Author Topic: What exactly does the NNTP scanner do?  (Read 3341 times)


General Failure

  • Guest
What exactly does the NNTP scanner do?
« on: March 08, 2005, 09:41:09 AM »
Hi all,

I'm using avast (latest version) on XP Pro SP1, all patches applied. My newsreader is xnews.
Yesterday the following happened: I told xnews to open a newsgroup with about 8200 articles. Usually this should take about 45 sec and maybe 4 or 5 MB of data should be transferred. This time I interrupted the operation after about 10mins and 45MB of transferred data.
Now my question is: where does all the data come from? From my understanding, the reader downloads only the headlines (at least it is configured to do so) and the scanner should get active when an article is opened. Does the NNTP-scanner try to download the entire newsgroup to scan it in advance? Will the patch that was mentioned here a couple of times resolve this problem? Or do I have to turn off the NNTP-scanner? I have 1GB of traffic per month free and if opening a large newsgroup consumes 45+X MB I'd prefer to go without the protection. Nonetheless a cool feature.

Thanks for your help

GF

Offline vojtech

  • Avast team
  • Advanced Poster
  • Posts: 939
    • ALWIL Software
Re: What exactly does the NNTP scanner do?
« Reply #1 on: March 08, 2005, 10:20:52 AM »
The NNTP scanner only scans articles downloaded by the newsreader; it does not initiate any extra downloads. I don't know where that data came from, maybe the newsreader tried to reload the headers, as it had received no response in a usual amount of time. If this was so, it would be solved by the patch.

kenwong

  • Guest
Re: What exactly does the NNTP scanner do?
« Reply #2 on: March 11, 2005, 09:16:12 AM »
How can one be sure that avast's NNTP scanner is really scanning the downloaded messages in news readers (like Thunderbird)?

Jarmo P

  • Guest
Re: What exactly does the NNTP scanner do?
« Reply #3 on: March 11, 2005, 09:44:48 AM »
I confirmed that the Internet Mail provider is doing the newsgroup reading with Thunderbird and then looking at my Sygate firewall traffic log.
AshMaiSv.exe is getting a log entry to remote client TCP port 119.

To have a more firm confirmation, you can open the Customize window and tick the checkbox 'Insert note into the clean inbound news' in the NNTP-tab.

Something like this will be written to the new messages:

---
avast! Antivirus: Inbound message clean.
Virus Database (VPS): 0510-0, 08.03.2005
Tested on: 11.3.2005 10:35:18
avast! - copyright (c) 1988-2005 ALWIL Software.
http://www.avast.com
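
As an added example (not part of the post above and not an avast tool), this sketch checks saved article text for the note quoted above and reports whether it is missing, duplicated, or stamped with an old VPS date. The function names, the field patterns inferred from that single sample, and the 7-day threshold are assumptions; the note is ordinary body text that a poster could also type, so its presence is a hint rather than proof.

```python
import re
from datetime import datetime

# Layout taken from the note quoted in the thread. Anchoring at line start
# means a copy quoted in a reply ("> avast! ...") is not counted.
NOTE_RE = re.compile(
    r"^avast! Antivirus: Inbound message clean\.[ \t]*\n"
    r"Virus Database \(VPS\): (?P<vps>\S+), (?P<vps_date>\d{1,2}\.\d{1,2}\.\d{4})[ \t]*\n"
    r"Tested on: (?P<tested>\d{1,2}\.\d{1,2}\.\d{4} \d{1,2}:\d{2}:\d{2})",
    re.MULTILINE,
)

def parse_scan_note(article):
    """Return the fields of the last scanner note in the article, or None."""
    text = article.replace("\r\n", "\n")          # NNTP articles use CRLF
    notes = list(NOTE_RE.finditer(text))
    if not notes:
        return None
    m = notes[-1]                                  # the scanner appends its note
    vps_date = datetime.strptime(m["vps_date"], "%d.%m.%Y")
    tested = datetime.strptime(m["tested"], "%d.%m.%Y %H:%M:%S")
    return {"vps": m["vps"], "tested": tested,
            "vps_age_days": (tested - vps_date).days,
            "note_count": len(notes)}

def classify(article, max_vps_age_days=7):
    """Label one article: no-note, multiple-notes, stale-vps or scanned."""
    note = parse_scan_note(article)
    if note is None:
        return "no-note"              # scanner off, bypassed, or note disabled
    if note["note_count"] > 1:
        return "multiple-notes"       # at least one was already in the body
    if note["vps_age_days"] > max_vps_age_days:
        return "stale-vps"            # scanned, but with an old virus database
    return "scanned"

# Constructed sample articles; the first note is the one quoted in the thread,
# the VPS values in STALE are made up for the example.
NOTE = ("---\r\navast! Antivirus: Inbound message clean.\r\n"
        "Virus Database (VPS): 0510-0, 08.03.2005\r\n"
        "Tested on: 11.3.2005 10:35:18\r\n")
HEAD = "From: a@example.invalid\r\nSubject: test\r\n\r\nHello group.\r\n"
SCANNED = HEAD + NOTE
UNSCANNED = HEAD
STALE = HEAD + NOTE.replace("0510-0, 08.03.2005", "0501-0, 03.01.2005")

if __name__ == "__main__":
    for name, art in [("scanned", SCANNED), ("unscanned", UNSCANNED), ("stale", STALE)]:
        print(name, "->", classify(art))
```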

beerslayer

  • Guest
Re: What exactly does the NNTP scanner do?
« Reply #4 on: March 11, 2005, 10:44:36 AM »
And if you *really* want to be sure it's working...

Try posting the EICAR test virus to alt.test - if my understanding is correct, it should fail to post.

Assuming avast catches that, disable it briefly and post the EICAR file, then enable avast again and try to read your EICAR post from alt.test.

I haven't actually tried this myself but it might be worth a shot.