I figured out a couple of things. After many, many tests & brain-exploding thinking. Haha.
There is an erroneously named and/or illogically acting Avast setting. The FSS "Scan when writing -> scan files with default extensions" actually sometimes means: "scan files with default file contents" (maintained by avast). It's not always file extensions that Avast is looking for when a file is created or modified.
Here are some examples (on Win8.1.1 x64 & Avast 2014.9.0.2018):
- Eicar.com file downloaded with IE -> downloads to temp folder with ".com" extension = Avast detects the file.
- Eicar.com file downloaded with Firefox -> downloads to temp folder with ".com.part" extension = Avast does NOT detect the file -> completed file is renamed with .com extension and moved to final download folder = Avast does NOT detect the file.
This is perfectly normal & in accordance with "scan files with default extensions" setting because:
- In IE case, the file is created with ".com" extension right from the start.
- With Firefox, the file creation is done with an extension that is not "detected" by Avast. The subsequent Firefox file rename & move (or move & rename) to final location is NOT a file creation or modification process. That's why Avast FSS doesn't detect it.
More, preparing: eicar_com.zip downloaded with any browser (IE, Firefox) -> Avast does NOT detect the file -> file is created & moved to final download folder. Perfectly normal again.
- Open zip-file & extract eicar.com -> Avast detects the file.
- Open zip-file, rename eicar.com to eicar.com.part inside the zip-file & extract eicar.com.part -> Avast does NOT detect the file.
This is once again perfectly normal & in accordance with "scan files with default extensions" setting.
But here things get interesting, preparing: Spycar_tests.zip file downloaded from http://www.testmypcsecurity.com/securitytests/spycar_suite.html -> Avast does NOT detect the file. Normal.. but:
- Open zip-file & extract e.g. IE-KillAdvancedTab.exe file -> Avast detects the file.
- Open zip-file, rename IE-KillAdvancedTab.exe to IE-KillAdvancedTab.exe.part inside the zip-file & extract IE-KillAdvancedTab.exe.part -> Avast detects the file.
Whoops, what just happened?! The first detection is normal, BUT the 2nd detection of ".part" file is NOT normal. It's not in accordance with "scan files with default extensions" setting. Did Avast scan the file based on its contents?? Ignoring the "unfamiliar" extension of the file?? Why did Avast decide to do this with this file BUT NOT with eicar.com.part file??
Now, the last example (WinXP 32bit running Avast 8.0.1497):
- Download the eicar.com file with Firefox -> Avast detects the file AFTER it was renamed & moved to final download folder.
Check the attached image. Why doesn't this happen in Win8.1.1 x64 with Avast 2014.9.0.2018?? Was something changed?
What baffles me the most is that sometimes files are scanned based on contents even though it should not happen according to settings.
And finally, still open, is there a problem in some cases with "Optimize scanning during file copy option" setting ON?
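
The create-versus-rename cases from the post can be re-run as a repeatable check of a file shield's settings. This is an added example, not part of the original post: the function names, case labels and placeholder payload are assumptions, and the placeholder is constructed, harmless data, so without your own AV test file every case reports "intact".

```python
import os, shutil, sys, tempfile, time

# Constructed, harmless stand-in; pass your own AV test file on the command line.
PLACEHOLDER = b"constructed harmless placeholder, not a detection test file\n"

def probe(path, payload, settle):
    """Wait for the shield, then report whether the file is still readable.
    Reading also exercises scan-on-open, so 'blocked' means caught on write or open."""
    time.sleep(settle)
    try:
        with open(path, "rb") as fh:
            return "intact" if fh.read() == payload else "modified"
    except OSError:                      # deleted, quarantined or access denied
        return "blocked"

def write(path, payload):
    with open(path, "wb") as fh:
        fh.write(payload)

def run_matrix(payload, ext=".com", settle=0.0):
    """Run the post's cases in a fresh temp dir and return {case: outcome}."""
    results = {}
    work = tempfile.mkdtemp(prefix="shieldtest_")
    final = os.path.join(work, "final")
    os.mkdir(final)
    try:
        # Case 1 (IE-style): the file is created with its real extension.
        direct = os.path.join(work, "sample" + ext)
        write(direct, payload)
        results["create_with_ext"] = probe(direct, payload, settle)
        # Case 2 (Firefox-style): the file is created with a ".part" suffix.
        part = os.path.join(work, "sample2" + ext + ".part")
        write(part, payload)
        results["create_as_part"] = probe(part, payload, settle)
        # Case 3: rename and move to the final folder, with no further write.
        if os.path.exists(part):
            moved = os.path.join(final, "sample2" + ext)
            os.replace(part, moved)
            results["rename_and_move"] = probe(moved, payload, settle)
        else:
            results["rename_and_move"] = "skipped"
    finally:
        shutil.rmtree(work, ignore_errors=True)
    return results

if __name__ == "__main__":
    # Assumption: argv[1], if given, is a test file kept in a scan-excluded folder.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PLACEHOLDER
    for case, outcome in run_matrix(data, settle=2.0).items():
        print(f"{case:18} {outcome}")
```

Running it once per shield setting (default extensions versus all files) and per OS gives a side-by-side table of the cases the post compares by hand.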