Author Topic: running eicar from network/shared drive  (Read 12120 times)

0 Members and 1 Guest are viewing this topic.

Offline jockel

  • Jr. Member
  • **
  • Posts: 23
  • Chase the arrow !
running eicar from network/shared drive
« on: October 21, 2004, 11:54:12 AM »
Hi,

is it o.k. that, while running AVAST!, I can download "eicar.com" from a website,
store it on a networked/shared drive on an other PC and execute it with the
downloading PC ?
If I execute it stored locally I get a warning message, if I execute it from the
network, I get no warning at all.

Does this mean, that files, executed from a network are not scanned ?

Regards
Jo

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11791
    • AVAST Software
Re:running eicar from network/shared drive
« Reply #1 on: October 21, 2004, 12:52:16 PM »
You are right - in the Home/Pro version, the network drives are not scanned (on-access) because the avast! service runs under SYSTEM account (i.e. doesn't have access to network).
The network edition of avast! should scan the network drives as well.

Offline jockel

  • Jr. Member
  • **
  • Posts: 23
  • Chase the arrow !
Re:running eicar from network/shared drive
« Reply #2 on: October 21, 2004, 01:38:48 PM »
Hi,
don´t you think this is kind of inacceptable ?
Even using the pro and having your both home PCs protected
with AVAST, you can simply download a virus, store it on a shared
drive and execute it wihtout beeing noticed ?

Or do I miss something ?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re:running eicar from network/shared drive
« Reply #3 on: October 21, 2004, 01:58:45 PM »
Even using the pro and having your both home PCs protected
with AVAST, you can simply download a virus, store it on a shared
drive and execute it wihtout beeing noticed ?

If you configure avast Pro correctly, it shoul detect the local virus file or trojan in one or the other computer. I think, maybe I'm wrong, that Igor is just saying that if you have avast Pro in one computer, it won't detect (on-access) the virus file in the other computer, but only in the same its installed.
The best things in life are free.

Offline DukeNukem

  • Sr. Member
  • ****
  • Posts: 335
Re:running eicar from network/shared drive
« Reply #4 on: October 21, 2004, 02:58:11 PM »
Even using the pro and having your both home PCs protected
with AVAST, you can simply download a virus,


I am using avast 4.1 home ed, When i click on the eicar.com on the site below

http://www.eicar.org/anti_virus_test_file.htm

avast immediately says warning virus on your computer.

If you are able to download the eicar.com then you need to configure avast.






Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31311
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:running eicar from network/shared drive
« Reply #5 on: October 21, 2004, 03:05:09 PM »
In simple words. Avast (home/pro) works on the system it is installed on, not on systems it is not on. So a remote system is not scanned. But av software on the remote system should give a alert.

Offline jockel

  • Jr. Member
  • **
  • Posts: 23
  • Chase the arrow !
Re:running eicar from network/shared drive
« Reply #6 on: October 24, 2004, 06:59:13 PM »
I am using avast 4.1 home ed, When i click on the eicar.com on the site below
http://www.eicar.org/anti_virus_test_file.htm
avast immediately says warning virus on your computer.
If you are able to download the eicar.com then you need to configure avast.

DukeNukem,
this is not what I proposed! Download !to! a network-drive!
Then execute the virus from this network drive. You will see,
that you can download and execute the file !

Jockel  

Offline jockel

  • Jr. Member
  • **
  • Posts: 23
  • Chase the arrow !
Re:running eicar from network/shared drive
« Reply #7 on: October 24, 2004, 07:36:34 PM »
Eddy, Technical,
In simple words. Avast (home/pro) works on the system it is installed on,........
no Eddy, it doesn´t. If it would do, then I would not be able to load a virus
into the memory of the PC it is installed on!

Please, proof me to be wrong if you can:
This behaviour is nothing but the AVAST way of enforcing AVAST installation
(purchase) for every computer. I tried different other scanners, and they all
alert when the eicar file from the network is executed. AVAST also alerts,
when you execute the file from internet resources. AVAST does not alert, while
the file is executed from the local network drive.

My point: I definitely accept the need of AV companies to put in some
limitations in their scanner to help sales to sell a licence per networked PC.
But I think this limitation I see here is nothing a user has to expect while
his PC has the status of "beeing protected with a purchased licence of AVAST".
At least, unless this unusual behaviour of "executing virusses from a network
drive" is not outlined to me on installation.

Can you name me other AV scanners that allow executing a virus from a local
network drive? Do you realy consider it acceptable to use a virus scanner, who
allows to execute an infected file from a local network drive?

Please think about that AVAST! I am certain you can find an other way or better
acceptable limitation ! Beside that I would like to ensure the AVAST team, that I
am very pleased with your software. I can live with that shortfall, now as I know it.
I just think, that this behaviour of your scanner is something you might put some
thoughts on !

