Author Topic: * Introducing * - beta version of upcoming avast update (4.6.689)  (Read 123673 times)

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48608
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: * Introducing * - beta version of upcoming avast update (4.6.688)
« Reply #120 on: July 07, 2005, 11:58:47 PM »
Fixer
Simple logic: removing exclusions increases the files to scan. The more files you scan, the longer it takes.
The longer it takes, the slower the web response....

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9408
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: * Introducing * - beta version of upcoming avast update (4.6.688)
« Reply #121 on: July 08, 2005, 08:08:41 AM »
Well, from what I have seen, Web Shield works differently than the NOD32 IMON HTTP scanner. avast! intercepts specified ports with HTTP traffic, downloads all files to a temp folder on disk, scans them the regular way automatically and then sends them back to the browser. Very simple and effective trick.
Because HDD transfer rate is on average 50MB/s, this is very fast; also, scanning is direct and as fast as Standard Shield.

NOD32 uses a different method. They intercept HTTP traffic with LSP. Smaller files are scanned directly in memory, while passive transfers are transferred the same way as avast! does. The only thing that bothers me in this part (and I don't know why) is that NOD32 renders pages much slower than avast!, and if a page contains lots of graphics (lots of smaller images) there will usually be corrupted or badly rendered web pages (mainly missing images).

So in theory and in my little tests, avast! Web Shield downloads everything at the same rate of speed as the browser would without it. So exclusions aren't really necessary.
And it's even more thorough if you check everything :)
Visit my webpage Angry Sheep Blog

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: * Introducing * - beta version of upcoming avast update (4.6.688)
« Reply #122 on: July 08, 2005, 09:18:27 AM »
The good performance is achieved thanks to the "Intelligent Stream Scan" feature. Try disabling it, and you'll see the difference...

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: * Introducing * - beta version of upcoming avast update (4.6.688)
« Reply #123 on: July 08, 2005, 09:44:00 AM »
Hmmm .... just tried that ... what difference am I missing?

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9408
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: * Introducing * - beta version of upcoming avast update (4.6.688)
« Reply #124 on: July 08, 2005, 09:55:35 AM »
POTENTIAL SECURITY FLAW
Ok, there is another thing. It's not really a bug, but it's a possible security flaw.

You use string:
*\PageFile.sys

to exclude the pagefile file. But here is the catch. Create malware with the name pagefile.sys and place it anywhere on the drive. It won't be detected.
The star before the slash means that it will be excluded in all folders. Not a good idea imo.

Now use exclusion string:
?:\PageFile.sys

Now that's something different. The pagefile can only be placed in the root of every partition.
And since the pagefile is a system file, it cannot be replaced or overwritten while it's in use. And any file named pagefile.sys in folders other than the root of partitions will be detected.

BUG #2
The next thing, which has happened to me lots of times with avast! (not sure if limited only to this beta), is that a detected file triggers the warning dialog. I select delete file and again I get the same warning for the same (already deleted) file. I click delete again and then I get a cannot process file error. Then I click Ok in this error dialog and I get the warning dialog again!? This loops forever for as long as I don't click the No action button.

I was testing the security flaw above and I found that avast! appears to have problems only with EXE files (the same file renamed to .sys was also detected and properly cleaned).
I'm not sure about other executables like COM, SCR etc..., but I can reproduce this bug on my machine with any EXE file in any folder.
« Last Edit: July 08, 2005, 09:57:18 AM by RejZoR »
Visit my webpage Angry Sheep Blog
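
The difference between the two exclusion masks in the post above, as an added example that is not part of the thread and not avast! code. It assumes the mask semantics the post describes ('*' matches any run of characters including backslashes, '?' matches exactly one character, comparison is case-insensitive); the function names and sample paths are constructed for illustration.

```python
import re

def exclusion_to_regex(mask):
    """Translate an exclusion mask to a regex under the assumed semantics:
    '*' = any run of characters, '?' = exactly one, case-insensitive."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def audit(mask, paths):
    """Return every path the scanner would skip because of this mask."""
    rx = exclusion_to_regex(mask)
    return [p for p in paths if rx.fullmatch(p)]

# A file sitting directly in a drive root, e.g. C:\pagefile.sys
DRIVE_ROOT_FILE = re.compile(r"[A-Za-z]:\\[^\\]+")

def unintended(mask, paths):
    """Skipped paths that are NOT in a drive root: the scanning blind spot."""
    return [p for p in audit(mask, paths) if not DRIVE_ROOT_FILE.fullmatch(p)]

# Constructed sample paths (not taken from the thread).
SAMPLE_PATHS = [
    r"C:\pagefile.sys",
    r"D:\PageFile.sys",
    r"C:\Documents and Settings\user\Desktop\pagefile.sys",
    r"E:\Downloads\tmp\PAGEFILE.SYS",
    r"C:\WINDOWS\system32\drivers\other.sys",
]

BROAD = r"*\PageFile.sys"      # mask quoted in the post as the current default
ANCHORED = r"?:\PageFile.sys"  # mask proposed in the post

if __name__ == "__main__":
    for mask in (BROAD, ANCHORED):
        print(mask, "skips", len(audit(mask, SAMPLE_PATHS)), "paths;",
              "outside drive roots:", unintended(mask, SAMPLE_PATHS))
```

The same audit can be run over a real directory listing to see which files an existing exclusion list leaves unscanned.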

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11856
    • AVAST Software
Re: * Introducing * - beta version of upcoming avast update (4.6.688)
« Reply #125 on: July 08, 2005, 10:30:45 AM »
Re #2:
I really don't think the filename could make any difference to its processing...  ???
In general, similar problems may be caused by "stored" archives (i.e. the malware is detected inside of an archive and also in the archive file itself). Unfortunately, it's not really easy to process such archives correctly. I'm planning to do some improvements, but it has to be done carefully (the change of the behavior may have bad consequences elsewhere).
I think, however, that some improvements were already done for the resident protection - so it shouldn't behave like you are describing. Can you send me a sample of such a problematic file?

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9408
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: * Introducing * - beta version of upcoming avast update (4.6.688)
« Reply #126 on: July 08, 2005, 10:39:31 AM »
No, it's not an archive. It could be packed with a runtime packer, but it's certainly not an archive (or SFX).

Ok, I have tested even further and I have been able to replicate this as well.
This infinite loop happens only if you copy a file from an excluded folder to some non-excluded folder.

For example:

My excluded folder:
E:\My Documents\Virus Storage

I copied malware from that folder to desktop:
C:\Documents and Settings\RejZoR\Desktop

and I got that loop bug again.
Then I packed the same malware into an archive, placed it into some non-excluded folder and extracted it there.
It got detected just fine and it was also cleaned properly.

So it appears that there is some kind of problem with exclusions.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11856
    • AVAST Software
Re: * Introducing * - beta version of upcoming avast update (4.6.688)
« Reply #127 on: July 08, 2005, 10:51:46 AM »
Hmm, I'm unable to reproduce that.
If I copy a file from an excluded folder to a non-excluded one and click "No action", I indeed get two warnings - but that's because the first warning is "On close" and the subsequent one is caused by Total Commander (used to copy the file) extracting an icon from the file.
If I press Delete, however, the file is deleted immediately, no subsequent warnings.

Does the file get copied to the target folder actually? (if you press the "No action" button)? If yes, then it's not a problem with exclusions - if it were, it wouldn't be possible to copy the file because the access would be denied to it.

Do you use any special method/program to copy the file? Any special Standard Shield settings? Anything else that might be special?

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9408
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: * Introducing * - beta version of upcoming avast update (4.6.688)
« Reply #128 on: July 08, 2005, 11:06:36 AM »
Nothing special, Standard Shield is set to Normal sensitivity (default, nothing changed).
And I use two extra exclusions, one for Recycle Bin and one for my malware storage folder (that Virus Storage path).

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11856
    • AVAST Software
Re: * Introducing * - beta version of upcoming avast update (4.6.688)
« Reply #129 on: July 08, 2005, 11:28:54 AM »
And every time you copy a file out of this folder, you get a loop of virus warnings?
Are the virus dialogs (in the loop) always exactly the same? (exactly the same path in the "File name" field, same text below, ...)

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9408
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: * Introducing * - beta version of upcoming avast update (4.6.688)
« Reply #130 on: July 08, 2005, 11:35:31 AM »
Yes, I get this loop every time. But only for the .EXE extension. Detected messages are always the same and in exactly the same order. For example, .SYS was detected and cleaned ok. The only thing that I noticed is that I had to use the Refresh command on my desktop to refresh the view, otherwise that detected .sys file just stayed on the desktop (the icon). Maybe this has something to do with this bug.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11856
    • AVAST Software
Re: * Introducing * - beta version of upcoming avast update (4.6.688)
« Reply #131 on: July 08, 2005, 12:59:34 PM »
It sounds more like some strange interference with another tool to me... how about some behavior blocker, possibly even avast! one? It really works without any problems here.

I don't know... maybe you could try if File Monitor revealed what programs access the file before/during/after the copy?

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9408
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: * Introducing * - beta version of upcoming avast update (4.6.688)
« Reply #132 on: July 08, 2005, 01:17:58 PM »
Ok, now that's strange ??? Now it works fine (I had one restart in between), except refreshing still doesn't take place, so the file appears to be there (you have to use Refresh and it will disappear). Not sure if this is related to avast! or just some Explorer glitch (which I haven't seen before) ???

What about the pagefile exclusion? Will it be fixed?

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: * Introducing * - beta version of upcoming avast update (4.6.688)
« Reply #133 on: July 08, 2005, 01:53:26 PM »
I think Avast! itself should autodetect "active" pagefiles and "exclude" them on the fly w/o being "accessible" in the exclusion list ...

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9408
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: * Introducing * - beta version of upcoming avast update (4.6.688)
« Reply #134 on: July 08, 2005, 01:56:26 PM »
Yeah, I agree for all Standard Shield default exclusions. Web Shield is different, but Standard Shield could use such a method. Just double-check the syntaxes when transitioning to such a "hidden" mode. We don't want any hidden surprises in the form of *\pagefile.sys exclusions...