Topic: resident doesn't see virus ..but on-demand catch it

Ascadix

« on: May 10, 2007, 04:30:32 PM »
A big problem with Avast and at least 1 virus.

AdobeR.exe, which spreads via USB key.

The resident scanner doesn't see it at all; I can copy, run, move, edit it (on local HD, or USB ...) with absolutely no reaction.

But when I launch the main Avast program, it catches it in the memory test.

.. The resident is active; if I test it with EICAR, it catches the file when I copy or move it, but for the virus .. it does nothing.
« Last Edit: May 10, 2007, 11:58:51 PM by Ascadix »

Lisandro

  • Avast team
« Reply #1 on: May 10, 2007, 04:53:19 PM »
> The resident scanner doesn't see it at all; I can copy, run, move, edit it (on local HD, or USB ...) with absolutely no reaction.

What is your Standard Shield sensitivity? High, Normal, Customized (how)?

> But when I launch the main Avast program, it catches it in the memory test.

Can you send the samples to virus@avast.com?
You can zip and password-protect the files... Include a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.
The best things in life are free.

DavidR

  • Avast Überevangelist
« Reply #2 on: May 10, 2007, 05:01:11 PM »
What was the malware name? It could be a newly added signature in a VPS update.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Ascadix

« Reply #3 on: May 10, 2007, 11:48:36 PM »
The name for Avast is "Win32:Rjump [Wrm]"

It is not a new virus, it is months old.

The virus is well detected and deleted/quarantined by the on-demand scan (it is also detected by the memory scan if it is loaded at the time I launch the main Avast program).

But the resident doesn't see it, same problem at all sensitivities, normal / max / custom with all options ...

I have sent it to virus@avast.com ....

Other info ... French version of Avast Home on XP SP2 (Pro or Home) Fr.

Many computers are affected by the same problem: lots of personal student laptops in my high school are affected, since this worm propagates via USB key.
« Last Edit: May 11, 2007, 12:00:28 AM by Ascadix »

AssistantX

« Reply #4 on: May 11, 2007, 12:44:57 AM »
A while ago, through testing, I realized that the main On-Demand scanner has stronger malware detection than both the Resident Shield and the Quick Scanner. Also, I realized that the Quick Scanner has stronger malware detection than the Resident Shield. Apparently, even with each at its highest setting, the On-Demand scanner can scan more thoroughly than the other two.

DavidR

  • Avast Überevangelist
« Reply #5 on: May 11, 2007, 01:02:39 AM »
The ashQuick.exe is the most aggressive of the scanners, it will scan all files with all unpackers. On-Demand will only scan files depending on your settings (Thorough with Archives being the strongest). Resident, on-access scanners will also scan files depending on settings, but an .exe file should be scanned before execution.

@ Ascadix
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.

Please post the results here.

The file might be running/loading something into memory that is being detected, but the AdobeR.exe might not be what is being detected but something it is loading.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RJUMP.D
http://www.bleepingcomputer.com/startups/AdobeR.exe-16732.html

Ascadix

« Reply #6 on: May 11, 2007, 12:23:02 PM »
I know these 2 on-line scanners, I have used both of them for a long time; both detect AdobeR.exe with all but 1 or 2 engines.
The Avast engine catches it on both pages under the "Win32:Rjump" name.

Some AV vendors' tech pages say that AdobeR.exe may be dropped by another malware, but what I see is that it has a self-propagation capacity, at least by dropping a copy of itself + a special autorun.inf on removable drives like USB key/disk and network mapped drives.

When a "filled" USB key is inserted on a clean system, depending on the autorun setting, the worm is "autorun'ed" by Windows and the worm then:
- copies itself to the Windows folder
- stays in memory (simple process, I haven't seen any rootkit capacity, it can be killed with taskmgr)
- waits for another removable drive to fill
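
Added example, not part of the original posts: a small Python check that lists the commands an autorun.inf would make Windows launch, and decodes which drive types still autorun under a given NoDriveTypeAutoRun policy value. The sample file content and the 0x91 / 0xFF values are constructed for illustration; the worm's real autorun.inf is not shown in this thread.

```python
import re

# Keys in the [autorun] section that make Windows start a program.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# NoDriveTypeAutoRun policy bits: a set bit disables autorun for that drive type.
DRIVE_BITS = {"removable": 0x04, "fixed": 0x08, "network": 0x10, "cdrom": 0x20}


def launch_entries(autorun_text):
    """Return (key, command) pairs from [autorun] that execute something."""
    hits, in_section = [], False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if LAUNCH_KEYS.match(key.strip()):
                hits.append((key.strip().lower(), value.strip()))
    return hits


def autorun_enabled_for(mask):
    """Drive types that still autorun under a NoDriveTypeAutoRun value."""
    return sorted(name for name, bit in DRIVE_BITS.items() if not mask & bit)


# Constructed sample, not the worm's actual file.
SAMPLE = """\
; constructed example
[AutoRun]
open=AdobeR.exe
shell\\open\\Command=AdobeR.exe
icon=folder.ico
[other]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, cmd in launch_entries(SAMPLE):
        print(f"autorun.inf would launch {cmd!r} via {key}")
    print("0x91 leaves autorun on for:", autorun_enabled_for(0x91))
    print("0xFF leaves autorun on for:", autorun_enabled_for(0xFF))
```

An autorun.inf in a drive root with any launch entry pointing at an executable on the same drive is worth inspecting before the drive is opened on another machine.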

Ascadix

« Reply #7 on: May 15, 2007, 10:11:21 AM »
No news ??? :-\

Lisandro

  • Avast team
« Reply #8 on: May 15, 2007, 03:23:17 PM »
> At least by dropping a copy of itself + a special autorun.inf on removable drives like USB key/disk and network mapped drives.

Did you run avast at boot time?
Did you disable System Restore (cleaning the infected restore points) and then enable it again?

Ascadix

« Reply #9 on: May 17, 2007, 06:24:43 PM »
Computers are well cleaned, the on-demand scan does its job well.
This is not the problem.

The problem is that the resident simply ignores virus/malware that are known in the V-database, so..:
- the computer is clean
- the user plugs/connects an infected media ..
- autorun launches the malware
- Avast resident ..does nothing.
- computer is infected
- user must manually launch the main Avast program to clean.

I have "recommended" Avast to students in my high school for many months; how can I tell them now that it is not a serious AV?

Lisandro

  • Avast team
« Reply #10 on: May 17, 2007, 07:31:28 PM »
> How can I tell them now that it is not a serious AV?

No software is perfect. You have the right to ask for better detection.
But calling avast not serious is going, in my opinion, too far and being unfair.
Hope the Alwil team can give you priority on detecting this malware.