Author Topic: Eicar SSL  (Read 4845 times)


Jem

  • Guest
Eicar SSL
« on: October 28, 2013, 02:20:26 PM »
Hi,

Successfully downloading Eicar test files from the SSL links on the Eicar site. Not picked up while downloading or when written to disk in the Downloads folder which surprised me.

Is this as intended or have I missed an option somewhere?

Thanks.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not a avast user
Re: Eicar SSL
« Reply #1 on: October 28, 2013, 02:34:11 PM »
and if you click the file after saving?


http://forum.avast.com/index.php?topic=95272.0

« Last Edit: October 28, 2013, 02:36:39 PM by Pondus »

Jem

  • Guest
Re: Eicar SSL
« Reply #2 on: October 28, 2013, 02:43:19 PM »
Quote
and if you click the file after saving?

...nothing until I perform a deliberate right click scan. I can download every file from Eicar SSL including Eicar.com. I'm not asking for SSL scanning, but I cannot accept that these files are not detected when written.

EDIT: OK, for this to work with eicar.com and eicar.com.txt, you need to tick 'Scan All Files' in File System Shield settings. For it to deal with eicar_com.zip and eicarcom2.zip you need to tick 'Zip Archive' under Packers in the File System Shield. I would suggest that an adjustment to the default File System Shield extensions that are scanned is necessary to at least trap an executable when it's written to disk.
« Last Edit: October 28, 2013, 03:12:24 PM by Jem »
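An added example, not part of any post in this thread: a small Python check that repeats the on-write test described above, so the effect of 'Scan All Files' and the 'Zip Archive' packer option can be compared run to run. The function names and the two-second wait are assumptions; the file names follow the ones named in the post.

```python
import io, os, tempfile, time, zipfile

# Standard 68-byte EICAR test string, joined from two halves so this source
# file is not itself flagged by a scanner.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-"
         + "STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")

def make_zip(payload):
    """Return a ZIP archive (as bytes) holding the payload as eicar.com."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", payload)
    return buf.getvalue()

def build_samples():
    """Constructed samples: plain, renamed to .txt, and zipped."""
    return {"eicar.com": EICAR,
            "eicar.com.txt": EICAR,
            "eicar_com.zip": make_zip(EICAR)}

def probe_on_write(directory, wait=2.0):
    """Write each sample, wait, then report whether it survived on disk."""
    samples = build_samples()
    results = {}
    for name, data in samples.items():
        try:
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(data)
            results[name] = "written"
        except OSError:
            results[name] = "blocked on write"
    time.sleep(wait)  # give the on-access scanner time to react
    for name, data in samples.items():
        if results[name] != "written":
            continue
        path = os.path.join(directory, name)
        # Only stat the file: opening it would trigger scan-on-open,
        # which is a different hook from scan-on-write.
        if os.path.exists(path) and os.path.getsize(path) == len(data):
            results[name] = "not detected on write"
        else:
            results[name] = "removed after write"
    return results

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, status in probe_on_write(d).items():
            print(f"{name:15} {status}")
```

Run it once per settings combination and in a folder that is not excluded from scanning; a sample reported as "not detected on write" may still be caught when opened or executed.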

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89118
  • No support PMs thanks
Re: Eicar SSL
« Reply #3 on: October 28, 2013, 04:14:12 PM »
Archive files are inert (the same as text files) until they are unpacked and executing the contents. Before that happens avast will scan the file/s.

That is why archives (with some exceptions, see below) aren't scanned by default, so by scanning all files and archives you place a performance burden on your system by scanning inert or non-targeted, non-executable files.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Jem

  • Guest
Re: Eicar SSL
« Reply #4 on: October 28, 2013, 04:48:26 PM »
Quote
Archive files are inert (the same as text files) until they are unpacked and executing the contents. Before that happens avast will scan the file/s.
That is why archives (with some exceptions, see below) aren't scanned by default, so by scanning all files and archives you place a performance burden on your system by scanning inert or non-targeted, non-executable files.

In the case of the Eicar zip files (downloaded from the SSL links) they are not scanned when unpacked, unless I have 'Scan All Files' ticked. Even Eicar.com is not caught when it's written to disk without 'Scan All Files'. So, sure, zip files don't need to be scanned - I accept that. I do however want the contents scanned before executing anything. You say that should happen - well, it seems not by default.
« Last Edit: October 28, 2013, 05:06:45 PM by Jem »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89118
  • No support PMs thanks
Re: Eicar SSL
« Reply #5 on: October 28, 2013, 05:04:54 PM »
As I said, when extracted from the zip file and/or when executed, as avast hooks executable files before they are allowed to run.

I don't know the circumstances surrounding your download, generally I would expect them to be scanned by the web shield, but using https bypasses the web shield scan. So I don't know at what point the file system shield cuts in with the saving of the downloaded file using https. But it should certainly be scanned when you try to execute it.

Jem

  • Guest
Re: Eicar SSL
« Reply #6 on: October 28, 2013, 05:08:01 PM »
Quote
As I said, when extracted from the zip file and/or when executed, as avast hooks executable files before they are allowed to run.

I don't know the circumstances surrounding your download, generally I would expect them to be scanned by the web shield, but using https bypasses the web shield scan. So I don't know at what point the file system shield cuts in with the saving of the downloaded file using https. But it should certainly be scanned when you try to execute it.

I actually changed my post while you were replying David. I thought I hadn't been clear....

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89118
  • No support PMs thanks
Re: Eicar SSL
« Reply #7 on: October 28, 2013, 05:32:09 PM »
After they are downloaded and on your system, it shouldn't matter how they were downloaded (as that is no longer relevant) when unpacked. I believe they (executable files or those that present an immediate risk) should be scanned as per the 'Scan files when writing' (essentially New files), but the big issue is this has at least two parameters, the one just mentioned (which is fairly clear) and this one 'Scan files with default extensions.'

It is this second one that isn't clear as it says 'this list is maintained by the avast developers and provides the optimal balance between performance and protection.' Since we can't view this list - which I presume is in the program/VPS somewhere - it is hard to say if .com files are on that list or not, but I would have thought so.

As an avast user, I can't see this list either.

So are you saying you tried to execute the eicar.com file and it wasn't scanned?

I can copy eicar.com from my excluded samples and eicar folder to another and immediately avast scans and alerts on it, see image. So it is working as expected for me (scan on writing), for the purposes of further testing I just closed the avast alert window.

Now when trying to execute the eicar.com, I get an error, which I suspect is avast putting some sort of block on it, image2.

Jem

  • Guest
Re: Eicar SSL
« Reply #8 on: October 28, 2013, 05:43:47 PM »
Quote
After they are downloaded and on your system, it shouldn't matter how they were downloaded (as that is no longer relevant) when unpacked. I believe they (executable files or those that present an immediate risk) should be scanned as per the 'Scan files when writing' (essentially New files), but the big issue is this has at least two parameters, the one just mentioned (which is fairly clear) and this one 'Scan files with default extensions.'

It is this second one that isn't clear as it says 'this list is maintained by the avast developers and provides the optimal balance between performance and protection.' Since we can't view this list - which I presume is in the program/VPS somewhere - it is hard to say if .com files are on that list or not, but I would have thought so.

As an avast user, I can't see this list either.

So are you saying you tried to execute the eicar.com file and it wasn't scanned?

I can copy eicar.com from my excluded samples and eicar folder to another and immediately avast scans and alerts on it, see image. So it is working as expected for me (scan on writing), for the purposes of further testing I just closed the avast alert window.

Now when trying to execute the eicar.com, I get an error, which I suspect is avast putting some sort of block on it, image2.

I'm not saying it wasn't scanned on execution. It wasn't scanned when downloaded and written to disk and it isn't detected when I move it from Downloads to, say, My Documents.

doktornotor

  • Guest
Re: Eicar SSL
« Reply #9 on: October 28, 2013, 05:50:59 PM »
Quote
It wasn't scanned when downloaded

Obviously. Would you like Avast to install a MITM certificate for all your browsing purposes?

Quote
and written to disk and it isn't detected when I move it from Downloads to, say, My Documents.

Yes. Cannot see a problem with the ZIP sitting there. YMMV. It's a design decision, feel free to configure things otherwise.

Jem

  • Guest
Re: Eicar SSL
« Reply #10 on: October 28, 2013, 05:56:02 PM »
Obviously what? David and I were talking about eicar.com - unzipped in the last couple of posts.

doktornotor

  • Guest
Re: Eicar SSL
« Reply #11 on: October 28, 2013, 05:58:45 PM »
Quote
Obviously what?

Obviously this (even quoted):

Quote
It wasn't scanned when downloaded
Quote
Successfully downloading Eicar test files from the SSL links on the Eicar site. Not picked up while downloading

I for one do not want any MITM certs installed for this. (There are products that provide HTTPS scanning, I have personal experience with ESET, it was broken in the first place, plus the certificate stuff produces way more trouble and user confusion than the inert archives downloaded.)
« Last Edit: October 28, 2013, 06:01:33 PM by doktornotor »