Author Topic: not detecting virus in eicar test file  (Read 10528 times)


Offline angel6700

not detecting virus in eicar test file
« on: March 25, 2004, 11:26:03 PM »
Hello,
I'm testing the antivirus and it looks quite fine, but I went to www.eicar.org and tried to download the test files in the 3 different formats (.com, .txt, .zip).

Using the option to scan only files with known extensions (in the resident module) it only detects the virus in the com file, which is logical because it is the only extension in the list. OK.

But checking the option to scan ALL files, it was able to detect the virus in the txt file but not in the zip. Why is this happening??

Anyway, the scanner (on-demand) works well and detects the virus in the files. Even more, if I try to unzip the file, it is also detected, so I feel safe with the antivirus. But, why wasn't it detected when it was downloaded from the internet???

Thank you all.

Offline .: Mac :.

Re:not detecting virus in eicar test file
« Reply #1 on: March 25, 2004, 11:36:49 PM »
Add .ZIP to the files scanned list and it should unpack it, because avast DOES have the ability to unpack archives.

Offline Lisandro

Re:not detecting virus in eicar test file
« Reply #2 on: March 26, 2004, 12:18:40 AM »
But, why wasn't it detected when it was downloaded from the internet???

If you do not check the 'High' sensitivity or customize the .zip extension at the created/modified files to scan, zip won't be detected by avast! Of course, when you try to extract the files, the virus file will be detected.
So, your system is perfect, it's being protected as much as you configure it to be. No reason for worries...  ;)

Offline RejZoR

Re:not detecting virus in eicar test file
« Reply #3 on: March 26, 2004, 06:55:50 AM »
Only avast! Pro can scan inside ZIP (+other) archives. avast! Home Edition is limited to non-compressed only. Anyway, archive scanning kills practically any machine if there are lots of archives in one folder.

Offline igor

Re:not detecting virus in eicar test file
« Reply #4 on: March 26, 2004, 09:36:51 AM »
angel, how exactly did you test the files? On-demand or on-access?

RejZoR, avast! Home is able to scan exactly the same archives as the Professional version. The difference is that in the Home version, you cannot configure the archive unpacking capabilities for the resident protection (or at least not "easily") - and by default, only some of the archives are processed. For the on-demand scanning, you can turn on "all" archives unpacking in Home version; in the Professional version, you can configure it more in detail, one by one.

Offline Lisandro

Re:not detecting virus in eicar test file
« Reply #5 on: March 26, 2004, 01:25:04 PM »
angel, how exactly did you test the files? On-demand or on-access?

RejZoR, avast! Home is able to scan exactly the same archives as the Professional version. The difference is that in the Home version, you cannot configure the archive unpacking capabilities for the resident protection (or at least not "easily") - and by default, only some of the archives are processed. For the on-demand scanning, you can turn on "all" archives unpacking in Home version; in the Professional version, you can configure it more in detail, one by one.

RejZoR, Igor is correct.
If avast! Home is well configured it will catch the virus: after the download (if the sensitivity is High or well customized) or when the user tries to extract the files from the .zip archive (if the settings are Normal)...  ;)

Offline RejZoR

Re:not detecting virus in eicar test file
« Reply #6 on: March 26, 2004, 04:53:48 PM »
By default Home Edition cannot scan ZIP archives. It can do this only with Explorer Extension, On-Demand scan or if you mess with the config files manually.

If you ask me, scanning of archives is stupid (not just for this AV, but for all on the market) and just kills the performance. Files will be scanned anyway when they are launched directly from archive or when extracted. They always need to go into some temp folder at extraction and this is the point where antivirus catches possible virus.

Just set the sensitivity to High and live long and peacefully.
For specific archives, use Explorer Extension scan.

Offline igor

Re:not detecting virus in eicar test file
« Reply #7 on: March 26, 2004, 05:24:04 PM »
OK, I just missed that "by default" in the previous post  ;)

You are mostly right - the files in archives are not dangerous, and they would be detected when extracted. However, sometimes scanning of archives may make some sense... e.g. when scanning e-mails (e.g. on mail-servers, or even on home computer) - it makes it possible to delete the infected messages/attachments automatically even when they are compressed - without bothering the user (don't forget that many users are likely to "panic" when they get a warning that they just received a virus!).

Of course, we are talking about "regular" archives, like ZIP, RAR, etc. Executable compressors are certainly different...

Offline RejZoR

Re:not detecting virus in eicar test file
« Reply #8 on: March 26, 2004, 05:48:16 PM »
Of course this option (scanning inside archives) is logical for Mail Server scanners :)

Offline angel6700

Re:not detecting virus in eicar test file
« Reply #9 on: March 26, 2004, 06:33:04 PM »
Ok, Thank you all.

Igor, I have tested the two flavours: downloading the file from the internet to my HD. In this one only the virus in .COM and .TXT (with all files checked) was discovered.
After this, I tried the 'on demand' way. And the virus was detected also in the zip file. (Not in the file eicarcom2.zip, which is a file zipped inside another zipped file).

But I understand you and I think you are right. It is madness to look in real time at all files, even inside zip, rar, ... Mainly if the AV program will scan them when I extract the files.

The question was to know how the program works, and I think it is fantastic. My questions appeared when I tried the option 'scan all files' and the .zip files weren't scanned  ???  but the rest is OK. Anyway I would like to know how to tell the AV what to scan manually in that config file you talk about.

Thanks a lot again.

Cheers.  ;)

Offline igor

Re:not detecting virus in eicar test file
« Reply #10 on: March 26, 2004, 08:30:29 PM »
I guess you are talking about the resident protection. The problem is that selecting all files to be scanned (by putting an asterisk into the corresponding field) doesn't automatically turn on the scanning of archives. So, the zip file is scanned with "all files" setting - but only as a simple binary file - without trying to read it "as a ZIP archive" and look inside (unpack it). So, the packed eicar inside is not detected.
In the Professional version, you can simply modify the properties of the resident protection task (specify the archive formats that should be unpacked); then, zipped eicar would be detected, of course. In the Home version, you may try to tweak the deftasks.xml file somehow to achieve the same (there were a number of posts about it on the board) - but it suffers from some problems I think (the deftasks.xml file is occasionally reverted to the original version).

Offline Iso-G

Re:not detecting virus in eicar test file
« Reply #11 on: March 26, 2004, 09:10:58 PM »
Hello,

If the extension "ZIP" was added into the additional extension list of "Scanner (advanced)" of the Standard Shield, does avast! detect eicar in ZIP files on downloading?

Iso-G

Offline RejZoR

Re:not detecting virus in eicar test file
« Reply #12 on: March 26, 2004, 09:58:51 PM »
Igor already explained this one post above yours ;)

Offline igor

Re:not detecting virus in eicar test file
« Reply #13 on: March 26, 2004, 10:37:55 PM »
There are 2 different things:
1. What files will be scanned
2. How the files will be scanned, specifically - if they will be considered archive files and an attempt will be made to decompress them (and additionally scan the decompressed files)

If the ZIP extension is added to the "additional extensions" box, the files with .zip extension will be scanned. But if the "archive scanning" is not turned on for the Standard Shield, the files will not be scanned as ZIP archives (they will not be unpacked) - only the "outer" binary file will be scanned... so, eicar file packed inside will not be detected. If you rename eicar.com to ZIP, it will be detected. But if you compress eicar.com into a ZIP file, it will not (if the archive scanning is not selected).

If you start the Enhanced User Interface, you can edit the resident protection task and on the Packers page, select the ZIP (or any other) archive. Then, the content of the ZIP file (for example, the packed eicar) will be scanned by the Standard Shield provider.

Sometimes, the files will be detected even when they are packed to ZIP and the archive scanning is not selected - because they are "stored" - it means that the file has a ZIP header, but the actual data are not compressed. It is a special form of ZIP file - and it's the case for a number of recent worms. However, the detection of eicar is different (eicar must be at the very beginning of the file to be detected - that's how it should be) - so, eicar will not be detected even in this case.
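
The distinction drawn in the post above (which files are scanned versus whether they are unpacked), as an added Python example that is not part of the thread and is not avast! code. The functions scan_plain and scan_unpacking are hypothetical toy models of a scanner, the ZIP files are constructed in memory, and the levels parameter is an assumption used to model the zip-inside-a-zip case mentioned earlier in the thread.

```python
import io
import zipfile

# The standard 68-byte EICAR test string, written in two parts.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-" + rb"ANTIVIRUS-TEST-FILE!$H+H*"

def make_zip(payload, method, name="eicar.com"):
    """Build an in-memory ZIP (constructed sample) holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def scan_plain(data):
    """Scan only the outer bytes; EICAR counts only at the very start of the file."""
    return data.startswith(EICAR)

def scan_unpacking(data, levels=1):
    """Scan the outer bytes, then unpack up to `levels` ZIP layers and scan members."""
    if scan_plain(data):
        return True
    if levels <= 0 or not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(scan_unpacking(zf.read(n), levels - 1) for n in zf.namelist())

def demo():
    deflated = make_zip(EICAR, zipfile.ZIP_DEFLATED)
    stored = make_zip(EICAR, zipfile.ZIP_STORED)
    nested = make_zip(deflated, zipfile.ZIP_DEFLATED, name="inner.zip")
    return {
        # eicar.com renamed to .zip: the bytes are unchanged, so it is found
        "renamed_plain": scan_plain(EICAR),
        # compressed member: the signature bytes do not appear in the archive
        "deflated_plain": scan_plain(deflated),
        "deflated_bytes_visible": EICAR in deflated,
        # "stored" member: bytes are visible, but not at offset 0
        "stored_bytes_visible": EICAR in stored,
        "stored_plain": scan_plain(stored),
        # archive scanning turned on
        "deflated_unpacked": scan_unpacking(deflated),
        "nested_one_level": scan_unpacking(nested, levels=1),
        "nested_two_levels": scan_unpacking(nested, levels=2),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```
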

Offline angel6700

Re:not detecting virus in eicar test file
« Reply #14 on: March 27, 2004, 12:08:53 AM »
Ok, now I have learned a bit more about the program and other things too.

Thanks a lot.

Although I'm new here I will try to be in the forum to learn more, but also, as you and all the people here, help someone if I can.

Best regards everyone. And thanks again for your time.  :-*