Author Topic: [SOLVED] File Shield won't block EICAR/first time EICAR ran with avast!  (Read 8258 times)

0 Members and 1 Guest are viewing this topic.

Offline adfagqeg

  • Jr. Member
  • **
  • Posts: 68
hello, its been 1-2 months since i installed avast for mac edition.
the problem is that i don't have a virus chest in that anti virus, plus, when i downloaded eicar (web shield is off because it conflicts with little snitch 2) system shield poped up for a "not a virus" message, then.. nothing!
thats it! only pop up, i could even open the eicar, i tried numerous times and every time avast just poped up and did nothing!

so.. what's the meaning for the system shield? it only speaks without doing anything?
the only way i could remove the "virus" was to manually scan the file and then delete it.

no virus chest like in the old version, system shield didnt even TRY to remove eicar.

someone.. answers? i really love the avast for windows and its a shame im thinking of moving to sophos (for mac)- avast for windows is still the best.

thanks from advance.

avast is in the latest version.
mac os: 10.7.3
and yes.. file shield is working with a green checkmark (V) next to it, detecting but fails one after one with EICAR (and i assume it will happen with a real virus too).
test with Avast! and LS, Avast! with WEB SHIELD ON (web shield blocked eicar while dl) but file shield without web shield doesnt do a thing!
« Last Edit: February 27, 2012, 04:11:52 PM by itsjustme2 »

Offline tumic

  • Moderator
  • Advanced Poster
  • *
  • Posts: 724
Re: File Shield won't block EICAR/first time EICAR ran with avast!
« Reply #1 on: February 20, 2012, 11:40:53 AM »
system shield poped up for a "not a virus" message, then.. nothing!
thats it! only pop up, i could even open the eicar, i tried numerous times and every time avast just poped up and did nothing!
so.. what's the meaning for the system shield? it only speaks without doing anything?

The file shield does two things - it detects the malicious code and prevents it's execution.
Opening a virus code for reading can not cause any harm.

the only way i could remove the "virus" was to manually scan the file and then delete it.
no virus chest like in the old version, system shield didnt even TRY to remove eicar.

The virus chest is nothing else than a given folder where the infected files are moved to. You can
achieve the same result by manually moving the file. The same applies for deletion - it can be done
manually using finder.  The fileshield does not make any proactive actions as it can cause more damages than benefits.

Note, that this may change in the future, and there will be an option to configure the fileshield to do automatic actions on virus detection.

Offline adfagqeg

  • Jr. Member
  • **
  • Posts: 68
Re: File Shield won't block EICAR/first time EICAR ran with avast!
« Reply #2 on: February 20, 2012, 04:47:04 PM »
no, u didn't understand me at all.
Fileshield didn't blocked EICAR, he didn't remove it, he only poped up a message once and once when i opened the .com file.

YES! THE FILE WASN'T TXT IT WAS EICAR.COM
avast! failed with eicar1.com eicar2.com eicar3.com even when eicar executed a bash/bin command in terminal which made avast alert once again for "bin/bash" but, didnt do a thing (why.. why?!?!)

oh and the avast installed in my macbook pro isn't corrupted, i tried it again on a clean mac (mac os journaled) with eicar, and i was able to run the eicar.com file which successfully opened the terminal and wrote "EICAR TEST FILE..." (which isn't a txt format and should be terminated).
btw sophos does block and remove it to quarantene manager (equal to virus chest).

igor, someone? i need to know what's up with avast for mac, this is avast fault and it has nothing to do with the way i installed the program.
« Last Edit: February 20, 2012, 04:50:44 PM by itsjustme2 »

Offline adfagqeg

  • Jr. Member
  • **
  • Posts: 68
Re: File Shield won't block EICAR/first time EICAR ran with avast!
« Reply #3 on: February 21, 2012, 01:08:05 AM »
Bump!

Offline tumic

  • Moderator
  • Advanced Poster
  • *
  • Posts: 724
Re: File Shield won't block EICAR/first time EICAR ran with avast!
« Reply #4 on: February 22, 2012, 11:39:33 AM »
no, u didn't understand me at all.
Fileshield didn't blocked EICAR, he didn't remove it, he only poped up a message once and once when i opened the .com file.

As already said, the fileshield informs about the infection and prevents the execution of the malicious code

YES! THE FILE WASN'T TXT IT WAS EICAR.COM

Just a note on EICAR. Apart from the fact, that the EICAR file is a DOS executable, it is also a simple text file - it uses only printable ASCII characters, this was the goal when the EICAR file was designed. So you can also consider it a text file.

avast! failed with eicar1.com eicar2.com eicar3.com even when eicar executed a bash/bin command in terminal which made avast alert once again for "bin/bash" but, didnt do a thing (why.. why?!?!)
...
oh and the avast installed in my macbook pro isn't corrupted, i tried it again on a clean mac (mac os journaled) with eicar, and i was able to run the eicar.com file which successfully opened the terminal and wrote "EICAR TEST FILE..."

