Topic: Eicar test fails on Avast Free

Guilap

  • Guest
Eicar test fails on Avast Free
« on: September 21, 2010, 12:31:22 PM »
Pause Avast

Create eicar.com with notepad, by pasting (file should be 68 bytes)
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Enable Avast
Run cmd.exe, go to eicar folder, type eicar.com

Eicar runs! Why is that?

You can try copying the file around also, but nothing happens (no warning, no copying, nor deleting the original file)

Did the exact same test on Avira free (in which it is possible to pause on-access scanning) and got a warning when trying to run eicar.com on command prompt

There's definitely something wrong here  :-\


Avast 5.0.677
Virus Definitions 100921-0

Win XP SP3
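The first step above depends on the saved file being byte-for-byte the test string, which a text editor can silently break (encoding, byte-order mark, extra characters). The following is an added example, not part of any post in this thread: a check of a candidate file's raw bytes. The names `classify` and `classify_file` are hypothetical, and the trailing-whitespace and 128-byte limits come from the EICAR specification rather than from the thread.

```python
# Added example: validate a candidate EICAR test file before relying on it.
# The literal is split so this source does not itself contain the signature.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"
         + rb"$H+H*")

# Assumption taken from the EICAR specification: only these bytes may follow
# the string (space, tab, LF, CR, Ctrl-Z), and the file may not exceed 128 bytes.
ALLOWED_TRAILING = b" \t\n\r\x1a"
MAX_LEN = 128


def classify(data):
    """Return (is_valid_test_file, reason) for the raw bytes of a file."""
    if data.startswith(b"\xef\xbb\xbf"):
        return False, "UTF-8 BOM precedes the string"
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return False, "file was saved as UTF-16"
    if not data.startswith(EICAR):
        return False, "first 68 bytes differ from the test string"
    tail = data[len(EICAR):]
    if not tail:
        return True, "exactly 68 bytes"
    if len(data) > MAX_LEN:
        return False, "longer than 128 bytes"
    if tail.strip(ALLOWED_TRAILING):
        return False, "non-whitespace bytes after the string"
    return True, "68 bytes plus allowed trailing whitespace"


def classify_file(path):
    """Read a file in binary mode (no newline translation) and classify it."""
    with open(path, "rb") as fh:
        return classify(fh.read(MAX_LEN + 1))


if __name__ == "__main__":
    # Constructed samples imitating ways an editor can alter the saved file.
    samples = {
        "exact": EICAR,
        "trailing CRLF": EICAR + b"\r\n",
        "UTF-8 with BOM": b"\xef\xbb\xbf" + EICAR,
        "UTF-16": EICAR.decode("ascii").encode("utf-16"),
        "extra text": EICAR + b" test",
    }
    for name, blob in samples.items():
        print(f"{name:15} {len(blob):4} bytes -> {classify(blob)}")
```

Running this against the file before enabling the scanner separates "the scanner did not react" from "the file was never a valid test file".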

igor

  • Avast team
Re: Eicar test fails on Avast Free
« Reply #1 on: September 21, 2010, 01:51:49 PM »
Well, it's certainly not right - but it's also not how avast! behaves on other computers.
Did you fully uninstall Avira before doing this, for example?

spg SCOTT

  • Guest
Re: Eicar test fails on Avast Free
« Reply #2 on: September 21, 2010, 01:58:00 PM »
I don't see this problem.

avast! alerts on eicar whether it is run from the command prompt or just double clicking it.

Have you changed any settings within avast?

Guilap

  • Guest
Re: Eicar test fails on Avast Free
« Reply #3 on: September 21, 2010, 03:31:35 PM »
Thanks for the replies!

Only Avast was running when I did these tests. I uninstalled all antivirus software and installed a clean Avast Free (unless it remembers previous settings, but I don't remember messing with the settings before).

Now, I've just booted the PC, waited for everything to be started, and I was able to run eicar.com (in my desktop) with no warnings.

Then I decided to check the settings. File System Shield options were:
- "Scan when executing" screen:  all checked
- "Scan when opening" screen: just "Scan Documents when opening" checked

Now, if I check "Scan all files" in the last screen, voilà: I receive a warning from Avast and eicar.com doesn't run. But if I disable this option, I can run eicar.com again (I left half a dozen on my desktop for testing).

Is this the expected Avast free behaviour? It appears Avast free thinks eicar.com is a document, not a program (and a document type it shouldn't verify). What are the default settings?

igor

  • Avast team
Re: Eicar test fails on Avast Free
« Reply #4 on: September 21, 2010, 03:37:53 PM »
No, a .COM file is certainly not considered a document.
Can you post a screenshot of the popup when it was detected?

Guilap

  • Guest
Re: Eicar test fails on Avast Free
« Reply #5 on: September 21, 2010, 03:50:20 PM »
Here you go! (remember, it only appears with "Scan all files" checked)

igor

  • Avast team
Re: Eicar test fails on Avast Free
« Reply #6 on: September 21, 2010, 04:17:27 PM »
How about exclusions - do you have any set?

Hermite15

  • Guest
Re: Eicar test fails on Avast Free
« Reply #7 on: September 21, 2010, 04:25:23 PM »
Can't really test that here. Downloading the eicar file with fdm gives an Avast file system shield alert (and no need to turn on the "all files" setting), but turning the shields off, downloading eicar.com, and then running it from the command prompt or just clicking on it is a no go, as it's not recognized as a valid extension on 64 bit Windows.

Atani

  • Guest
Re: Eicar test fails on Avast Free
« Reply #8 on: September 21, 2010, 04:33:17 PM »
This may be completely unrelated but I'll mention it anyways:
I went and tried out the eicar.com test (I'd never heard of it)
After double-clicking the file, avast! moved it to the virus chest.
I restored the file, clicked it again, same thing.
After restoring and running a third time, avast! and the command prompt kinda formed some sort of endless loop.
The command prompt will not go away, no matter what I do, and I cannot move the file to the chest or delete it.
If I clicked move to chest or delete, the threat warning would pop up again and again.
Though selecting block worked.

Guilap

  • Guest
Re: Eicar test fails on Avast Free
« Reply #9 on: September 21, 2010, 04:39:00 PM »
Just these (attached)

spg SCOTT

  • Guest
Re: Eicar test fails on Avast Free
« Reply #10 on: September 21, 2010, 05:36:36 PM »
When I try this, without 'Scan All files' checked, I get an alert on the eicar file, but with the process ntvdm.exe (the Windows NT Virtual DOS Machine, the executable that runs 16 bit programs: http://en.wikipedia.org/wiki/Virtual_DOS_machine)

Possibly something relating to XP? (I'm using Vista for this)

NON

Re: Eicar test fails on Avast Free
« Reply #11 on: September 21, 2010, 05:49:05 PM »
Issue partially confirmed :-\

Once eicar.com is successfully created (with avast disabled), I don't have any alert when executing eicar.com.
However, when I copy eicar.com to other place, alert appears.

I don't check "Scan all files".

P.S. tested on Win7 32bit.
« Last Edit: September 21, 2010, 05:54:50 PM by NON »
Desktop: Win10 Pro 22H2 64bit / Core i5-7400 3.0GHz / 32GB RAM / Avast 23 Premium Beta(Icarus) / Comodo Firewall
Notebook: Win10 Pro 22H2 64bit / Core i5-3340M 2.7GHz / 12GB RAM / Avast 23 Free / Windows Firewall Control
Server: Win11 Pro 23H2 64bit / Core i3-4010U 1.7GHz / 12GB RAM / Avast One 23 Essential

I explain Avast's settings here. Please take a look if you like.

Vlk

  • Avast CEO
Re: Eicar test fails on Avast Free
« Reply #12 on: September 21, 2010, 06:18:27 PM »
Yep. That's because
- COM is not scanned on-open by default
- the execution of COM files is somewhat special (not really execution in the classical sense of Windows).

You can add COM to the list of custom files in the "Scan when opening" section, this should help.

Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

NON

Re: Eicar test fails on Avast Free
« Reply #13 on: September 21, 2010, 06:46:26 PM »
Quote from: Vlk
Yep. That's because
- COM is not scanned on-open by default
- the execution of COM files is somewhat special (not really execution in the classical sense of Windows).

You can add COM to the list of custom files in the "Scan when opening" section, this should help.

Thanks
Vlk

Alert appears, working confirmed. :)

Off topic: it seems we should have new "eicar", which is native Win32 binary :P

Guilap

  • Guest
Re: Eicar test fails on Avast Free
« Reply #14 on: September 21, 2010, 07:18:27 PM »
Quote from: Vlk
You can add COM to the list of custom files in the "Scan when opening" section, this should help.

Did that. Then if I try to run eicar.com from cmd window I receive "Access is denied" and eicar is deleted. If I try running eicar from the desktop, the eicar file simply disappears. In either case there are no warning messages from Avast (though it is shown in shield traffic screen as the "last file infected").

Ok, eicar.com prevented from running, but it feels somewhat strange...

Quote
- COM is not scanned on-open by default
- the execution of COM files is somewhat special (not really execution in the classical sense of Windows).

But don't you think this could be exploited by an attacker? I mean, if you somehow manage to create a .com file in the target computer's filesystem, you could run malicious code without any warning from Avast. (as long as it is a 32-bit OS)