Author Topic: Eicar Test File & Full System Scan...  (Read 6470 times)

0 Members and 1 Guest are viewing this topic.

Offline Dileep

  • Newbie
  • *
  • Posts: 17
Eicar Test File & Full System Scan...
« on: April 22, 2010, 04:15:41 AM »

  i placed an eicar antivirus test file(test code saved as a notepad file) in one of the folder in my pc. i first scan the system with 'Full system scan' option of avast,but unfortunately it doesn't detect the file as a 'threat'

when i scan the system with 'Select folder to scan' option,avast detect it as a 'threat'
        
      


   i want to know that why avast didn't detect eicar test file as a 'threat' in 'Full system scan' mode...?

      
  
  
      
« Last Edit: April 22, 2010, 04:17:31 AM by Dileep »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84782
  • No support PMs thanks
Re: Eicar Test File & Full System Scan...
« Reply #1 on: April 22, 2010, 04:39:04 AM »
See this extract from the avast help file on the Full System Scan (I have highlighted the relevant parts):
Quote
Full System Scan - This performs a more detailed scan of all your computer's hard disks and by default, all files are scanned according to their content, in other words, avast! looks inside every file to determine what type of file it is and whether it should be scanned. The whole file is tested, not just those parts of the file at the beginning or at the end where infections are normally found.

From this only files that present a risk, e.g. are executable, or targets for infection, etc. (a text file is effectively inert) so for those files considered at risk the complete file is scanned not just a small part of it.

There are less variables you can change in this scan, e.g. it sensitivity, etc. as it is a pre-defined scan. The Select Folder scan offers a few more variables and most notably the Scan, File Types, (Scan all files types is the default) and the Sensitivity can be increased. It is this first setting Scan all file types that will pick up the eicar.txt file.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Dileep

  • Newbie
  • *
  • Posts: 17
Re: Eicar Test File & Full System Scan...
« Reply #2 on: April 22, 2010, 04:47:16 AM »
See this extract from the avast help file on the Full System Scan (I have highlighted the relevant parts):
Quote
Full System Scan - This performs a more detailed scan of all your computer's hard disks and by default, all files are scanned according to their content, in other words, avast! looks inside every file to determine what type of file it is and whether it should be scanned. The whole file is tested, not just those parts of the file at the beginning or at the end where infections are normally found.

From this only files that present a risk, e.g. are executable, or targets for infection, etc. (a text file is effectively inert) so for those files considered at risk the complete file is scanned not just a small part of it.

There are less variables you can change in this scan, e.g. it sensitivity, etc. as it is a pre-defined scan. The Select Folder scan offers a few more variables and most notably the Scan, File Types, (Scan all files types is the default) and the Sensitivity can be increased. It is this first setting Scan all file types that will pick up the eicar.txt file.

   

   Thanks for the info...

   while considering the above measures 'Select folder scan' is better than 'Full system scan'...? :o

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84782
  • No support PMs thanks
Re: Eicar Test File & Full System Scan...
« Reply #3 on: April 22, 2010, 04:56:16 AM »
No, it entirely depends on what you want to do.

As I said only files that present a risk are scanned:
Quote
From this only files that present a risk, e.g. are executable, or targets for infection, etc. (a text file is effectively inert) so for those files considered at risk the complete file is scanned not just a small part of it.

So to me to scan anything else is a waste of time and processing effort, to you that might not be the case. I go even further I only do a Quick scan once a week and very occasionally a Full scan (normally to use it as an example in the forums) and that scans even less. Essentially it still scans only those files that present a risk, as that is what the other resident (on-access) elements of the antivirus are also looking out for.

You can use the Custom Scan button and set even more variables if you want to get into downright paranoid scan mode.

So there are more options than you can shake a stick at, it is up to you to choose what is best for you.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Firefox012

  • Newbie
  • *
  • Posts: 16
Re: Eicar Test File-String.... at RAM
« Reply #4 on: April 26, 2010, 01:43:41 AM »
Hello,

i have copied the string from eicar-testfile to RAM. Shouldn´t avast5 scan the RAM also, for to notice there is a virus-string ?
Or does avast 5 only notice that virus, if i scan the eicar-testfile  (X5O!P%@AP[4\PZ........)directly? ???

Or in other words: How i have to setup my avast for to scan the RAM continously ?

Currently i use avast 5 freeware 5.0.507

Thanks for your kindly response.

Firefox012

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11791
    • AVAST Software
Re: Eicar Test File & Full System Scan...
« Reply #5 on: April 26, 2010, 07:28:32 AM »
"Scan RAM continuously"? I'm not completely sure how you imagine it might work, but it's basically impossible (and if it weren't, it would slow down your machine incredibly).

Offline Firefox012

  • Newbie
  • *
  • Posts: 16
Re: Eicar Test File & Full System Scan...
« Reply #6 on: April 27, 2010, 01:00:12 AM »
Hello Igor,
so i understand you well, any virus could not discovered bei avast, if the string is only in RAM memory. But couldnt any virus´infect my system when it runs in RAM-memory? So for my understanding, any virus needs to have access to RAM for to "work".
If i copy the content of the infected file to RAM (in this special case the content of the eicar-testfile), avast have to notice that and have to alarm.

Thank you for explanation to me, for a better understanding!


Firefox012

doktornotor

  • Guest
Re: Eicar Test File & Full System Scan...
« Reply #7 on: April 27, 2010, 01:10:09 AM »
I have hard time understanding what are you after here. Merely copying a virus into RAM doesn't execute the virus, it just wastes some RAM.  ???

Also, from where are you going to copy that virus into RAM? Thin air? It's already gonna be detected once it lands on your HD or whatever other media.
« Last Edit: April 27, 2010, 01:12:56 AM by doktornotor »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11791
    • AVAST Software
Re: Eicar Test File & Full System Scan...
« Reply #8 on: April 27, 2010, 09:38:08 AM »
so i understand you well, any virus could not discovered bei avast, if the string is only in RAM memory.

I did not say that. Sure, memory can be scanned, by avast! as well - I just don't know how to scan memory continuously.

But couldnt any virus´infect my system when it runs in RAM-memory?

If it runs, as you write, you're already infected. The virus has to get into the memory from somewhere in the first place - and the sources (e.g. files) are scanned by avast!, so scanning memory should not be necessary.

If i copy the content of the infected file to RAM (in this special case the content of the eicar-testfile), avast have to notice that and have to alarm.

Not really. First, "copying into RAM" doesn't necessarily mean "execution". avast! distinguishes between scanning files "on execute" and "on open" (you can configure it in the File System Shield settings). While the first one is certainly very important because it prevents malware from being executed, the second one - simple reading the data into memory, e.g. to view them in Notepad, is just a waste of time (read: "slows down the computer without any significant security improvement"). Second, it doesn't really matter whether the source of the "copy" (i.e. the file, for example) or the target (the RAM, as you say) is scanned - so it's the first one, because the later would be technically rather hard to do.
Third, Eicar is not a good test file in this respect - it's supposed to be a file, and if you read the exact specification on eicar.org, you'll find out that this signature has to be in the very beginning of the file - otherwise it should not be detected. So, Eicar would not be detected during a memory scan even when other (real) malware would - because its specification says it shouldn't be.