Author Topic: Scanning of archives  (Read 8436 times)


jamesvaul

  • Guest
Scanning of archives
« on: October 19, 2006, 08:00:52 PM »
Avast is not able to detect some viruses when you do a scan from the main avast antivirus interface (0 virus found!!!) but the virus is detected if you use the scan explorer shell extension. Why? So scanning folders or the whole hard disk from the main avast antivirus interface is useless???

In the test folder I have keyfinder.exe



and when you use the scan explorer shell extension the virus is detected, but Avast is not able to remove that virus:



I uploaded here the file used during the test (tested the exe inside): http://rapidshare.de/files/37365307/keyfinder.rar.html
« Last Edit: October 20, 2006, 10:13:05 AM by igor »

Offline Bluesman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 926
  • Amiga Power!
Re: Warning: dangerous bug in Avast
« Reply #1 on: October 19, 2006, 08:12:48 PM »
Quote
1) Avast is not able to detect some viruses when you do a scan from the main avast antivirus interface

What was the name of these viruses?
"The blues are the roots, everything else is the fruits" -Willie Dixon

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Warning: dangerous bug in Avast
« Reply #2 on: October 19, 2006, 08:29:45 PM »
I believe that the issue you are reporting is nothing new.

You ran a standard scan - a standard scan does not unpack archive files. I believe that the rationale is that malware sitting in an archive file is not about to be executed. If you unpacked the rar file yourself then the malware would be detected. If you ran a thorough scan then the archive file would be unpacked and the malware reported.

The explorer shell extension (ashquick.exe) executes a thorough scan and does unpack archive files.

It is frequently recommended here that all file downloaders should (whenever provision is made) invoke ashquick.exe to scan files being downloaded and so prevent them getting into your file store.   I assume you bypassed that recommendation to get the rar file in place.

It is for this reason too that it is recommended in this forum that first time avast users should run a thorough scan.

Spyros

  • Guest
Re: Warning: dangerous bug in Avast
« Reply #3 on: October 19, 2006, 08:32:16 PM »
In the screenshot you don't have "Test archives" enabled, although the malware is "keyfinder.rar" (which of course IS an archive).

[Edit: please avoid silly thread titles if you are not 100% sure what you're doing!]
« Last Edit: October 19, 2006, 08:34:20 PM by Spyros »

jamesvaul

  • Guest
Re: Warning: dangerous bug in Avast
« Reply #4 on: October 19, 2006, 08:36:32 PM »
Quote
In the screenshot you don't have "Test archives" enabled, although the malware is "keyfinder.rar" (which of course IS an archive).

[Edit: please avoid silly thread titles if you are not 100% sure what you're doing!]

I've tested the .exe, look at the images.
Try it yourself: extract the exe from this rar and test it http://rapidshare.de/files/37365307/keyfinder.rar.html
« Last Edit: October 19, 2006, 08:46:04 PM by jamesvaul »

Spyros

  • Guest
Re: Warning: dangerous bug in Avast
« Reply #5 on: October 19, 2006, 08:44:57 PM »
Sorry, but I can't reproduce it now, because I'm testing another AV on this machine right now. Maybe someone else can help you out.
Please remove the malware link, you never know in what way other people may use it ;)

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11873
    • AVAST Software
Re: Scanning of archives
« Reply #6 on: October 19, 2006, 09:02:00 PM »
Just as alanrf said: you don't have the scanning of archives enabled and this file is an archive (RAR SFX, in particular - and I'm talking about the EXE file, not about the outer RAR layer). If you check the "Test archives" option, it will be detected.

So, there's no bug here.
« Last Edit: October 20, 2006, 10:13:19 AM by igor »

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Scanning of archives
« Reply #7 on: October 19, 2006, 09:09:40 PM »
Here is the result when I place your file in a folder and run a standard scan of the folder.

Edit: I just rechecked - although I did a standard scan I did have the "scan archive" box checked. As igor has pointed out, this file is, in itself, an archive file. The ashquick.exe scan shows it containing 6 files.

« Last Edit: October 19, 2006, 09:16:55 PM by alanrf »

jamesvaul

  • Guest
Re: Scanning of archives
« Reply #8 on: October 20, 2006, 10:25:58 AM »
Quote
So, there's no bug here.

Avast is not able to delete the infected file (The operation is not supported for this type of archive: can't process..) so there's a huge bug!

« Last Edit: October 20, 2006, 10:35:02 AM by jamesvaul »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11873
    • AVAST Software
Re: Scanning of archives
« Reply #9 on: October 20, 2006, 10:32:58 AM »
No, it is not!
Please read the message: "The operation is not supported for this type of archive". That's it - deleting the file from the archive is not supported, and it's clearly stated - so it's not a bug. The archive is a solid RAR SFX - and it's not possible to delete files from solid archives (that would require avast! to recompress the archive, but the RAR compression algorithm is closed).

Simply put, avast! is not an archive processing tool, allowing you to do whatever you want with them. It is trying to do its best, but there are some limits.

The "Delete all" button does the following: "try to delete all next detected files, without stopping and displaying any windows". You are right that in some cases, a (failure) message should be displayed, but that would go against the idea of not stopping with any windows...
« Last Edit: October 20, 2006, 10:35:20 AM by igor »
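
Added example, not part of any forum post and not avast! code: a minimal check for the two properties the replies above rely on, namely that an EXE can itself be a RAR archive (SFX) and that the archive can be solid. It assumes the RAR 1.5-4.x header layout (7-byte marker, main header type 0x73, solid flag 0x0008), does not cover the RAR5 format, and runs on constructed sample bytes.

```python
import struct

RAR4_MARKER = b"Rar!\x1a\x07\x00"  # RAR 1.5-4.x marker block
MAIN_HEAD = 0x73                    # HEAD_TYPE of the main archive header
MHD_SOLID = 0x0008                  # HEAD_FLAGS bit: solid archive
MAIN_HEAD_MIN = 13                  # CRC(2) TYPE(1) FLAGS(2) SIZE(2) reserved(6)


def inspect_rar_sfx(data: bytes):
    """Return None if no RAR 4.x archive is embedded, else a description dict."""
    pos = data.find(RAR4_MARKER)
    while pos != -1:
        start = pos + len(RAR4_MARKER)
        hdr = data[start:start + 7]
        if len(hdr) == 7:
            _crc, head_type, flags, size = struct.unpack("<HBHH", hdr)
            # The marker bytes can also occur inside the SFX stub, so only
            # accept a hit followed by a plausible main archive header.
            if head_type == MAIN_HEAD and size >= MAIN_HEAD_MIN:
                return {
                    "offset": pos,
                    "sfx": pos > 0 and data[:2] == b"MZ",
                    "solid": bool(flags & MHD_SOLID),
                }
        pos = data.find(RAR4_MARKER, pos + 1)
    return None


def triage(data: bytes) -> str:
    info = inspect_rar_sfx(data)
    if info is None:
        return "no embedded RAR: ordinary file scan"
    kind = "RAR SFX" if info["sfx"] else "RAR archive"
    if info["solid"]:
        return f"{kind}, solid: scan with archive unpacking; single members cannot be deleted"
    return f"{kind}: scan with archive unpacking"


def main_header(flags: int) -> bytes:
    # Constructed main header; the CRC field is left at 0 and is not verified here.
    return struct.pack("<HBHHHI", 0, MAIN_HEAD, flags, MAIN_HEAD_MIN, 0, 0)


# Constructed samples: a fake "MZ" stub that contains a decoy marker.
STUB = b"MZ" + b"\x00" * 62 + RAR4_MARKER + b"\xff" * 7 + b"\x00" * 32
SOLID_SFX = STUB + RAR4_MARKER + main_header(MHD_SOLID)
PLAIN_SFX = STUB + RAR4_MARKER + main_header(0)

if __name__ == "__main__":
    for name, blob in [("solid sfx", SOLID_SFX), ("sfx", PLAIN_SFX), ("exe", STUB)]:
        print(name, "->", triage(blob))
```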

jamesvaul

  • Guest
Re: Scanning of archives
« Reply #10 on: October 20, 2006, 10:37:51 AM »
Quote
The archive is a solid RAR SFX - and it's not possible to delete files from solid archives (that would require avast! to recompress the archive, but the RAR compression algorithm is closed).

Is it so difficult to delete the whole infected rar archive automatically? Every other antivirus product does it; a-squared free is also able to remove it.
« Last Edit: October 20, 2006, 10:39:38 AM by jamesvaul »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11873
    • AVAST Software
Re: Scanning of archives
« Reply #11 on: October 20, 2006, 10:50:29 AM »
Well, it's not that difficult - the question is if you really want it.
Imagine you use RAR as a backup tool and pack the content of your hard disk (or an important folder, doesn't matter). Now, you scan it with avast! and it detects one infected item inside; you choose to delete it - and the whole archive is gone, together with all your backups. Oops...

So, this kind of processing would require additional options or questions to the user - which would bother most of them. I hope such an option will be implemented in one of the future versions, but it will need some GUI changes.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Scanning of archives
« Reply #12 on: October 20, 2006, 04:51:47 PM »
Quote
Well, it's not that difficult - the question is if you really want it.

There are applications that ask the user if they want to do so.
It's better, much better, than trying to repair or send the file to Chest and receive the 'stupid' message that avast can't handle this kind of package (file or archive).
The user clicks again and again and nothing happens... He/she will blame it on an avast malfunction...
I would like to see an option to send to Chest (and even delete) the whole archive file (zip, rar, etc.).

Quote
So, this kind of processing would require additional options or questions to the user - which would bother most of them.
I hope such an option will be implemented in one of the future versions, but it will need some GUI changes.

You can automate it ('Don't ask again...')... I hope you can do it...
The best things in life are free.