This is completely weird. You can really not execute the EICAR code on a Mac OS X as it uses the INT21h DOS routine to print the string to the terminal unless You use DOSbox or some other virtualization/emulation tool. And bash is really not such a tool... So what most probably happened was that bash was trying to interpret the file and printed some syntax error message containing the EICAR-STANDARD-ANTIVIRUS-TEST-FILE string.

igor, someone? i need to know what's up with avast for mac, this is avast fault and it has nothing to do with the way i installed the program.

This is not a avast! failure. The eicar code was not executed as it is not an Mac OS X executable. Would it be a Mac OS X executable (or a script executable on Mac OS X), its execution would be blocked by the avast! fileshield.

Offline adfagqeg

  • Jr. Member
  • **
  • Posts: 68
Re: File Shield won't block EICAR/first time EICAR ran with avast!
« Reply #5 on: February 22, 2012, 07:30:05 PM »
no, u didn't understand me at all.
Fileshield didn't blocked EICAR, he didn't remove it, he only poped up a message once and once when i opened the .com file.

As already said, the fileshield informs about the infection and prevents the execution of the malicious code

YES! THE FILE WASN'T TXT IT WAS EICAR.COM

Just a note on EICAR. Apart from the fact, that the EICAR file is a DOS executable, it is also a simple text file - it uses only printable ASCII characters, this was the goal when the EICAR file was designed. So you can also consider it a text file.

avast! failed with eicar1.com eicar2.com eicar3.com even when eicar executed a bash/bin command in terminal which made avast alert once again for "bin/bash" but, didnt do a thing (why.. why?!?!)
...
oh and the avast installed in my macbook pro isn't corrupted, i tried it again on a clean mac (mac os journaled) with eicar, and i was able to run the eicar.com file which successfully opened the terminal and wrote "EICAR TEST FILE..."

This is completely weird. You can really not execute the EICAR code on a Mac OS X as it uses the INT21h DOS routine to print the string to the terminal unless You use DOSbox or some other virtualization/emulation tool. And bash is really not such a tool... So what most probably happened was that bash was trying to interpret the file and printed some syntax error message containing the EICAR-STANDARD-ANTIVIRUS-TEST-FILE string.

igor, someone? i need to know what's up with avast for mac, this is avast fault and it has nothing to do with the way i installed the program.

This is not a avast! failure. The eicar code was not executed as it is not an Mac OS X executable. Would it be a Mac OS X executable (or a script executable on Mac OS X), its execution would be blocked by the avast! fileshield.
ok, first of all, i want to thank you for all the help (you're the only one who cared enough to assist me, and i admire you for that).
secondly, back to avast! when i opened the eicar.com, it opened the terminal and i saw something like:
----------------------------------------------------------------------------------------------------
command (i dont remember what..) c:\users\documents\something..
EICAR-FILE TEST something something (yes it was a text string in this line)
commands completed.
----------------------------------------------------------------------------------------------------
while the terminal opened with these wierd unknown command, avast! popped up and said "bash/bin command something blocked" and i saw in the header of the terminal "Terminal - Locked".
avast! didn't remove the file and it didn't even block it from execution, but i think avast! actually did something behind the scenes, but itsn't enough for me.
i know that other antivirus softwares for mac do remove eicar when it has .com extension (i know that txt isn't an executable file so it won't be detected automatically) but .com is a file which run in terminal too and
that's why i don't see why avast let it even run, it should have been deleted instead of letting it run commands.

and it was downloaded from the main site of eicar (eicar.com).
so yes, i do believe that avast! tried to block eicar because it said that on the popup and the terminal changed to terminal-locked but it actually seems like avast! failed.

so you telling me that if this result isn't enough for me, i should abandon avast! for mac? because now im not quiet with avast! mac, because im afraid that when it will be a real virus it will happen the same.
is there a test i can make that will prove to me that it only ignores eicar and not other files?

one more important question: is it ok if i only use fileshield and mail shield without web shield because i must use little snitch 2, and as you know LS2 won't work with web shield because all localhost (127.0.0.1)
requests are automatically allowed.
i know that mac cant really be exploited by viruses without downloading and installing the infected malware with the approval of the administrator (opposite from win32), so is it a red alert if i close web shield
and i use only fileshield and mailshield?

note that little snitch 2 is something that i cant uninstall because im really afraid of keyloggers etc and i can't really believe that web shield can tribute to my mac defense more than LS2.
and if the only difference between web shield on and off is that it will block the file before it was downloaded to the harddisk, then its fine with me as long as i have a good fileshield, because the infected file can't
make any harm because the web shield and fileshield works on the same database, if it passed the fileshield it will pass the web shield as well. oh and i don't like TCPBlock (altrenative outgoing firewall for mac)- LS2 is amazing!!
+ is it ok if i use avast! with CalmXav (its a scan-on-demand antivirus only).

just tell me if im right and im good to go..
« Last Edit: February 23, 2012, 06:13:03 PM by itsjustme2 »

Offline adfagqeg

  • Jr. Member
  • **
  • Posts: 68
Re: File Shield won't block EICAR/first time EICAR ran with avast!
« Reply #6 on: February 24, 2012, 05:29:18 PM »
bump

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5087
Re: File Shield won't block EICAR/first time EICAR ran with avast!
« Reply #7 on: February 25, 2012, 05:03:21 PM »
If you must use little snitch then leave the web shield off. ClamAv also shouldn't conflict as long as you're not using a background scanner.

