Author Topic: disapointing results for Avast! 4


asafdem

  • Guest
disapointing results for Avast! 4
« on: October 05, 2003, 04:03:52 PM »
Sick and tired of "Test your AV software using the EICAR test string", I did some real-life testing of my own, and here are the results:

FILE                  RAV (online scan)          PANDA (online scan)   AVAST 4 Pro

\EICAR.COM            EICAR_Test_File            Eicar.Mod             EICAR TEST
\EICAR.RAR            EICAR_Test_File            Eicar.Mod             -
\BABA.ZIP             Baba.353.A                 Univ.EH               Baba-353
\CASINO.ZIP           NGV.gen                    Ngv.1600.b.drp        -
\D-DANCE.ZIP          Devil's_Dance.941.A        Devils                -
\ENIGMA.ZIP           Old_Yankee.1755.A          Enigma                Old Yankee
\FDT.ZIP              Necropolis.1963.A          Necropolis.1963       -
\GARANT.ZIP           Major.1644.A               Major.1644            Major-1644
\HAIKU.ZIP            I_Worm:Haiku               W32/Haiku             Win32:Haiku
\KENNEDY.ZIP          Danish_tiny.333.A          Kennedy               -
\MANTA.ZIP            VCS.1077                   VCS                   -
\NATAS.ZIP            Natas.4744                 Natas.4744            -
\ONEHALF.ZIP          One_Half.3544.A            One                   -
\PIXEL.ZIP            Pixel.740.A                Univ                  Pixel-740
\TORERO.ZIP           Torero.1429                Torero                -
\Ambulance.786.zip    Ambulance.796.A            Ambulance.796.A       -
\HYDRA0.ZIP           Pixel.Hydra.736.A          Univ                  -
\AntiAVP.959.zip      AIDS.COM                   AntiAVP.959           -
\CIH_14.ZIP           Win95/CIH.1003             W95/CIH               Win95:CIH 1.x
\AntiAVP.1235.zip     AntiAVP.1235               Astra_II              -
\Leprosy.370.zip      Leprosy.666.A              Leprosy               -
\NINJA.ZIP            Ninja.1616                 Ninja.2090            Ninja-1852
\Oops.368.zip         Ooops.368                  Ooops.368             -
\SIERRA.ZIP           Stoned.I.C.dr              NYB.E.Drp             NYB-A
\Win.Lamer.zip        Win/Winlamer.1734          Winsurf.Skim.1454     Win:Lame
\XPEH.4768.zip        Yankee_Doodle.XPEH.4928    Micropox              -
\I-Worm.Sircam.exe    Worm.Sircam.exe            W32/Sircam            Win32:Sircam-C [Wrm]
\I-Worm.Happy99.exe   Win32/Ska.A@m              W32/Happy             Win32:Ska
\I-Worm.Opasoft.exe   Win32/Opaserv.A.worm       W32/Opaserv           Win32:Opas [Wrm]
\I-Worm.Klez.a.SCR    Win32/Klez.E@mm            W32/Klez.F            Win32:Klez-E [Wrm]
\I-Worm.Numda.d.exe   Win32/Nimda.D@mm           W32/Nimda             Win32:Nimda [Wrm]

So Avast missed 15 out of 31! :'(

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:disapointing results for Avast! 4
« Reply #1 on: October 05, 2003, 04:12:54 PM »
Some comments/questions on it. Did you let Avast scan inside archives? Because it should find the EICAR inside the RAR without problems, and it finds the Oops.368 without problems too (infection: Ooops-368). So check whether you activated archive scanning.

It finds the Natas also, and I think the others too. Unpack and scan them again. You will find it out on your own. The samples you use (except the last few) are d*mn old. I do not think that they are still able to infect newer Windows versions anymore!?
« Last Edit: October 05, 2003, 04:20:10 PM by raman »
MfG Ralf
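A scanner-independent way to settle the archive-scanning question raised above, as an added example (not code from anyone in this thread): it builds the harmless EICAR test string plain and inside ZIP archives nested one to three levels deep, then walks the archives itself to confirm the string really sits at the expected depth. Scan the resulting directory with the AV under test; a file it misses at depth N shows it does not unpack N levels (or that archive scanning is off). RAR is not produced because the Python standard library cannot write RAR archives; the output directory, file names and the depth limit of 3 are arbitrary choices.

```python
"""Build an EICAR test corpus at several ZIP nesting depths and verify it.

Added example for this thread, not code from any poster. Only the
harmless EICAR test string is used, so the corpus is safe to keep around.
"""
import io
import os
import tempfile
import zipfile
from typing import Dict, Optional

# The standard 68-byte EICAR test string; a test file must begin with it and
# may carry only trailing whitespace after it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def nested_zip(payload: bytes, name: str, depth: int,
               compression: int = zipfile.ZIP_DEFLATED) -> bytes:
    """Wrap payload (stored as `name`) inside `depth` nested ZIP files.

    depth 0 returns the payload itself; depth 2 returns a ZIP containing a ZIP
    containing the payload. Everything is built in memory.
    """
    data, inner_name = payload, name
    for level in range(1, depth + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", compression) as zf:
            zf.writestr(inner_name, data)
        data, inner_name = buf.getvalue(), f"eicar_depth{level}.zip"
    return data


def find_eicar_depth(data: bytes, depth: int = 0) -> Optional[int]:
    """Walk ZIP members recursively; return the depth at which EICAR sits, else None.

    This is the reference answer a scanner with archive scanning enabled
    should reproduce (depth 0 = plain file, 1 = inside one ZIP, ...).
    """
    if data.rstrip() == EICAR:
        return depth
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.infolist():
            found = find_eicar_depth(zf.read(member), depth + 1)
            if found is not None:
                return found
    return None


def build_corpus(root: str, max_depth: int = 3) -> Dict[str, int]:
    """Write eicar.com and ZIPs nested 1..max_depth deep into root.

    Also writes one STORED (uncompressed) ZIP, since a scanner may treat
    stored and deflated members differently. Returns {path: expected depth}.
    """
    expected: Dict[str, int] = {}
    for depth in range(max_depth + 1):
        fname = "eicar.com" if depth == 0 else f"eicar_depth{depth}.zip"
        path = os.path.join(root, fname)
        with open(path, "wb") as fh:
            fh.write(nested_zip(EICAR, "eicar.com", depth))
        expected[path] = depth
    stored = os.path.join(root, "eicar_stored.zip")
    with open(stored, "wb") as fh:
        fh.write(nested_zip(EICAR, "eicar.com", 1, zipfile.ZIP_STORED))
    expected[stored] = 1
    return expected


if __name__ == "__main__":
    root = tempfile.mkdtemp(prefix="eicar_corpus_")  # arbitrary location
    for path, depth in build_corpus(root).items():
        with open(path, "rb") as fh:
            actual = find_eicar_depth(fh.read())
        print(f"{os.path.basename(path):20s} EICAR at depth {actual} (expected {depth})")
    print(f"Now scan {root} with the AV under test. A file it misses tells you "
          f"how many archive levels it does not unpack.")
```

Run it, point the scanner at the printed directory, and compare the scanner's hits against the expected depths. If the plain eicar.com is found but eicar_depth1.zip is not, archive scanning is off; if depth 1 and 2 are found but 3 is not, the nesting limit is the cause rather than the signature.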

asafdem

  • Guest
Re:disapointing results for Avast! 4
« Reply #2 on: October 05, 2003, 04:51:30 PM »
Almost all viruses Avast! 4 found were within zip files, so I guess that means I selected the archives option. And I did it again, just to be sure (see attached "options and results.gif"). "Old samples" sounds like a lame excuse.

Summary: 15 misses, 1 false positive. (Too bad, I was looking for something to replace the resource-hungry NAV 200x  :'()

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:disapointing results for Avast! 4
« Reply #3 on: October 05, 2003, 05:25:59 PM »
Quote
...sure. (see attached "options and results.gif"). "Old samples" sounds like a lame excuse.

I have searched for these old ones, and if you unpack them Avast will find them too. I do not know why, but avast has some problems identifying some old PK-Zip headers. But I do not know why it does not find the EICAR inside the RAR archive.
Avast finds the following, with the following names:
[RAV]
i:\temp\3544.EXE | Infected: One_Half.3544.A
i:\temp\370.COM | Infected: Leprosy.370
i:\temp\4744A.COM | Infected: Natas.4744
i:\temp\4744A.EXE | Infected: Natas.4744
i:\temp\4928.COM | Infected: Yankee_Doodle.XPEH.4928
i:\temp\ANTI1235.COM | Infected: AntiAVP.1235
i:\temp\HYDRA0.COM | Infected: Pixel.Hydra.736.A
i:\temp\MANTA.COM | Infected: VCS.1077
i:\temp\ONEH3544.EXE | Infected: One_Half.3544.A
i:\temp\ONEHALF.BIN | Infected: OneHalf
i:\temp\OOPS.COM | Infected: Ooops.368
i:\temp\TORERO.COM | Infected: Torero.1427
i:\temp\UNKNOWN.COM | Infected: VCS.1077

[AVAST]
I:\temp\3544.EXE [L] One half-3544/3577 (0)
I:\temp\370.COM [L] Leprosy-37X (0)
I:\temp\4744A.COM [L] Natas-4744 (0)
I:\temp\4744A.EXE [L] Natas-4744 (0)
I:\temp\4928.COM [L] Yankee Doodle (0)
I:\temp\ANTI1235.COM [L] AntiAVP-1235 (0)
I:\temp\HYDRA0.COM [L] Pixel-Hydra-736-B (0)
I:\temp\MANTA.COM [L] VCS 1.0 (0)
I:\temp\ONEH3544.EXE [L] One half-3544/3577 (0)
I:\temp\OOPS.COM [L] Ooops-368 (0)
I:\temp\TORERO.COM [L] Torero-1427 (0)
I:\temp\UNKNOWN.COM [L] VCS 1.0 (0)

MfG Ralf

asafdem

  • Guest
Re:disapointing results for Avast! 4
« Reply #4 on: October 05, 2003, 06:00:30 PM »
It appears that you have to set the scan level to Thorough. Once I did that I got:

\EICAR.COM                                Infection: EICAR Test-NOT virus!!
\EICAR.RAR\EICAR.COM                      Infection: EICAR Test-NOT virus!!
\CPAV.EXE                                 Infection: Emmie-3097
\BABA.ZIP\BABA.EXE                        Infection: Baba-353
\D-DANCE.ZIP\D-DANCE.COM                  Infection: Devil's Dance-941
\ENIGMA.ZIP\ENIGMA.EXE                    Infection: Old Yankee
\FDT.ZIP\FDT.COM                          Infection: Necropolis-1963
\GARANT.ZIP\GARANT.EXE                    Infection: Major-1644
\HAIKU.ZIP\Haiku.exe                      Infection: Win32:Haiku
\KENNEDY.ZIP\KENNEDY.COM                  Infection: Danish Tiny-Kennedy-333
\MANTA.ZIP\MANTA.COM                      Infection: VCS 1.0
\NATAS.ZIP\NATAS.COM                      Infection: Natas-4744
\ONEHALF.ZIP\ONEHALF.COM                  Infection: One half-3544/3577
\PIXEL.ZIP\PIXEL.EXE                      Infection: Pixel-740
\TORERO.ZIP\TORERO.COM                    Infection: Torero-1429
\Ambulance.786.zip\ambulanc.com           Infection: Ambulance-795
\HYDRA0.ZIP\HYDRA0.COM                    Infection: Pixel-Hydra-736-B
\AntiAVP.959.zip\AVP-AIDS.COM             Infection: AntiAVP-959
\CIH  14.ZIP\CIH  14.EXE                  Infection: Win95:CIH 1.x
\AntiAVP.1235.zip\ANTICARO.COM            Infection: AntiAVP-1235
\Leprosy.370.zip\LEPROSY.COM              Infection: Leprosy
\NINJA.ZIP\NINJA.EXE                      Infection: Ninja-1852
\Oops.368.zip\oops.com                    Infection: Ooops-368
\SIERRA.ZIP\Floppy.exe                    Infection: NYB-A
\Win.Lamer.zip\WINLAME2.EXE               Infection: Win:Lame
\XPEH.4768.zip\XPEN4928.COM               Infection: Yankee Doodle
\I-Worm.Sircam.exe\I-Worm.Sircam.exe      Infection: Win32:Sircam-B
\I-Worm.Sircam.exe                        Infection: Win32:Sircam-C [Wrm]
\I-Worm.Happy99.exe                       Infection: Win32:Ska
\I-Worm.Opasoft.exe                       Infection: Win32:Opas [Wrm]
\I-Worm.Klez.a.SCR                        Infection: Win32:Klez-E [Wrm]
\I-Worm.Numda.d.exe                       Infection: Win32:Nimda [Wrm]

Conclusion: 30 found (Win32:Sircam-B & Win32:Sircam-C [Wrm] within same file!), 1 missed (CASINO.COM->(PKLite) - NGV.gen ), 1 false.  ???

Comments?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:disapointing results for Avast! 4
« Reply #5 on: October 05, 2003, 06:05:52 PM »
How about setting the Thorough scan, instead of Standard? Does it change anything? It is indeed very strange that EICAR has not been found within a RAR archive; RAR archives definitely are supported.

Since you labeled the column as "Avast 4 Pro" - what are the results when you create your own task in the Enhanced User Interface and set the appropriate Packer options?

Probably a stupid question, but just for sure: weren't you running another resident antivirus protection in background?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:disapointing results for Avast! 4
« Reply #6 on: October 05, 2003, 06:12:54 PM »
Seems you were faster with posting the answer before I even sent the question :)

As for the Sircam-B & Sircam-C thing: Sircam-C is probably a packed version of Sircam-B (btw, the Sircam-B name is really without the [Wrm] tag?). When Sircam has been added to the virus database, avast! did not feature UPX/AsPack unpacking (or whatever Sircam-B is packed with) - so, the signature for the packed version has been added. Now, when it's able to unpack the packed executable, it finds even the "inner" file, which is Sircam-B.
I think it's not a problem... the signatures for the packed versions make it possible to identify the virus even with an older version of avast, or with archive-scanning turned off.

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:disapointing results for Avast! 4
« Reply #7 on: October 05, 2003, 06:13:25 PM »
Quote
1 missed (CASINO.COM->(PKLite) - NGV.gen ), 1 false.  ???

Unpack the PKLITE and Avast reports Nuke-1680. But I thought Avast was able to unpack PKLite by itself?
MfG Ralf

asafdem

  • Guest
Re:disapointing results for Avast! 4
« Reply #8 on: October 05, 2003, 06:13:52 PM »
Igor

Did you read the very first line in my previous post?  ::)

asafdem

  • Guest
Re:disapointing results for Avast! 4
« Reply #9 on: October 05, 2003, 06:17:34 PM »
Igor

Thank you for clarification.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:disapointing results for Avast! 4
« Reply #10 on: October 05, 2003, 06:27:18 PM »
Yes, I did, but only afterwards - since you posted it while I was writing the followup :)

asafdem

  • Guest
Re:disapointing results for Avast! 4
« Reply #11 on: October 05, 2003, 07:39:54 PM »
Igor

Quote
(btw, the Sircam-B name is really without the [Wrm] tag?)

Yes it is. From Avast! 4 log:

\I-Worm.Sircam.exe\I-Worm.Sircam.exe [L] Win32:Sircam-B (0)
\I-Worm.Sircam.exe [L] Win32:Sircam-C [Wrm] (0)
 ;)

techie101

  • Guest
Re:disapointing results for Avast! 4
« Reply #12 on: October 06, 2003, 12:08:43 AM »
As you have discovered, setting Avast to scan inside archives and setting it to Thorough (sensitivity at high) allows Avast to detect 99% of all viruses.

Now, if you also make sure that the Heuristic feature is selected for the respective On-Access Protection modules, you have a nice secure setup.

Any anti-virus software will overlook some viruses if its search engine sensitivity is lowered.

This "lowering" should only be used when a substantial number of "false positives" are registered, and only low enough to stop them.

Thank you for taking the time to share your test results with us.

 :D

Culpeper

  • Guest
Re:disapointing results for Avast! 4
« Reply #13 on: October 06, 2003, 03:34:49 AM »
I'm still not clear if the user was using the Pro or Free versions?  I thought the Free version didn't support RAR files.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:disapointing results for Avast! 4
« Reply #14 on: October 06, 2003, 11:19:36 AM »
The Home version does support RAR archives (and always has).

For a comparison table please refer to http://www.avast.com/i_idt_1018.html .

Vlk
If at first you don't succeed, then skydiving's not for you.