Avast leaves virus on system after unpacking

[sowen]

I run a full system scan (all disks, all files) on the computer running my mail-server. The eicar virus was contained in an email which I had been using to test.

Avast correctly detected the virus in my email (very impressive, because it's in SMTP/uuencode format .

Later in the scan, Avast found the virus again in
       C:\WINDOWS\Temp\_avast4_\unp21303\eicar.com

Now I know I could exclude the c:\windows\temp\_avast4_ directory, but it seems to me that Avast should clean up after unpacking virusses, rather than leaving virusses on the system.

[Vlk]

Hmm, the proper cleanup of temp files is something we fight all the time... Avast now features about 20 independent unpackers and to keep them all clean up things propertly is not easy...

I'd need more info: are you sure that this particular eicar is related to the one you sent via email? (I mean, you are appearently doing a lot of experiments so I want to make sure that it's really the MIME unpacker...). Maybe a retry of that 'test' would be useful...


Thanks
Vlk

[sowen]

I'll retry the test this evening. Or, rather, I'll let my system do it, as I'll probably be out of it on champagne!  

Although if it isn't the scan, then another part of Avast is leaving the virus on the system.

[sowen]

An update on that: I just checked the c:\windows\temp\_avast4_ directory, and there are several files with names beginning with 'unp', plus a file called 'clnr0.dll'.

I checked the contents of all the 'unp' files, and they all begin with the letters "PK", so my guess is the PKZIP unpacker isn't cleaning up properly.

[Vlk]

Actually if they begin with PK it doesn't mean it's the ZIP unpacker at all... I mean, the unp* files are the unpacked files, not the containers (that the unpacker is unpacking). I.e. these are ZIP files that were originally contained in a parent container.

Maybe you could identify the files by opening them in WinZIP... (their contents could ring the bell)

Vlk

[sowen]

Well I was just guessing

The files are apparently valid PKZIP files, as I can open them with WinZip, but all are empty (i.e. contain no files). Perhaps they got cleaned during the scan last night.

[Vlk]

Were you testing ZIPed eicars (and their deletion)?

After all, it might've been be the ZIP unpacker then

[sowen]

Yes, I was testing the eicar virus in a zip. I can't seem to reproduce the problem however.

[Vlk]

Try attaching a ZIPped eicar to an email and upon detection, tell avast to delete it. See what happens.

Thanks
Vlk

[sowen]

Nope, I can't seem to reproduce this one, using either email attachments or by creating tasks and schedules. Perhaps it will happen again during the night-time scan, when nobody's watching.