Author Topic: Avast did not BLOCK a virus  (Read 10145 times)


Offline zimm

  • Newbie
  • *
  • Posts: 6
Avast did not BLOCK a virus
« on: March 12, 2004, 02:34:54 PM »
Yesterday, while browsing, the Avast alarm went off, saying that there was a virus located in //windows/temporary internet files....... and that it could not fix or delete it.

I rebooted, and then Avast could not find the virus.
Okay - temp file gone.

But how did a virus make it PAST Avast to be saved anywhere in my computer?

Am I still in the Norton mode, expecting a virus shield to block these sorts of invasions?

Thanks

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9348
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Avast did not BLOCK a virus
« Reply #1 on: March 12, 2004, 02:40:10 PM »
An antivirus program cannot block something that is on the internet. It needs to read some information, and to do this it needs to store the file in resident memory (RAM) or on disk. As soon as it's written to disk, Resident Shield detects it and gives you multiple options (Virus warning window). The virus itself cannot infect the system if it isn't executed. It's just there doing nothing. So this is a perfectly safe and standard method of all antivirus programs.
Visit my webpage Angry Sheep Blog

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re:Avast did not BLOCK a virus
« Reply #2 on: March 13, 2004, 06:31:08 PM »
McAfee has a module called "Internet scanner" that supposedly should detect the files in communication (at least before the on-access file scanner). Don't know how it worked though..
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9348
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Avast did not BLOCK a virus
« Reply #3 on: March 13, 2004, 06:39:07 PM »
This McAfee module probably worked as a controlled cache, so files were first downloaded to that space and checked; after that they were copied to disk, or rejected if found infected. Because it's fully controlled by the antivirus, there is no problem with locked or in-use files. But as far as I know, Resident Shield can handle ANY threat that comes directly through browsing, because everything you view needs to be stored in the browser cache, and there Standard Shield detects malicious code.
Visit my webpage Angry Sheep Blog

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re:Avast did not BLOCK a virus
« Reply #4 on: March 13, 2004, 07:23:50 PM »
Yes. But lately there have been many postings about "avast! unable to delete/clean file" and "file locked or in use". And for a novice user that's not good (what should they do when the only thing they are allowed to do is press OK - scary).
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re:Avast did not BLOCK a virus
« Reply #5 on: March 13, 2004, 08:28:13 PM »
> Yes. But lately there have been many postings about "avast! unable to delete/clean file" and "file locked or in use". And for a novice user that's not good (what should they do when the only thing they are allowed to do is press OK - scary).

Lars, if I read correctly in the last posts, Igor said he will study a way to change this dialog in newer versions... Am I correct, Igor?  8)
The best things in life are free.

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re:Avast did not BLOCK a virus
« Reply #6 on: March 13, 2004, 10:27:57 PM »
If that is true, that would be VERY nice. Hope it's possible (that it's not Windows that makes unlocking the files impossible). From my programmer's point of view I see the challenge (to do it right you might need to kill the processes locking the file, but if those are core Windows tasks, then...)
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11765
    • AVAST Software
Re:Avast did not BLOCK a virus
« Reply #7 on: March 15, 2004, 02:50:14 PM »
> Lars, if I read correctly in the last posts, Igor said he will study a way to change this dialog in newer versions... Am I correct, Igor?  8)

I'm not sure...
I just said that I fixed the problem that Lars reported - i.e. when "If necessary, delete file(s) at the next system start" is checked, avast! will first try to delete the file in the usual way, and only if this fails, will schedule the delete during reboot (which is how it should be, of course; it's a bug that it deletes all the files on reboot only, when it's checked).

As for killing the processes... I don't think it's a good idea.
There are too many important files that should not be killed because it may kill the whole system. The infected file may be a DLL, loaded into many (or all) the processes' context - what now? Kill all running processes, including avast! itself?
avast! Virus Cleaner often kills infected processes... but it specifically knows what process (i.e. what virus) may be killed and what process should be kept (and disinfected in some other way).
In short, I don't think you can do a generic way of "unlocking" files (even if you managed to find out who is locking the files in the first place, which may not be that simple either).

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re:Avast did not BLOCK a virus
« Reply #8 on: March 15, 2004, 03:10:38 PM »
But what do other AntiViruses do?  I never had ONE incident with McAfee where it would not delete/clean/move infected files. With avast! both myself and one friend have had that problem every time a virus was detected (ok, once, but that one time it did not work). And we have seen more messages from other users here as well. I can only repeat myself:

If a novice user gets a virus-warning, and neither "Delete" nor "Move" nor "Clean" works ("ok" is the only choice) then that user will panic (and probably not use avast! any more)

It's a terrible situation. avast! tells you that you have a virus infected file, and all that works is OK to access that file ?!?!?

What is the point having an anti-virus if that's the choice ?
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11765
    • AVAST Software
Re:Avast did not BLOCK a virus
« Reply #9 on: March 15, 2004, 03:35:16 PM »
"OK" doesn't let you access the file, it just closes the dialog. The access will be denied.

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Infected files that cannot be accessed
« Reply #10 on: March 15, 2004, 04:08:36 PM »
> "OK" doesn't let you access the file, it just closes the dialog. The access will be denied.

That's not obvious. Even I didn't know that :-)
How is a novice user to know that?

What exactly happens if you choose OK on a file that is about to be loaded and executed?  (And what about the process that already has a lock on the file, will that be able to use the file?)
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11765
    • AVAST Software
Re:Avast did not BLOCK a virus
« Reply #11 on: March 15, 2004, 07:40:44 PM »
When the OK button of the Virus dialog is pressed, the API call (to open or execute the file) will fail with ERROR_ACCESS_DENIED. Exactly the same happens e.g. on NT platform, when you try to access a file you don't have rights for. It's up to the application (the one that did the API call) to handle the failure and react somehow.

As for the other question... theoretically, it is possible that an application opens a (clean) file and keeps it open for a while. In the meantime, the file gets infected. Then, the application is still able to read the file, because it has the handle for the file still opened.
However, it's not as simple as it may seem. The application must have opened the file with "write sharing" - otherwise, the virus would not be able to infect the file subsequently, no matter if an antivirus is running or not. For example, you don't have to worry about infection of a running application - its file is locked by the system. (A running application can be infected in memory, but it has nothing to do with files).
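
The share-mode behaviour described in Reply #11, as an added example that is not part of the original posts: a file held open without write sharing cannot be opened for writing by anyone else, while one held open with write sharing can be changed underneath the still-open handle. The function name `Test-WriteWhileOpen` and the scratch file are hypothetical, and the file contents are constructed sample data.

```powershell
# Added example (not from the thread): Windows share modes on a scratch file.
$path = Join-Path $env:TEMP 'share-demo.bin'      # hypothetical scratch file
[System.IO.File]::WriteAllText($path, 'clean')    # constructed sample content

function Test-WriteWhileOpen {
    param([string]$Path, [System.IO.FileShare]$ReaderShare)

    # The "application": opens the file for reading and keeps the handle open.
    $reader = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, $ReaderShare)
    try {
        try {
            # A second party asks for write access to the same file.
            $writer = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                [System.IO.FileAccess]::Write, [System.IO.FileShare]::ReadWrite)
            $bytes = [System.Text.Encoding]::ASCII.GetBytes('MODIF')
            $writer.Write($bytes, 0, $bytes.Length)
            $writer.Dispose()
            $outcome = 'write allowed'
        } catch {
            # Without write sharing the open itself fails (sharing violation).
            $outcome = 'write refused: ' +
                $_.Exception.GetBaseException().GetType().Name
        }
        # What the application's still-open handle reads afterwards.
        $buf  = New-Object byte[] 5
        $n    = $reader.Read($buf, 0, $buf.Length)
        $seen = [System.Text.Encoding]::ASCII.GetString($buf, 0, $n)
    } finally {
        $reader.Dispose()
    }
    [pscustomobject]@{
        ReaderShare = $ReaderShare
        Writer      = $outcome
        ReaderSees  = $seen
    }
}

# Reader opened without write sharing, then with write sharing.
Test-WriteWhileOpen -Path $path -ReaderShare Read
Test-WriteWhileOpen -Path $path -ReaderShare ReadWrite
Remove-Item $path
```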


Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
OK button in Virus Warning box
« Reply #12 on: March 15, 2004, 10:44:41 PM »
> When the OK button of the Virus dialog is pressed, the API call (to open or execute the file) will fail with ERROR_ACCESS_DENIED. Exactly the same happens e.g. on NT platform, when you try to access a file you don't have rights for. It's up to the application (the one that did the API call) to handle the failure and react somehow.

OK, but that is not how a "novice" user would expect OK to function. All I have spoken to (including my friend who is an IT tech herself) think OK means "Go ahead and access the file".

Maybe the button should be "Stop Access" or "Only stop access", or maybe a text in the box that says "Pressing OK will still prevent access to the infected file". That would be kind of calming :-)
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re:Avast did not BLOCK a virus
« Reply #13 on: March 16, 2004, 12:11:21 AM »
Hey boys...
Why don't you just change the button OK for something more intelligible?
Better, an explanation like the Igor text above under the virus window announcement...  ;)
The best things in life are free.

Offline xtonda

  • Newbie
  • *
  • Posts: 18
Re:Avast did not BLOCK a virus
« Reply #14 on: March 16, 2004, 07:11:46 PM »
When I tried to save an attachment from a mail virus, avast screamed that the file is infected, but after hitting OK (or just Enter, since OK is the default button) the file was saved. I don't think that this should be the default action.