Author Topic: Strange scanning inconsistencies  (Read 8177 times)


Offline Zim

  • Newbie
  • *
  • Posts: 6
  • Invader of D00M!
Strange scanning inconsistencies
« on: January 18, 2004, 10:58:46 AM »
I've just started using Avast. I tested it with the eicar test file (see below). On the first scan 10 out of 12 files are found (the best score yet). Re-scanning some time later only seven files are found. Later again, only six. If I copy the files to a new folder and re-scan, 10 out of 12 files are again found. Each time I had the scanner set to Thorough and archive files ticked.

What's happening here?
« Last Edit: January 18, 2004, 11:00:27 AM by Zim »
I shall bring D00M to the filthy stink beasts! Oh such D00M i shall briing!

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11808
    • AVAST Software
Re:Strange scanning inconsistencies
« Reply #1 on: January 18, 2004, 11:30:11 AM »
I believe it's caused by the fact that you didn't specify the highest possible scan sensitivity. How did you perform the scan? What was the setting of the scan?

When the scanner finds a virus (which is a rare event on an ordinary user's computer), it automatically switches itself to so-called "paranoid mode" - setting the sensitivity to highest possible, scanning all the files, the whole files, etc.

Offline Zim

  • Newbie
  • *
  • Posts: 6
  • Invader of D00M!
Re:Strange scanning inconsistencies
« Reply #2 on: January 18, 2004, 11:48:32 AM »
Each scan I used these settings:

Thorough Scan
Scan archive files

These are the only scanning options I can find.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11808
    • AVAST Software
Re:Strange scanning inconsistencies
« Reply #3 on: January 18, 2004, 11:52:33 AM »
Hmm, maybe the "paranoid mode" is still more than the "thorough scan"  :-\
Can you check what files are/aren't detected when you scan them one by one (i.e. always only one at a time)?

Offline Zim

  • Newbie
  • *
  • Posts: 6
  • Invader of D00M!
Re:Strange scanning inconsistencies
« Reply #4 on: January 18, 2004, 12:18:41 PM »
I copied all the files into another directory, deleted the originals and moved the copies back into the original folder. Now 10 out of 12 are detected again. Weird..

The two files Avast does not seem to be able to look into are:

eicar.com.7z
eicar.com.7z.exe

7zip is a free file compressor. 7zip files are not very common yet, but I have been seeing more of them around lately.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11808
    • AVAST Software
Re:Strange scanning inconsistencies
« Reply #5 on: January 18, 2004, 12:44:22 PM »
Hmm, maybe I didn't read the original post properly... you re-scanned them in the same folder, without moving the file in between, and the results were different? (I thought that if you moved them somewhere, the order of the files in the directory may have changed, resulting in the strange behavior). But it's probably not the case... it's really strange.
Don't you have some other antivirus installed (whose resident protection may conflict with avast!)?

You are right, 7zip is not supported (yet). I believe it's planned to be added as well.
In fact, the results are even more strange than I thought... ZIP and RAR are supported, including their SFX versions. 7zip is not, however - so it's strange that any of the 7z versions got actually detected. It's probably due to the fact that eicar is a short file, and it wasn't really compressed - just "stored" - so the eicar content was still visible "in plaintext".

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re:Strange scanning inconsistencies
« Reply #6 on: January 18, 2004, 05:45:26 PM »
The author of 7zip archive is in agreement with using his source code in avast scanning engine - so, we plan to support this archive in future, but I think it will not be in short time; 7zip isn't still too popular, there's no linux-support and the author is not going to work on it.

Quote
It's probably due to the fact that eicar is a short file, and it wasn't really compressed - just "stored" - so the eicar content was still visible "in plaintext".

Yes, eicar content will be visible - but not detected like eicar. I think all 7zip archives will not be unpacked & scanned - maybe report file would help here.

Offline Zim

  • Newbie
  • *
  • Posts: 6
  • Invader of D00M!
Re:Strange scanning inconsistencies
« Reply #7 on: January 18, 2004, 05:59:58 PM »
I should have explained myself a little better. :) I'll try to clear things up a bit.
----------------------------------------------
Installed Avast
Selected the directory that contained the EICAR files.
Selected Thorough Scan
Ticked Scan archive files
Clicked |> (start button)
10 out of 12 files were found with the eicar test virus
Scanned about 30 minutes later and 9 out of 12 files were found
An hour later 7 out of 12 were found
The next day only 6 out of 12 files were found
---
I then copied the test files from /EICAR/ to /EICAR/temp/
I scanned the files in /EICAR/temp/ and 10 out of 12 files were found with the eicar test virus
I deleted the files in /EICAR/ and moved the files from /EICAR/temp/ to /EICAR/
I scanned the new files now in /EICAR/ and 10 out of 12 files were found with the eicar test virus
------------------------------------------------

I do have eTrust EZ Antivirus and AVG antivirus installed. None of these have their resident scanner active now or in the past.

Maybe it's best to call this one an X-File and leave it be. :) If I can recreate the problem I'll let you know what I find.
« Last Edit: January 18, 2004, 06:01:14 PM by Zim »

Offline Zim

  • Newbie
  • *
  • Posts: 6
  • Invader of D00M!
Re:Strange scanning inconsistencies
« Reply #8 on: January 18, 2004, 06:05:39 PM »
Quote
maybe report file would help here.

I have the files on a web site if you want to look at them, or do you mean reporting using Avast?

I'm glad to hear support for 7zip files is coming. eTrust EZ Antivirus cannot even see inside rar files. :o

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re:Strange scanning inconsistencies
« Reply #9 on: January 18, 2004, 06:09:56 PM »
Something like: Settings/ReportFile/Create report file
and set "OK files", "Skipped files", "Soft errors" to ON
and cut&paste your report file where 10 files from 12 are detected like eicar. Thanks.

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re:Strange scanning inconsistencies
« Reply #10 on: January 18, 2004, 06:12:32 PM »
Maybe .7z.gz means the eicar file is compressed with GZ then with 7zip - then 7zip archive is not recognized, but GZ archive is unpacked (cos of its small size, it's stored with no compression in 7zip archive) - then it would be OK.
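
The "stored, not compressed" explanation in Reply #5 and the nested-archive guess in Reply #10 can be reproduced offline. The following is an added example, not part of the thread and not Avast's code: it uses ZIP and gzip from the Python standard library as stand-ins for 7z, and `raw_scan`, `unpacking_scan` and `survey` are hypothetical names.

```python
import gzip
import io
import zipfile
import zlib

# Standard EICAR test string, split in two so this source file is not flagged.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         b"ANTIVIRUS-TEST-FILE!$H+H*")
MAX_DEPTH = 4          # nesting limit (assumed value)
MAX_MEMBER = 1 << 20   # skip ZIP members that claim to unpack to more than 1 MiB

def make_zip(name, payload, method):
    """Build a one-member ZIP in memory with the given compression method."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def raw_scan(blob):
    """Scanner with no unpacker for this format: plain byte search."""
    return EICAR in blob

def unpacking_scan(blob, depth=0):
    """Byte search, then recurse into containers recognised by magic bytes."""
    if EICAR in blob:
        return True
    if depth >= MAX_DEPTH:
        return False
    try:
        if blob[:2] == b"\x1f\x8b":        # gzip (unbounded here; cap it in real use)
            return unpacking_scan(gzip.decompress(blob), depth + 1)
        if blob[:4] == b"PK\x03\x04":      # ZIP local file header
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                return any(unpacking_scan(zf.read(i), depth + 1)
                           for i in zf.infolist() if i.file_size <= MAX_MEMBER)
    except (OSError, EOFError, zlib.error, zipfile.BadZipFile):
        pass                               # corrupt container: treat as opaque
    return False

def survey():
    """Constructed samples -> (raw_scan result, unpacking_scan result)."""
    gz = gzip.compress(EICAR)
    samples = {
        "zip_stored": make_zip("eicar.com", EICAR, zipfile.ZIP_STORED),
        "zip_deflated": make_zip("eicar.com", EICAR, zipfile.ZIP_DEFLATED),
        "gzip": gz,
        "gzip_in_zip": make_zip("eicar.gz", gz, zipfile.ZIP_DEFLATED),
    }
    return {k: (raw_scan(v), unpacking_scan(v)) for k, v in samples.items()}

if __name__ == "__main__":
    print(survey())
```

Only `zip_stored` is caught by the plain byte search; the other three samples are found only once the scanner has an unpacker for the container format.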

Offline Zim

  • Newbie
  • *
  • Posts: 6
  • Invader of D00M!
Re:Strange scanning inconsistencies
« Reply #11 on: January 18, 2004, 07:29:54 PM »
The test files are named so I can remember how I created them. This is how to interpret the file names.

eicar.com.rar.zip.exe means:

eicar.com   - the eicar.com test file
.rar      - I used WinRar to create the file
.zip      - I selected zip file compression using WinRar's options
.exe      - I selected the self-expanding archive option

So eicar.com.rar.zip.exe is simply eicar.com in a zipped self-extracting archive. The file name does NOT mean compressed into a rar file, then put into a zip file, then put into a self-extracting archive. When I first made these files the naming system only needed to be understood by me, not other humans. :P

I hope that clears things up a bit. :)

Here is the report file:

E:\TEMP\EICAR\00_eicar_test_readme.txt\UnnamedStream_1
  • is OK

E:\TEMP\EICAR\00_eicar_test_readme.txt
  • is OK

E:\TEMP\EICAR\eicar.com [L] EICAR Test-NOT virus!! (0)
E:\TEMP\EICAR\eicar.com.7z
  • is OK

E:\TEMP\EICAR\eicar.com.7z.bz2\eicar.com.7z [L] EICAR Test-NOT virus!! (0)
E:\TEMP\EICAR\eicar.com.7z.bz2
  • is OK

E:\TEMP\EICAR\eicar.com.7z.exe\[UPX]
  • is OK

E:\TEMP\EICAR\eicar.com.7z.exe
  • is OK

E:\TEMP\EICAR\eicar.com.7z.gz\eicar.com [L] EICAR Test-NOT virus!! (0)
E:\TEMP\EICAR\eicar.com.7z.gz
  • is OK

E:\TEMP\EICAR\eicar.com.7z.tar\eicar.com [L] EICAR Test-NOT virus!! (0)
E:\TEMP\EICAR\eicar.com.7z.tar
  • is OK

E:\TEMP\EICAR\eicar.com.7z.zip\eicar.com [L] EICAR Test-NOT virus!! (0)
E:\TEMP\EICAR\eicar.com.7z.zip
  • is OK

E:\TEMP\EICAR\eicar.com.rar\eicar.com [L] EICAR Test-NOT virus!! (0)
E:\TEMP\EICAR\eicar.com.rar
  • is OK

E:\TEMP\EICAR\eicar.com.rar.exe\eicar.com [L] EICAR Test-NOT virus!! (0)
E:\TEMP\EICAR\eicar.com.rar.exe
  • is OK

E:\TEMP\EICAR\eicar.com.rar.zip\eicar.com [L] EICAR Test-NOT virus!! (0)
E:\TEMP\EICAR\eicar.com.rar.zip
  • is OK

E:\TEMP\EICAR\eicar.com.rar.zip.exe\eicar.com [L] EICAR Test-NOT virus!! (0)
E:\TEMP\EICAR\eicar.com.rar.zip.exe
  • is OK

E:\TEMP\EICAR\eicar.txt [L] EICAR Test-NOT virus!! (0)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re:Strange scanning inconsistencies
« Reply #12 on: January 18, 2004, 07:56:21 PM »
Quote
I do have eTrust EZ Antivirus and AVG antivirus installed. None of these have their resident scanner active now or in the past.

Care Zim!
Now or in the future you can have trouble with more than one av installed at the same computer even if you do not have the residents activated...
Windows Registry, files processing (Virtual Device Drivers) and so on could have problems... There are a lot of forums discussing this.

avast! and AVG at the same computer have buggy behaviors sometimes  :-\
I know you seem to be an expert on this but, just my suggestion, take care man.
The best things in life are free.