avast! 4.8 Home misses EICAR in Windows\System32\Drivers

[tommyj]

Hi all,

I switched from AVG to avast! in May and have not spent a lot of time with it yet.  Today I went in search of a solution to the 'keep scanning after finding a virus' problem in the Home version.

Found the 'plant a dummy virus' answer and did that.   

Originally, I placed the file in the first folder listed in the status window (after the Windows\System32\Drivers folder, which was scanned first).  avast! found the dummy and stopped scanning, just as expected.

But, since it took more than a minute to get there, I thought I'd move the dummy to the Windows\System32\Drivers folder, which seems to get scanned first no matter what drive I have asked avast! to start with.

Unfortunately, the dummy is not found.

If I move it back to the folder I had originally placed it in, it is again reported found by avast!

Can anyone explain?  Is there a bug here?  Am I missing something entirely?

Thanks,

tommyj

[DavidR]

Well there is insufficient information to explain anything.

What is the eicar file name (file type is important) that you placed in the system32\drivers folder ?

What type of scan are you doing, Quick, Standard, Thorough, with or without archives selected, etc. ?

I don't believe you can say which folder to start in with the Home on-demand scan unless you used the folder selection (not including local disks) option which only scans the specific folder you select. If you also selected local disks, you would effectively get a duplicate scan of those folder plus all local disks.

I think the files being scanned in the drivers folder could be drivers so that may be your problem, plus I guess the reason why avast first scans the drivers folder it is a very important folder.

[wyrmrider]

interesting question and good solution
Only a minute?

fire up the Avast- update- run scan
go brush teeth
click "remember this decision"
go to bed
check log later
what's not to like?

Thanks for the info

[DavidR]

I can't recall who first suggested it, but I have been posting it as a work around for some time now.

[tommyj]

Hi DavidR & wyrmrider,

Thanks for the replies . . .

DavidR - the file name for the dummy virus is eicar.com; it was created according to the instructions here http://www.avast.com/eng/eicar-antivirus-test-file.html.  The scan was a standard local disks scan with archives.

And no, I cannot tell the on-demand scan where to start, but the avast! user interface does report where it is working at any given moment.  That's how I noticed that it always starts with the windows drivers folder.

And to wyrmrider, yeah, I know, a minute.  But hey, at my age, every minute is precious . . .

Anyway, I'm still concerned that avast! doesn't report the virus when scanning the drivers folder at the beginning of a 'Local disks' scan.

Today it occurred to me to try doing just a folder scan of the drivers folder.  Lo and behold, the virus is discovered.  So now I'm doubly confused.

Is it possible that the reported scan of the windows drivers folder isn't really scanning the full folder but rather some subset (even though it seems to count up to around the total number of files in the folder before switching to the next location)?  If so, does that leave a vector open for the bad guys?

If anybody knows . . .

Thanks again,

tommyj

[igor]

avast! scans what you tell it to scan.
If you see some other paths in the beginning of the scan, it might be the rootkit scan - but it doesn't scan the content of the files.

[Lisandro]

Anyway, I'm still concerned that avast! doesn't report the virus when scanning the drivers folder at the beginning of a 'Local disks' scan.

Won't avast scan this particular folder later?

Is it possible that the reported scan of the windows drivers folder isn't really scanning the full folder but rather some subset (even though it seems to count up to around the total number of files in the folder before switching to the next location)?  If so, does that leave a vector open for the bad guys?

There is no vector... it there is one, Standard Shield will block it, not the on-demand scanning.

[DavidR]

You're welcome.

I don't know if being in the drivers folder as a .com file if that would get scanned when most drivers are .sys files. This may be similar to before starting any on-demand scan, first avast scans the memory as if there is a piece of malware in memory it may impact on the scan, the same might be true of scanning the system drivers first before starting the rest of the scan.

But, I don't know enough about the inner workings of the avast scans. However, since it worked when in another folder that was my reasonable guess (well I thought reasonable). However, hopefully Igor has cleared up that possibility (going to do a little test not to see about something).

I don't know if by doing a folder selection rather than all local drives it acts differently, you also didn't say what type of scan you did of the drivers folder ?

If you did a context scan, right click on the drivers folder that uses ashQuick.exe to scan and that is the most thorough scan of all the the scans.

@ Igor
Since this is a Local Disks, Standard scan all folders would be scanned, certainly .com files, the drivers folder I would have thought would also be scanned ?

[DavidR]

Well my little test is just about done.

I set off a local disks scan but Quick sensitivity as this doesn't do a rootkit scan and it didn't appear to enter the system32/drivers folder early on in the scan, starting of at the start of the C:\ folder in my first folder, BJPrinter (my Cannon printer folder).

It does get round to the system32/drivers folder later in sequence so if on a standard scan it was able to detect the eicar.com file in a different folder why not in the system32/drivers folder.

[DavidR]

OK did another test after placing eicar.com in the system32/drivers folder and only did a Local Disks, Quick scan and that detected the eicar.com file when it got to the system32/drivers folder at abiut 43% of my scan so it isn't scanning that folder first in the on-demand scan.

So as Igor said it looks like what you are seeing is the anti-rootkit scan at the start of the on-demand scans (Standard or Thorough sensitivity, why I did the Quick scan).

So I don't know why this didn't work for tommyj when it clearly worked for me.