For Eicar, as has been said its not a OS X executable file, and was designed for DOS. You are still getting an alert when  trying to execute the file. Currently the file shield on the Mac version does not take an automatic action like can be configured on windows. This is something likely coming in a future release and seems to be what you are asking for. Remember this release is still in a beta stage.
"People who are really serious about software should make their own hardware." - Alan Kay

Offline adfagqeg

  • Jr. Member
  • **
  • Posts: 68
Re: File Shield won't block EICAR/first time EICAR ran with avast!
« Reply #8 on: February 25, 2012, 10:32:46 PM »
If you must use little snitch then leave the web shield off. ClamAv also shouldn't conflict as long as you're not using a background scanner.

For Eicar, as has been said its not a OS X executable file, and was designed for DOS. You are still getting an alert when  trying to execute the file. Currently the file shield on the Mac version does not take an automatic action like can be configured on windows. This is something likely coming in a future release and seems to be what you are asking for. Remember this release is still in a beta stage.
omg that was a perfect answer, just one more thing:
let's say i accidently run a installation which is a virus, will avast block the installation from running or will it just pop up a msg?

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5087
Re: File Shield won't block EICAR/first time EICAR ran with avast!
« Reply #9 on: February 27, 2012, 09:11:50 AM »
Quote
omg that was a perfect answer, just one more thing:
let's say i accidently run a installation which is a virus, will avast block the installation from running or will it just pop up a msg?

It will display the pop up message AND prevent the malicious file from executing. Again in a future release it should be possible to configure Avast to take an automatic action on the infection (Such as delete or move to Chest).
"People who are really serious about software should make their own hardware." - Alan Kay

Offline adfagqeg

  • Jr. Member
  • **
  • Posts: 68
Re: File Shield won't block EICAR/first time EICAR ran with avast!
« Reply #10 on: February 27, 2012, 04:11:13 PM »
Quote
omg that was a perfect answer, just one more thing:
let's say i accidently run a installation which is a virus, will avast block the installation from running or will it just pop up a msg?

It will display the pop up message AND prevent the malicious file from executing. Again in a future release it should be possible to configure Avast to take an automatic action on the infection (Such as delete or move to Chest).
thank you very much.

Offline mjthompson

  • Newbie
  • *
  • Posts: 1
Re: [SOLVED] File Shield won't block EICAR/first time EICAR ran with avast!
« Reply #11 on: February 28, 2012, 01:01:04 AM »
I noticed the exact same thing - I went to download EICAR. Clicking the link to view the txt in browser didn't work, Avast webrep blocked it. But when I right clicked > save link as avast said warning but didn't delete it.

The fact it is a COM or TXT file shouldn't matter, by that I mean Avast should treat it as a bad virus even though it's not an executable. The whole idea behind EICAR test files is to see how your antivirus responds to threats. I'd like to see automatic quarantine in the next version - but I'm sticking with avast for now as even more developed software can't beat your speed and lovely interface ^_^
« Last Edit: February 28, 2012, 01:03:46 AM by mjthompson »

Offline adfagqeg

  • Jr. Member
  • **
  • Posts: 68
Re: [SOLVED] File Shield won't block EICAR/first time EICAR ran with avast!
« Reply #12 on: February 28, 2012, 03:23:59 AM »
I noticed the exact same thing - I went to download EICAR. Clicking the link to view the txt in browser didn't work, Avast webrep blocked it. But when I right clicked > save link as avast said warning but didn't delete it.

The fact it is a COM or TXT file shouldn't matter, by that I mean Avast should treat it as a bad virus even though it's not an executable. The whole idea behind EICAR test files is to see how your antivirus responds to threats. I'd like to see automatic quarantine in the next version - but I'm sticking with avast for now as even more developed software can't beat your speed and lovely interface ^_^
I've decided to keep with avast too  8)

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5087
Re: [SOLVED] File Shield won't block EICAR/first time EICAR ran with avast!
« Reply #13 on: February 28, 2012, 01:44:53 PM »
I noticed the exact same thing - I went to download EICAR. Clicking the link to view the txt in browser didn't work, Avast webrep blocked it. But when I right clicked > save link as avast said warning but didn't delete it.

The fact it is a COM or TXT file shouldn't matter, by that I mean Avast should treat it as a bad virus even though it's not an executable. The whole idea behind EICAR test files is to see how your antivirus responds to threats. I'd like to see automatic quarantine in the next version - but I'm sticking with avast for now as even more developed software can't beat your speed and lovely interface ^_^

Yes this is the expected behavior. I am confident that you will see the action on infection in an upcoming release, the Mac Version and Windows version are becoming more feature complete with each release.  :)
"People who are really serious about software should make their own hardware." - Alan Kay