ok this one's so big I can't believe no one brought this up before:
basically it's IMPOSSIBLE to get the real-time file scanner to test files
on execution only (the only time when a virus/trojan gets dangerous)
btw scan on run-only are options that Eset & Kaspersky also have (but they work on these products)
I have several trojan exes (not mere leaktests) which I use to test the AVs. but I also edit some of them to change signatures to test the proactive aspects (heuristic & behavior blocking). problem is with Avast I can't do that unless I disable File Shield, else it throws up an alarm every time I access the infected files even if I don't double-click
this is very important since I've a slow drive (not them fancy SSDs) so if a file gets tested every time it's written or even viewed then the whole system slows down
this is a pity considering that the AV itself is low on resources (I chose to test this one when Avira went over to the Dark Side)
so this is what I did:
ticked all 3 boxes in "scan when executing"
unticked everything in "scan when opening"
unticked everything in "scan when writing"
and IT DONT WORK. alarm goes off whenever I even right-click on an infected file (alert says something about explorer.exe)
AND if I also untick "scan programs when executing" (first box in "scan when executing" settings) I can at least right-click on a trojan file & open it with a hexeditor. but if I try to copy the file or any sort of writing, again an alert (again with explorer.exe)
in other words Avast confuses "executing" with "reading"
I even tried a workaround by adding a test folder to the file shield's exclusion list (ticked R & W, left X unticked) but again same error, even a right-click on a bad file triggers the alert
which means the RWX settings are also buggy
worse, I can get Avast to scan files when accessing (read/write) but NOT execute (in other words useless, and also the complete opposite of what I want)
so, question for the developers here: do you even test your products thoroughly? I mean if you let such obvious bugs like that spoil a potentially good program then it's a recipe for disaster. security progs like AVs & FWs are supposed to be released in working form, not pre-alpha or beta (unless specifically mentioned otherwise, but here v8.0.1483 is -supposed- to be final version)
but hey if you don't believe me you can test it yourself:
there's a reputable site called matousec where they test the outbound (leak) protection of firewalls, there's a leaktest called jumper.exe
there's several versions of the file, command line & GUI version which work in different ways, I'm talking about the GUI version (which is blacklisted by Avast, go figure why)
it's a leaktest that creates a dll and also tries to terminate explorer.exe. or something
http://www.matousec.com/downloads/windows-personal-firewall-analysis/leaktests/Jumper.zip
so there we go, try to do the following:
put that exe in a custom folder (you gonna need to disable avast file shield first because of the bug) then see if you can tick the right options so that avast reacts
ONLY when you double-click on the file (ie. try to run it)
you must be able to open the file's folder, left-click on the file, right-click, open with notepad, with a hexedit...and make copy of it (to same folder or elsewhere)
without Avast reacting (no alerting no scanning no nothing)
see for yourself if it works :|