Author Topic: Malware not blocked by webshield  (Read 13522 times)


Offline True Indian

  • Malware Hunter
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 712
  • A Good Old Indian!
Re: Malware not blocked by webshield
« Reply #30 on: February 29, 2012, 08:34:27 AM »
I also tested with the EICAR zip: blocked instantly, no delay faced... I have even been playing with downloading malware in Chrome on another machine but haven't seen a piece of malware that gets past the web shield even after it aborted the connection, at least with version 7.

That's why I have been suggesting that the avast team make the file shield scan many more packers like RAR and ZIP packers where malware can be hiding [if not all], as we can get the chance of detecting something earlier and not waiting till the last moment of the file being extracted or something like it....

Moreover, I feel that Chrome is in some way incompatible with the web shield. But I do know it's very rare that malicious downloads complete even after the web shield blocks them, but they are eventually blocked by the file shield [however, in this case the file shield doesn't react due to the packer setting]. That's why I hope the avast team will make some changes to the default packers to be scanned by the file shield; otherwise the web shield is always perfect in its job and I find it very accurate in blocking and aborting the connection. I also know that Chrome is very sensitive and very granular: if you visit a malicious site with an iframe redirection in Chrome, avast will block the site but Chrome will still say the site is loading and it results in a blank page.... This doesn't happen in IE, as if the same is done in IE, as soon as you see the web shield alert you can see IE saying site not found.


Thanks.
« Last Edit: February 29, 2012, 09:03:28 AM by papu »

Offline akama1

  • Sr. Member
  • ****
  • Posts: 286
  • Never give up on anything!
Re: Malware not blocked by webshield
« Reply #31 on: February 29, 2012, 01:54:48 PM »
Isn't this issue with the avast web shield supposed to be quite normal? As sometimes the alert is given by the webshield but the file was dropped at the last second and the alert kicked in? This actually happens sometimes.... It should be pretty normal though :/
win7 ultimate 32 bit/ 3gb ram/intel core 2 duo 2.1 ghz/ avast 7 free / comodo firewall 5.9/ mbam free/ emsisoft emergency kit/ CCE

Offline lukor

  • Avast team
  • Super Poster
  • *
  • Posts: 1878
    • AVAST Software
Re: Malware not blocked by webshield
« Reply #32 on: February 29, 2012, 03:27:54 PM »
Hi, WebShield blocks the connection as soon as the virus is detected. In ZIP files, where the directory of the zip container is at the end and the end of the file is needed for unpacking, the detection is actually only possible once almost the whole archive has been downloaded.

When the file is small, all works as you expect: the content is found and stopped. When the file is larger, the start might have already been delivered to the browser.

Have you tried to open the zip? Since not the whole file is downloaded by the browser, the content should actually be corrupted and impossible to open as a zip file. Some browsers in such a case (aborted download) don't save anything, since it was aborted before the end; other browsers save what they have. In any case, the file saved shouldn't be complete.
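lukor's point above (a ZIP keeps its central directory and end-of-central-directory record at the tail of the file, so a reader cannot open the archive until those bytes arrive, and an aborted download leaves a file that will not open as a ZIP) can be seen directly with Python's standard zipfile module. This is an added example, not code from the thread or from AVAST; the two member files are constructed sample data, and the aborted download is simulated by simply cutting the byte string at a given fraction.

```python
"""Added example (not from the avast forum thread): why a ZIP archive cannot be
fully judged, or even opened, until its tail has been received.

A ZIP starts with local file headers followed by each member's compressed data,
and ends with the central directory plus the End Of Central Directory (EOCD)
record. Readers locate members by finding the EOCD first, so a download that is
cut off before the tail is not an openable archive, even though its first bytes
may already be sitting on disk.
"""
import io
import struct
import zipfile

# Constructed sample members; names and contents are invented for this demo.
SAMPLE_MEMBERS = {
    "readme.txt": b"harmless text " * 50,
    "payload.bin": bytes(range(256)) * 40,
}

EOCD_SIG = b"PK\x05\x06"       # End Of Central Directory record signature
LOCAL_HDR_SIG = b"PK\x03\x04"  # local file header signature


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP (DEFLATE) with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def eocd_offset(blob: bytes) -> int:
    """Offset of the EOCD record (-1 if absent); readers search backwards for it."""
    return blob.rfind(EOCD_SIG)


def central_directory_offset(blob: bytes) -> int:
    """Offset of the central directory, read from the EOCD record (4-byte field at +16)."""
    pos = eocd_offset(blob)
    if pos < 0:
        raise ValueError("no EOCD record: not a complete ZIP")
    (cd_offset,) = struct.unpack_from("<I", blob, pos + 16)
    return cd_offset


def first_member_name(blob: bytes) -> str:
    """Name stored in the first local file header (name length at +26, name at +30)."""
    if not blob.startswith(LOCAL_HDR_SIG):
        raise ValueError("does not start with a local file header")
    (name_len,) = struct.unpack_from("<H", blob, 26)
    return blob[30:30 + name_len].decode()


def is_openable(blob: bytes) -> bool:
    """True if zipfile can open the blob and read every member, i.e. the tail arrived."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                zf.read(info.filename)
        return True
    except (zipfile.BadZipFile, EOFError, OSError, ValueError, KeyError, struct.error):
        return False


def simulate_aborted_download(blob: bytes, fraction: float) -> bytes:
    """Bytes a browser would have if the connection were cut after `fraction` of the file."""
    return blob[: int(len(blob) * fraction)]


if __name__ == "__main__":
    full = build_zip(SAMPLE_MEMBERS)
    n = len(full)
    print(f"archive size        : {n} bytes")
    print(f"first local header  : {first_member_name(full)!r} (visible at byte 0)")
    print(f"central directory at: byte {central_directory_offset(full)} of {n}")
    print(f"EOCD record at      : byte {eocd_offset(full)} of {n}")
    for frac in (0.5, 0.9, 0.99, 1.0):
        partial = simulate_aborted_download(full, frac)
        print(f"{frac:>5.0%} downloaded -> openable: {is_openable(partial)}")
```

Running it shows the first member's name is readable from byte 0 (the file opens with a local header) while the central directory and EOCD record occupy the last ~135 bytes; every truncated copy fails to open, which is the "corrupted" outcome lukor expects. The converse is the useful check for a reader of this thread: if a saved archive opens and extracts cleanly, the browser received the complete stream.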

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11764
    • AVAST Software
Re: Malware not blocked by webshield
« Reply #33 on: February 29, 2012, 03:35:10 PM »
To activate the malware, you have to unpack it from the archive anyway - and it would be detected at that moment.
Yes, you can save an archive containing some malware to your disk (though it normally shouldn't happen with WebShield active) - but we won't change the defaults, because it would have a very negative impact on your machine, without real security benefit (as the first sentence says).
You can enable the unpackers for your installation, it's up to you - but don't be surprised if you copy an archive from one folder to another and your machine freezes for a minute.

Offline phyniks

  • Jr. Member
  • **
  • Posts: 62
Re: Malware not blocked by webshield
« Reply #34 on: February 29, 2012, 03:45:16 PM »
Quote from: lukor
Hi, WebShield blocks the connection as soon as the virus is detected. In ZIP files, where the directory of the zip container is at the end and the end of the file is needed for unpacking, the detection is actually only possible once almost the whole archive has been downloaded.

When the file is small, all works as you expect: the content is found and stopped. When the file is larger, the start might have already been delivered to the browser.

Have you tried to open the zip? Since not the whole file is downloaded by the browser, the content should actually be corrupted and impossible to open as a zip file. Some browsers in such a case (aborted download) don't save anything, since it was aborted before the end; other browsers save what they have. In any case, the file saved shouldn't be complete.

Yes, I tried to unzip the file and it was intact (the fileshield picked up the malware inside on extraction).

Quote:
Do you think it is a good idea to tick the RAR and ZIP files all the time?

NO, because zipped files are not harmful (till this time!!!) and activating this option will impact system performance; it was just a test to show webshield download bypassing by Google Chrome.

Quote from: True Indian
I also tested with the EICAR zip: blocked instantly, no delay faced... I have even been playing with downloading malware in Chrome on another machine but haven't seen a piece of malware that gets past the web shield even after it aborted the connection, at least with version 7.

I have an idea: someone (a volunteer) gives me an email of his, I'll forward the spam to him, he checks it (downloads it 8 times using Chrome) and tells us the results.
« Last Edit: February 29, 2012, 03:49:43 PM by phyniks »

Offline lukor

  • Avast team
  • Super Poster
  • *
  • Posts: 1878
    • AVAST Software
Re: Malware not blocked by webshield
« Reply #35 on: February 29, 2012, 03:46:51 PM »
Do you have the link for the infected zip file?

Offline phyniks

  • Jr. Member
  • **
  • Posts: 62
Re: Malware not blocked by webshield
« Reply #36 on: February 29, 2012, 03:51:36 PM »
Quote from: lukor
Do you have the link for the infected zip file?

No, it is in a spam mail.
« Last Edit: February 29, 2012, 04:32:35 PM by phyniks »

Offline The Kitchen Sink

  • Jr. Member
  • **
  • Posts: 45
Re: Malware not blocked by webshield
« Reply #37 on: February 29, 2012, 08:05:45 PM »
Maybe I'm just tired at the moment. Is there a way to add archive formats for Avast to scan inside those as well? I think it should be a feature to scan inside before the user opens the file. If I have half the files archived on my system holding infected files and someone else's machine does not have good enough anti-virus software to find it when they open it, this is a problem when passing files around.

Even as an option this just makes sense, to keep adding many archive formats. Not having such a feature is rather lazy, because it doesn't slow anything down if it is an optional turn on/off at user discretion based upon the user's behavior.

Offline TheFireflame11

  • Jr. Member
  • **
  • Posts: 23
  • TheFireflame11
Re: Malware not blocked by webshield
« Reply #38 on: February 29, 2012, 08:32:37 PM »
This might have something to do with the corrupted installer. Idk, but search for "fix update for avast! 6x or 7x" if that is the case.
Gateway MT6705, Windows 7 Ultimate SP1 32bit, avast! Free Antivirus 7.0.1426, Internet Explorer 9.x, Nightly 14.0a1, Google Chrome 17.x, Safari 5.1.5, Opera 11.61, Malwarebytes Anti-Malware 1.60.1.1, Intel(R) Pentium Dual-Core inside(TM) T2060 processor.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9442
Re: Malware not blocked by webshield
« Reply #39 on: February 29, 2012, 08:33:56 PM »
Quote from: TheFireflame11
This might have something to do with the corrupted installer. Idk, but search for "fix update for avast! 6x or 7x" if that is the case.

nope, absolutely unrelated  :D
w7 - ais7

Offline TheFireflame11

  • Jr. Member
  • **
  • Posts: 23
  • TheFireflame11
Re: Malware not blocked by webshield
« Reply #40 on: February 29, 2012, 08:59:09 PM »
Virus Total didn't detect anything with that site. I went to that site and avast! blocked it.
Gateway MT6705, Windows 7 Ultimate SP1 32bit, avast! Free Antivirus 7.0.1426, Internet Explorer 9.x, Nightly 14.0a1, Google Chrome 17.x, Safari 5.1.5, Opera 11.61, Malwarebytes Anti-Malware 1.60.1.1, Intel(R) Pentium Dual-Core inside(TM) T2060 processor.

Offline phyniks

  • Jr. Member
  • **
  • Posts: 62
Re: Malware not blocked by webshield
« Reply #41 on: March 02, 2012, 11:49:13 AM »
After all this downloading, first I scanned My Documents (Downloads) with avast and removed all the malware missed by the webshield, then I disabled avast and scanned my system with ESET 5.
The software found 4 pieces of malware in the Chrome cache!!!
I scanned them with Jotti (VirusTotal has blocked my country) and here is the result:

http://virusscan.jotti.org/en/scanresult/5c595911894ba767c67c37047d4e43a006ed49ad

http://virusscan.jotti.org/en/scanresult/449bde9a447fb09e6032fc58594276b525773ee8/10b8a707edfe449282dd3e755a6936468de99731

http://virusscan.jotti.org/en/scanresult/449bde9a447fb09e6032fc58594276b525773ee8/a47a5a51087b6e156528c7ab69c00efbf7df1838

http://virusscan.jotti.org/en/scanresult/a5874318f3fdb8e5141fa74748bca29ede05babe/36100f7e4e10e19c58ed5934780987ab1e88cc7e

As you know Jotti is not updated, so I zipped them and sent the packed file to the Avira online sample submission and here is the result:

we received the following archive files:
File ID    Filename    Size (Byte)   Result
26609062    New_folder_3_.zip   175.37 KB   OK
A listing of files contained inside archives alongside their results can be found below:
File ID    Filename    Size (Byte)   Result
26602678    IMG04958.exe    35.5 KB    MALWARE
26609006    n31.exe    210.5 KB    MALWARE
26607534    unp2335604128.tmp    42.5 KB    MALWARE

Please find a detailed report concerning each individual sample below:
 Filename   Result
 IMG04958.exe    MALWARE

The file 'IMG04958.exe' has been determined to be 'MALWARE'. Our analysts named the threat Worm/Gamarue.E.4. The term "WORM/" denotes a worm that is able to spread itself for instance over the Internet (using eMail, peer-to-peer networks, IRC networks etc.). Detection is added to our virus definition file (VDF) starting with version 7.11.21.116.

 Filename   Result
 n31.exe    MALWARE

The file 'n31.exe' has been determined to be 'MALWARE'. Our analysts named the threat DR/Delphi.Gen. The term "DR/" denotes a program that is able to place a virus or a malware discretely on a system. This file is detected by a special detection routine from the engine module.

 Filename   Result
 unp2335604128.tmp    MALWARE

The file 'unp2335604128.tmp' has been determined to be 'MALWARE'. Our analysts named the threat TR/Yakes.VB. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection will be added to our virus definition file (VDF) with one of the next updates.


This is the Microsoft analysis:

Analysis of the file(s) in Submission ID MMPC12030214442183 is now complete.

This is the final email that you will receive regarding this submission.

The Microsoft Malware Protection Center (MMPC) has investigated the following file(s) which we received on 3/2/2012 2:16:09 AM Pacific Time.
Below is the determination for your submission.

========
Submission ID MMPC12030214442183

  Submitted Files
  =============================================
  New folder (3).zip [Worm:Win32/Gamarue.E]
  +---n1.exe [PWS:Win32/Zuler.B]
  +---f_000070 [Worm:Win32/Gamarue.E]
      +---IMG04958.exe [Worm:Win32/Gamarue.E]
  +---unp233560128.tmp [Worm:Win32/Gamarue.F]



Three of these 4 are in the avast database (they are not in the "jotti scan" result because it is outdated).
As you see there was malware in the Chrome cache, so maybe the webshield is not working properly.
« Last Edit: March 02, 2012, 05:52:10 PM by phyniks »