Author Topic: Strange Difference in Resident and Avast GUI Scaning  (Read 5377 times)

0 Members and 1 Guest are viewing this topic.

IgorM

  • Guest
Strange Difference in Resident and Avast GUI Scaning
« on: September 26, 2006, 01:09:17 PM »
I see strange difference in behavior of Resident Standart Shield working and Scanning from Avast GUI in case of "RavMonE.exe" part of "Win32:Rjump [Wrm]". I selected the highest settings for Standart Shield. And see that it scans "RavMonE.exe" when I copy or simply open it. But see nothing problematic with this file. Also It see no problems with starting this file. ::((
Still when I start GUI scan of directory with this file it reported as containing  "Win32:Rjump [Wrm]".

   I tried with the same result with Home, Pro and Server variants of Avast Software. I use the latest application and database from 26-sep-2006.

After so strange difference in behavior of Resident and GUI scanning I am in BIG doubt about buying park of Standart suit of licenses of this product.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11812
    • AVAST Software
Re: Strange Difference in Resident and Avast GUI Scaning
« Reply #1 on: September 26, 2006, 02:35:51 PM »
The resident protection scans the files in a little different way (namely, it doesn't have the "Scan full files" option enabled, and there's no way to do that). So, you can say that the file is actually not detected (and the fact that the GUI scanner does detect it is just a coincidence).
So, can you please send the RavMon.exe file (packed into a password protected ZIP or RAR) to virus@avast.com, please?

IgorM

  • Guest
Re: Strange Difference in Resident and Avast GUI Scaning
« Reply #2 on: September 26, 2006, 03:12:17 PM »
OK! :)  Files were sent.

I see that "resident protection scans the files in a little different way " :)

The problem is that Avast team can say that Avast support that worm. Still I have no real protection due to luck of functionality in resident part. It is kind of missleading. I see no notion in documentation about this difference. I was sure if I use resident protection on servers and workstations enabled and latest data base -- I have protection from virus spreading at least. And have no need to run manual scan. And so on ...   

I have data base that contains info for this virus and resident protection that scans file with this virus and see nothing. Kind of madness. It is ARCHITECTURAL BUG from my point of view as answer to your statement ("resident protection doesn't have the "Scan full files" option enabled, and there's no way to do that"). And I think many users and sysadmins see it in the same way.


Best Regards,
Igor Arsenin

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Strange Difference in Resident and Avast GUI Scaning
« Reply #3 on: September 26, 2006, 03:33:27 PM »
Quote
I have data base that contains info for this virus and resident protection that scans file with this virus and see nothing. Kind of madness. It is ARCHITECTURAL BUG from my point of view as answer to your statement


Not really. As Igor pointed out, we consider all files not detected by the on-access scanner as UNDETECTED, i.e. unknown to avast. In other words, the on-access scanner is what counts when saying detected/undetected.
If at first you don't succeed, then skydiving's not for you.

IgorM

  • Guest
Re: Strange Difference in Resident and Avast GUI Scaning
« Reply #4 on: September 26, 2006, 03:54:34 PM »
O! Yes! I am sure!  Still it is needed to explain in documentation in BIG letters that detecting of some virus by GUI Scaner does not means that customer is protected by resident also. Or notion in GUI Dialog must state that you need to do full scan on all nearby computers to be not dependent on this particular virus is detectable only by GUI.

IgorM

  • Guest
Re: Strange Difference in Resident and Avast GUI Scaning
« Reply #5 on: October 03, 2006, 01:51:25 PM »
It is already week after samples of this worm was sent by me and others. Still Avast Resident do not detect it. ???

Best Regards,
Igor Arsenin

BunkFace

  • Guest
Re: Strange Difference in Resident and Avast GUI Scaning
« Reply #6 on: February 11, 2007, 11:42:40 AM »
Just an update: My last avast scan about a week ago still can't detect then RavMone virus. I have noticed that avast has a hard time detecting viruses spreading thru removable USB drives.

AVAST also can't detect the VBS/Solow-A worm (which is also spread thru removable USB drives).

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11812
    • AVAST Software
Re: Strange Difference in Resident and Avast GUI Scaning
« Reply #7 on: February 11, 2007, 11:51:10 AM »
There's a number of RavMon variants - this might be another one...
Can you please send your sample to virus@avast.com, and possibly note (in the message) that the resident protection has problems detecting the sample?
Thanks.

BunkFace

  • Guest
Re: Strange Difference in Resident and Avast GUI Scaning
« Reply #8 on: February 12, 2007, 11:11:12 AM »
I have already deleted my copy of the RavMone virus. I have sent a copy of VBS/Solow.A virus though. I have zipped it with the password 'virus'. Will I get a confirmation from the virus@avast.com email (I haven't received any yet.)

tls

  • Guest
Re: Strange Difference in Resident and Avast GUI Scaning
« Reply #9 on: February 12, 2007, 03:13:47 PM »
As far as I know, you will not receive a confirmation.  More than 4000 emails a day are received at virus @ avast.com to be analyzed and prioritized.  The file can be scanned in the chest (if you did not delete it) to see if the detection has been added.