Author Topic: Avast file system monitor doesn't work on regular Truecrypt volumes?  (Read 1532 times)

0 Members and 1 Guest are viewing this topic.

GrandAdmiralThrawn

  • Guest
Greetings!

I am not sure if this can be resolved at the moment, but I would still like to report this. Avast, when used with regular Truecrypt volumes (all other than system-encryption volumes) fails to make its file system monitor work with such disks. It seems to be the case that the reason for this is the location of each kernel driver in the stack (TC and Avast kernel drivers). Should the Avast kernel driver load before a TC volume is properly mounted, it seems that the file system monitor will not work on that volume.

Another user on the Truecrypt forums has also [reported] that same behavior for Microsoft Security Essentials, and it seems that Nod32 is also not handling Truecrypts "virtual volumes" correctly. Some AV suites seem to be able to deal with that, others not so much. I would love Avast to be one of those which can handle TC volumes.

To test for this, you can for instance download the EICAR AV test from here: [EICAR.org test files]. Please make sure that you download from a HTTPS source, as the test file would otherwise be intercepted by Avasts network monitor. We want to test the file system monitor though, so use HTTPS. Also make sure you're downloading with a tool that does not cache files anywhere else like most web browsers do (wget is good). Just download the file to a mounted Truecrypt volume with a proper tool via HTTPS and you will see that the file system monitor does not notice anything at all.

It would be nice if an according change could make it into Avast in the future.. I know it would be easy to say "It's a Truecrypt bug", but I guess other virtual volumes driven by kernel drivers (maybe other disk/partition encryption solutions) might also be affected by this.

If there is any way/workaround to handle this situation with current Avast versions, I'd be very happy to hear about it of course!

Thanks!