Author Topic: Virus got into system past avast! :-/  (Read 22511 times)

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Virus got into system past avast! :-/
« on: December 21, 2003, 07:31:18 PM »
We got the common mail supposed to be from MS containing the Swen32 worm. When someone clicked the Pack65.exe file in the mail program (Agent) it got written to Windows/Temp (by the mail program) and avast! detected it at once (as it should). BUT I couldn't delete it from the avast! warning dialog as it was in use by Windows, and a full scan showed that it was in memory and that several Windows files had been infected/renamed already (of course avast! repaired this OK).

BUT the question is WHY did the virus get into memory and WHY did avast! allow the virus file to be started?

I have scanning on for both writing and opening EXE files, and the warning was shown, but apparently the virus started in the background anyway (while avast! displayed the message). Doesn't avast! stop all action in the background? And shouldn't I have gotten a second virus warning (the file was first saved from the mail program to Windows/Temp, and then it was run from Windows/Temp after that)?

Suddenly I'm a bit unsure about avast!.  McAfee NEVER let a virus into the system, even if I ran it from the mail program.

Any explanation?  Any settings that are wrong?

If this can happen inside a mail program, the same thing will happen if someone clicks a .EXE file on a web page (it also first gets saved in a folder, and then executed from there).
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Culpeper

  • Guest
Re:Virus got into system past avast! :-/
« Reply #1 on: December 21, 2003, 07:39:58 PM »
I have no idea!  I've received that same virus via email on at least three different occasions without any adverse effects.  And I used the delete option offered by the Avast warning screen and ran a full scan afterwards.

I'm assuming you're using Avast on an internal network system and not just an ISP?
« Last Edit: December 21, 2003, 07:42:06 PM by Culpeper »

Walker

  • Guest
Re:Virus got into system past avast! :-/
« Reply #2 on: December 21, 2003, 07:45:51 PM »
I've received that same virus via email on at least three different occasions without any adverse effects.

I agree Culpeper, Avast has taken care of this virus for me on a couple of occasions... no problem  ;D ;)

W.

Lars-Erik
Re:Virus got into system past avast! :-/
« Reply #3 on: December 21, 2003, 07:46:07 PM »
I'll add that I don't use the mail-scanner. So the virus was detected on double-click on an attachment in a message, when that file was written to the temp directory before being started - but again - it got started anyway - even with scan on both "write file" and "open file" on "exe" type.

In mail I can fix this by using the mail-scanner too, but when using web-mail or clicking on files on web pages they get written to "Temporary Internet Files" and then started. And if the detection of a virus during saving of the file will not stop it from running anyway (that takes an "open" as well) then the protection is not that good (it doesn't help to detect a virus if the file can still be saved and started in the background - all access to the file should be halted at once).

Culpeper

  • Guest
Re:Virus got into system past avast! :-/
« Reply #4 on: December 21, 2003, 07:52:42 PM »
I'll add that I don't use the mail-scanner. So the virus was detected on double-click on an attachment in a message, when that file was written to the temp directory before being started - but again - it got started anyway - even with scan on both "write file" and "open file" on "exe" type.

In mail I can fix this by using the mail-scanner too, but when using web-mail or clicking on files on web pages they get written to "Temporary Internet Files" and then started. And if the detection of a virus during saving of the file will not stop it from running anyway (that takes an "open" as well) then the protection is not that good (it doesn't help to detect a virus if the file can still be saved and started in the background - all access to the file should be halted at once).

Lars:

I agree and will refer to the programmers to address your problem when they return to the forum.  That is a very common infected file and shouldn't have been executed.  Were there any other factors involved that may have circumvented Avast via human error or perhaps a setting within Avast?
« Last Edit: December 21, 2003, 07:56:33 PM by Culpeper »

Lars-Erik
Re:Virus got into system past avast! :-/
« Reply #5 on: December 21, 2003, 08:02:46 PM »
Have double checked. Basic settings are set to scan all executables on open, and advanced is set to scan all standard types on create/modify.

