Author Topic: Web Shield do not detect a virus that avast! actually can detect  (Read 5035 times)

Offline XMAS

  • Avast translator
  • Super Poster
  • ***
  • Posts: 1211
  • Santa is watching you ;)
    • avast! in Bulgarian
Hello to all :)

I've just noticed one very strange thing. While I was browsing a site with a virus collection (I was collecting virus samples that avast! does not detect - and unfortunately, out of 60 viruses that I've tested, avast! detected only 50; I'll send the samples later today) I found 2 viruses that the Web Shield doesn't detect, but when I do a manual scan once the file is downloaded, avast! detects the virus. How is this possible - avast! Quick Scanner detects the sample, but the Web Shield does not detect it?

Here is the link to the folder with the samples (the link is not a direct link to the virus, and it is written with spaces so that no one can click it by mistake):
http:// www. vx.netlux.org /vl.php?dir=Trojan-Dropper.Boot.InstallDisk - the folder contains 4 samples; the first two and the last are not detected by the Web Shield. Can anyone confirm this, or is it only happening to me? :-\

BTW I am using Firefox 1.5.0.4
You've Got To Get Close To The Flame To See What It's Made Of...

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Web Shield do not detect a virus that avast! actually can detect
« Reply #1 on: June 03, 2006, 08:01:18 PM »
I believe it's caused by the fact that the quick scanner scans as thoroughly as possible (it has the "Ignore virus targetting" flag set, for example).
Web Shield, on the other hand, scans only for the relevant viruses in the downloaded files... and since the link you posted leads to some boot viruses... it's rather unlikely to get infected by a boot-virus using a web browser :)

It's just a theory, I didn't really check the code.

XMAS
Re: Web Shield do not detect a virus that avast! actually can detect
« Reply #2 on: June 03, 2006, 08:09:12 PM »
> I believe it's caused by the fact that the quick scanner scans as thoroughly as possible (it has the "Ignore virus targetting" flag set, for example).
> Web Shield, on the other hand, scans only for the relevant viruses in the downloaded files... and since the link you posted leads to some boot viruses... it's rather unlikely to get infected by a boot-virus using a web browser :)
>
> It's just a theory, I didn't really check the code.

OK, thanks for the answer Igor :)
But, for example, the 3rd sample in the folder is a boot-virus too, and it's detected by the Web Shield.

igor
Re: Web Shield do not detect a virus that avast! actually can detect
« Reply #3 on: June 05, 2006, 09:58:26 AM »
Might be a hybrid variant (a boot-virus that also infects files)...

XMAS
Re: Web Shield do not detect a virus that avast! actually can detect
« Reply #4 on: June 05, 2006, 07:46:08 PM »
> Might be a hybrid variant (a boot-virus that also infects files)...

OK, thanks again ;D

DaveD

  • Guest
Re: Web Shield do not detect a virus that avast! actually can detect
« Reply #5 on: June 05, 2006, 10:10:10 PM »
> Web Shield, on the other hand, scans only for the relevant viruses in the downloaded files...

Does this mean that Web Shield does not make use of the entire signature database that avast! has, instead using only a limited amount of those signatures?

igor
Re: Web Shield do not detect a virus that avast! actually can detect
« Reply #6 on: June 05, 2006, 10:55:44 PM »
It is not about Web Shield; avast! tasks have various sensitivity options (you can change them for custom tasks in the Enhanced User Interface). One of the options is to "Ignore virus targetting" - which means to look for everything everywhere. By default, however, avast! scans the particular object for the malware that may infect it (or rather, it doesn't scan for the malware that certainly cannot infect it). For example, it doesn't make much sense to scan .COM files for macroviruses, does it? Similarly, scanning files (e.g. those checked by the Web Shield) for boot viruses that can exist on the boot sector only... is not really necessary.

So, I'm trying to say that it's not a limitation... but rather some kind of optimization of the scanning process.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Web Shield do not detect a virus that avast! actually can detect
« Reply #7 on: June 05, 2006, 11:00:42 PM »
Igor, maybe this should be the difference between Normal and High mode (slider in Web Shield). Normal with virus targeting and High without it for a bit more thorough scan. Just a thought to make use of those sliders ;)
Visit my webpage Angry Sheep Blog

DaveD
Re: Web Shield do not detect a virus that avast! actually can detect
« Reply #8 on: June 06, 2006, 12:27:06 AM »
> It is not about Web Shield; avast! tasks have various sensitivity options (you can change them for custom tasks in the Enhanced User Interface). One of the options is to "Ignore virus targetting" - which means to look for everything everywhere. By default, however, avast! scans the particular object for the malware that may infect it (or rather, it doesn't scan for the malware that certainly cannot infect it). For example, it doesn't make much sense to scan .COM files for macroviruses, does it? Similarly, scanning files (e.g. those checked by the Web Shield) for boot viruses that can exist on the boot sector only... is not really necessary.
>
> So, I'm trying to say that it's not a limitation... but rather some kind of optimization of the scanning process.

Perfectly understood. I appreciate you taking the time to explain that. I knew the difference between scanning by file extensions and all, but never knew it was optimized quite like that. And it does make perfect sense to me. No point in wasting resources.

Thanks,
Dave

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Web Shield do not detect a virus that avast! actually can detect
« Reply #9 on: June 06, 2006, 03:04:25 AM »
> Scanning by file extensions

In fact, avast recognizes the contents and does not just 'read' the extension; it identifies the content ;)
The best things in life are free.
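
Added example (not part of the original thread, and not avast! code): a toy model of the targeting optimization igor describes in Reply #6 together with the content-based identification Lisandro mentions in Reply #9. The signature names, byte patterns, sample blobs and function names are all constructed assumptions; a scan with `ignore_targeting=True` corresponds to the "Ignore virus targetting" option.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    targets: frozenset  # object kinds this malware can actually infect

# Constructed toy signatures; names and patterns are made up for illustration.
SIGNATURES = [
    Signature("Toy.Boot.A", b"BOOT-ONLY-A", frozenset({"boot_sector"})),
    Signature("Toy.Hybrid.B", b"HYBRID-B", frozenset({"boot_sector", "executable"})),
    Signature("Toy.Macro.C", b"MACRO-C", frozenset({"document"})),
]
FILE_KINDS = frozenset({"executable", "document"})

def identify_file(data: bytes) -> str:
    """Classify a file by its leading bytes, never by its name or extension."""
    if data.startswith(b"MZ"):
        return "executable"
    if data.startswith(bytes.fromhex("d0cf11e0a1b11ae1")):  # OLE2 container
        return "document"
    return "unknown"

def applies(sig: Signature, kind: str) -> bool:
    if kind == "unknown":  # unrecognised content: try every file-capable signature
        return bool(sig.targets & FILE_KINDS)
    return kind in sig.targets

def scan(data: bytes, kind: str = "", ignore_targeting: bool = False) -> list:
    """kind is 'boot_sector' for a disk sector; empty means 'a file, identify it'."""
    kind = kind or identify_file(data)
    return [s.name for s in SIGNATURES
            if (ignore_targeting or applies(s, kind)) and s.pattern in data]

# Constructed samples standing in for downloaded files.
BOOT_IMAGE_FILE = b"MZ" + b"\x00" * 16 + b"BOOT-ONLY-A"
HYBRID_FILE = b"MZ" + b"\x00" * 16 + b"HYBRID-B"
DOC_NAMED_COM = bytes.fromhex("d0cf11e0a1b11ae1") + b"MACRO-C"  # saved as x.com

if __name__ == "__main__":
    for label, blob in [("boot image", BOOT_IMAGE_FILE), ("hybrid", HYBRID_FILE),
                        ("doc named .com", DOC_NAMED_COM)]:
        print(label, "targeted:", scan(blob), "full:", scan(blob, ignore_targeting=True))
```

The boot-only sample is missed by the targeted file scan and found by the full scan, while the hybrid sample is found by both, which matches the behaviour reported in the thread.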