Questions about Avast! Home

[Blaxtar]

I'm pretty new on Avast! so here is some questions from me. But please excuse my bad english 

1. If i scan a file that Avast think is a malware, the disable Avast and use/install the file. After that i delete the "infected" file, start up Avast and perform a scan of my computer that shows no malware. Can i be "sure" that the first scan of the file was a False Positive?

2. If i use the "Scan selected folders" option and select all folders, would it be the same as using the alternative "Scan local drives"?

3. Does avast scan the registry and files in the RAM-memory?

4. If a malware runs on Windows XP x86, would it run on Windows Vista x64?

[rassel]

Can i be "sure" that the first scan of the file was a False Positive?

You can check weather it was a malware or not by submitting the file to VirusTotal.

[Blaxtar]

Yes, but lets say that virustotal finds 7-8 suspicious malware in the file?

[ardvark]

Hi...

I know that avast scans the memory when you bring up the main program, I don't know if it scans the registry in any of the scans. Also, it's possible a x86 virus could run on Vista x64, although I think it would be a bit harder for it, given the increased security. This would depend on how it was written.

Best Regards...

[Blaxtar]

Thank you for the aswere about the memoryscanning. Anyone who can help me with my other questions?

[DavidR]

1. IMHO, that would be crazy as you haven't a clue what a suspect file might do, it could installs rootkit to hide malware from your AV. So disabling the AV running the file and then deleting it and scanning would be worthless in this example.

There is truly only one way to see if a detection is an FP and that is by analysis and not what you suggest. You can google the file name and see if there are any associations with malware, you can check here, in the Viruses and Worms forum, giving the file name, location and malware name of the detection.

You check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, etc.

2. They are different in that the local drives scans all hard disks/partitions/folders/files, the folder select only those that you actually select for scanning. If you put a check mark against all drives using the folder select option, then it would be the same, but that is a long way round, rather than select Local Disks.

3. Before an on-demand scan the memory will be scanned before the Simple User Interface, but it doesn't scan the registry. The only time it would go to the registry is if a spyware detection is made that it would try to find associated registry entries for the file. avast also does an anti-rootkit scan at the satrt of the on-demand scan, if the sensitivity is on Standard or Thorough.

4. It is quite possible that yes it would run on x64 OSes as that OS allows 32bit code to run and many of the applications installed on it are 32bit applications (avast is a 32bit program but is able to run on 64bit OSes, it uses different drivers though). The only deterrent would be that 64bit OSes are supposed to be tighter on security so may limit the potential, but it is possible, but not certain.

[Blaxtar]

1. Right, promise to send file to analysis before using them if Avast thinks thay are infected :-)
What's the easiest way to send files for analysis, through virustotal?

2. The problem with selecting "Scan local drives" is that Avast doesn't scan my network drives. So if I can use the option "Scan selected folders" and then select all folders/hard disks, and Avast make the same deep analysis as in the option "Scan local drives" that's great!

3. Thanx for the excellent explanation!

4. Thanx for the answer =)

[DavidR]

By clicking on the blue text link in my post, then bookmark the web page so you have it for the future.

There is obviously a possible complication as avast would believe the file is infected and get in the way if you try working with it outside the avast chest.

You can - Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

[Blaxtar]

Already using virustotal for scanning suspected files  But if I upload them on virustotal, will Avast team get the information about the file so they can analyse the file and declare if it is malware or just at False positive? And if so, how long does it usually takes?
Will create a Suspected folder =)

One more question;
Is it possible for malwares to run on there own? For example, if someone uploads a file on my FTP-server that doesn't have antivirusprogram, can the file malware infect the server without anyone touching it? Or does it require that someone hack the server from outside?

[DavidR]

You are best to send the sample direct to avast as you know it has been sent. Whilst VirusTotal send samples to those who don't detect a piece of malware, it doesn't (as far as I'm aware) send notifications of a possible FP, how would it know that avast just wasn't the first to detect it.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

An FP once identified is usually quickly corrected.

Short answer on malware running on its own, no.
Longer answer - For malware to run there has to be a run command and that could come from many different sources.
That could be:
1. in your registry.
2. or if you visited an infected/hacked site it is possible to download in the background a file and then be run from an on-line command.
3. It is more common to try and trick the user to run what they believe to be a helpful or benign file only to find that they have run malware (social engineering) commonly from emails to either run the attachment of visit a link in the email body (note 2.) and infect your system.
But for it to run on every boot it has to have a run command in the registry, etc.

[Blaxtar]

Will send files that I suspect can be FPs 

Okey, so I don't have to worry about malwares running by them self on the server =). I'm really careful about which files I install/use and I always scan the files on my desktop computer (with Avast), online @ virustotal and on the server (with Clamwin) before installing/using them. With this routines, should it be nearest to impossible for a malware to install a run-command in the registry? (I'm not using any web-browser on the server)

What I can't understand is how visiting webpages can infect my computer without download anything?

[DavidR]

You personally don't start a download, but it can go on in the background. Visit a site that has a hacked page (or the whole site) with either a javascript of iframe tag in the page/s and the action of opening the page can run the script or iframe, this could run a remote executable file to download save/install and run malware.

So a good firewall might help and these types of exploit are frequently caught by the web shield e.g. anything coming down the http port 80 pipe will be scanned before it gets on your system.

[Blaxtar]

Thanx for the information. I have both a hardware firewall and the same software firewall as you, Outpost =)

[DavidR]

You're welcome.