Author Topic: Avast 4.7 Home missed email eicar Test Virus  (Read 14888 times)

0 Members and 1 Guest are viewing this topic.

acegap

  • Guest
Avast 4.7 Home missed email eicar Test Virus
« on: July 18, 2006, 09:53:30 PM »
I just installed an email application for the first time and sent a standard base64 MIME encoded eicar.com file as a Virus Test to see how I am doing so far...

Congratulations... this newbie now has a Virus Test File sitting on his hardrive that got past Avast 4.7 Home Edition without a whimper...

Anyone tell me what I should do now?

Thanks in advance

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #1 on: July 18, 2006, 10:05:19 PM »
What is the e-mail client, and was Avast configured to scan incoming?  Is it a secure client

acegap

  • Guest
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #2 on: July 18, 2006, 10:24:21 PM »
Thanks Essex - Robin Hood here lol

I've set up Thunderbird 1.5.0.4.

In the Help of Avast I found:

"The avast! package contains the Mail Protection Wizard that can be used for easy settings of mail protection. This program can be started via Start button on Windows taskbar, Start ® Programs ® avast! Antivirus ® Mail Protection Wizard."

..but there is no such thing in my Start Menu..!

I only have:

1) avast! AntiVirus
2) avast Web site
3) Help


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #3 on: July 18, 2006, 10:48:38 PM »
..but there is no such thing in my Start Menu..!
This is only for Windows 9x or Me.
You don't need it for XP.
Which is your Standard Shield security level? High or Normal?
The best things in life are free.

acegap

  • Guest
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #4 on: July 18, 2006, 11:02:59 PM »
Thanks Tech. I've done a bit of searching and I had better say right now I am using Windows 2000 - fully updated. However, Avast has been installed for about three weeks. About one week ago I installed XP 64-bit as a secondary operating system (running OK but I'm too busy on W2000 to have had much time on it yet). And it is only yesterday that I installed Thunderbird.

According to my searching in this forum so far, the Mail Protection Wizard should be in my Start Menu, but it ain't.

Resident Scanner says 'Standard' but surely a standard eicar test should trigger it? There was a large list to choose from and I chose what looked to be the most simple test to start off with.

acegap

  • Guest
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #5 on: July 18, 2006, 11:14:17 PM »
ahh...  Internet Mail:  "the provider is currently running"    "scan inbound mail" = enabled    sensitivity "normal"


man, I only just found this after two days at it! I don't want to be judgemental but there does seem to be a lot of stuff scattered everywhere in Avast. The Help isn't accessible from the System tray either. Anyway, that's just how a newbie is seeing it...

Getting back to my virus, it look's like it's scanning but not getting the very basic test to me.

Hmm..

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #6 on: July 19, 2006, 12:26:36 AM »
I assume that you sent it as an attachment, try saving the attachment to your HDD. Thunderbird (sorry I don't use it) has a different method of storing emails and that can and does cause some problems, like if a virus isn't found on the way in and you do an on-demand scan avast might find it in the email folder and in trying to remove it, avast can't extract the infected email part of the folder and can delete the whole file, losing all email in that folder. This is on the FAQs for Thunderbird not to use the inbox for general storage as this can happen with many AVs.

I don't know how avast would deal with an encrypted (base64 or otherwise) infected email/attachment, after all that is the whole point of encryption is to secure the email. I would expect untill it is decrypted it won't be detected, that is why I suggest saving the attachment to your HDD as that should remove the encryption ?

Try it on a standard email attachment and see what happens.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mauserme

  • Guest
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #7 on: July 19, 2006, 02:04:41 AM »
The Help isn't accessible from the System tray either. Anyway, that's just how a newbie is seeing it...
Right click the i-icon in the system tray, then click "What is avast! VRDB?".  This will open the help file on that topic buts its easy enough to navigate from there.

Or. just consider the forum your help file.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #8 on: July 19, 2006, 02:27:22 AM »
The location for the help file is C:\Program Files\Alwil Software\Avast4\ENGLISH\HELP\help.chm you can also create a desktop shortcut for it.
You can also use the windows Start, All Programs, avast! Anti-virus, Help.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #9 on: July 19, 2006, 06:01:30 AM »
Quote
Thunderbird (sorry I don't use it) has a different method of storing emails and that can and does cause some problems

Sorry David, I do use Thunderbird and I am very familiar with its internals and  workings and your comment is completely without foundation.

