Author Topic: Malfunctioning Standard Shield  (Read 9048 times)

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Malfunctioning Standard Shield
« Reply #15 on: August 21, 2004, 05:06:25 PM »
A .exe can still be a (password protected) archive.

satishincbs

  • Guest
Re:Malfunctioning Standard Shield
« Reply #16 on: August 21, 2004, 05:12:11 PM »
maybe so, but shouldn't the process still be stopped?

unfortunately i deleted the files in question so i wouldn't be able to say.

satishincbs

  • Guest
Re:Malfunctioning Standard Shield
« Reply #17 on: August 21, 2004, 05:16:36 PM »
also, even if the .exe files were encrypted or archived, they would be extracted in some temporary location to be executed, so shouldn't the process be stopped at that time at least??

in my case, warnings started to pop up everywhere showing windows system files to be infected....

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:Malfunctioning Standard Shield
« Reply #18 on: August 21, 2004, 09:38:00 PM »
You are right, of course - the infected file should never be started. I would certainly like to know how it really happened. I know how the Win9x part of the Standard Shield works... and it's really strange.

You're saying that "warnings started to pop up" - it means that the virus was already active in memory and started infecting the files. The warnings came from the Standard Shield scanning "created/modified files". This feature (scanning created/modified files) checks the files "on close" - so it cannot prevent the infection, the warning occurs when the file is already infected (and it cannot be done in a better way).

The scanning of the executed files (and scanning "on open"), however, is performed before the files are accessed (unless the file is on the list of avast! exclusions) - and if they are found infected, the access is denied, of course. So, the question is how the infected file was started the first time. If it were started before avast! was loaded during Windows startup, it would be possible - but how would the file get to your hard disk if your Standard Shield setting is on High ???

satishincbs

  • Guest
Re:Malfunctioning Standard Shield
« Reply #19 on: August 22, 2004, 07:38:02 AM »
hi

this must all seem pretty strange to you and it is... ::)

ok, so here's what actually happened. my office 97 cd developed a crack on the inner hole and i was afraid it would get bigger and damage the cd, so i gave it to a friend (who has a cd writer) to make a backup of it.

unfortunately, he seems to be infected with the Parite virus and somehow ended up infecting all .exe files in the office 97 package.

but somehow, the setup file remained uninfected (don't know how  ???). i know this for sure because later on i scanned the cd and found a lot of exe files like word, access etc infected while the setup itself was clean.

so my guess is that when i executed the setup from the cd, it must have executed the infected exe files somehow and that ended up infecting windows and that is when i saw warnings pop up all over.

i am sure the infection came from this very source since i had scanned my computer with avast! just earlier in the day and everything was ok then.

so if you want to replicate this incident, you could take a copy of the office 97 package and infect all exe files other than the setup file, copy it on to a cd and then try running the setup on a win98se machine with avast! resident shield on high sensitivity.

pretty unusual huh!! ;)

thnx and regards

satish