Author Topic: EICAR NOT DETECTED by File System Shield !?!?  (Read 16964 times)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #15 on: June 24, 2014, 11:50:06 AM »
Quote
Oh god, Avast nerds have been insulted. 
Nope......  and I use 5 different AV ......  so maybe a 5 AV nerd    ;)

 

Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #16 on: June 24, 2014, 11:57:30 AM »
Nope......  and I use 5 different AV ......  so maybe a 5 AV nerd    ;)
Ok, whatever makes you feel safe. Can we stay on topic? Thank you.

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5604
  • Spartan Warrior
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #17 on: June 25, 2014, 09:53:09 PM »
See:  https://forum.avast.com/index.php?topic=150758.0;topicseen

No WebShield, no detections or blocks.  It's like you're bringing only one big gun to the party when you could have two, (or more) and you're surrounded by vicious malware monsters who will kill you if you don't kill them first.  You won't be able to see them if you're not proactively armed with the appropriate weapon.

No, we're not avast nerds and no, not insulted.  Sooner or later, a web-based threat is going to get you w/o webshield in place.  For example, downloading an EICAR test file(s) is web-based, just so you know.

Correct, it is your system.

Again, why only FSS in place?   ???

[EDIT:]  Warning:  Don't click any hXXp://killmalware.com/ links posted by Pondus as they have live Trojan links that will be blocked by avast! only if WebShield is installed.  You click those links, you will be infected.  Just so you know.
« Last Edit: June 25, 2014, 10:21:18 PM by mchain »
Windows 10 Home 64-bit 22H2 Avast Premier Security version 24.1.6099 (build 24.1.88821.762)  UI version 1.0.797
 UI version 1.0.788.  Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.2.6105 (build 24.1.8918.827) UI version 1.0.801

Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #18 on: June 25, 2014, 10:45:11 PM »
No WebShield, no detections or blocks.
...
For example, downloading an EICAR test file(s) is web-based, just so you know.
Ok, please stop. You're wrong. Please stop spreading FUD.

You obviously didn't read my posts here. Here's one with crucial info that will blow your erroneous whining away. Read closely the part where I tell how previous 8 version of Avast handles things in WinXP. And in Win8.1.1, newest Avast, FSS STOPS eicar.com when downloaded with IE, like it should, and all without your little darling webshield.. with Firefox (and god knows with how many other programs), Avast tumbles & falls badly. Read & learn.. and stop spamming your false info here, thanks.

Fail to understand why only File System Shield is installed, is there a specific reason for that?  As that is one area these two systems differ.
Because that's all I need. I don't need superfluous, marketing gimmicks (though in this case since it's free, it's not that obvious). File System Shield is the only one needed to keep you clean.

So, the expectation that FSS will do the same thing as WS is maybe not realistic?  FSS has to do with the actual files when opened and blocks malicious code inside or manual scan
I'm sorry but this is totally wrong. FSS has a thing called "scan when writing", which states: "the following settings determine files that should be scanned at the moment they are created or modified".. maybe you should check out the settings more closely and learn what everything does.

See the attached image, it's from WinXP running Avast 8.0.1497 and trying to download the eicar.com file with Firefox, notice the texts what it says: "file system shield ... threat was detected and blocked when the file was created or modified".. this is what should happen with Avast 2014.9.0.2018 on Win8.1(.1) with Firefox, but the file system shield is totally silent (with IE it works). And to make things worse, the default "on" option of "Optimize scanning during file copy option" allowed the (fake)virus to be copied everywhere in the system without Avast making a single peep.

There's something wrong with the new Avast. Creating a new malware file to the system through Firefox yields NO warning whatsoever, and subsequently Avast allows copying (=making new files) of that file everywhere in the system IF "Optimize scanning during file copy option" setting is on. With IE, Avast blocks the malware download (=creating a new file). Something is not right with Avast.

P.S. You might want to google about the WOT you're using and advertising. It's not working properly, the system can be manipulated and can't be trusted, it gives a false sense of security. Just as a side note & a tip, let's not get into conversation about it in this topic.


Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5604
  • Spartan Warrior
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #19 on: June 25, 2014, 11:06:41 PM »
Sorry, I've to disagree.

What you're doing is comparing two different versions:
  • Avast 8.0.1497
  • Avast 2014.9.0.2018
and expecting them to perform in the same way.
 
They don't. 

8.0 has most of the same features but some of those features were moved over to WebShield in the latest version.  Better to block than allow the malware to download and install, eh?

As they say, one can lead a horse to water, but one cannot make it drink. 

Like Pondus, I run 5 a/v's at once.  Just so you know.   ;)

Your solution:  Run only 8.0 version if that is what makes you happy. 

Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #20 on: June 25, 2014, 11:49:14 PM »
Sorry, I've to disagree.
Yes, you can do that.

But it's really sad that you can't see the problem. I've written it for you twice already and you either fail to understand or it's selective ignorance, willfully or not.

Last attempt, read it very carefully: Win8.1.1, newest Avast 2014.9.0.2018, FSS STOPS eicar.com when downloaded with IE, without webshield.. with Firefox, Avast FSS is silent.


And then there's the second problem, possibly related to the 1st one; read what Igor from Avast team wrote earlier:
However, if you are able e.g. to copy an eicar.com file from one folder into another without any detection, then there's something wrong here (just to be sure, I'd disable the "Optimize scanning during file copy option" in File System Shield Settings / Advanced).
Igor obviously knows that there really could be a problem in current Avast, AND with specific option which is ON by DEFAULT, for EVERY new installed Avast.

My reply to that post, which confirms that the problem exists, was:

Quote
Yes, I can perfectly copy the eicar.com file anywhere I like, Avast does nothing.

If I turn off the "Optimize scanning during file copy option", Avast stops file copy process. Seems to me that there's a loophole in the protection with this setting set to "on". Worrying.

BUT, that option still "off", downloading the eicar.com file yields NO action from Avast. I find this a bit odd. There, in my download folder is a (fake)virus and Avast did nothing.

So, there's 2 problems. I'm sorry if that eats away your confidence about Avast. Now, we have heard you. Thanks for your input. Please don't post same thing here anymore. Thanks.

One would think that fellow Avast users would be interested and perhaps a little worried when somebody tells them that there could be 1-2 problems in one of the security layers in the very same security product that they use. But obviously no.  ::)


Like Pondus, I run 5 a/v's at once.  Just so you know.   ;)
I was once like you, I ran everything I could get my hands on, "just to be safe". Then, I wised up (& learned more about security) and stopped wasting my time (and now when I think of it, I wasted SO MUCH TIME) with all the software/settings/etc.

Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #21 on: June 26, 2014, 12:39:46 AM »
Igor (& everyone else), I found out what happens.

I put "File System Shield Settings -> Scan when writing -> Scan all files" ON.

Download eicar.com with Firefox. And then an Avast warning comes up (attached image). Check out the extension of that downloaded "object"!!

Firefox downloads ALL files with added ".part" suffix until the whole download is ready. Then Firefox renames the file back & moves it to the users download folder.

So, the problem is: why does Avast FSS ignore the renaming of the object from .part to an executable file, AND the moving of that object from the download cache/temp folder to the actual "download" folder? (This is when FSS is set to "scan files with default extensions" in the "Scan when writing" FSS settings, which is the DEFAULT setting.)

And the second problem (very likely related to the 1st problem) is: after a file gets into the system through that 1st loophole, the DEFAULT ON setting of "Optimize scanning during file copy option" in FSS advanced settings allows the file to be copied further ANYWHERE in the system.

Is the ".part" file put to a transient or persistent cache? Or something similar happens?

I just put OFF transient & persistent caching in FSS. I'll have to wait for a definition DB update to check if those have any relation to these problems. I'll be back tomorrow.

Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #22 on: June 26, 2014, 04:28:54 AM »
I figured out a couple of things. After many, many tests & brain-exploding thinking. Haha.

There is an erroneously named and/or illogically acting Avast setting. The FSS "Scan when writing -> scan files with default extensions" actually sometimes means: "scan files with default file contents" (maintained by avast). It's not always file extensions that Avast is looking for when a file is created or modified.

Here's some examples (on Win8.1.1 x64 & Avast 2014.9.0.2018):
  • Eicar.com file downloaded with IE -> downloads to temp folder with ".com" extension = Avast detects the file.
  • Eicar.com file downloaded with Firefox -> downloads to temp folder with ".com.part" extension = Avast does NOT detect the file -> completed file is renamed with .com extension and moved to final download folder = Avast does NOT detect the file.
This is perfectly normal & in accordance with "scan files with default extensions" setting because:
  • In IE case, the file is created with ".com" extension right from the start.
  • With Firefox, the file creation is done with an extension that is not "detected" by Avast. The subsequent Firefox file rename & move (or move & rename) to final location is NOT a file creation or modification process. That's why Avast FSS doesn't detect it.
More, preparing: eicar_com.zip downloaded with any browser (IE, Firefox) -> Avast does NOT detect the file -> file is created & moved to final download folder. Perfectly normal again.
  • Open zip-file & extract eicar.com ->  Avast detects the file.
  • Open zip-file, rename eicar.com to eicar.com.part inside the zip-file & extract eicar.com.part -> Avast does NOT detect the file.
This is once again perfectly normal & in accordance with "scan files with default extensions" setting.

But here things get interesting, preparing: Spycar_tests.zip file downloaded from http://www.testmypcsecurity.com/securitytests/spycar_suite.html -> Avast does NOT detect the file. Normal.. but:
  • Open zip-file & extract e.g IE-KillAdvancedTab.exe file ->  Avast detects the file.
  • Open zip-file, rename IE-KillAdvancedTab.exe to IE-KillAdvancedTab.exe.part inside the zip-file & extract IE-KillAdvancedTab.exe.part -> Avast detects the file.
Whoops, what just happened?! The first detection is normal, BUT the 2nd detection of the ".part" file is NOT normal. It's not in accordance with the "scan files with default extensions" setting. Did Avast scan the file based on its contents?? Ignoring the "unfamiliar" extension of the file?? Why did Avast decide to do this with this file BUT NOT with the eicar.com.part file??

Now, the last example (WinXP 32bit running Avast 8.0.1497):
  • Download the eicar.com file with Firefox -> Avast detects the file AFTER it was renamed & moved to final download folder.
Check the attached image. Why doesn't this happen in Win8.1.1 x64 with Avast 2014.9.0.2018?? Was something changed?

What baffles me the most is that sometimes files are scanned based on contents even though it should not happen according to the settings.

And finally, still open, is there a problem on some cases with "Optimize scanning during file copy option" setting ON?
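
The behaviour reported in Reply #22, as an added example that is not part of the original thread and is not Avast code: a simplified model of an on-write scanner that filters by file extension and raises no scan on rename. The extension list, the marker bytes, the paths and the `rescan_on_rename` option are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed list; the product's real "default extensions" list is not on this page.
DEFAULT_EXTENSIONS = (".com", ".exe", ".dll", ".scr")
MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a test file's content


@dataclass
class OnWriteScanner:
    scan_all_files: bool = False    # models "Scan when writing -> Scan all files"
    rescan_on_rename: bool = False  # hypothetical mitigation, not a product setting
    files: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)

    def _scan(self, path, event):
        eligible = self.scan_all_files or path.lower().endswith(DEFAULT_EXTENSIONS)
        if eligible and MARKER in self.files[path]:
            self.detections.append((event, path))
            del self.files[path]  # blocked: the file does not stay on disk
            return True
        return False

    def write(self, path, data):
        self.files[path] = data
        return self._scan(path, "write")

    def rename(self, old, new):
        # A rename changes the name only; no create/modify event is raised.
        self.files[new] = self.files.pop(old)
        return self.rescan_on_rename and self._scan(new, "rename")


def download_direct(scanner, name, data):
    """Browser writes the file under its final name (the IE case in the post)."""
    return scanner.write("temp/" + name, data)


def download_via_part(scanner, name, data):
    """Browser writes name.part, then renames and moves it (the Firefox case)."""
    part = "temp/" + name + ".part"
    if scanner.write(part, data):
        return True
    return scanner.rename(part, "downloads/" + name)


def run(browser, **settings):
    scanner = OnWriteScanner(**settings)
    blocked = browser(scanner, "sample.com", b"header " + MARKER)
    return blocked, scanner.detections, sorted(scanner.files)
```

With default settings, `run(download_via_part)` leaves `downloads/sample.com` on disk unscanned, while `scan_all_files=True` catches it at the `.part` write, matching the warning described in Reply #21.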

Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #23 on: June 29, 2014, 01:24:46 PM »
It would be very nice if somebody from Avast could post their thoughts about these things. Thanks.

Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #24 on: July 01, 2014, 11:22:29 PM »
Hello?! Is anybody out there?

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5604
  • Spartan Warrior
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #25 on: July 01, 2014, 11:47:23 PM »
If you have a 64bit OS (which I assume but don't know), then there's no "execute" of the eicar test file (because it's a "COM", old 16bit code and 64bit OSes don't have the 16bit subsystem) - so eicar cannot be detected on execution on 64bit OSes. (So Eicar is not very useful as a test file these days.)

However, if you are able e.g. to copy an eicar.com file from one folder into another without any detection, then there's something wrong here (just to be sure, I'd disable the "Optimize scanning during file copy option" in File System Shield Settings / Advanced).
There's your answer.  Point is moot on a 64-bit OS as it can't run a 16-bit file; it has no 16-bit subsystem on which to run it.  No support for that.  Suggest redo the avast! install (clean install) and see if your issue goes away.

Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #26 on: July 01, 2014, 11:57:53 PM »
Aargh! You again! You're wrong again. You obviously do NOT understand the technical side of this issue/topic and you just spew more and more false information. Please, no more. Your blind faith and fanboyism is so obvious here that it's rather sad.. and nerve-wracking to me. Could you please refrain from posting here? Please?

IF you had read AND understood my latest post which describes the problems, you would not have posted that message you just did.

Online bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48553
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #27 on: July 07, 2014, 03:10:53 PM »


Running Windows 8.1 64 bit and avast! Free v.2014.9.0.2021
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #28 on: July 07, 2014, 03:13:40 PM »
Hi Bob, what does that have to do with this topic? I'm not talking about the "web shield". The problems are with the "file system shield" (and using only that shield).

Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: EICAR NOT DETECTED by File System Shield !?!?
« Reply #29 on: July 07, 2014, 03:17:35 PM »
I've to say that I'm dumbfounded that nobody seems to care.. nor understand. There's obviously an anomaly in how the File System Shield works with the "Scan when writing -> scan files with default extensions" default setting. Nobody cares. I'm very close to leaving Avast for good (have been using since, I can't remember exactly, version 4.x?) because of this lack of Avast support (+other Avast problems).