Base64 encoding is not about encryption or security. All (well almost all) POP3 non-text email attachments are base64 encoded in billions of emails around the world every day.  Base64 encoding is what makes it possible to make a binary file attachment look like regular numbers and letters and able to send them through the old as dirt SMTP protocol that was really only designed to transmit text.  Avast knows all about base64, it caches the attachments,  decodes them to turn them back into the real files and thoroughly scans the real files just as it would any other file.     

I recently spent quite some time sending every available eicar virus format I could find through to Thunderbird (1.5.0.4) ... and avast caught every one of them with the IM scanner setting at normal. 

Quote
Getting back to my virus, it look's like it's scanning but not getting the very basic test to me.

Can you tell us how you know it is being scanned - are you seeing the number of messages scanned in the Internet Mail scanner increasing?  Are you seeing the subject line of the eicar message recorded in the scanner?

I am just wondering how you are getting the eicar message delivered to Thunderbird at all when most major ISPs and mailing services include virus scans that will prevent even the eicar virus from being delivered. 

Could it be that the connection you used to deliver the eicar message from the mail server was a secure session?  Those cannot, by definition, be intercepted by avast to scan the messages and, if not stopped at the mail server, will be delivered to the Thunderbird messages store (or that of any other mail client for that matter).

Last but not least, I suspect this is a very short mail message.  Could you capture the view of the message source in Thunderbird (select message then View > Message source) ... obscure any personal details of yours and then post the result here, if not all of it then at least the message headers?
« Last Edit: July 19, 2006, 07:28:07 AM by alanrf »

acegap

  • Guest
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #10 on: July 19, 2006, 02:19:35 PM »
Many thanks guys.

alan: On Access Protection Control has everything functioning at default, including:
   
   Internet Mail:  "the provider is currently running"
   sensitivity: "normal"
   "scan inbound mail" = enabled

I sent the eicar from http://www.declude.com/Articles.asp?ID=99

I clicked on the attachment in the inbox today and of course Avast got it straight away. The Standard shield now has an infected count of 1.

So, I sent the eicar again this morning to the same Yahoo! account (Ypops running as well). Clicked on Get Mail in Thunderbird and there it is in the inbox again.

Internet Mail scanner is currently:
   Sensitivity = Normal
   POP Scan Inbound Mail = Enabled
   Scanned count = 0
   Infected Count = 0

..maybe it isn't scanning after all..?

I have attached a .png printscreen of Thunderbird inbox with eicar full message.

Dave: Thanks for the Inbox non-storage tip... Priceless info!

and mauserme: Thanks for the post but my whinge was really from the Programmers viewpoint - I just thought it was a bit stingy to allocate two full lines in a very full system tray menu to 'Upgrade to Professional..' and leave us to 'navigate' heaven knows where (newbie) to find Help - If I can get it setup to work OK it looks good but I just think the whole thing needs pulling together a bit more, imho. Settings and Scanner look like two different applications for instance - I'm not continuing the whinge, I am on ur side, just explaining. lol

Thank you for your time, all

acegap

  • Guest
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #11 on: July 19, 2006, 05:42:53 PM »
a quick update...

After roaming through the Ypops forum and Thunderbird forum I changed the port on Thunderbird accounts and Ypops to 111 from 110 (default) and changed the SMTP port on both to 26 from 25 (default) - I then sent the same virus to the same email address again and it got through Avast and is now sitting in the inbox in Thunderbird.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #12 on: July 19, 2006, 05:52:26 PM »
avast, by default, scans only 110 and 25 (the default ports).
In order to scan other ports communication, you need to set them into the 'Redirection' page of settings of the Internet Mail provider and boot  ;)
The best things in life are free.

acegap

  • Guest
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #13 on: July 19, 2006, 06:15:18 PM »
thanks Tech - I changed the settings to 111 & 26 in the Internet Mail / Redirect... rebooted the computer... sent the same eicar test to the same email address.. started up Thunderbird, downloaded email..

..and it got through.

Avast Internet Mail still at:

Scanned count = 0
Infected count = 0

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #14 on: July 19, 2006, 07:21:33 PM »
Are you using SSL communication? Which is your email server, I mean, what do you have after the @ on your email address?
Doesn't avast detect any of the eicar files? Or it just does not detect the archive files of the eicar ones?
The best things in life are free.