Avast and (win)rar

[Eddy]

If you have a rar file which has multiple infected files in it and you let Avast scan the file. It only detects the first one, repairs/deletes it and then stop scanning. In order to find and nuturalyze the rest you have to repeat the scan till all files in the archive are scanned.

I thought this issue was solved..... I know there is another thread with this problem somewhere, but couldn't find it. Apperently it is not solved or it has come back.

[pk]

you shouldn't be right, but send me please that archive, if it's bigger, i can open ftp for you.

[Eddy]

The mail is on it's way.

[Dwarden]

yeah i hope Pk u take look, it sounds similar to my issues

[Eddy]

This one is different from yours Dwarden. As I mentioned, someone had the same problem and posted here. Been searching for it, but sofar I haven't found that thread. What happens is this:
Avast scans the archive, find the first file infected and you can remove it. But instead of scanning the rest of the archive, Avast closes. So you need to start again and again till all files in the archive are processed. I have a test archive here with 592 different kinds of malware. So I have to start the scan 592 times before Avast has handled them all.

[pk]

yeah i hope Pk u take look, it sounds similar to my issues

Your problem was little different: archive file contained another packer (ntfs, i'd say) and after its unpacking, next packer wasn't found (i've already fixed that, but you have to wait for v4.5).

To Eddy: I asked Igor if he knows sth about it, because he improved archive remove/pack actions.

[igor]

Avast scans the archive, find the first file infected and you can remove it. But instead of scanning the rest of the archive, Avast closes.

How exactly did you scan the archive? Using the Explorer Extension, or Simple/Enhanced User Interface?

[Eddy]

Good morning Igor.

I scanned it with:

1] QuickScanner (right click the file, choosing scan from the menu)
2] from the simple interface, selecting the map where the file is in, thorough scan, scan archives enabled
3] scanned from the simple interface, standard scan, scanning archives enabled, selected the map the file is in.
4] Scheduled a task in the advanched user interface.

As you can see in the picture it scans 2.1Mb, the archive is 1.59Mb. The rest are some non infected files I placed there to see if that would make a difference.

All first 3 scannings stop after finding the first infected file in the archive. The last one says it scanned all, but only detects one infected file. Let me know if you want me to try something or change a setting.

[igor]

Strange... what was the action you have chosen? Delete? Do you have an automatic action set for the viruses, or use Interactive?

In any case, it seems to work here... as PK said, I did significant changes regarding the actions on infected files inside archives. I didn't encounter this kind of problems, so I didn't fix it specifically - but it's possible that it was fixed as a "side effect" of other fixes. If you could put the archive somewhere online and send me a link to it by IM, I can check the behaviour with the latest internal build of avast.

[Eddy]

Loacation of the file is send in a PM. Let me know if you have troubles getting it and I will make it available somewhere else.

[igor]

Thanks for the archive!
Here, it works as expected. I checked with an older version and it really processed a single file only each time. After upgrade to the latest version, it got fixed - so, I believe the problem is already corrected.

[Eddy]

Using the latest Avast Pro version (4.1.418) and VPS 434-2 here.

I checked with an older version and it really processed a single file only each time.

I know there was a problem with an older version, that's why I also thought it was solved. But apperently it is not, or at least not working on all systems.

As you can see in the last picture it finds only the first infected file. But it does scan the entire archive. Real strange.

[Eddy]

Just repacked the file with the latest version of WinRar. Use the quickscan (right click archive, choosing scan) First infected file is detected. I choosed remove, clicked on "don't show this screen anymore" and click on remove everything. First file is deleted. Scan terminated without scanning the rest of the archive.

Tried scanning from the simple interface. Same thing happens. Tried all different kind of settings. Still stays the same. Scan terminates after processing the first file in the archive.

XP Pro, SP1, all security patches/updates applied. Except for Opera no other application running.

[igor]

Oops, sorry for the confusion.

In my post, I meant:
"older version" = 4.1.418
"latest version" = 4.5.447 (i.e. an internal build, not publically available)

I was trying to say that the problem is/will be fixed in avast! 4.5.

[Eddy]

I see, lol. That's what you get when you are "spoiled" and already may use a version not available to the public

I will wait for that one and check again. If I find anything with 4.5 I sure will kick your ass (kidding)