Author Topic: Zipped Eicar test fails  (Read 2749 times)

PlanB

  • Guest
Zipped Eicar test fails
« on: May 22, 2008, 08:36:55 PM »
Hi,

I just installed avast on a clean XP SP3 install on VirtualBox, antivirus on host system disabled to avoid interference. Typical install, scanner sensitivity set high, otherwise default config.

Downloading the eicar files via http triggers virus alarm .. probably due to http scan... so far so good, but ..

I can download the zipped or double zipped eicar files via https ... http scan does not help since encrypted, nothing unusual here, but I can also save and open the archives without avast on-access scanner triggering any alarm at all ... well, after unzipping while opening eicar.com, the AV finally throws an alarm.

Is there an option to enable scanning of archives?

Thx, Mike





Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89186
  • No support PMs thanks
Re: Zipped Eicar test fails
« Reply #1 on: May 22, 2008, 09:27:48 PM »
HTTPS isn't scanned by the web shield as it can't unencrypt the traffic (even if it could it would put a crimp in your browsing).

Zip files aren't scanned by the standard shield (sensitivity on Normal) as they are effectively no danger in a zipped form.

Archive (zip, rar, etc.) files are by their nature inert, you need to extract the files and then you have to run them to be a threat. Long before that happens avast's Standard Shield should have scanned them and before an executable is run that is scanned.

So no real problem here, if you want zip files to be scanned by the standard shield, bump the sensitivity up to High, that effectively scans all files but may have an impact on performance depending on your system specifications. Personally I would leave things as they are.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11856
    • AVAST Software
Re: Zipped Eicar test fails
« Reply #2 on: May 22, 2008, 09:47:31 PM »
Well, not exactly... setting higher sensitivity for Standard Shield will make it scan more files, but it won't unpack the archives (i.e. they'll be scanned just "from outside").

To enable it, you'd have to modify the packers for the corresponding provider in Resident Protection task (possible only in avast! Professional, not Home) - but as David wrote, it's not really a good idea (and unnecessary anyway).

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Zipped Eicar test fails
« Reply #3 on: May 23, 2008, 01:26:56 AM »
Most browsers provide some mechanism for allowing you to have all files you download automatically scanned by avast.  The program used for this scan in avast does provide a thorough scan of the download and unpacks archives like zip. 

PlanB

  • Guest
Re: Zipped Eicar test fails
« Reply #4 on: May 23, 2008, 07:02:31 AM »
Thx guys,


I generally prefer not to not limit recursion depth at all, especially not for writing.
+ I use download manager av command line to get a "second" opinion from a non resident av

This is not because the archived virus itself is dangerous, but it signals that the site I just visited is.

- If there is a time difference between downloading and opening and I get a virus alarm then ... I might not remember where I got the file from in the first place and if there might be other potentially dangerous files on my computer from that site ... since there is such a thing as zero day attacks, I wouldn't want to open any files from that site.

- A site that spawns viruses might also spawn other malware that is not necessarily detected by AV (keyloggers, rootkits) and I might want to check on current processes before entering passwords anywhere ...
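
An added example, not part of the thread and not avast's code: the difference discussed above between scanning an archive "from outside" and unpacking it, with a recursion-depth limit, shown on the zipped and double-zipped EICAR case. The function names, the two limits and the in-memory sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Standard EICAR test string (harmless). Split across two literals so this
# source file does not itself contain the contiguous signature.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-" + rb"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
MAX_DEPTH = 8                  # assumed limit on archive nesting
MAX_MEMBER_BYTES = 10 * 2**20  # assumed cap, skips oversized (zip-bomb) members


def make_zip(name, payload):
    """Build a constructed sample archive in memory (nothing touches disk)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def scan_outside(data):
    """Match the signature against the raw bytes only, without unpacking."""
    return EICAR in data


def scan_recursive(data, path="", depth=0, max_depth=MAX_DEPTH):
    """Return the paths of every member that contains the signature."""
    hits = [path or "<top level>"] if EICAR in data else []
    if depth >= max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            try:
                member = zf.read(info)
            except (RuntimeError, zipfile.BadZipFile):
                continue  # encrypted or corrupt member: cannot be inspected
            inner = f"{path}/{info.filename}".lstrip("/")
            hits += scan_recursive(member, inner, depth + 1, max_depth)
    return hits


if __name__ == "__main__":
    single = make_zip("eicar.com", EICAR)
    double = make_zip("eicar_com.zip", single)
    for label, blob in (("plain", EICAR), ("zip", single), ("zip in zip", double)):
        print(label, scan_outside(blob), scan_recursive(blob))
    print("depth limit 1:", scan_recursive(double, max_depth=1))
```

The compressed archives do not contain the signature as contiguous bytes, so the outside-only match misses both, and a depth limit of 1 misses the double-zipped copy.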





Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Zipped Eicar test fails
« Reply #5 on: May 23, 2008, 02:41:14 PM »
+ I use download manager av command line to get a "second" opinion from a non resident av
This way, avast should detect the eicar file (use ashQuick.exe in the command line).