Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: phyniks on February 26, 2012, 09:38:44 PM

Title: Malware not blocked by webshield
Post by: phyniks on February 26, 2012, 09:38:44 PM
I'm using avast 7 and I think the version is a big improvement.
I'm receiving some trojan-containing spam (yahoo mail) and every time I want to download the file (testing avast), the webshield warns me that the malware is blocked:

http://www.avast.com/lp-security-information-fp2?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_70_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-ww%2Fvirus-alert-challenger2&p_vir=Win32:Ufraie-J&p_prc=&p_obj=&p_var=.%2Ffa%2Fen-ww%2Fvirus-alert-default2&p_pro=0&p_vep=7&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=369&p_lng=en&p_lid=en-ww&p_elm=7&p_vbd=1407

but it's been downloaded and the malware (zipped file) is in the "downloads" category of my MY DOCUMENTS
why does the malware get through after the warning and why does avast webshield not block it?!!
is it a bug or should I change something in the settings? (it is set by default)
Win 7 home premium
browser:chrome
Title: Re: Malware not blocked by webshield
Post by: DarkRadience on February 27, 2012, 12:32:32 AM
The question I have first is: is the malicious code still present in the zip? You could upload it to http://virustotal.com for more info, and post the results.
Truly I don't have much of a clue here but can be thinking on it.
Title: Re: Malware not blocked by webshield
Post by: phyniks on February 27, 2012, 04:38:02 AM
yes
the virus-containing zipped file is intact
scanning the file with avast shows the malware is there
just after chrome starts to download, the avast warning comes up saying the malware is blocked by webshield
but no termination happens and the file is downloaded completely!!!!
it is not harmful because the file is in a zipped folder, but avast webshield does not actually block the download process, it just warns!!!!

is there anyone who can explain why that happens?
i can send the trojan-containing mail to anyone who wants to see the bug
Title: Re: Malware not blocked by webshield
Post by: phyniks on February 27, 2012, 06:17:48 PM
Update:
I downloaded the file 8 times (its size is 27.3kb)
5 times the webshield warned before the download process and it was blocked properly
3 times the webshield warned after the browser started to download, and the file got through; webshield just warned, no actual blocking!!!
I think this is the bug, I hope avast will fix it
Title: Re: Malware not blocked by webshield
Post by: true indian on February 27, 2012, 06:19:44 PM
extract the file and it will be caught in file shield  ;D
Title: Re: Malware not blocked by webshield
Post by: Hermite15 on February 27, 2012, 06:22:21 PM
extract the file and it will be caught in file shield  ;D

@true indian >>> STOP POSTING USELESS STUFF HERE !!! ... you already advised someone who solved his problem running the uninstall utility to >>> run the uninstall utility  ::) >>> now the problem here is why the web shield doesn't block malware off and on, not what happens if you extract an infected archive and the file shield interferes, is that clear for you now ???
Title: Re: Malware not blocked by webshield
Post by: Hermite15 on February 27, 2012, 06:26:22 PM
@the OP now: what are your web shield settings ... I don't like this issue .. did you upload that zip to Avast (from chest) ?
Title: Re: Malware not blocked by webshield
Post by: phyniks on February 27, 2012, 06:30:59 PM
As I said everything is set by default (avast free 7.0.1407, chrome 17)
I submitted and explained the case, but the file is KNOWN to the avast database; the problem is the webshield's inability to block the download process
I've sent the issue to the avast center and I hope there will be a fix
https://support.avast.com/index.php?loginresult=1&group=eng&_m=tickets&_a=viewticket&ticketid=2654986

as I said I can forward the mail to anyone who wants to examine it (it is not harmful because it is zipped)
Title: Re: Malware not blocked by webshield
Post by: lukas.hasik on February 27, 2012, 06:41:48 PM
Could you attach the zip file to the ticket you've submitted?
Title: Re: Malware not blocked by webshield
Post by: MAG on February 27, 2012, 07:06:23 PM
I seem to recall vlk saying in a post (years ago) that not all browsers 'respect' the webshield block. Some just keep retrying - and depending on download speed response/reset times they may succeed.

(I also seem to recall him saying that IE does respect it). this was a long time ago though - I could easily be misremembering)

(and the more I think about that it doesn't seem to make sense - avastSvc should be in the way if it is being used as proxy)
Title: Re: Malware not blocked by webshield
Post by: phyniks on February 27, 2012, 07:15:13 PM
Could you attach the zip file to the ticket you've submitted?
I've just attached it
then I downloaded what I uploaded and unfortunately there is no webshield blocking (not even a warning)  :'(
what is the matter with the webshield?!!!!
everyone, just DL it and say what happens plz
Title: Re: Malware not blocked by webshield
Post by: Vlk on February 27, 2012, 07:18:47 PM
Could you attach the zip file to the ticket you've submitted?
I've just attached it
then I downloaded what I uploaded and unfortunately there is no webshield blocking (not even a warning)  :'(
what is the matter with the webshield?!!!!
everyone, just DL it and say what happens plz

support.avast.com runs HTTPS so there's no WebShield...
Title: Re: Malware not blocked by webshield
Post by: phyniks on February 27, 2012, 07:23:05 PM
support.avast.com runs HTTPS so there's no WebShield...

what about the case in yahoo mail?
why can't webshield stop google chrome downloading the malware (it said it did)?
Title: Re: Malware not blocked by webshield
Post by: Hermite15 on February 27, 2012, 11:25:07 PM
please guys, Vlk and Lukas, let us know in this thread what happened, and if the issue can be reproduced and fixed.

 I've seen this happen very long ago, with V5, the web shield behaving strangely off and on, exactly like what the OP reported: downloading the same file (tested that with Eicar archive on plain http at the time with V5), warning and connection aborted as expected, or randomly warning, but the connection isn't aborted and of course the file is still downloaded. Thanks.
Title: Re: Malware not blocked by webshield
Post by: phyniks on February 28, 2012, 03:33:26 PM
I'm receiving that virus-containing spam again with different subjects such as
"THIS PHOTO TELLS YOU ALL",
"THIS PHOTO TELL YOU WHAT",
"YOU GOTTA BE KIIDING ME",
"IS IT REALLY YOU IN THIS PICTURE"
and avast webshield is still missing every other one (one in, one out)
and unfortunately here is the avast support response by "Petr Bucek, 2nd level Technical Support", who seems not to have read the issue carefully: :-\

Hello,

Thanks for the file, which is already being detected by avast! antivirus.

If I can be of any further assistance, please do not hesitate to contact me again.

With Kind Regards,


Petr Bucek
2nd level Technical Support

AVAST Software a. s.
Budějovická 1518/13A
140 00 Prague, Czech Republic
Title: Re: Malware not blocked by webshield
Post by: DavidR on February 28, 2012, 04:24:19 PM
I take it you have contacted him again ?
The problem is, as you have said, initially the web shield alerts and attempts to abort the connection, but in the background that may have completed. So essentially avast is detecting it (as confirmed in the support reply). I don't know if in your contact with support you made it clear that the web shield was detecting it, but the real problem is that it isn't blocking it from being downloaded.

Generally the web shield will abort the connection to stop the content being downloaded, but some browsers may disregard the abort connection and complete it. I think I recall something like that before in relation to chrome in the forums.

The secondary problem is that the file system shield doesn't scan zip files by default (as they are inert), so it isn't being picked up when the abort connection doesn't drop the connection or the browser disregards the abort and tries to complete the download.

You could of course change the file system shield, expert settings, Scan when writing, and check the Scan all files. This would effectively be scanning 'all' newly created/written files and this would include files written to the hard disk. However this could have an impact on system performance.
Title: Re: Malware not blocked by webshield
Post by: phyniks on February 28, 2012, 06:45:12 PM
Dear David
I tried my best to explain the case, but as I said he might not have read it carefully
here is my first explanation:

I have received a spam in my yahoo mail which contained a virus
while downloading (chrome as the browser) the webshield warned and said the malware is blocked:

http://www.avast.com/lp-security-information-fp2?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_70_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-ww%2Fvirus-alert-challenger2&p_vir=Win32:Ufraie-J&p_prc=&p_obj=&p_var=.%2Ffa%2Fen-ww%2Fvirus-alert-default2&p_pro=0&p_vep=7&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=369&p_lng=en&p_lid=en-ww&p_elm=7&p_vbd=1407

but surprisingly the download process was not terminated and the malware (which was in a zipped file) came through to my MY DOCUMENTS!!!
scanning the file showed the virus was there; it was not harmful because it was in a zipped file, but the webshield could not block the download process
I don't know if it is a bug or I have to change the settings (set by default)
I'm using avast 7 free 7.0.1407 and my system is an hp laptop dv6000se, amd, quad-core, win7 home premium, browser is chrome 17


after his first response I explained it again this way:

Oh sir
please...
did you read the problem carefully?!!
of course it was in your database, my problem was avast webshield's inability to stop the download process by google chrome
in 50% of cases it just warns and says it is blocked, but it does not terminate the downloading and the file comes to MY DOCUMENTS
(sometimes the avast warning is before the download and it is fully blocked, but sometimes it starts after the dl process and does not terminate it)

Let's hope he gets the case. . .

all the story is here (I dont know if you can access):
https://support.avast.com/index.php?_m=tickets&_a=viewticket&ticketid=1996615
Title: Re: Malware not blocked by webshield
Post by: DavidR on February 28, 2012, 06:55:07 PM
I can't access the support tickets, I'm an avast user like yourself.

In the meantime, if your system isn't lacking in resources, you could try what I suggested and see if any file that isn't aborted is subsequently detected by the file system shield; plus check if there is an appreciable performance hit with that setting.
Title: Re: Malware not blocked by webshield
Post by: phyniks on February 28, 2012, 07:12:30 PM

But the advantage of webshield (if it works properly) is that the malware is blocked before it gets through
I mean this kind of protection is one step superior
I don't wanna compare products, but the advantage of Avast Free over Avira Free (for example) is the shields; otherwise even avira can detect and catch the zipped file just after being downloaded (if you change its settings to scan archived files)
Title: Re: Malware not blocked by webshield
Post by: phyniks on February 28, 2012, 07:26:04 PM
Update

I changed the settings this way:

file system shield, expert settings, packers.......... tick "all"

first, the dl process started, then webshield warned, the dl finished completely, then file shield warned and quarantined the file
as you see the webshield was bypassed....
Title: Re: Malware not blocked by webshield
Post by: DavidR on February 28, 2012, 09:07:08 PM
OK, my bad, forgot it isn't all packers that are scanned by default only selective ones (executable ones, self-extracting).
Title: Re: Malware not blocked by webshield
Post by: Hermite15 on February 28, 2012, 09:18:51 PM
OK, my bad, forgot it isn't all packers that are scanned by default only selective ones (executable ones, self-extracting).

default is "all packers" for the web shield.
Title: Re: Malware not blocked by webshield
Post by: DavidR on February 28, 2012, 10:11:54 PM
OK, my bad, forgot it isn't all packers that are scanned by default only selective ones (executable ones, self-extracting).

default is "all packers" for the web shield.

But we are talking about the file system shield settings, as the file is not aborting as it should it isn't being blocked by the web shield. So the intention is to provide a second line of defence for archives that get past the web shield abort connection.
Title: Re: Malware not blocked by webshield
Post by: Hermite15 on February 28, 2012, 10:33:06 PM
oh okay ... but I tell you, the user is gonna go nuts if he sets all packers for the file shield. I gave it a shot once for fun years ago, that slows down the whole system, especially install and uninstall operations, just don't do it ;)

ps: not sure, but I think MIME and "installer" archives are the worst to scan
Title: Re: Malware not blocked by webshield
Post by: DavidR on February 29, 2012, 01:01:50 AM
The user has been made aware of the possible performance hit.

But what I want to know is why, when the abort connection is the only option, Chrome is completing the download.
Title: Re: Malware not blocked by webshield
Post by: Hermite15 on February 29, 2012, 01:09:35 AM
noticing something strange here while testing with Eicar in Chrome: connection instantly aborted with the eicar files, while it takes a little while until the web shield takes a decision with archived eicar files, like 15-20 seconds (spinning animation in tab) and then the alert comes ... this delay to react with archives here isn't normal at all, especially when one considers the size of an Eicar archive.
Title: Re: Malware not blocked by webshield
Post by: DavidR on February 29, 2012, 01:29:11 AM
This is exactly what we have been trying to find out. It is almost as if Chrome ignores the abort connection or, if it does abort it, then re-establishes the dropped connection and concludes the download.

Edit: just tested with firefox 10.0.2, whilst there was a delay that you mentioned I got the alert (mine is set to ask though) and aborted the connection, I got a second web shield alert (aborted again). I checked my downloads folder and no eicar_com.zip.

So working as expected in firefox.

EDIT2: I just wonder if the delay we are experiencing between the clicking the download and the alert is down to the File Rep cloud check (as presumably because this is a download it would be checked) ?
Title: Re: Malware not blocked by webshield
Post by: phyniks on February 29, 2012, 04:51:51 AM
Unfortunately the incompatible browser (chrome) is suggested by Avast installer and is my favorite  :-[
Title: Re: Malware not blocked by webshield
Post by: hardov on February 29, 2012, 05:01:40 AM
Update

I changed the settings this way:

file system shield, expert settings, packers.......... tick "all"

first, the dl process started, then webshield warned, the dl finished completely, then file shield warned and quarantined the file
as you see the webshield was bypassed....


Do you think it is a good idea to leave RAR and ZIP files ticked all the time?
Title: Re: Malware not blocked by webshield
Post by: AntiVirusASeT on February 29, 2012, 05:45:29 AM
tested with eicar_com.zip & eicarcom2.zip through http with google chrome, both blocked before download

dunno if it is my settings which helped in the blocking
also check if you have the docs pdf/powerpoint viewer by google in your extensions; i found out that if i enabled it, the webshield fails to block completely

google chrome v17.0.963.56
Title: Re: Malware not blocked by webshield
Post by: true indian on February 29, 2012, 08:34:27 AM
I also tested with the eicar zip, blocked instantly, no delay faced... i have even been playing with downloading malware in chrome on another machine but haven't seen a piece of malware that gets past the web shield even after it aborted the connection, at least with version 7

That's why i have been suggesting to the avast team to make the file shield scan many more packers like RAR and ZIP packers where malware can be hiding [if not all], as we can get the chance of detecting something earlier and not waiting till the last moment of the file being extracted or something like it....

Moreover, i feel that chrome is in some way incompatible with the web shield. But i do know it's very rare that malicious downloads complete even after the web shield blocks them, but they are eventually blocked by the file shield [however in this case the file shield doesn't react due to the packer setting]. That's why i hope the avast team will make some changes to the default packers to be scanned by the file shield; otherwise the web shield is always perfect in its job and i find it very accurate in blocking and aborting the connection. I also know that chrome is very sensitive and very granular: if you visit a malicious site with an iframe redirection in chrome, avast will block the site but chrome will still say the site is loading and it results in a blank page.... this doesn't happen in IE; if the same is done in IE, as soon as you see the web shield alert you can see IE saying site not found.


Thanks.
Title: Re: Malware not blocked by webshield
Post by: akama1 on February 29, 2012, 01:54:48 PM
isn't this issue with the avast web shield supposed to be quite normal? as sometimes the alert is given by the webshield but the file was dropped at the last second and the alert kicked in? this actually happens sometimes.... it should be pretty normal though :/
Title: Re: Malware not blocked by webshield
Post by: lukor on February 29, 2012, 03:27:54 PM
Hi, WebShield blocks the connection as soon as the virus is detected. In ZIP files, where the directory of the zip container is at the end and the end of the file is needed for unpacking, the detection is actually only possible once almost the whole archive has been downloaded.

When the file is small, all works as you expect: the content is found and stopped. When the file is larger, the start might have already been delivered to the browser.

Have you tried to open the zip? Since not the whole file is downloaded by the browser, the content should actually be corrupted and impossible to open as a zip file. Some browsers in such a case (aborted download) don't save anything, since it was aborted before the end; other browsers save what they have. In any case, the file saved shouldn't be complete.
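The layout lukor describes, as an added example (written for this edit, not code from the thread or from Avast): a Python checker that reads the ZIP end-of-central-directory record and the central directory by hand, reports how far into the file the directory starts (i.e. how much of a download must arrive before the archive can be listed), and classifies a saved file as complete, truncated, corrupt or not a ZIP. The sample archive and its member names are constructed inside the script.

```python
"""Added example (not from the forum thread, not Avast code): why a ZIP can
only be inspected once its tail has arrived, and how to tell a complete
saved download from a truncated one."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"      # end of central directory record
CD_SIG = b"PK\x01\x02"        # central directory file header
LOCAL_SIG = b"PK\x03\x04"     # local file header (first bytes of a ZIP)


def build_sample_zip() -> bytes:
    """Constructed sample archive standing in for the attachment from the
    thread; members are harmless text, stored uncompressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("IMG04958.txt", "constructed member one\n" * 300)
        zf.writestr("readme.txt", "constructed member two\n" * 60)
    return buf.getvalue()


def find_eocd(data: bytes):
    """Return (eocd_pos, entry_count, cd_size, cd_offset) or None.
    The EOCD sits at the very end of the file (before an optional comment
    of at most 65535 bytes), so it is the last thing a download delivers."""
    start = max(0, len(data) - 22 - 65535)
    pos = data.rfind(EOCD_SIG, start)
    if pos < 0 or pos + 22 > len(data):
        return None
    _, _, _, total, cd_size, cd_offset, _ = struct.unpack(
        "<HHHHIIH", data[pos + 4:pos + 22])
    return pos, total, cd_size, cd_offset


def member_names(data: bytes):
    """Walk the central directory and return the member names; this is the
    listing a scanner needs before it can pick members to unpack."""
    eocd = find_eocd(data)
    if eocd is None:
        raise ValueError("no central directory: file truncated or not a ZIP")
    _, total, cd_size, cd_offset = eocd
    names, p, end = [], cd_offset, cd_offset + cd_size
    for _ in range(total):
        if data[p:p + 4] != CD_SIG or p + 46 > end:
            raise ValueError("central directory corrupt")
        fields = struct.unpack("<6H3L5H2L", data[p + 4:p + 46])
        name_len, extra_len, comment_len = fields[9], fields[10], fields[11]
        names.append(data[p + 46:p + 46 + name_len].decode("utf-8", "replace"))
        p += 46 + name_len + extra_len + comment_len
    return names


def central_directory_position(data: bytes) -> float:
    """Fraction of the file that must arrive before the central directory
    starts, i.e. before the archive can be listed at all."""
    eocd = find_eocd(data)
    if eocd is None:
        raise ValueError("no central directory")
    return eocd[3] / len(data)


def classify_download(data: bytes) -> str:
    """'complete', 'truncated', 'corrupt' or 'not-a-zip' for a saved file."""
    eocd = find_eocd(data)
    if eocd is None:
        # a ZIP whose tail never arrived still begins with a local header
        return "truncated" if data.startswith(LOCAL_SIG) else "not-a-zip"
    pos, _, cd_size, cd_offset = eocd
    if cd_offset + cd_size > pos:
        return "corrupt"
    try:
        member_names(data)
    except ValueError:
        return "corrupt"
    return "complete"


if __name__ == "__main__":
    full = build_sample_zip()
    partial = full[: len(full) * 9 // 10]   # what an aborted download might leave
    print("members:", member_names(full))
    print("central directory starts at %.1f%% of the file"
          % (100 * central_directory_position(full)))
    print("full download:", classify_download(full))
    print("aborted at 90%:", classify_download(partial))
```

Run it against a saved download to see whether the browser kept a complete archive (as the OP reports) or only the partial bytes lukor expects.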
Title: Re: Malware not blocked by webshield
Post by: igor on February 29, 2012, 03:35:10 PM
To activate the malware, you have to unpack it from the archive anyway - and it would be detected at that moment.
Yes, you can save an archive containing some malware to your disk (though it normally shouldn't happen with WebShield active) - but we won't change the defaults, because it would have a very negative impact on your machine, without real security benefit (as the first sentence says).
You can enable the unpackers for your installation, it's up to you - but don't be surprised if you copy an archive from one folder to another and your machine freezes for a minute.
Title: Re: Malware not blocked by webshield
Post by: phyniks on February 29, 2012, 03:45:16 PM
Hi, WebShield blocks the connection as soon as the virus is detected. In ZIP files, where the directory of the zip container is at the end and the end of the file is needed for unpacking, the detection is actually only possible once almost the whole archive has been downloaded.

When the file is small, all works as you expect: the content is found and stopped. When the file is larger, the start might have already been delivered to the browser.

Have you tried to open the zip? Since not the whole file is downloaded by the browser, the content should actually be corrupted and impossible to open as a zip file. Some browsers in such a case (aborted download) don't save anything, since it was aborted before the end; other browsers save what they have. In any case, the file saved shouldn't be complete.

yes I tried to unzip the file and it was intact (file shield picked up the malware inside on extraction)

Do you think it is a good idea to leave RAR and ZIP files ticked all the time?

NO, because zipped files are not harmful (till this time!!!) and activating this option will impact system performance; it was just a test to show webshield download bypassing by google chrome


I also tested with the eicar zip, blocked instantly, no delay faced... i have even been playing with downloading malware in chrome on another machine but haven't seen a piece of malware that gets past the web shield even after it aborted the connection, at least with version 7

I have an idea: someone (a volunteer) gives me an email of his, I'll forward the spam to him, he checks it (downloads it 8 times using chrome) and tells us the results
Title: Re: Malware not blocked by webshield
Post by: lukor on February 29, 2012, 03:46:51 PM
Do you have the link for the infected zip file?
Title: Re: Malware not blocked by webshield
Post by: phyniks on February 29, 2012, 03:51:36 PM
Do you have the link for the infected zip file?
No, it is in a spam mail
Title: Re: Malware not blocked by webshield
Post by: The Kitchen Sink on February 29, 2012, 08:05:45 PM
Maybe I'm just tired at the moment. Is there a way to add archive formats for Avast to scan inside those as well? I think it should be a feature to scan inside before the user opens the file. If I have half the files archived on my system holding infected files and someone else's machine does not have good enough anti virus software to find it when they open it. This is a problem when passing files around.

Even as an option this just makes sense to keep adding many archive formats, even as an option. Not having such a feature is rather lazy because it doesn't slow anything down if it is an optional turn on/off at user discretion based upon the user behavior.
Title: Re: Malware not blocked by webshield
Post by: TheFireflame11 on February 29, 2012, 08:32:37 PM
This might have something to do with the corrupted installer. Idk, but search for the fix update for avast! 6x or 7x if it is the case.
Title: Re: Malware not blocked by webshield
Post by: Hermite15 on February 29, 2012, 08:33:56 PM
This might have something to do with the corrupted installer. Idk, but search for the fix update for avast! 6x or 7x if it is the case.

nope, absolutely unrelated  :D
Title: Re: Malware not blocked by webshield
Post by: TheFireflame11 on February 29, 2012, 08:59:09 PM
Virus Total didn't detect anything with that site. I went to that site and avast! blocked it.
Title: Re: Malware not blocked by webshield
Post by: phyniks on March 02, 2012, 11:49:13 AM
After all this downloading, first I scanned MY Documents (downloads) with avast and removed all the malware missed by webshield, then I disabled avast and scanned my system with ESET 5
the software found 4 malwares in the chrome cache!!!
I scanned them with jotti (virus total has blocked my country) and here is the result:

http://virusscan.jotti.org/en/scanresult/5c595911894ba767c67c37047d4e43a006ed49ad

http://virusscan.jotti.org/en/scanresult/449bde9a447fb09e6032fc58594276b525773ee8/10b8a707edfe449282dd3e755a6936468de99731

http://virusscan.jotti.org/en/scanresult/449bde9a447fb09e6032fc58594276b525773ee8/a47a5a51087b6e156528c7ab69c00efbf7df1838

http://virusscan.jotti.org/en/scanresult/a5874318f3fdb8e5141fa74748bca29ede05babe/36100f7e4e10e19c58ed5934780987ab1e88cc7e

as you know jotti is not updated, so I zipped them and sent the packed file to avira online sample submission and here is the result:

we received the following archive files:
File ID    Filename    Size (Byte)   Result
26609062    New_folder_3_.zip   175.37 KB   OK
A listing of files contained inside archives alongside their results can be found below:
File ID    Filename    Size (Byte)   Result
26602678    IMG04958.exe    35.5 KB    MALWARE
26609006    n31.exe    210.5 KB    MALWARE
26607534    unp2335604128.tmp    42.5 KB    MALWARE

Please find a detailed report concerning each individual sample below:
 Filename   Result
 IMG04958.exe    MALWARE

The file 'IMG04958.exe' has been determined to be 'MALWARE'. Our analysts named the threat Worm/Gamarue.E.4. The term "WORM/" denotes a worm that is able to spread itself for instance over the Internet (using eMail, peer-to-peer networks, IRC networks etc.). Detection is added to our virus definition file (VDF) starting with version 7.11.21.116.

 Filename   Result
 n31.exe    MALWARE

The file 'n31.exe' has been determined to be 'MALWARE'. Our analysts named the threat DR/Delphi.Gen. The term "DR/" denotes a program that is able to place a virus or a malware discretely on a system. This file is detected by a special detection routine from the engine module.

 Filename   Result
 unp2335604128.tmp    MALWARE

The file 'unp2335604128.tmp' has been determined to be 'MALWARE'. Our analysts named the threat TR/Yakes.VB. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection will be added to our virus definition file (VDF) with one of the next updates.


this is microsoft's analysis:

Analysis of the file(s) in Submission ID MMPC12030214442183 is now complete.

This is the final email that you will receive regarding this submission.

The Microsoft Malware Protection Center (MMPC) has investigated the following file(s) which we received on 3/2/2012 2:16:09 AM Pacific Time.
Below is the determination for your submission.

========
Submission ID MMPC12030214442183

  Submitted Files
  =============================================
  New folder (3).zip [Worm:Win32/Gamarue.E]
  +---n1.exe [PWS:Win32/Zuler.B]
  +---f_000070 [Worm:Win32/Gamarue.E]
      +---IMG04958.exe [Worm:Win32/Gamarue.E]
  +---unp233560128.tmp [Worm:Win32/Gamarue.F]



three of these 4 are in the avast database (they are not in the "jotti scan" result because it is outdated)
As you see there was malware in the chrome cache, so maybe the webshield is not working properly