Author Topic: Possible false positive.  (Read 9227 times)


mauserme

  • Guest
Re: Possible false positive.
« Reply #15 on: February 11, 2006, 11:58:49 PM »
Thank you for the insight, Vlk. That does make sense for most users. Possibly additional options could be made available in an "expert mode" for users who feel they need them at some point in the future (time and resources permitting, of course).

And to polonus - welcome back.  I hope you're feeling better.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Possible false positive.
« Reply #16 on: February 12, 2006, 12:42:36 AM »
I think I must agree with Vlk, having seen the way my niece and nephew use the web with IM and P2P.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89237
  • No support PMs thanks
Re: Possible false positive.
« Reply #17 on: February 12, 2006, 01:15:22 AM »
We don't plan to provide an "Ignore"-type button to WebShield anytime soon... The reason is, if you absolutely feel that you want to download the infected file (or you're 100% sure it's a false positive), you can always pause/stop the provider. But as soon as the protection is ON, there should basically be no WRONG answer in the dialog, because 90% of the users simply don't know what it's all about, and they just click a (more or less random) button just to make the noisy dialog go away...
I agree you have to look out for the average user so they don't come to harm.

However, I doubt whether anyone can be totally confident to state that something is totally 100% a false positive, especially as they wouldn't have any way of investigating this unless they pause the web shield to allow for download and investigation.

The question remains why the web shield would scan a .zip file (when standard shield doesn't) the contents of which are an .iso file, and buried inside a folder is a killcmos.com file, when there is absolutely no way of one-click or auto-execution. You would need to unzip the .iso file, burn it onto a CD, run the newly burned CD, open the sub folder and then execute the killcmos.com file (which I'm not sure would work in a 32-bit environment; I tried a basic test which failed).

Yet with web shield paused to enable it to be downloaded, the file doesn't get scanned by Standard Shield set to Normal because it is a zip file (inert). So why the difference between files that web shield would scan vs files that standard shield scans when the file type .zip is the same? So it is the same degree of threat/risk from what is an inert file.

That is what concerns me more than the detection of killcmos.com, a 16-bit MS-DOS program, inside a folder, inside an .iso file, that is inside a zip file.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Possible false positive.
« Reply #18 on: February 12, 2006, 08:43:51 AM »
Well, we always considered the WebShield's ability to scan inside archives as a big PLUS. The rationale behind it is that Web downloads are relatively slow, and so the extra overhead of uncompressing the contents is more or less negligible compared to the time it took to download the file.

Of course, in your particular case, it is questionable whether we should be detecting the file or not (no matter if it's inside an archive or not) but generally, I'd say it's a very advanced (and powerful) feature.
If at first you don't succeed, then skydiving's not for you.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89237
  • No support PMs thanks
Re: Possible false positive.
« Reply #19 on: February 12, 2006, 03:52:00 PM »
Yes, it is an advanced and powerful feature, because many AVs can't scan inside .iso files; only three, including avast, picked it up on Jotti, possibly because it was inside an iso file. However, like all advanced features, should it not be selectable?

Should Web Shield use the same logic as Standard Shield, which doesn't consider .zip files (and by that logic, .iso/inert files too) an immediate threat/risk? They aren't scanned by default (at Normal; only if you use some of the advanced features/increased scan level). So should Web Shield act in the same way?

Yes, downloads are slow, even more so when using dial-up, so for the download to fail on virtually the last packets is extremely frustrating, and you then have to pause web shield and download it again to investigate.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
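As an added example (not code from this thread, nor avast's own implementation), here are the two scanning policies that DavidR's replies #17 and #19 contrast, in Python: an extension-based policy that treats .zip/.iso containers as inert and never opens them, versus a container-aware policy that unpacks nested archives and scans each member, with a nesting limit so a deeply nested archive cannot stall the scanner. It assumes a constructed marker byte string in place of a real signature, and uses a zip-inside-a-zip in place of the .iso in the thread, since the Python standard library has no ISO 9660 reader.

```python
import io
import zipfile

# Constructed marker standing in for a real detection signature (assumption).
MARKER = b"CONSTRUCTED-TEST-MARKER"
INERT_EXTENSIONS = (".zip", ".iso")  # containers the extension-only policy never opens
MAX_DEPTH = 4                        # bound on container nesting (assumed value)


def build_sample(nest: int = 1) -> bytes:
    """Constructed sample: `nest` zip wrappers around a zip holding tools/killcmos.com.
    The inner zip stands in for the .iso from the thread (no ISO reader in the stdlib)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("tools/killcmos.com", b"\xb8\x00\x00" + MARKER)  # fake DOS stub + marker
        z.writestr("readme.txt", b"plain text, nothing to detect")
    data = buf.getvalue()
    for _ in range(nest):
        wrapper = io.BytesIO()
        with zipfile.ZipFile(wrapper, "w") as z:
            z.writestr("disc.zip", data)
        data = wrapper.getvalue()
    return data


def scan_by_extension(name: str, data: bytes) -> list[str]:
    """Extension-based policy (Standard Shield at Normal, as described in the thread):
    a container extension is treated as inert and its contents are never examined."""
    if name.lower().endswith(INERT_EXTENSIONS):
        return []
    return [name] if MARKER in data else []


def scan_inside_archives(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Container-aware policy (Web Shield, as described): unpack every container and
    scan each member, reporting the full nesting path of anything detected."""
    if depth > MAX_DEPTH:
        return [f"{name}: nesting limit exceeded, not scanned"]
    if zipfile.is_zipfile(io.BytesIO(data)):
        hits: list[str] = []
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                if not info.is_dir():
                    hits += scan_inside_archives(f"{name}/{info.filename}", z.read(info), depth + 1)
        return hits
    return [name] if MARKER in data else []


if __name__ == "__main__":
    sample = build_sample()
    print("extension policy :", scan_by_extension("outer.zip", sample))
    print("container policy :", scan_inside_archives("outer.zip", sample))
```

The same outer .zip is reported clean by the extension policy and flagged at `outer.zip/disc.zip/tools/killcmos.com` by the container-aware one, which is exactly the difference in behaviour the thread is asking about.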