Author Topic: Virus got into system past avast! :-/  (Read 18371 times)


Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re:Virus got into system past avast! :-/
« Reply #15 on: December 21, 2003, 09:10:20 PM »
1) The warning about opening attachments was from the mail program (and was ignored, but that could happen, maybe someone thought it was a real file, maybe it was a document, maybe someone was using Outlook Express :-)

2) The virus warning from avast! WAS correctly understood. "Delete" was selected, but did not work (error message). And that's what I'm complaining about. A virus program that catches a virus SHOULD prevent further access to that file. And if it does - how did the virus get to be activated and change system settings and several files?

I like avast! (else I wouldn't use it). But if it lets viruses run in the background while displaying the warning then it's not the program for me anyway (and that would be real sad).
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Walker

  • Guest
Re:Virus got into system past avast! :-/
« Reply #16 on: December 21, 2003, 09:28:13 PM »
> 2) The virus warning from avast! WAS correctly understood. "Delete" was selected, but did not work (error message). And that's what I'm complaining about.

Now this is a different slant on the original post(s). If this is all you're complaining about then so be it. As Culpeper says, no doubt the Alwil team will have a reply.

> A virus program that catches a virus SHOULD prevent further access to that file.

This I don't accept. What if it was a 'false alarm', would you then be happy not being able to get into a valid file?... I don't think so  8) .

I also ask, as did Culpeper, is this on a network or the Server edition of Avast.

BUT I repeat... mho  8)
« Last Edit: December 21, 2003, 09:30:10 PM by Walker »

Offline Culpeper

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1187
Re:Virus got into system past avast! :-/
« Reply #17 on: December 21, 2003, 09:39:26 PM »
Yeah, I'm a little confused.  I get the impression that Lars is a network administrator.  That someone else on the network actually got the Avast warning?

I'm very prejudiced and I'll assume that Avast wouldn't let something as common as the Swen virus run in the background.  But I have been wrong in my assumptions before and will let the experts investigate alongside Lars what happened here.
« Last Edit: December 21, 2003, 09:41:30 PM by Culpeper »
The wind in the wires made a tattletale sound
And a wave broke over the railing
And every man knew, as the Captain did, too,
T'was the witch of November come stealing.

Offline Lars-Erik

Re:Virus got into system past avast! :-/
« Reply #18 on: December 21, 2003, 09:41:41 PM »
To the second quote. If you CHOOSE to continue to access the file of course you should be able to. But when you choose "Delete" (or another choice to remove the virus) then there should be no way for that virus to get active.

Now, we don't exactly know what happened. But say that when we pressed "Delete" and avast! gave the error message about not being able to delete the file, that the control then was passed back to the system making further execution of the infected file possible - that would be bad.

The only way a detected file should be able to be executed should be when the user answers the virus alert message with "Continue access anyway" (or something similar), right?

BTW:  Just to clarify, this IS on my home PC (but there is not only me living here, I'm a developer/tech, I know what not to open, I could have lived without an anti-virus - I think anyway :-)

My system is a Win98se, avast! resident scanner, Zone Alarm, and I'm connected to the world through a cable-modem.
« Last Edit: December 21, 2003, 09:44:00 PM by Lars-Erik »

Offline Culpeper

Re:Virus got into system past avast! :-/
« Reply #19 on: December 21, 2003, 09:44:42 PM »
> To the second quote. If you CHOOSE to continue to access the file of course you should be able to. But when you choose "Delete" (or another choice to remove the virus) then there should be no way for that virus to get active.
>
> Now, we don't exactly know what happened. But say that when we pressed "Delete" and avast! gave the error message about not being able to delete the file, that the control then was passed back to the system making further execution of the infected file possible - that would be bad.
>
> The only way a detected file should be able to be executed should be when the user answers the virus alert message with "Continue access anyway" (or something similar), right?

Yes, I agree.  What are your settings in the Blocker tab for the standard shield provider?  I'm curious about the setting for if Avast is unable to warn should the operation be continued or not.

Okay, I see.  You're on a single machine with an ISP.
« Last Edit: December 21, 2003, 09:46:21 PM by Culpeper »

Offline Lars-Erik

Re:Virus got into system past avast! :-/
« Reply #20 on: December 21, 2003, 09:48:05 PM »
Now my blocker settings are for all operations. But that's a bit annoying since you get messages for every operation (programs DO open/write/rename/delete files all the time).

But with the previous standard settings (no blocking) avast! still should stop access to files when a virus is detected, right?

I'll run with block warning on every access now to be a bit more sure (then we will get lots of warnings on writes :-)

Offline Culpeper

Re:Virus got into system past avast! :-/
« Reply #21 on: December 21, 2003, 09:50:21 PM »
Get rid of ZoneAlarm!  Especially if you're using the free version.  It allows selected IPs that pay ZoneAlarm for the privilege.  They may be trusted by ZoneAlarm but that is moot.  That would make ZoneAlarm free edition a platform for their own trusted spyware.

Offline Lars-Erik

About Zone Alarm, SpyWare etc
« Reply #22 on: December 21, 2003, 09:53:01 PM »
Have no bad experiences with Zone Alarm. Frequently scan for SpyWare with AdAware, but most ads and stuff never reach my browser as I use WebWasher to filter it out.

Offline Culpeper

Re:Virus got into system past avast! :-/
« Reply #23 on: December 21, 2003, 09:53:36 PM »
> Now my blocker settings are for all operations. But that's a bit annoying since you get messages for every operation (programs DO open/write/rename/delete files all the time).
>
> But with the previous standard settings (no blocking) avast! still should stop access to files when a virus is detected, right?
>
> I'll run with block warning on every access now to be a bit more sure (then we will get lots of warnings on writes :-)

I'm not sure on that one, Lars.  My theory is that Avast was unable to give another warning because a file was already in memory and since it was set to allow the operation if Avast couldn't warn then it got executed upon opening.  Just a theory though.  
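A minimal model of the two error paths discussed in replies #18, #19 and #23 (removal fails after "Delete"; the scanner cannot show its warning), added here as an illustration: it is not code from any poster or from avast!, and `AccessEvent`, `decide`, `fail_closed` and the scenarios are hypothetical names and constructed inputs. It shows that only a fail-closed policy keeps a flagged file from running without an explicit "continue".

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    ALLOW = "allow"   # the open/execute request goes through
    DENY = "deny"     # the request is refused


@dataclass(frozen=True)
class AccessEvent:
    infected: bool              # resident scanner flagged the file
    warning_shown: bool         # the alert dialog could be displayed
    user_choice: Optional[str]  # "delete", "continue", or None (no dialog)
    delete_succeeded: bool      # result of the removal the user asked for


def decide(ev: AccessEvent, *, fail_closed: bool) -> Verdict:
    """Verdict for one file access; fail_closed picks the error-path policy."""
    if not ev.infected:
        return Verdict.ALLOW
    on_error = Verdict.DENY if fail_closed else Verdict.ALLOW
    if not ev.warning_shown:
        return on_error                     # the "unable to warn" setting
    if ev.user_choice == "continue":
        return Verdict.ALLOW                # explicit override by the user
    if ev.user_choice == "delete" and not ev.delete_succeeded:
        return on_error                     # removal failed: who gets control?
    return Verdict.DENY                     # removed, or no valid answer


# Constructed scenarios, not taken from any real scanner log.
SCENARIOS = {
    "clean file": AccessEvent(False, False, None, False),
    "user continues": AccessEvent(True, True, "continue", False),
    "delete works": AccessEvent(True, True, "delete", True),
    "delete fails": AccessEvent(True, True, "delete", False),
    "cannot warn": AccessEvent(True, False, None, False),
}


def unintended_runs(fail_closed: bool) -> list:
    """Scenarios where a flagged file runs without the user choosing 'continue'."""
    return [name for name, ev in SCENARIOS.items()
            if ev.infected and ev.user_choice != "continue"
            and decide(ev, fail_closed=fail_closed) is Verdict.ALLOW]


if __name__ == "__main__":
    print("fail-open:  ", unintended_runs(False))
    print("fail-closed:", unintended_runs(True))
```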

Offline Culpeper

Re:About Zone Alarm, SpyWare etc
« Reply #24 on: December 21, 2003, 09:58:03 PM »
> Have no bad experiences with Zone Alarm. Frequently scan for SpyWare with AdAware, but most ads and stuff never reach my browser as I use WebWasher to filter it out.

I'm just warning that the free version of ZoneAlarm has preconfigured settings that are beyond your control.  That organizations pay ZoneAlarm to preconfigure access past the firewall settings.   It will not show up as spyware on any scans.  For example, XYZ Advertising Inc., gets to see your IE history without your knowledge because they have paid ZoneAlarm to program access past the firewall.  This is just an arbitrary example.

See my following posts/links.
« Last Edit: December 21, 2003, 10:17:54 PM by Culpeper »

Offline Culpeper

Re:Virus got into system past avast! :-/
« Reply #25 on: December 21, 2003, 10:12:03 PM »

Offline Culpeper

Re:Virus got into system past avast! :-/
« Reply #26 on: December 21, 2003, 10:15:26 PM »
Many people first notice something is up when they install a firewall, such as ZoneAlarm, which only lets programs with explicit permission access the net.

http://news.bbc.co.uk/2/hi/in_depth/sci_tech/2000/dot_life/2487651.stm

Offline Culpeper

Re:Virus got into system past avast! :-/
« Reply #27 on: December 21, 2003, 10:17:20 PM »
And just to give ZoneAlarm a fair shake but you should read the entire page especially the part about Media Metrix and TrueVector technology.

http://www.grc.com/zonealarm.htm

Walker

  • Guest
Re:Virus got into system past avast! :-/
« Reply #28 on: December 21, 2003, 10:54:32 PM »
> To the second quote. If you CHOOSE to continue to access the file of course you should be able to. But when you choose "Delete" (or another choice to remove the virus) then there should be no way for that virus to get active.

As the legal profession would say... 'already asked and answered'. I've agreed that if 'delete' didn't work then it is an issue for the Alwil guys to address. I've also given my opinion on what you 'previously' asked which was "A virus program that catches a virus SHOULD prevent further access to that file.", which I disagree on. These were two different responses to two separate sentences that you wrote, which I replied to as such (separately).

> The only way a detected file should be able to be executed should be when the user answers the virus alert message with "Continue access anyway" (or something similar), right?

I still disagree with you (depending upon exactly what you mean by 'something similar') in as much as a file caught by 'false alarm' (NOT one that you have chosen to delete, but this hasn't happened), should still be accessible from quarantine or the 'chest'.

> My system is a Win98se, avast! resident scanner, Zone Alarm, and I'm connected to the world through a cable-modem.

OK, so this is Avast 'Home' or 'Pro' on a single machine? To refer back to your earlier comments about an executable being activated on a web site (and I am open and happy to be corrected on this), the Pro version has the 'Script Blocker', which is not in the Home version. So until an .exe file is run from your local machine, it can only remain a 'script' and the Pro version should, I assume, deal with it. Note: I'm not referring to an .exe file that has been downloaded/sent with e-mail etc., or that Avast should have deleted at your bequest.


Offline Waldo

  • Sr. Member
  • ****
  • Posts: 397
  • Avast does the ownage
Re:Virus got into system past avast! :-/
« Reply #29 on: December 22, 2003, 04:41:20 PM »
It is indeed easy to make a mistake and press "the wrong button" when alerted for a possible virus. Everybody gets scared from a message like that.

It's also possible that AVAST did detect it, but let it run anyway...also, I doubt that. This must be investigated by the vendors of Avast.

These 2 reasons for the possible worm infection Lars-Erik got give more strength again to the thingy I always say: layered defence!

It's correct that Avast shouldn't let viruses & worms run (especially well known worms) but I don't believe this ever happened in the past.

If you had had the freeware Abtrusion protector nothing would have happened (if you by mistake pressed the wrong button):

http://www.abtrusion.com/

or :

http://maxcomputing.narod.ru/ssme.html

or some commercial Anti-trojan with memory/process scan (resident guard).

Waldo

**Guns are for show, knifes for a pro**