How to scan standard-extensions on open with RS ?

[igor]

I'm afraid ALWIL Team is not very familiar with AVG  

If you want to make sure that AVG resident shield is disabled, you can check by trying to start the EICAR test file. Personally, I would think that removing the AVG startup items should be enough, but of course, you may not overlook anything...

[rlndsgrb]

Thanks.
I've seen how it works. AVG uses two drivers VxD for the Resident Shield and e-Mail . I 'd disable and enable those VxD then adjust the settings..........I prefer Avast! and I've uninstalled AVG.
About EICAR test ..........As I've reported in a preceding post , EICAR.com is checked (and there is the alarm) both if there is "COM" in "Scan file on open" box or without "COM"........(when I double click on it). I don't see why.
Regards,rolando

[igor]

Well, i meant to use Eicar to check whether the AVG Resident Shield is really disabled, but anyway:

"Scan file on open" means scanning the file when "opening the file for reading or writing". It means, for example, that it is scanned when you open the Eicar.com file in Notepad. Of course, if you doublelick (execute) the file, it is read (and scanned) as well.

However, even when you disable "Scan file on open", it is still scanned when you try to execute it (i.e. on doubleclick) - that's the first page of the Standard Shield settings - "Scanner (Basic)" - Scan executed programs. However, it wouldn't be scanned in this case if you open the file in Notepad.

[rlndsgrb]

Exact ! Thanks a lot,rolando.

[rlndsgrb]

I'm reading the Resident task settings instruction.
About "Blocker" ..........The block is related to a = (Virus found + extension condition satisfied + type of operation ) or the virus condition is not needed ?
If it is the last case what is the purpose ?
Thanks.

[Vlk]

The virus condition is not necessary.

It's a behaviour blocker, that is a feature that can pinpoint suspicious behavior in this system. It's quite a historical thing (this method was quite popular back in the DOS days) and can be considered as a legacy feature in avast 4. By default, it's turned off...

Vlk

[rlndsgrb]

Thanks.
Legacy feature in avast!4 ....then not fundamental.
I've tried it : this feature has to have a memory of a preceding my answer because it doesn't ask again, then it isn't too heavy. I could try for some days.
Thanks a lot.

[rlndsgrb]

Sorry if I come back to Resident Protection > scan files on open / scan create-modify files .
The Eicar test has success (virus found!) only for "COM,EXE,CMD,BIN,DLL" and disregard every other extension . S0METIMES it fails also with these extension....??!!!!!!!!! I don't get what is the changed condition (no one in my opinion ).
Regards
 

[rlndsgrb]

Why don't you say that Avast!,as other AV,scan only the
executable (exe,com,cmd,dll,bin)? It should be enough !
This isn't a bug , you have only tried to make the Standard shield GUI richer, with more panels to make a good impression on users ! Four panels instead of one !
About when it doesn't work properly.....it is a random bug (there is its trace in the Faultlog.txt in WinMe ) or may be after the famous Error 0x00046101.

[igor]

If you look at the list of "executable" extensions posted at the start of this thread, you'll see that (exe,com,cmd,dll,bin) is not enough.

As for making the GUI richer just to "impress" the user - I really don't think that's the case. An ordinary user would rather get confused, instead of impressed. But it's simply the options that the Stardard Shield offers.
Page 1: here you configure what gets scanned when executed, i.e. when you start it as a program.
Page 2: here you configure what gets scanned when you open a (existing) file (open in the meaning "prepare to read or write") - for example, when loaded into Notepad. You can also configure the scanning of newly created or modified files (unlike the "scan files on open", this means that the file will be scanned after it is written to and closed).
Page 3: here you can configure what (suspicios) operations you want to be blocked - there is no scanning for viruses here, it's just blocking selected operations, no matter if the file is infected or not!
Page 4: here you can set exceptions (what files or folders should not be scanned at all) and some additional options (e.g. silent mode).

Do you really think any of the 4 pages are redundant?

If you have any error logs, could you please send them?

[rlndsgrb]

Code: [Select]

>Do you really think any of the 4 pages are redundant?
 
