Help with Eicar Tests

[galloway_777]

Hi everyone. I'm a newb here so let me start by saying "hello."

I have Avast 4.7 and I have a couple questions about the Eicar test files. Awhile back I went to http://www.eicar.org/anti_virus_test_file.htm and tested avast against all four of the files on that site. It detected all of them, and I would click delete, and avast would close the download box. NOW, when I do it, it detects the first one, but will not close the download box after pressing delete. The second file opens some kinda script page, and the 3rd and 4th aren't detected! Anyone know why this could be?

I'm worried that perhaps avast isn't performing as well as it should be due to a glitch or something.

[Tarq57]

Been there, done that! No problem at all. Unless I'm wrong, you saved the file rather than running it. (This hopefully mimics real life.) Avast doesn't detect the second file because it is simple text, not anything executable. If you tried to run it it would alarm. The third and fourth files are zipped and double zipped respectively. Nothing (I believe) can run from a zipped file until it is unzipped. (The 4th one needs 2 unzippings.) Try it, and you'll see what happens.
If you go to the Eicar site again, and just click to run each of these in turn from the upper menu, Avast won't even let the page load-it will block it.
This was kindly explained to me by one of the more senior people here when I had a similar query. http://forum.avast.com/index.php?topic=24566.msg201358#msg201358

[igor]

If the Eicar file is detected during download (i.e. the "Virus found!" window has the "Abort connection" button), then it's detected by the Web Shield provider. If you don't get this detection anymore, Web Shield is probably not scanning the traffic. This could be e.g. because
- you stopped/disabled it (check the status of this resident provider)
- your web browser configuration bypasses Web Shield somehow (what browser and operating system do you have? Do you use any proxy)?
- the Eicar test file is already in browser's cache, so it's not really downloaded from web anymore when you click the link (could happen if you previously downloaded these files with avast! disabled)

[galloway_777]

Been there, done that! No problem at all. Unless I'm wrong, you saved the file rather than running it. (This hopefully mimics real life.) Avast doesn't detect the second file because it is simple text, not anything executable. If you tried to run it it would alarm. The third and fourth files are zipped and double zipped respectively. Nothing (I believe) can run from a zipped file until it is unzipped. (The 4th one needs 2 unzippings.) Try it, and you'll see what happens.
If you go to the Eicar site again, and just click to run each of these in turn from the upper menu, Avast won't even let the page load-it will block it.
This was kindly explained to me by one of the more senior people here when I had a similar query. http://forum.avast.com/index.php?topic=24566.msg201358#msg201358

Well previously avast would detect the file before I was given the chance to save or run. That's when it would either say "abort connection" or "delete." Would click whichever one was available and it would shut out the download box.

And I did unzip the 3rd one by the way, and Avast didn't tell me anything. Even tried a custom folder scan where I saved the file. Nothing. Finally caught it when I right-clicked the file and chose scan with Avast. I have a feeling I may need to reinstall this thing...

[galloway_777]

If the Eicar file is detected during download (i.e. the "Virus found!" window has the "Abort connection" button), then it's detected by the Web Shield provider. If you don't get this detection anymore, Web Shield is probably not scanning the traffic. This could be e.g. because
- you stopped/disabled it (check the status of this resident provider)
- your web browser configuration bypasses Web Shield somehow (what browser and operating system do you have? Do you use any proxy)?
- the Eicar test file is already in browser's cache, so it's not really downloaded from web anymore when you click the link (could happen if you previously downloaded these files with avast! disabled)

1) WebShield provider is on. All scanners are set to "high."
2) This is occuring in both IE and FireFox. (Didn't used to be a problem in either one, and the change seemed to be simultaneous)
3) XP Media Center
4) Don't know what a Proxy is
5) I clean my cache daily with ZoneAlarm Pro. So I believe I can rule that out.

Thanks for the replies. Maybe this is normal, but it didn't use to do this. I'm positive that I recall a time when if I clicked any one of the four test files, Avast would alert me, and I would click abort connection BEFORE I could save or run. And Avast would abort the connection. Now, it only detects the first one and says delete (also before I save or run). Then it proceeds to let me carry out the download if I wanted to (download box doesn't disappear) 

[igor]

And I did unzip the 3rd one by the way, and Avast didn't tell me anything. Even tried a custom folder scan where I saved the file. Nothing. Finally caught it when I right-clicked the file and chose scan with Avast. I have a feeling I may need to reinstall this thing...

I guess you just didn't select the needed scan sensitivity (the "right click scan" uses maximum possible sensitivity with archive scanning enabled).

[igor]

Now, it only detects the first one and says delete (also before I save or run). Then it proceeds to let me carry out the download if I wanted to (download box doesn't disappear) 

Where does it detect it (i.e. what's the filename)?
If you open the On-access scanner console, select Web Shield and watch the "Last scanned" item during browsing - does it change?

[galloway_777]

Hmmm....doesn't say anything actually. That doesn't seem good. 

[igor]

So, the number of scanned items is 0 for Web Shield?

[galloway_777]

Looks like this---

Last Scanned:
Last Detected:

Scanned Count: 0
Infected Count: 0

Task Name: Resident Protection

[Tarq57]

Might seem a bit obvious, but check all the providers you want running are actually running, not paused or off.
Sounds perhaps like a fresh install might be in order?
Any other significant events around the time you first noticed this problem? eg: new programs installed, sys restore, anything?

[galloway_777]

Well nothing is paused. I just went to my desktop comp, and it's exhibiting the same behavior across the board. It wouldn't have anything to do with the serial number would it? I believe I used the same serial number for both installs.

[DavidR]

Does the link for the download begin with https: (secure, encrypted connection) that would/could be the reason for it not being scanned by the web shield as it doesn't monitor https: traffic.

You can use the same registration key for any number of installs so long is it is still in date, you would get an error when entering it if there were any problems.

Does this eicar test alarm when you click the link ?
http://www.eicar.org/download/eicar.com

[galloway_777]

Yes it does alert me, but that brings me back to my initial problem. Avast won't divert me away from the download. I can either move/rename it, repair, delete, or send to chest. After chosing one, Avast just leaves the download box there waiting for me to download a virus. I used to not do that!!! 

[galloway_777]

Would ZoneAlarm Pro have anything to do with these problems?