Author Topic: Malware not blocked by webshield  (Read 13509 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83807
  • No support PMs thanks
Re: Malware not blocked by webshield
« Reply #15 on: February 28, 2012, 04:24:19 PM »
I take it you have contacted him again?
The problem, as you have said, is that initially the web shield alerts and attempts to abort the connection, but in the background that may have completed. So essentially avast is detecting it (as confirmed in the support reply). I don't know if in your contact with support you made it clear that the web shield was detecting it, but the real problem is that it isn't blocking it from being downloaded.

Generally the web shield will abort the connection to stop the content being downloaded, but some browsers may disregard the abort connection and complete it. I think I recall something like that before in relation to Chrome in the forums.

The secondary problem is that the file system shield doesn't scan zip files by default (as they are inert), so it isn't being picked up when the abort connection doesn't drop the connection or the browser disregards the abort and tries to complete the download.

You could of course change the file system shield, expert settings, Scan when writing and check the Scan all files. This would effectively be scanning 'all' newly created/written files and this would include files written to the hard disk. However, this could have an impact on system performance.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.8.2429 (build 20.8.5653.561) UI-1.0.562/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline phyniks

  • Jr. Member
  • **
  • Posts: 62
Re: Malware not blocked by webshield
« Reply #16 on: February 28, 2012, 06:45:12 PM »
Dear David
I tried my best to explain the case, but as I said he might not have read it carefully.
Here is my first expression:


I have received a spam in my Yahoo mail which contained a virus.
While downloading (Chrome as the browser) the webshield warned and said the malware is blocked:

http://www.avast.com/lp-security-information-fp2?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_70_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-ww%2Fvirus-alert-challenger2&p_vir=Win32:Ufraie-J&p_prc=&p_obj=&p_var=.%2Ffa%2Fen-ww%2Fvirus-alert-default2&p_pro=0&p_vep=7&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=369&p_lng=en&p_lid=en-ww&p_elm=7&p_vbd=1407

But surprisingly the download process was not terminated and the malware (which was in a zipped file) came through to my MY DOCUMENTS!!!
Scanning the file showed the virus was there. It was not harmful because it was in a zipped file, but the webshield could not block the download process.
I don't know if it is a bug or I have to change the setting (set by default).
I'm using avast 7 free 7.0.1407 and my system is HP laptop dv6000se, AMD, quad core, Win7 Home Premium, browser is Chrome 17.


After his first response I explained it again this way:

Oh sir
please...
did you read the problem carefully?!!
Of course it was in your database, my problem was avast webshield's inability to stop the download process by Google Chrome.
In 50% of cases it just warns and says it is blocked, but it does not terminate the downloading and the file comes to MY DOCUMENTS
(sometimes the avast warning is before the download and it is fully blocked, but sometimes it starts after the dl process and it does not terminate it)



Let's hope he gets the case. . .

All the story is here (I don't know if you can access):
https://support.avast.com/index.php?_m=tickets&_a=viewticket&ticketid=1996615
« Last Edit: February 28, 2012, 06:48:50 PM by phyniks »

Offline DavidR

Re: Malware not blocked by webshield
« Reply #17 on: February 28, 2012, 06:55:07 PM »
I can't access the support tickets, I'm an avast user like yourself.

In the meantime, if your system isn't lacking in resources you could try what I suggested and see if any file that isn't aborted is subsequently detected by the file system shield; plus check if there is an appreciable performance hit with that setting.

Offline phyniks

Re: Malware not blocked by webshield
« Reply #18 on: February 28, 2012, 07:12:30 PM »

But the advantage of webshield (if it works properly) is that the malware is blocked before it gets through.
I mean this kind of protection is one step superior.
I don't wanna compare products but the advantage of Avast Free over Avira Free (for example) is the shields, otherwise, even Avira can detect and catch the zipped file just after being downloaded (if you change its setting to scan archived files)
« Last Edit: February 28, 2012, 07:20:18 PM by phyniks »

Offline phyniks

Re: Malware not blocked by webshield
« Reply #19 on: February 28, 2012, 07:26:04 PM »
Update

I changed the setting this way:

file system shield, expert settings, packers..........tick "all"

First, dl process started, then webshield warned, dl was finished completely, then file shield warned and quarantined the file.
As you see the webshield was bypassed....
« Last Edit: February 28, 2012, 07:36:22 PM by phyniks »

Offline DavidR

Re: Malware not blocked by webshield
« Reply #20 on: February 28, 2012, 09:07:08 PM »
OK, my bad, forgot it isn't all packers that are scanned by default, only selective ones (executable ones, self-extracting).

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9442
Re: Malware not blocked by webshield
« Reply #21 on: February 28, 2012, 09:18:51 PM »
Quote from: DavidR
OK, my bad, forgot it isn't all packers that are scanned by default, only selective ones (executable ones, self-extracting).

default is "all packers" for the web shield.
w7 - ais7

Offline DavidR

Re: Malware not blocked by webshield
« Reply #22 on: February 28, 2012, 10:11:54 PM »
Quote from: logos
Quote from: DavidR
OK, my bad, forgot it isn't all packers that are scanned by default, only selective ones (executable ones, self-extracting).

default is "all packers" for the web shield.

But we are talking about the file system shield settings; as the file is not aborting as it should, it isn't being blocked by the web shield. So the intention is to provide a second line of defence for archives that get past the web shield abort connection.

Offline logos

Re: Malware not blocked by webshield
« Reply #23 on: February 28, 2012, 10:33:06 PM »
oh okay ... but I tell you, the user is gonna go nuts if he sets all packers for the file shield. I gave it a shot once for fun years ago, that slows down the whole system, especially install and uninstall operations, just don't do it ;)

ps: not sure, but I think MIME and "installer" archives are the worst to scan
« Last Edit: February 28, 2012, 10:38:47 PM by logos »

Offline DavidR

Re: Malware not blocked by webshield
« Reply #24 on: February 29, 2012, 01:01:50 AM »
The user has been made aware of the possible performance hit.

But what I want to know is why, when the abort connection is the only option, Chrome is completing the download.

Offline logos

Re: Malware not blocked by webshield
« Reply #25 on: February 29, 2012, 01:09:35 AM »
noticing something strange here while testing with Eicar in Chrome: connection instantly aborted with the eicar files, while it takes a little while until the web shield takes a decision with archived eicar files, like 15-20 seconds (spinning animation in tab) and then the alert comes ... this delay to react with archives here isn't normal at all, especially when one considers the size of an Eicar archive.

Offline DavidR

Re: Malware not blocked by webshield
« Reply #26 on: February 29, 2012, 01:29:11 AM »
This is exactly what we have been trying to find out. It is almost as if Chrome ignores the abort connection or, if it does abort it, it then re-establishes the dropped connection and concludes the download.

Edit: just tested with Firefox 10.0.2, whilst there was a delay that you mentioned I got the alert (mine is set to ask though) and aborted the connection, I got a second web shield alert (aborted again). I checked my downloads folder and no eicar_com.zip.

So working as expected in Firefox.

EDIT2: I just wonder if the delay we are experiencing between clicking the download and the alert is down to the File Rep cloud check (as presumably because this is a download it would be checked)?
« Last Edit: February 29, 2012, 01:48:28 AM by DavidR »

Offline phyniks

Re: Malware not blocked by webshield
« Reply #27 on: February 29, 2012, 04:51:51 AM »
Unfortunately the incompatible browser (chrome) is suggested by Avast installer and is my favorite  :-[

Offline hardov

  • Jr. Member
  • **
  • Posts: 77
Re: Malware not blocked by webshield
« Reply #28 on: February 29, 2012, 05:01:40 AM »
Quote from: phyniks
Update

I changed the setting this way:

file system shield, expert settings, packers..........tick "all"

First, dl process started, then webshield warned, dl was finished completely, then file shield warned and quarantined the file.
As you see the webshield was bypassed....


Do you think it is a good idea to leave the RAR and ZIP files ticked all the time?
Sony VAIO i3, 300 GB hard disc, 4 GB RAM , Windows 7 Home Premium 64 bit, Chrome, Avast 8 Free, ZoneAlarm free firewall, Malwarebytes

Offline AntiVirusASeT

  • Poster
  • *
  • Posts: 466
Re: Malware not blocked by webshield
« Reply #29 on: February 29, 2012, 05:45:29 AM »
tested with eicar_com.zip & eicarcom2.zip through http with google chrome, both blocked before download

dunno if it is my settings which helped in the blocking
also check if u have docs pdf/powerpoint viewer by google in ur extensions i found out if i enabled it, the webshield fails to block completely

google chrome v17.0.963.56
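
The "second line of defence" discussed in this thread, scanning an archive's contents once it has been written to disk, can be sketched as follows. This is an added example, not code from any poster or from Avast: it looks only for the harmless EICAR test string used in the tests above, the depth and size limits are assumed values standing in for the performance trade-off raised in the thread, and the sample archives are constructed in memory.

```python
import io
import zipfile

# EICAR standard anti-virus test string (harmless), split in two so this
# source file is not itself a verbatim copy of the test file.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

MAX_DEPTH = 3                  # nesting limit for archives (assumed value)
MAX_MEMBER_BYTES = 10 * 2**20  # skip members declared larger than this (assumed)


def scan_bytes(data, name, depth=0):
    """Return (hits, skipped): paths whose content holds the signature, and
    paths that were not inspected because a limit was reached."""
    hits, skipped = [], []
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            return hits, [name]          # too deeply nested: report, don't unpack
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}!{info.filename}"
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    skipped.append(path)
                    continue
                h, s = scan_bytes(zf.read(info), path, depth + 1)
                hits += h
                skipped += s
    elif EICAR in data:
        hits.append(name)
    return hits, skipped


def make_zip(members):
    """Build a zip in memory from {filename: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


if __name__ == "__main__":
    inner = make_zip({"eicar.com": EICAR})                      # single-level archive
    outer = make_zip({"inner.zip": inner, "readme.txt": b"hello"})  # nested archive
    print(scan_bytes(EICAR, "plain.com"))
    print(scan_bytes(outer, "download.zip"))
```

Anything returned in `skipped` was never inspected, so a file with a non-empty `skipped` list should not be treated as clean.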