysts named the threat Worm/Gamarue.E.4. The term "WORM/" denotes a worm that is able to spread itself for instance over the Internet (using eMail, peer-to-peer networks, IRC networks etc.). Detection is added to our virus definition file (VDF) starting with version 7.11.21.116.
Filename Result
n31.exe MALWARE
The file 'n31.exe' has been determined to be 'MALWARE'. Our analysts named the threat DR/Delphi.Gen. The term "DR/" denotes a program that is able to place a virus or a malware discretely on a system. This file is detected by a special detection routine from the engine module.
Filename Result
unp2335604128.tmp MALWARE
The file 'unp2335604128.tmp' has been determined to be 'MALWARE'. Our analysts named the threat TR/Yakes.VB. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection will be added to our virus definition file (VDF) with one of the next updates.
this is microsoft analysis:
Analysis of the file(s) in Submission ID MMPC12030214442183 is now complete.
This is the final email that you will receive regarding this submission.
The Microsoft Malware Protection Center (MMPC) has investigated the following file(s) which we received on 3/2/2012 2:16:09 AM Pacific Time.
Below is the determination for your submission.
========
Submission ID MMPC12030214442183
Submitted Files
=============================================
New folder (3).zip [Worm:Win32/Gamarue.E]
+---n1.exe [PWS:Win32/Zuler.B]
+---f_000070 [Worm:Win32/Gamarue.E]
+---IMG04958.exe [Worm:Win32/Gamarue.E]
+---unp233560128.tmp [Worm:Win32/Gamarue.F]
three of these 4 are in the avast database (they are not in the "jotti scan" result because it is out of date)
As you see there was malware in the chrome cache, so maybe the webshield is not working properly