BTW:  I'd like a new check-box in advanced. Under "Scan files on open" I'd like the "Default extension set" here as well (so that all common file types can be scanned on open too, it's not obvious what files are scanned on open today).

Walker

  • Guest
Re:Virus got into system past avast! :-/
« Reply #6 on: December 21, 2003, 08:05:47 PM »
Culpeper,

What about the 'Advanced' setting tab (in resident task settings)? Aren't temp *.tmp files in the exclusion list?

W.

Culpeper

  • Guest
Re:Virus got into system past avast! :-/
« Reply #7 on: December 21, 2003, 08:07:48 PM »
Have double checked. Basic settings are set to scan all executables on open, and advanced is set to scan all standard types on create/modify.

BTW:  I'd like a new check-box in advanced. Under "Scan files on open" I'd like the "Default extension set" here as well (so that all common file types can be scanned on open too, it's not obvious what files are scanned on open today).

Okay, I see.  You will need to address this directly with the Avast Team members on this one because it is obviously a serious problem and they need to communicate with you directly.

Lars-Erik
Re:Virus got into system past avast! :-/
« Reply #8 on: December 21, 2003, 08:14:09 PM »
*.tmp files are in exclusion, but it was saved as a .exe file, and avast! DID detect it when it was saved (and/or opened), but the problem is that it still was executed (it got into memory, and managed to change some system files). And I did NOT click any other buttons than "Delete" and "Move to chest" - and then I got an "avast! unable to ..... file" (because it was in use I guess). So the code inside did get executed.

Culpeper

  • Guest
Re:Virus got into system past avast! :-/
« Reply #9 on: December 21, 2003, 08:16:06 PM »
Culpeper,

What about the 'Advanced' setting tab (in resident task settings)? Aren't temp *.tmp files in the exclusion list?

W.

Under the Advanced setting tab for the Standard Shield I do not have .tmp as an exclusion.  However, .tmp files are not included in the Blocker tab default extension set and the setting for allow operation is on if Avast cannot ask what to do.
« Last Edit: December 21, 2003, 08:16:47 PM by Culpeper »

Culpeper

  • Guest
Re:Virus got into system past avast! :-/
« Reply #10 on: December 21, 2003, 08:18:54 PM »
*.tmp files are in exclusion, but it was saved as a .exe file, and avast! DID detect it when it was saved (and/or opened), but the problem is that it still was executed (it got into memory, and managed to change some system files). And I did NOT click any other buttons than "Delete" and "Move to chest" - and then I got an "avast! unable to ..... file" (because it was in use I guess). So the code inside did get executed.

Lars:

What operating system are you using?

Lars-Erik
Re:Virus got into system past avast! :-/
« Reply #11 on: December 21, 2003, 08:29:19 PM »
I use Win98se (english language version)

Walker

  • Guest
Re:Virus got into system past avast! :-/
« Reply #12 on: December 21, 2003, 08:38:35 PM »
On my system, you have to be very daft or determined to run an exe file from the temp folder. Windows tells me it's a security risk and unsafe!

Lars-Erik
Re:Virus got into system past avast! :-/
« Reply #13 on: December 21, 2003, 08:44:22 PM »
Yes, I don't do that either (the mail program warns about it). But not everyone reads warnings. And if you select to run the attachment it is first saved to a file (and is caught by the anti-virus already then) and THEN it's run (and should be caught by the anti-virus again since it's an exe file). But when I heard the virus alert (only once) the virus was already in memory and avast! couldn't delete the file (because it was in use). Tried to delete it from Explorer as well and got a "file is in use by windows". Strange anyway.

Walker

  • Guest
Re:Virus got into system past avast! :-/
« Reply #14 on: December 21, 2003, 08:56:46 PM »
Whilst I can see what this is all about, my opinion is it's impossible for any piece of software to prevent humans doing what they do best... ignore warnings!

Personally, I think it very ambiguous to say that it 'got past Avast'. Seems the warnings were there and Avast DID catch it.

Just mho from what I understand from the post.