YES, because Page 2 doesn't scan all of the reported extensions,
but ONLY the executable (exe,com,cmd,dll,bin)  are scanned (as other AV having only one page !).
Do you really scan on open EICAR.htlm and the other extensions !!!!!!!!!!
Page 3, of course, often stops the process...could be used seldom..........
Page 4 I've tried...but I was not be able to exclude any scan....(may be my fault ,but it would be easy...) .
The Page Fault are below..........module unknown in c15c:1b10edbd...........

Data 06/29/2003 Ora  20:30
ASHSIMPL ha provocato un errore di pagina non valida nel
modulo <sconosciuto> in c15c:1b10edbd.
Registri:
EAX=040eff88 CS=016f EIP=1b10edbd EFLGS=00010246
EBX=040eff88 SS=0177 ESP=03ff0100 EBP=03ff0120
ECX=03ff01a4 DS=0177 ESI=81a5a394 FS=1c17
EDX=bff6682d ES=0177 EDI=03ff01cc GS=0000
Byte all'indirizzo CS:EIP:

 BX=0043104c SS=0177 ESP=006ce5bc EBP=006ce5c4
ECX=00000000 DS=0177 ESI=00000000 FS=23f7
EDX=00000000 ES=0177 EDI=007f1950 GS=0000
Byte all'indirizzo CS:EIP:
8b 01 52 ff 50 0c 33 c9 85 c0 0f 9d c1 8b c1 8b
Immagine dello stack:
006ce9e0 007f1ba0 006cfa88 0040d154 006ce9e0 006ce5cc 007f1950 2c6f0000
 bff613e2 0000016f 13e2424a 006ce5cc 41c10000 0177bff6 bff613e2 0000016f
**********************************************************************

REGARDS,rolando
 

Code: [Select]

Code: [Select]

[igor]

Page 2 scans what it is set to scan - if not, it's a bug, but not a trick to "impress the user".

I have just checked and it works correctly for me (with one exception - if the file does not have any extension, then it is not scanned - that is a bug).

When I set Scan files on open and write HT* into the "Scan files with these extensions", eicar.html is detected when I try to access it (e.g. open it in Notepad, in Internet Explorer, view by Total Commander Lister, ...).
If I'm even more paranoid and write just * (i.e. an asterisk) into the "Scan files with these extensions", again, the eicar file is detected, no matter what extension it has (except for that "no-extension" problem I noted above).
On the other hand, if I leave the "Scan files with these extensions" empty, it doesn't scan anything on open (not even .COM) - so it works exactly as I would expect it to.
I don't understand how is it possible that for you, it scans only executable files - there's no such setting for "Scan files on open".

Now, let's try "Scan created/modified files". I turn it on and check "Default extension set" (using the "Show..." link I verify that HT* is inside the default set, i.e. HTML files will be scanned).
Now, I start Notepad and create a new file e.htm; I paste the eicar string into the window and save the file; at that moment, I get a eicar-virus warning. Again, as I expected.

What are your exact settings on the second page in the moment EICAR.html is not detected? (and how are you working with the file?)


Thanks for the crash log. Even though it's from an older version of avast than the current build (I think?) I would guess that the problem occurs somewhere in MS Jet drivers. You can try to change the database setting, as posted here:
http://www.avast.com/forum/index.php?board=2;action=display;threadid=440;start=0

Maybe updating the Jet drivers might help, too...  
http://www.microsoft.com/downloads/details.aspx?FamilyID=fea50f92-923b-4f11-934d-5b6668598060&DisplayLang=en

[rlndsgrb]

I've tried again....and still doesn't work.
Of course I have all of those extensions typed in
the "scan open files"  box . In the "scan/created-modif " there are the DEFAULT ( you know,there are so many extensions). I have nothing more to say....

Regards,rolando

[igor]

Could you please copy & paste the content of your "Scan files with these extensions" box here?
How are you accessing the file (eicar.html, for example) - are you doubleclicking on it (i.e. starting the Internet Explorer) or something else?

Also, just for sure - do you have the latest build (235) of avast?

[rlndsgrb]

I have level 235.Below the copy/paste (I had added "HTLM" one more time !). The "scan created-modified files" has the its DEFAULT !!!!!!!!!!!!!!!!!!!!!!!
I open notepad and load  eicar.htlm >>>>
and the virus is loaded.
Then I save it as eicar.htm >>>> and it is saved .
COM,EXE,DLL,HTLM,SYS,SCR,OV?,VXD,BIN,CMD,HT?,VB?,WS?,BAT

Regards.