Topic: Avast! efficiency problem!


Dimza
Avast! efficiency problem!
« on: October 31, 2004, 09:48:46 PM »
There is a site providing files to test your antivirus software, called
http://www.attac.net/testavus.html  
It uses different variations of the eicar file. I tried most of them and here is what I found:

1/ Avast! did not detect greater levels of compression.
2/ Avast! allowed downloading most of the files and sounded the alarm only when I made it scan them. Other AV software I have used wouldn't let me download them!
3/ Even when scanning them, Avast! did not give any alarm on the following files:
     LEVEL2UUE.BIN
     eicarhqx.bin
     eicaruue1.bin

Can someone give me a sensible explanation why this happened and will it be remedied in v 4.5?

Regards!

Dimza
« Last Edit: October 31, 2004, 10:03:24 PM by Dimza »

Offline RejZoR

Re:Avast! efficiency problem!
« Reply #1 on: October 31, 2004, 10:07:05 PM »
Well, EICAR was intended to be detected only in its original form.
Transforming it into some strange form will not prove anything.

Dimza
Re:Avast! efficiency problem!
« Reply #2 on: October 31, 2004, 10:13:08 PM »
Not good enough reply!
Other antivirus software detected it in the other forms too.

dimza

Offline Vlk

  • Avast CEO
    • ALWIL Software
Re:Avast! efficiency problem!
« Reply #3 on: October 31, 2004, 10:18:41 PM »
If other AVs are detecting it (and I know that not all of them do), it is only because they want to save their tech support from questions like this ;) :).

But seriously.... please read carefully the definition of the eicar test file: http://www.eicar.com/anti_virus_test_file.htm . The definition is pretty strict and actually DOESN'T allow for any modifications.

Here's the relevant part:

"It is also short and simple - in fact, it consists entirely of printable ASCII characters, so that it can easily be created with a regular text editor. Any anti-virus product that supports the  test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The first 68 characters is the known string. It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters. The only whitespace characters allowed are the space character, tab, LF, CR, CTRL-Z. To keep things simple the file uses only upper case letters, digits and punctuation marks, and does not include spaces. The only thing to watch out for when typing in the test file is that the third character is the capital letter "O", not the digit zero."



Hope this helps,
Vlk

Offline RejZoR

Re:Avast! efficiency problem!
« Reply #4 on: October 31, 2004, 10:19:41 PM »
Well EICAR sample is just to test if antivirus really intercepts the file.
You can also send it to yourself through mail to see if the mail scanner really checks the mail.
You can also test the Normal and High Sensitivity modes with it (the first detects it only on execution, while the second detects it on copy/move/execute commands).
Nothing more. Thats its purpose.

Dimza
Re:Avast! efficiency problem!
« Reply #5 on: October 31, 2004, 10:29:41 PM »
Thanks, Vlk, but your reply does not address the issue either.
What is modified in those files is not the content but the form, to check whether AV software will recognize it even under disguise.

dimza

Offline RejZoR

Re:Avast! efficiency problem!
« Reply #6 on: October 31, 2004, 10:33:09 PM »
No you're missing the point which was explained by Vlk.
The EICAR sample file MUST be recognized only as the exact sequence of characters (plus those extra things also mentioned in Vlk's post).
EICAR was never meant to be modified.
Packers and polymorphic engines are for such purposes, not the EICAR sample, which is mainly for the usage I explained in my post above.
« Last Edit: October 31, 2004, 10:33:33 PM by RejZoR »

Offline Vlk

  • Avast CEO
    • ALWIL Software
Re:Avast! efficiency problem!
« Reply #7 on: October 31, 2004, 10:38:40 PM »
I see your point now. I guess your primary concern is that avast doesn't recognize the file on download. To enable that, you'd have to set the on-access level to High (instead of Normal).

But anyway, the avast unpackers are not enabled by default for the on-access scanner (this is the case with most AV software as unpacking files in real-time can be very time consuming).
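Added example (written for this edit; not avast code or anything from ALWIL): the definition Vlk quoted in Reply #3 turned into a strict byte-for-byte matcher, plus a toy "unpacker" layer to illustrate the point in Reply #7 that unpacking is a separate step from matching. The altered inputs (trailing whitespace, over-length, uuencoded, zlib-compressed, nested compression) are constructed here to stand in for the testavus files; the unpacker handling only uuencode and zlib, and the fixed nesting depth of 2, are assumptions for the demonstration and do not describe any real engine.

```python
"""Strict EICAR matcher per the published definition, plus a toy unpacker
layer showing why re-encoded copies only match once they are decoded."""
import binascii
import zlib

# The 68-byte EICAR string, split across two literals so that this source
# file is not itself picked up by an on-access scanner matching the string.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Whitespace the definition allows after the string: space, tab, LF, CR, CTRL-Z.
ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")
MAX_LEN = 128  # total file length may not exceed this


def is_eicar(data: bytes) -> bool:
    """True only for a file that matches the EICAR definition byte for byte."""
    if not len(EICAR) <= len(data) <= MAX_LEN:
        return False
    if not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_TRAILER for b in data[len(EICAR):])


def uuencode(data: bytes) -> bytes:
    """Wrap bytes in a uuencode container (45 data bytes per body line)."""
    body = b"".join(binascii.b2a_uu(data[i:i + 45])
                    for i in range(0, len(data), 45))
    return b"begin 644 eicar.com\n" + body + b"`\nend\n"


def unpack_once(data: bytes):
    """Yield one-level decodings of `data` (uudecode, zlib). This stands in
    for an engine's unpacker layer; real engines cover many more formats."""
    if data.startswith(b"begin "):
        out, ok = bytearray(), True
        for line in data.split(b"\n")[1:]:
            if line in (b"", b"`", b"end"):
                break
            try:
                out += binascii.a2b_uu(line)
            except binascii.Error:
                ok = False
                break
        if ok:
            yield bytes(out)
    try:
        yield zlib.decompress(data)
    except zlib.error:
        pass


def scan(data: bytes, unpack: bool = False, depth: int = 2) -> bool:
    """unpack=False: strict matcher only (no unpackers, as on-access by
    default). unpack=True: also look inside up to `depth` container layers."""
    if is_eicar(data):
        return True
    if not unpack or depth == 0:
        return False
    return any(scan(inner, True, depth - 1) for inner in unpack_once(data))


def build_variants() -> dict:
    """Constructed inputs modelled on the kinds of files named in the thread."""
    return {
        "canonical": EICAR,
        "crlf_trailer": EICAR + b"\r\n",
        "ctrlz_trailer": EICAR + b"\x1a",
        "padded_to_128": EICAR + b" " * 60,
        "padded_to_129": EICAR + b" " * 61,     # one byte over the limit
        "leading_space": b" " + EICAR,          # string must be at offset 0
        "digit_zero": b"X50" + EICAR[3:],       # the classic typo: 0 for O
        "lowercase": EICAR.lower(),
        "uuencoded": uuencode(EICAR),
        "zlib_x1": zlib.compress(EICAR),
        "zlib_x2": zlib.compress(zlib.compress(EICAR)),
        "zlib_x3": zlib.compress(zlib.compress(zlib.compress(EICAR))),
    }


def scan_variants(unpack: bool) -> dict:
    """Map each variant name to the scan verdict for the given mode."""
    return {name: scan(blob, unpack=unpack)
            for name, blob in build_variants().items()}


if __name__ == "__main__":
    strict, deep = scan_variants(False), scan_variants(True)
    for name in strict:
        print(f"{name:14} strict={str(strict[name]):5} unpack={deep[name]}")
```

Running it shows two things the thread argues about: under the definition, a uuencoded or compressed copy is not an EICAR file at all, so a strict match that ignores it is correct behaviour; and only a scanner that decodes the container first sees the string, with nesting past the unpacker's depth limit (here `zlib_x3`) going undetected even with unpacking on. Whether a given product ships its unpackers enabled for on-access scanning is a configuration question, which is what Vlk's reply describes.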

Offline Lisandro

  • Avast team
Re:Avast! efficiency problem!
« Reply #8 on: October 31, 2004, 11:43:41 PM »
But anyway, the avast unpackers are not enabled by default for the on-access scanner (this is the case with most AV software as unpacking files in real-time can be very time consuming).

Vlk, is there a way to set the sensitivity to High while downloading a file (or email attachment) and only Normal for the Standard Shield? The majority of viruses nowadays come through email and we can save time... Am I missing any concept here? RejZoR forgive me the silly questions  ;D

Offline igor

  • Avast team
    • AVAST Software
Re:Avast! efficiency problem!
« Reply #9 on: November 01, 2004, 09:54:03 AM »
You cannot distinguish between downloading a file and modifying it in a different way. So, you basically have to enable the "Scan created/modified files" option of the Standard Shield provider.

Offline Lisandro

  • Avast team
Re:Avast! efficiency problem!
« Reply #10 on: November 01, 2004, 02:14:58 PM »
You cannot distinguish between downloading a file and modifying it in a different way. So, you basically have to enable the "Scan created/modified files" option of the Standard Shield provider.

What a pity!  :'(  :-[  :-\