Author Topic: Virus known, but not found when writing file to disc  (Read 8069 times)

0 Members and 1 Guest are viewing this topic.

Jeronim0

  • Guest
Virus known, but not found when writing file to disc
« on: September 08, 2008, 09:04:37 PM »
Hello,

I have an issue, that a file contains a virus and it is not found. I downloaded an nzb-file from the Internet and used Alt.binz to download the related rar-file. I had doubts about the file I downloaded, but Avast made no mention of any virus. Not even when extracting the exe-file from the rar-file. However when I scan the exe-file Avast noticed the virus, it also does when scanning the rar-file (archive).

[Embedded#XORER]
Win32:Trojan-gen {Other}
Virus/Worm

Now I know I have the standard shield enabled at standard level (it also did not alarm me when setting was at high). Also the Log does not make notice of the virus (log level at Error).
I am using Windows Vista x64 SP1 Dutch Home Basic. I did use vLite to remove some components from Windows prior to installation, but I do not think they are dependant or are there critical part of Windows that without it Avast will not function (but will also not report this to the user)?

I can post any file-related information, but I asume this will be handled through Private Message?

wyrmrider

  • Guest
Re: Virus known, but not found when writing file to disc
« Reply #1 on: September 09, 2008, 12:20:57 AM »
I know this is not what you are after but such this a -gen hit  can you upload to virus total so we can see exactly what this is and upload to virus @ avast.com with a link to the virus total results?
great question
I'd be interested to see if it misses on the highest setting

Jeronim0

  • Guest
Re: Virus known, but not found when writing file to disc
« Reply #2 on: September 09, 2008, 07:13:13 AM »
Beware the attached file contains a virus!

I could post the file here, but it is 1.5MB in size. If you are familiar with downloading from newsgroups I can give you a link to the nzb-file.
I am not quite sure what you mean by "a link to the virus total results".

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Virus known, but not found when writing file to disc
« Reply #3 on: September 09, 2008, 03:14:36 PM »
Please submit it to VirusTotal and let us know the result (i.e., post the link of the analysis page after the scanning finished).

Also, you can send the file to virus@avast.com for analysis (maybe mentioning in the body a link to this thread).
The best things in life are free.

Jeronim0

  • Guest
Re: Virus known, but not found when writing file to disc
« Reply #4 on: September 10, 2008, 10:45:38 PM »
I ran it through VirusTotal (thanks for the tip)
http://www.virustotal.com/nl/analisis/1050544f022998945f931fed23378ef1

I also checked a few other things, with the eicar-testfile asmongst others and it seems that the Webshield is functioning. However when I disable it, remove the proxy-settings and download the files and make a copy, then the virus/testfile is not detected/recognized at all.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Virus known, but not found when writing file to disc
« Reply #5 on: September 10, 2008, 11:10:57 PM »
@ Jeronim0
Here is why the standard shield didn't detect anything initially.

Archive (zip, rar, etc.) files are by their nature are inert, you need to extract the files and then you have to run them to be a threat. Long before that happens avast's Standard Shield should have scanned them and before an executable is run that is scanned.

So with the standard shield on the Normal sensitivity doesn't scan archive files by default as at that time they aren't an immediate risk.

With a view to the eicar test file again there are many types and like the above statement only those with an immediate, executable risk would be scanned by the standard shield (the web shield differs in that it scans 'all' http traffic), e.g. eicar.com and eicar.exe, etc. but not a zipped version of it nor non-executable file formats like eicar.txt.
However, you don't say what the file type was that you downloaded ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Jeronim0

  • Guest
Re: Virus known, but not found when writing file to disc
« Reply #6 on: September 10, 2008, 11:23:51 PM »
I downloaded the 2 zip-versions through http (no ssl). I also just redid a test with my original virus and with the standard shield at high (webshield disabled) and when I open the archive and extract the file I do not get a message.

Corrrect me if I am wrong, but I would like to know when I write a virus to disc not when I execute it. I also do not believe that other Anti-Virus program with real-time scanning work in such a way.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Virus known, but not found when writing file to disc
« Reply #7 on: September 10, 2008, 11:37:45 PM »
If the file format doesn't present an immediate risk and an archive file doesn't then it doesn't need to be scanned at that time.

Files that are executable present an immediate risk and as such are scanned like eicar.com, just downloaded.

I downloaded both zip files and on extraction they both alerted and my standard shield is set to Normal. So I don't know what is going on with your set-up.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Jeronim0

  • Guest
Re: Virus known, but not found when writing file to disc
« Reply #8 on: September 10, 2008, 11:45:09 PM »
I understand, however the file within the rar-file is an exe-file and with standard shield at high, I can not understand why it remains undetected.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Virus known, but not found when writing file to disc
« Reply #9 on: September 11, 2008, 12:33:47 AM »
It's caused by the setting of unpackes. The extractor of the embedded files belongs to the "Installer" packer - which is not enabled by default for the Standard Shield. That's why it's not detected immediatelly.

There are some plans to improve that behavior in the (near) future - however, the installers extract the contained files to disk first (i.e. the code is not executed directly like in runtime [WinExec] packers) - at which moment they would be detected & blocked anyway.

Jeronim0

  • Guest
Re: Virus known, but not found when writing file to disc
« Reply #10 on: September 11, 2008, 06:54:32 AM »
It's caused by the setting of unpackes. The extractor of the embedded files belongs to the "Installer" packer - which is not enabled by default for the Standard Shield. That's why it's not detected immediatelly.

There are some plans to improve that behavior in the (near) future - however, the installers extract the contained files to disk first (i.e. the code is not executed directly like in runtime [WinExec] packers) - at which moment they would be detected & blocked anyway.


I would like to have it (scanning of "Installer" packer files) enabled and from your message I understand that this should be possible. I am using the Dutch version so I might have overread where I can enable it, as I can not find the setting. Also the "Understanding avast.ini file" did not show, I only found this post which could be what you mean. Could you confirm this or point me towards the setting.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Virus known, but not found when writing file to disc
« Reply #11 on: September 11, 2008, 07:04:29 AM »
The option you appear to want is not currently available as a default in the Home edition (regardless of language choice).

If you use a download function that allowed you to specify an anti-virus scan of downloaded files and had you used the appropriate avast function (ashquick.exe) which provides a thorough scan of downloaded files (archive files included) then I believe that your problem file might have been immediately revealed on download.

Jeronim0

  • Guest
Re: Virus known, but not found when writing file to disc
« Reply #12 on: September 11, 2008, 07:21:56 AM »
Well I am using Firefox and I have no possibility to add scan of downloaded files, however they have something that allows automatic scanning, because there is a setting Browser.download.manager.scanWhenDone for it.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Virus known, but not found when writing file to disc
« Reply #13 on: September 11, 2008, 07:34:32 AM »
Sorry but ... .nonsense!

I use Download Statusbar and many others in this forum use other Firefox Add-ons.

Jeronim0

  • Guest
Re: Virus known, but not found when writing file to disc
« Reply #14 on: September 11, 2008, 08:48:39 AM »
Sorry but ... .nonsense!

I use Download Statusbar and many others in this forum use other Firefox Add-ons.

Bit of a harsh reaction, but you are correct non the less. I did a search on add-ons with text "virus scan" and it only came up with "Dr. Web". I knew the Download statusbar add-on, but I did not know it allowed for virus scanning after download. I wil try it, thank you.
(beside that, that I thought "commandline scanning" was for the commercial version of Avast, but I am grateful non the less for ashquick).