Author Topic: Eicar test file  (Read 17359 times)

0 Members and 1 Guest are viewing this topic.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Eicar test file
« Reply #15 on: May 28, 2003, 07:02:06 PM »
As I said, the expected behavior is that it is picked immediately (on download) when the resident protection level is set to High, and when executed with the level set to Normal. This is how it works under WinNT/2K/XP/2K3 with build 211, and this is how it will work under Win9x in the next update.

Quote
When will the new program build come out?

I don't want to promise, but I'd say less then a week.

Vlk
If at first you don't succeed, then skydiving's not for you.

NuffSaid

  • Guest
Re:Eicar test file
« Reply #16 on: June 05, 2003, 03:21:21 AM »
Just came from the TrendMicro website.

Went to dl Eicar test file and Avast picked up on it immediately.

Jeeze I love this program...   :D

Job well done!

Vincent

  • Guest
Re:Eicar test file
« Reply #17 on: June 08, 2003, 08:44:52 PM »
Just to be sure we are talking about the same thing: I went to
http://www.thepcmanwebsite.com/virus_test.shtml to check avast against Eicar test files.

I selected the first one, i.e. eicar.com and avast triggered an alarm before the file was opened: I could delete the file from my temp directory from avast and after this cancel the download operation from Mozilla.

For the second file, I could download it, save it to disk and when I tried to open it, then avast blew the siren.

With the zip files, XP automatically opens a dialog displaying the content of the archive and when trying to extract this content, then avast warns you.

As far as I'm concerned, this looks quite good to me, I don't know how other anti-virus programs behave, but just for my own knowledge: wouldn't it be possible to make avast behave in all cases as it does for the first file ? Just asking...

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Eicar test file
« Reply #18 on: June 08, 2003, 10:15:18 PM »
Vincent, as I said, it should be enough to switch the resident protection level from Normal to High (in a window that appears when you double-clicj the avast a-ball tray icon).

Vlk
If at first you don't succeed, then skydiving's not for you.

Vincent

  • Guest
Re:Eicar test file
« Reply #19 on: June 09, 2003, 01:14:06 PM »
No, my resident protection level is high, and the behavior of avast! is what I mentionned before.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Eicar test file
« Reply #20 on: June 09, 2003, 03:29:54 PM »
Vincent, sorry. You're right. I thought you were refering to a different site.

Anyway, you can set up avast to trigger the alarm automatically in all four cases - no problem. The way you'd do it depends on whether you have the Home or the Professional Edition. In Professional Ed., it's quite easy: start the Enhanced User Interface, edit the resident task, in the Standard Shield Settings, move the slider to Custom, on the second page of Standard Shield enable scanning of created/modified files and insert the asterisk (*)  to the box with file extensions - to scan all files. Also, turn on ZIP file scanning (or any other archives you want) on the Packers page.

If you have avast Home, the first thing can be done by clicking on the avast a-ball tray icon, clicking "Details", double-clicking the Standard Shield, and changing the settings on the second page as described above. To turn on the packers is sligtly more complicated - you'll need to edit the file called deftasks.xml - for more info, see http://www.avast.com/forum/index.php?board=2;action=display;threadid=15;start=0 .

Hope this helps,
Vlk
« Last Edit: June 09, 2003, 03:32:10 PM by Vlk »
If at first you don't succeed, then skydiving's not for you.

Vincent

  • Guest
Re:Eicar test file
« Reply #21 on: June 09, 2003, 07:21:44 PM »
I'm impressed: it works perfectly !

A small detail, though: for three of the files eicar.com and the ZIP files, avast! now triggers an alarm just after clicking on the file, as you said.
But in the case of eicar.com.txt, when I click, the content of the file is displayed in my browser. Now if I save it to disk, avast! detects the "virus" string.

I have no idea if this is a potential weakness that viruses could take advantage of, and again, I'm already very impressed by avast!, but I wanted to mention this for completeness...

Thanks for quick help !

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Eicar test file
« Reply #22 on: June 11, 2003, 08:47:39 AM »
Quote
But in the case of eicar.com.txt, when I click, the content of the file is displayed in my browser. Now if I save it to disk, avast! detects the "virus" string.

Yes, this is because IE downloads the "page" (the text file, in this case) and directly displays to for you - no disk involved. Only when IE puts the file to the cache avast starts the alarm - it has no chance to do it any sooner. But this is zero security risk.

Anyway, both of the options you set may quite slow down your computer (as avast is much much busier now) - have you noticed any slowdowns?

Vlk
If at first you don't succeed, then skydiving's not for you.

Vincent

  • Guest
Re:Eicar test file
« Reply #23 on: June 11, 2003, 12:03:40 PM »
Yes, maybe it's a bit slower now with these settings, but nothing that I can't bear (although I don't have much memory - 256Mb - I have quite good CPU - AMD XP 2000+ - and ADSL: maybe this is why the slowdown is not so much noticeable...)