Topic: Virus in avast! file (or is it just a TEMP folder avast uses) ?

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Now this is strange. Suddenly got a virus warning box on my system (wasn't watching the PC while it happened):

Virus found in file:
C:\WINDOWS\TEMP\_avast4_\unp243828822\eeihe.exe

Got it twice too (on the same file), could be because I scan on both open and modify. But why was it allowed to OPEN the file if it was detected on MODIFY (there were TWO virus-warning boxes as well). The same happened once before. The file was detected on MODIFY, but was allowed to run while the message was displayed (and infected me).
« Last Edit: March 09, 2004, 04:41:11 PM by Lars-Erik »
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
« Reply #1 on: March 09, 2004, 05:43:03 PM »
Scanning the "created/modified" files is scanning "on close" - the file is scanned after it is written and closed, so the file is already there. It is not possible to deny "writing to a file".
Scanning the file "on open", however, is performed before the file is actually opened; and if the file is found infected, the opening is denied. So, the fact that you got two messages does not mean that the second one infected you.
In fact, I'm not even sure that the first one was done "on write", the second "on open".

However, I can't explain why you got the warnings at all... it shouldn't happen. First, the temporary file should not be kept in the temp dir, second - avast! shouldn't warn you about its own access to the infected file. So... some other program may have accessed it?  ???

What was the virus name?

Offline Lars-Erik

« Reply #2 on: March 09, 2004, 05:49:09 PM »
The virus was a Swen32 type (don't remember the exact). Maybe a good idea would be a "Copy message" function in the alert box to cut out all the important info (the question "what was the exact message" keeps appearing here).

I think what happened was:

- I have set up the mail scanner to scan ZIPped files
- Avast temporarily extracted a ZIPped attachment
- The on-access scanner checked the file and triggered the alert

So could be some poor communication between the mail-scanner and the ordinary scanner. But I still can't see why I got two messages. The first one SHOULD BLOCK all access to the file, right? So the 2nd message shouldn't ever be.

Offline igor

« Reply #3 on: March 09, 2004, 07:29:06 PM »
> So could be some poor communication between the mail-scanner and the ordinary scanner. But I still can't see why I got two messages. The first one SHOULD BLOCK all access to the file, right? So the 2nd message shouldn't ever be.

Well, I don't know... I will check it, but I think there's not much communication that can fail. Did you do anything "special", such as renaming avast! files or things like that?

I don't think those 2 messages are that strange. As I said - the "scan on write" is "scan on close" - it doesn't block anything (unless you set it to automatic delete, maybe). And even if it was 2 messages from "scan on open" - it's quite common that an application accesses the file multiple times, even when the first request is denied.

I rather wonder why the message was given at all. You don't happen to have any special software installed that may access the file occasionally... some kind of monitor, scanner, ...?
Btw, you are using Win9x, right?

Offline Lars-Erik

« Reply #4 on: March 09, 2004, 07:37:20 PM »
Why doesn't "Scan on Close" block the file? If a file is saved to my disk I'd like it to be blocked at once if avast! finds a virus in it (just to be sure). I thought the "Virus Warning" dialog box (with the sound and animation) stopped ALL activity.

I have no renaming or other strange things, and this incident happened while my computer was idle - that's why I think it must have been a mail (auto check for mails).

I have no other sub-system or resident program that should access files w/o my notice. And, yes, I'm running Win98se (w/all updates).
« Last Edit: March 09, 2004, 07:39:45 PM by Lars-Erik »

Offline igor

« Reply #5 on: March 09, 2004, 08:06:12 PM »
> Why doesn't "Scan on Close" block the file?

Vlk may have an exact info... I think it's caused by the fact that the scanning has to be done asynchronously in this case - the platform doesn't offer better possibilities.

> If a file is saved to my disk I'd like it to be blocked at once if avast! finds a virus in it (just to be sure).

Scanning "on open" works this way... but scanning "on write" is different. I rather consider it as a notification in case of spreading through open shares, etc.

> I thought the "Virus Warning" dialog box (with the sound and animation) stopped ALL activity.

For scanning "on write", no. For the other "types" of resident protection, yes (just that it doesn't block ALL activity, but only the call accessing the file).
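
The two hook types igor describes in his replies above, as a small model added here as an example (it is not part of the thread and not avast! code). The class, the marker string and the file path are constructed for illustration; the model assumes a blocking pre-open check and a deferred post-close scan, as the replies describe.

```python
# Toy model of the two on-access hook types described in the thread.
# Not avast! code: names, the marker string and the path are constructed.
from collections import deque

SIGNATURE = b"FAKE-MALWARE-MARKER"   # constructed stand-in for a virus signature


class OnAccessMonitor:
    def __init__(self):
        self.disk = {}            # path -> bytes, stands in for the file system
        self.pending = deque()    # files closed after writing, not yet scanned
        self.alerts = []          # (hook, path) for every warning raised

    def _infected(self, path):
        return SIGNATURE in self.disk.get(path, b"")

    def write_and_close(self, path, data):
        """'Scan on write' is scan on close: the data is already on disk when
        the scan is queued, so this hook can only notify afterwards."""
        self.disk[path] = data
        self.pending.append(path)

    def run_deferred_scans(self):
        while self.pending:
            path = self.pending.popleft()
            if self._infected(path):
                self.alerts.append(("on-close", path))   # notification only

    def open(self, path):
        """'Scan on open' runs before the open completes and can deny it."""
        if self._infected(path):
            self.alerts.append(("on-open", path))
            return None           # only this call is denied, nothing else stops
        return self.disk.get(path)


def replay_thread_scenario():
    mon = OnAccessMonitor()
    path = r"C:\TEMP\unpacked\sample.exe"           # constructed path
    mon.write_and_close(path, b"MZ" + SIGNATURE)    # unpacker drops the file
    present_before_scan = path in mon.disk          # on disk before any verdict
    first = mon.open(path)                          # denied, first warning
    second = mon.open(path)                         # retry denied, second warning
    mon.run_deferred_scans()                        # late close scan, third warning
    return present_before_scan, first, second, mon.alerts, path in mon.disk
```

One infected file produces three warnings here, and the on-close warning leaves the file on disk; only the on-open check keeps a caller from reading it.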

Offline Lars-Erik

« Reply #6 on: March 09, 2004, 08:31:10 PM »
Ha! It just happened again. And this time I saw it was an incoming mail. So I pressed OK on the two Virus Warnings. Then I got a third one. Pressed OK on that one as well.

BTW: It's a bit confusing that if you DELETE the file in one of the Warning boxes, then you get error messages when you choose DELETE in the other boxes that opened. For a novice user they may panic ("why can't I delete the file") - they might not see that it's already deleted.

Now, then I thought the message would still be attached to the message, but all that was left of the message was a line in the body about avast! had to remove the attachment.

But if it removes infected attachments anyway why all the virus warnings (three of them) while scanning the message?

BTW: I have received lots of Swen viruses before, but I have never gotten them as compressed files before now (that is I don't know if they are compressed, but why else should avast! use a TEMP folder to extract them while scanning, it doesn't do that for .exe files does it - or is there anything wrong with my setting (the settings for all Packers is: EXE;ZIP;MIME;RAR;ARJ;TAR;GZ;CAB;ARC;ACE;ZOO;BZIP2;LHarc;WinExec in the database, sure WinExec should be there?))
« Last Edit: March 09, 2004, 08:35:33 PM by Lars-Erik »

Offline igor

« Reply #7 on: March 10, 2004, 10:51:56 AM »
Oops, it seems there may be a nasty bug there. You were probably right - the Standard Shield provider conflicts with the Internet Mail scanner.  :-[

I have fixed the problem... and when Vlk is back, we will check once more.
Sorry for the troubles.

For now, you may try to put the TEMP folder to the Standard Shield exceptions (by default, there is TEMP\*.TMP there; if you put TEMP\* there, it should help).