Author Topic: EICAR NOT DETECTED by File System Shield !?!?  (Read 17001 times)


Offline Skakara

  • Full Member
  • ***
  • Posts: 198
EICAR NOT DETECTED by File System Shield !?!?
« on: June 23, 2014, 02:36:39 PM »
What is happening!?

I installed Avast Free Antivirus 2014.9.0.2018 on new Win8.1(.1) laptop and EICAR test files are NOT detected by the file system shield!?!?

I only installed the file system shield, everything else disabled. Rebooted after install (was not offered nor instructed but did it anyways). Definitions are up to date. Windows Action Center says that Avast is protecting for viruses & spyware. No warnings of any kind anywhere.

- file system shield is on and its settings:
- scan when executing is on
- scan when writing is on

When I go to http://www.eicar.org/85-0-Download.html with Firefox and download all the 4 files from "standard protocol http" area, everything gets downloaded fine, Avast is quiet!! Should be detecting at least some of the files already (writing scan on)!!

Then when I browse to the files, I CAN OPEN THEM ALL WITHOUT AVAST DOING ANYTHING!!!

If I do Avast explorer scan on the files, Avast detects all.

SO, what the bleep is happening?!?! I don't know if I can trust Avast anymore. Unbelievable. Is this the reason why Avast detection rates have been falling awfully in recent AV-tests?!
« Last Edit: June 23, 2014, 02:38:33 PM by Skakara »

REDACTED

  • Guest
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #1 on: June 23, 2014, 04:28:18 PM »
Did you try enabling 'Scan for potentially unwanted programs (PUPs)' under Settings>Active Protection>File System Shield>Sensitivity ?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37538
  • Not a avast user
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #2 on: June 23, 2014, 04:33:26 PM »
Quote
I installed Avast Free Antivirus 2014.9.0.2018 on new Win8.1(.1) laptop and EICAR test files are NOT detected by the file system shield!?!?
because it is not an executable file....

Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #3 on: June 23, 2014, 04:54:19 PM »
Quote
Did you try enabling 'Scan for potentially unwanted programs (PUPs)' under Settings>Active Protection>File System Shield>Sensitivity ?
Yes, that has been on the whole time.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11851
    • AVAST Software
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #4 on: June 23, 2014, 05:08:40 PM »
If you have a 64bit OS (which I assume but don't know), then there's no "execute" of the eicar test file (because it's a "COM", old 16bit code and 64bit OSes don't have the 16bit subsystem) - so eicar cannot be detected on execution on 64bit OSes. (So Eicar is not very useful as a test file these days.)

However, if you are able e.g. to copy an eicar.com file from one folder into another without any detection, then there's something wrong here (just to be sure, I'd disable the "Optimize scanning during file copy option" in File System Shield Settings / Advanced).

REDACTED

  • Guest
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #5 on: June 23, 2014, 05:14:25 PM »
Here, both File Shield and Web Shield detected the file as malicious! Not sure, why it isn't the same case there.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37538
  • Not a avast user
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #6 on: June 23, 2014, 05:15:28 PM »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11851
    • AVAST Software
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #7 on: June 23, 2014, 05:16:15 PM »
Mac forum?  :)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37538
  • Not a avast user
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #8 on: June 23, 2014, 05:17:35 PM »
Quote
Mac forum?  :)
so this is not the same then ?

Quote
The file shield does two things - it detects the malicious code and prevents its execution.
Opening a virus code for reading can not cause any harm.



Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #9 on: June 23, 2014, 05:24:02 PM »
Quote
If you have a 64bit OS (which I assume but don't know), then there's no "execute" of the eicar test file (because it's a "COM", old 16bit code and 64bit OSes don't have the 16bit subsystem) - so eicar cannot be detected on execution on 64bit OSes. (So Eicar is not very useful as a test file these days.)
64-bit yes, that would explain the execute-protection, but why isn't the write-protection of the file system shield acting on this? That is what my old laptop WinXP & Avast 8.0.1497 does!!

If I extract the eicar.zip file, avast acts on the extracted eicar.com file immediately and shows a popup window to choose action (I have set the options to do that, I don't want any automatic actions). So in this case the write-protection of the file system shield does work.

Quote
However, if you are able e.g. to copy an eicar.com file from one folder into another without any detection, then there's something wrong here (just to be sure, I'd disable the "Optimize scanning during file copy option" in File System Shield Settings / Advanced).
Yes, I can perfectly copy the eicar.com file anywhere I like, Avast does nothing.

If I turn off the "Optimize scanning during file copy option", Avast stops file copy process. Seems to me that there's a loophole in the protection with this setting set to "on". Worrying.

BUT, that option still "off", downloading the eicar.com file yields NO action from Avast. I find this a bit odd. There, in my download folder is a (fake)virus and Avast did nothing.
« Last Edit: June 23, 2014, 05:26:40 PM by Skakara »

Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #10 on: June 23, 2014, 05:52:32 PM »
Plot thickens, if I try to download the eicar.com file with IE, Avast shows warning immediately. But with Firefox, Avast is silent.

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5639
  • Spartan Warrior
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #11 on: June 24, 2014, 07:30:00 AM »
Quote
What is happening!?

I installed Avast Free Antivirus 2014.9.0.2018 on new Win8.1(.1) laptop and EICAR test files are NOT detected by the file system shield!?!?

I only installed the file system shield, everything else disabled. Rebooted after install (was not offered nor instructed but did it anyways). Definitions are up to date. Windows Action Center says that Avast is protecting for viruses & spyware. No warnings of any kind anywhere.

- file system shield is on and its settings:
- scan when executing is on
- scan when writing is on

When I go to http://www.eicar.org/85-0-Download.html with Firefox and download all the 4 files from "standard protocol http" area, everything gets downloaded fine, Avast is quiet!! Should be detecting at least some of the files already (writing scan on)!!

Then when I browse to the files, I CAN OPEN THEM ALL WITHOUT AVAST DOING ANYTHING!!!

If I do Avast explorer scan on the files, Avast detects all.

SO, what the bleep is happening?!?! I don't know if I can trust Avast anymore. Unbelievable. Is this the reason why Avast detection rates have been falling awfully in recent AV-tests?!
All four EICAR files were detected by WebShield here, something you specifically say you've not got installed.  All detections are in http: and using FF 30.0 version.

See attached below:

Fail to understand why only File System Shield is installed, is there a specific reason for that?  As that is one area these two systems differ.

All EICAR files downloaded under SSL secure protocol (https:) will not be detected as avast! does not scan https: connections.  Without WebShield installed, it cannot scan and block http: connections, for malware, as it is being downloaded.  Having WebShield installed is added protection on top of what File System Shield offers.

So, the expectation that FSS will do the same thing as WS is maybe not realistic?  FSS has to do with the actual files when opened and blocks malicious code inside or manual scan, WS monitors and blocks http: connections for suspicious or detected files as they are downloaded.  WS is more of a real-time scanner than FSS is, at least in this scenario.  It also detects and blocks infected web domains, some of which many other a/v's do not detect.

Works here just fine.  4 out of 4 blocks here.
« Last Edit: June 24, 2014, 07:34:45 AM by mchain »
Windows 10 Home 64-bit 22H2 Avast Premier Security version 24.1.6099 (build 24.1.88821.762)  UI version 1.0.797
 UI version 1.0.788.  Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.2.6105 (build 24.1.8918.827) UI version 1.0.801

Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #12 on: June 24, 2014, 11:34:58 AM »
Quote
Fail to understand why only File System Shield is installed, is there a specific reason for that?  As that is one area these two systems differ.
Because that's all I need. I don't need superfluous, marketing gimmicks (though in this case since it's free, it's not that obvious). File System Shield is the only one needed to keep you clean.

Quote
So, the expectation that FSS will do the same thing as WS is maybe not realistic?  FSS has to do with the actual files when opened and blocks malicious code inside or manual scan
I'm sorry but this is totally wrong. FSS has a thing called "scan when writing", which states: "the following settings determine files that should be scanned at the moment they are created or modified".. maybe you should check out the settings more closely and learn what everything does.

See the attached image, it's from WinXP running Avast 8.0.1497 and trying to download the eicar.com file with Firefox, notice the texts what it says: "file system shield ... threat was detected and blocked when the file was created or modified".. this is what should happen with Avast 2014.9.0.2018 on Win8.1(.1) with Firefox, but the file system shield is totally silent (with IE it works). And to make things worse, the default "on" option of "Optimize scanning during file copy option" allowed the (fake)virus to be copied everywhere in the system without Avast making a single peep.

There's something wrong with the new Avast. Creating a new malware file to the system through Firefox yields NO warning whatsoever, and subsequently Avast allows copying (=making new files) of that file everywhere in the system IF "Optimize scanning during file copy option" setting is on. With IE, Avast blocks the malware download (=creating a new file). Something is not right with Avast.

P.S. You might want to google about the WOT you're using and advertising. It's not working properly, the system can be manipulated and can't be trusted, it gives a false sense of security. Just as a side note & a tip, let's not get into conversation about it in this topic.
« Last Edit: June 24, 2014, 11:43:24 AM by Skakara »
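
Added example, not part of any post in this thread and not Avast code: a small Python probe that repeats the file-creation paths discussed above (direct write, copy from one folder into another, extraction from a zip) with the standard EICAR test string and reports which ones the on-access scanner stopped. The function names `intact` and `probe`, the file names and the 2-second settle delay are assumptions made for the example.

```python
import shutil
import tempfile
import time
import zipfile
from pathlib import Path

# Standard 68-byte EICAR test string, split so this source is not itself flagged.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         r"ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


def intact(path, payload, settle):
    """True if path still holds payload after the scanner had time to react."""
    time.sleep(settle)
    try:
        return path.read_bytes() == payload
    except OSError:  # removed, quarantined or access denied
        return False


def probe(workdir, payload=EICAR, settle=2.0):
    """Create the file by write, copy and zip extraction; report each outcome."""
    root = Path(workdir)
    direct, copied = root / "eicar.com", root / "copy" / "eicar.com"
    archive, unzipped = root / "eicar.zip", root / "unzipped"
    copied.parent.mkdir()
    def extract():
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("eicar.com", payload)
        with zipfile.ZipFile(archive) as zf:
            zf.extractall(unzipped)

    steps = [("write", lambda: direct.write_bytes(payload), direct),
             ("copy", lambda: shutil.copyfile(direct, copied), copied),
             ("extract", extract, unzipped / "eicar.com")]
    results = {}
    for name, action, path in steps:
        try:
            action()
            ok = intact(path, payload, settle)
        except OSError:  # the operation itself was refused
            ok = False
        results[name] = "not blocked" if ok else "blocked"
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(probe(tmp))
```

If "write" is reported as blocked, "copy" will also show blocked simply because its source file is gone, so read the results in order. The probe does not cover the browser download path, which is where the Firefox and IE results in this thread differ.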

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37538
  • Not a avast user
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #13 on: June 24, 2014, 11:43:15 AM »
Quote
Because that's all I need. I don't need superfluous, marketing gimmicks (though in this case since it's free, it's not that obvious). File System Shield is the only one needed to keep you clean.
Then I guess ClamWin/ClamSentinel is the AV for you ...



Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #14 on: June 24, 2014, 11:45:36 AM »
Quote
Because that's all I need. I don't need superfluous, marketing gimmicks (though in this case since it's free, it's not that obvious). File System Shield is the only one needed to keep you clean.
Then I guess ClamWin + ClamSentinel is the AV for you ...
Oh god, Avast nerds have been insulted.  ::) Please, that statement is so wrong on many levels.. please, try to put your emotions aside and think straight. Or are you trying to say that ClamWin + ClamSentinel has the same or better level of malware detection than Avast? In that case, I might try it. You know, it could have.. Avast has been scoring very badly on AV-tests lately.
« Last Edit: June 24, 2014, 11:48:29 AM by Skakara »