Author Topic: Outlook and zip files  (Read 4770 times)


Gary

  • Guest
Outlook and zip files
« on: June 15, 2003, 03:55:22 AM »
Using Avast! 4 Home edition.

XP Pro SP1 with Outlook 2002: Zip files are not being scanned when using Outlook. E.g. I can receive email with attached eicar.com in a zip file, there is no warning upon receipt and I can double click on the zipped file to reveal the contents and then double click eicar.com which executes the application. That is: I can execute a virus from within a zipped file using Outlook without any warnings!

XP Pro with Outlook Express: Same configuration different Windows login account.
The Zip file is scanned upon receipt and a warning presented. If the warning is ignored another warning is presented when eicar.com is executed from within the zip file.

I have uninstalled and re-installed avast to establish default settings and the same occurs.

DefTasks.xml has the following:
<OUTLOOK--InvalidEntry>1</OUTLOOK--InvalidEntry>
<OUTLOOK--ScanPackers>EXE;ZIP;MIME;RAR;ARJ;TAR;GZ</OUTLOOK--ScanPackers>


Is this behaviour normal?

Gary

« Last Edit: June 15, 2003, 03:57:11 AM by Gary »

techie101

  • Guest
Re:Outlook and zip files
« Reply #1 on: June 15, 2003, 06:55:10 PM »
Gary,

Avast will not alarm you to a virus contained in a zip file until the file is unzipped and an attempt made to execute the file.
Then, Avast will sound the alarm and will want to know how you wish to handle the virus, that is, delete, move to chest or open.
The Eicar test file is used to test the virus program ONCE you attempt to execute the file.
Does Avast alarm you to the file when you attempt to open it?
If so, then Avast is on the job.
I use Avast in my XP with Outlook, and it reacts very similar to what you describe.
I don't think anything is wrong.  Avast is an excellent program and once installed, usually runs fine.

Good Luck

Other members...thoughts on this????

techie101

  • Guest
Re:Outlook and zip files
« Reply #2 on: June 15, 2003, 11:56:02 PM »
Gary,

I did some more research on the Eicar test virus and Avast.  Here is an excerpt from www.eicar.org:

"Once downloaded run your AV scanner. It should detect at least the file "eicar.com". Good scanners will detect the 'virus' in the single zip archive and may be even in the double zip archive. Once detected the scanner might not allow you any access to the file(s) anymore. You might not even be allowed by the scanner to delete these files. This is caused by the scanner which puts the file into quarantine. The test file will be treated just like any other real virus infected file. Read the user's manual of your AV scanner what to do or contact the vendor/manufacturer of your AV scanner."

Ok...so I was off a little on my earlier remarks, but you started me thinking so I wanted to check it out.

Make sure you have the Avast scanner set to high sensitivity and check "archives" for scanning on the main skin interface.

Run a full Avast scan and see if it picks up the Eicar test file in the zipped file.

Let me know.  More examination may be needed to get to the bottom of the problem.
 :-\

Offline Vlk

  • Avast CEO
    • ALWIL Software
Re:Outlook and zip files
« Reply #3 on: June 16, 2003, 12:22:51 AM »
Gary, you quite figured it out correctly that you need to add the line to the deftasks.xml. That is right (I hope you added it to the correct position, i.e. to the properties of the resident task - *DefTask0).

However, for the changes to take effect, you'll probably have to delete the file <avast>\data\avast4.mdb. Just go ahead and delete it - it should be regenerated using the new deftasks.xml automatically.

But first stop the avast service (Control Panel / Administrative Tools / Services), otherwise the file will be locked and you won't be able to delete it.

Hope this helps,
Vlk
If at first you don't succeed, then skydiving's not for you.

Gary

  • Guest
Re:Outlook and zip files
« Reply #4 on: June 16, 2003, 02:55:09 AM »
Fixed now.  Deleting the mdb file rectified the problem.

Note: I used eicar as an example; the problem was actually brought to my attention with Win32:Dialer-B [Trj] in a zip file.

The deftasks.xml file was not edited, the required entries were there by default.  I was just pointing out that it was already there.

Thanks

Gary
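
The plain, single-zip and double-zip EICAR test set mentioned in the eicar.org excerpt can be rebuilt locally to re-check each mail client after a configuration change like the one in this thread. The following is an added example, not code from any poster or from avast; the file names and the `nesting_depth` helper are assumptions made for illustration.

```python
import io
import pathlib
import sys
import zipfile

# The standard 68-byte EICAR test string, split in two so that this source
# file is less likely to be quarantined by the scanner under test.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


def zip_bytes(name, payload):
    """Return an in-memory zip archive holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_test_set():
    """Plain file, single zip and double zip (hypothetical file names)."""
    single = zip_bytes("eicar.com", EICAR)
    double = zip_bytes("eicar_single.zip", single)
    return {"eicar.com": EICAR,
            "eicar_single.zip": single,
            "eicar_double.zip": double}


def nesting_depth(data, depth=0, limit=5):
    """Archive depth at which the test string sits, or None if absent."""
    if data == EICAR:
        return depth
    if depth >= limit or not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            found = nesting_depth(zf.read(info), depth + 1, limit)
            if found is not None:
                return found
    return None


if __name__ == "__main__":
    out = pathlib.Path(sys.argv[1] if len(sys.argv) > 1 else "eicar_test_set")
    out.mkdir(exist_ok=True)
    for name, data in build_test_set().items():
        try:
            (out / name).write_bytes(data)
            print(f"{name}: written, depth {nesting_depth(data)}")
        except OSError as exc:  # a resident scanner may block the write
            print(f"{name}: write blocked ({exc})")
```

Mailing the three files to a test mailbox and opening them in each client shows at which nesting depth, and at which stage (receipt, open, execute), the resident scanner reacts.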