Author Topic: Avast alerting behavior


Firebytes

  • Guest
Re: Avast alerting behavior
« Reply #15 on: October 04, 2008, 05:48:13 AM »
OK, I did some more testing and this time I carefully read each pop-up, etc., that Avast generated. I found out I was in error on a few points. Please forgive a long post but I wanted to clear up my errors and provide as much detailed info as I could about why I came to my earlier conclusions and was concerned about whether Avast was behaving as it should. Here is what all I found out:

Malware sample downloaded with Webshield ON:
When I attempt to download the installer file to my desktop Webshield detects it and Avast does pause the download until I take action. However, a placeholder for the malware installer file is put on my desktop at this time. Next I click to abort the connection and the malware program then appears to finish downloading to the desktop, complete with its correct icon. This is what made me think earlier that the program was able to download correctly despite Webshield. The entire program is not downloaded though. The file size is smaller than the malware file's size if downloaded unhindered with Webshield off. Also, if I attempt to run the malware file I am told that the file is corrupted. Avast also does not now alert on the file when "right click" scanned. So, Webshield neutralized the file after all, at least in my experience with this file. Maybe if alanrf is correct some files do manage to download correctly past the webshield. This one didn't.

Malware sample downloaded with Webshield OFF:
When I download the malware installer file to my desktop and then "right click" scan it, Avast detects the file as Win32:Rootkit-gen [Rtk]. I click "Move to chest". A second or two later Avast pops up and again states Win32:Rootkit-gen [Rtk] was found. I again click "Move to chest". A second or two later Avast again pops up but this time states "Win32:Trojan-gen {Other}" was found. I again click "Move to chest". After a second or so a smaller window pops up and states, with some text cut off, that (The system cannot find the file specified Cannot process "C:\Documents and Settings\username\Desktop\malware.exe\{sys}\drivers\{code:HideStringFunction}...). I click OK and then another pop-up states (The system cannot find the file specified Cannot process "C:\Documents and Settings\username\Desktop\malware.exe\msk.dll"file). I click OK and the Avast scanner completes and states that 3 infected files were found. (Avast catches the file as well if I just attempt to run it as opposed to "right click" scanning it.)

Due to me not taking the time to carefully read everything the first time, all the separate alerts and then the pop-ups stating that the file could not be found made me think Avast had alerted more than once on the single installer file and then could not find it to move it to the chest because I had already sent it there on the first alert. A look in the Avast log shows however that the three alerts were for three separate files within the malware's installer. Why I got the pop-ups about not being able to find the files though, I still do not understand. Anyway, here is what the log showed for the file descriptions of the three detections:

Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C\Documents and Settings\username\Desktop\malware.exe\{win}\{code:MyFileName}\msk.exe" file

Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C\Documents and Settings\username\Desktop\malware.exe\{sys}\drivers\{code:HideStringFunction}...

Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C\Documents and Settings\username\Desktop\malware.exe\msk.dll" file

Sorry for the earlier confusion when I thought Avast Webshield was failing to stop the file from downloading and when I thought it was detecting one file several times. I wasn't taking the time to read as carefully as I should have earlier and I wasn't thinking about more than one file in the installer, etc. So, basically Avast is acting as I would expect with the exception of the pop-ups about not finding the file. If nothing else I learned a thing or two from all this. I hope someone else did too.

*edited to add two lines I had forgotten in the post earlier and to state here that "malware.exe" in the file path is of course not the real name of the file I was using to test*  ;)
« Last Edit: October 04, 2008, 12:37:31 PM by Firebytes »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89427
  • No support PMs thanks
Re: Avast alerting behavior
« Reply #16 on: October 04, 2008, 03:13:17 PM »
Yes where there are multiple alerts in an installer (exe archive) then avast would generate multiple alerts, but it would first halt all action on the first alert, when that is dealt with the next would alert and the next, etc.

The problem as I see it is if in the first alert the complete file is moved to the chest or deleted, etc., any action you chose in subsequent alerts would fail as the installation file is no longer there.

I think the main thing is as you say the web shield isn't failing and the malware isn't getting off the hook and allowed to run.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
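To make DavidR's point concrete, and to show why Firebytes saw "cannot find the file specified" after the first "Move to chest", here is a small added model of a scanner that walks the members of an installer archive and applies a container-level action. This is constructed example code, not Avast's code: the zip file stands in for the exe archive, the byte patterns and detection names are placeholders, and all function names are hypothetical. It contrasts acting once per alert (the first action removes the container, so the later ones fail) with collecting every nested detection first and quarantining the container once.

```python
"""Toy model of nested-archive detections and container-level actions.

Constructed example: the 'installer' is a zip used as a stand-in for an
exe archive, the signature table is made up, and none of this is Avast's
code.  The member paths echo the placeholders Firebytes posted.
"""
import os
import tempfile
import zipfile

# Constructed signature table: byte pattern -> detection name shown to the user.
SIGNATURES = {
    b"CONSTRUCTED-ROOTKIT-MARKER": "Win32:Rootkit-gen [Rtk]",
    b"CONSTRUCTED-TROJAN-MARKER": "Win32:Trojan-gen {Other}",
}


def build_sample_installer(path):
    """Write a constructed installer with three infected members and one clean one."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("{win}/{code:MyFileName}/msk.exe", b"MZ" + b"CONSTRUCTED-ROOTKIT-MARKER")
        zf.writestr("{sys}/drivers/hide.sys", b"CONSTRUCTED-ROOTKIT-MARKER")
        zf.writestr("msk.dll", b"CONSTRUCTED-TROJAN-MARKER")
        zf.writestr("readme.txt", b"nothing to see here")


def scan_container(path):
    """Return (container\\member, detection name) for each infected member.

    This mirrors the per-file log lines: one line per nested file, all of
    them prefixed with the path of the container they live in.
    """
    hits = []
    with zipfile.ZipFile(path) as zf:
        for member in zf.namelist():
            data = zf.read(member)
            for pattern, name in SIGNATURES.items():
                if pattern in data:
                    hits.append((path + "\\" + member.replace("/", "\\"), name))
                    break
    return hits


def move_to_chest(container, chest_dir):
    """Quarantine action: move the whole container.  Fails if it is already gone."""
    if not os.path.exists(container):
        raise FileNotFoundError(container)
    os.replace(container, os.path.join(chest_dir, os.path.basename(container)))


def act_per_alert(path, chest_dir):
    """Naive flow: one alert per nested detection, container action each time.

    The first action moves the container away, so every later action hits
    'cannot find the file specified', exactly the pop-ups in the thread.
    """
    outcomes = []
    for _member_path, name in scan_container(path):
        try:
            move_to_chest(path, chest_dir)
            outcomes.append((name, "moved"))
        except FileNotFoundError:
            outcomes.append((name, "cannot process: file not found"))
    return outcomes


def act_once_per_container(path, chest_dir):
    """Robust flow: report every nested detection, then act on the container once."""
    hits = scan_container(path)
    if hits:
        move_to_chest(path, chest_dir)
    return [(name, "moved") for _member_path, name in hits]


def demo():
    """Run both flows on fresh copies of the constructed installer; return outcomes."""
    results = {}
    for flow in (act_per_alert, act_once_per_container):
        with tempfile.TemporaryDirectory() as tmp:
            installer = os.path.join(tmp, "malware.exe")  # placeholder name, as in the post
            chest = os.path.join(tmp, "chest")
            os.mkdir(chest)
            build_sample_installer(installer)
            results[flow.__name__] = flow(installer, chest)
    return results


if __name__ == "__main__":
    for flow_name, outcomes in demo().items():
        print(flow_name)
        for name, outcome in outcomes:
            print("   ", name, "->", outcome)
```

Running it prints three "moved" results for the collect-then-act flow and one "moved" followed by two "cannot process: file not found" results for the per-alert flow. The design point is that the user-visible action targets the container, while the detections are per member, so an action chosen at the first alert has to be remembered and applied once, or every subsequent prompt is acting on a file that no longer exists.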

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11655
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Avast alerting behavior
« Reply #17 on: October 09, 2008, 04:34:38 PM »
The virus alert dialog indeed does suspend the download - otherwise, it would be almost useless.
For an explanation of the phenomenon, please see here:

Quote from: Vlk
The "Abort connection" button does exactly what it says: closes the connection.

Of course, it is entirely up to the browser what it will do with the incomplete download then. From my experience, IE (at least v6, I'm not sure about v7) discards the file, while Firefox keeps it on the disk (doesn't delete it).

When Firefox closes the file, it gets scanned by the Standard Shield. And if it contains enough data for a detection (i.e. is incomplete, but not too incomplete) Standard Shield will trigger a second alert.
Cheers
Vlk
« Last Edit: October 09, 2008, 04:56:45 PM by igor »
If at first you don't succeed, then skydiving's not for you.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast alerting behavior
« Reply #18 on: October 09, 2008, 09:08:10 PM »
Edited.
Post moved to Evangelists' forum.
The best things in life are free.