New shutdown vulnerability

[igor]

Well, can you execute the eicar file?

[spg SCOTT]

I think you missed the point, it is blocked if something tries to execute it.
(at least that is how I read it)

igor,

What about the standard shield 'scan created/modified files'? should this not catch it?

oops, missed igor's post

[igor]

Scanning created/modified files is "on close" - so even if ashDisp.exe is running and avast! is able to ask, it asks after the file is created (or infected), i.e. when the malware is already on disk.
Here, it can't ask, so it doesn't do anything.

Silent mode could work as well... don't know.

[spg SCOTT]

Scanning created/modified files is "on close" - so even if ashDisp.exe is running and avast! is able to ask, it asks after the file is created (or infected), i.e. when the malware is already on disk.
Here, it can't ask, so it doesn't do anything.

Silent mode could work as well... don't know.

So that setting requires ashDisp?
Is that right?
It is still caught by other methods when executed though.

[RejZoR]

avast! "doesn't do anything". But can you execute EICAR? If file is left on disk, that doesn't mean avast! didn't prevent its execution. The execution was blocked, the file was just not deleted/quarantined. Thats all. So in the end avast! did detect the file, but since it's graphic user interface was terminated it just blocked the file and finishes at that. If GUI was available, it would have asked the user what do to with the file. So bottom line, i don't see this as vulnerability. Unless you can get the malware to execute when ashDisp.exe is terminated.

[jaikrishna]

Yes, the EICAR file can be executed. It opens command prompt and does something, then exits.