Best regards
Jockel

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31311
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:running eicar from network/shared drive
« Reply #8 on: October 24, 2004, 07:47:07 PM »
Quote
This behaviour is nothing but the AVAST way of enforcing AVAST installation (purchase) for every computer.
Definatly NOT true.

And why do you think there are network av's?

I tested here and Avast does alert when you access a virus (eicar) on a network drive. I think you should check your settings.

And do you still have this thing going on with 4.5 Beta?

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:running eicar from network/shared drive
« Reply #9 on: October 24, 2004, 07:53:41 PM »
1. Please calm down everybody.
2. To change the behavior to scan even network drives (on-access) is not difficult. In fact it's pretty trivial. All you have to do is go to Control Panel -> Administrative Tools -> Services -> avast! antivirus -> Properties, and change the account under which the avast service runs, to an account that HAS access to the network resources (e.g. a domain admin account in case of domain setup).

This works in both Home and Pro Editions.

Cheers
Vlk
If at first you don't succeed, then skydiving's not for you.

Offline jockel

  • Jr. Member
  • **
  • Posts: 23
  • Chase the arrow !
Re:running eicar from network/shared drive
« Reply #10 on: October 24, 2004, 08:35:37 PM »
Definatly NOT true.
Hi Eddy,
I am certainly willing to do everything you recommend to check whether this begaviour is my fault. I am not aware, that I did anything else but a default installation of the latest release. I will download and install the beta and check again, romised!

Quote
And why do you think there are network av's?
Well, this does not fit to your previous remarks? I accept
definitely limitations as I see the need for a vendor to earn money.
But this limitations please should not surprise me in the way they work,
as the (probably/possibly) encountered behaviour did!

Quote
And do you still have this thing going on with 4.5 Beta?
Eddy, I will check !

Eddy, please don´t consider me to be some kind of "enemy"(who would dare beeing enfaced with your Avatar  ;) ).
I am extremely pleased with the software and with the responsiveness of this forum and just want to show up something that might be......improvable!

Best regards
Jockel

Offline jockel

  • Jr. Member
  • **
  • Posts: 23
  • Chase the arrow !
Re:running eicar from network/shared drive
« Reply #11 on: October 24, 2004, 08:49:58 PM »
1. Please calm down everybody.
I am calm, promised :)

Quote
......change the account under which the avast service runs, to an account that HAS access to the network resources (e.g. a domain admin account in case of domain setup).
If I understand this right, what I encountered may happen, but depends
on the setting of the network. You are right, the regular account the PC
is running on, is not automatically network enabled. This is probably quite unusual.
So most people (including Eddy) may not see that  behaviour. I will check that !

As I already said, incredible responsiveness !  :)

Best regards
Jockel

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:running eicar from network/shared drive
« Reply #12 on: October 24, 2004, 09:20:35 PM »
Quote
If I understand this right, what I encountered may happen, but depends
on the setting of the network. You are right, the regular account the PC
is running on, is not automatically network enabled. This is probably quite unusual.
So most people (including Eddy) may not see that  behaviour. I will check that !


No, not really.

Let me explain this in a bit more detail. Avast home/pro setup program installs the service to run under the "LocalSystem" account (also known as SYSTEM). This account has unlimited privileges on the local machine but no network access. This is by design (check out e.g. the MS docs for more info on this).

So this is why the avast home/pro on-access scanner (which runs inside the service) cannot access the network shares to scan the files.

If you, however, change the account that the service runs under, the on-access scanner will have the rights to access the remote files and will therefore scan them.

In the Network Edition of avast, the setup program asks the user for the username/password that will be used by the service. The home/pro edition setup program does not ask for this info as our experience shows that most users wouldn't understand what it wants from them and would possibly enter invalid data which would be even worse (the service wouldn't start at all).


Hope this helps,
Vlk
If at first you don't succeed, then skydiving's not for you.

Offline jockel

  • Jr. Member
  • **
  • Posts: 23
  • Chase the arrow !
Re:running eicar from network/shared drive
« Reply #13 on: October 24, 2004, 11:36:54 PM »
Hi vlk,
but the conclusion of all said now is:
Running "AVAST Pro" on your local machine, never execute a file from a network
share, if you are not certain, that the PC "sharing" is running AVAST too, because
the file executed will not (by default) be checked ?
Is this understood right ?

Don´t get me wrong, I do not consider executing files from a network share,
where I am not aware of the security measures there, a good idea.
Probably your design has advantages, but to me this sounds a little risky
and quite a different behaviour from what you see with other scanners.
Maybe AVAST comes to think about that.

Best regards
Jockel

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re:running eicar from network/shared drive
« Reply #14 on: October 24, 2004, 11:44:30 PM »
In simple words. Avast (home/pro) works on the system it is installed on,
no Eddy, it doesn´t. If it would do, then I would not be able to load a virus
into the memory of the PC it is installed on!

Are you using Professional version or Home version?
How is set your sensibility, High or Normal?
I tried to download a few minutes ago and the eicar file was alerted by the system. I can't try in a network, sorry.
The best things in life are free.