Author Topic: Sobig not caught on file copy?  (Read 14367 times)

ericblz

  • Guest
Sobig not caught on file copy?
« on: August 26, 2003, 06:36:43 PM »
I am in the process of converting machines to Avast from Sophos.

A pc with Sophos antivirus found the Sobig virus after they opened an email - it caught the file while being stored in an Explorer temporary directory (didn't execute).

As a test I copied the file (wicked...scr) to the desktop on my machine (with Avast 4 installed and running) - nothing noticed.  I even opened the file in notepad - nothing detected.  Avast on demand scanning of c:\windows\desktop did find it.

I am concerned that the file could have been executed on my machine?  Why was it not detected by the resident protector during the copy process or opening it in notepad?

Eric

mantra

  • Guest
Re:Sobig not caught on file copy?
« Reply #1 on: August 26, 2003, 07:59:57 PM »
can u tell me what kind of setting are u using?

if u click on the resident shield.. u can see

standard shield u must have
scanner advanced
turned on
scan files on open
and
scan files created/modified

for both u can select the extensions.....

are u using home or pro version?

ericblz

  • Guest
Re:Sobig not caught on file copy?
« Reply #2 on: August 26, 2003, 08:30:36 PM »

Under basic, it looks like currently 'files being executed' are scanned but not files being copied, etc - probably for speed in normal use?


Found resident task, scanner (advanced),

scan files on open is checked but has WS? as extension - can I scan all files being opened?  Do I just put '*'?  Is that slow?

I didn't have created/modified checked, activated that.

If I install on all 5 PCs on our peer to peer network, can I import these settings somehow so everyone's the same?

Eric


Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11849
    • AVAST Software
Re:Sobig not caught on file copy?
« Reply #3 on: August 26, 2003, 08:42:06 PM »
Yes, you are right - in default settings, only the executed files are scanned (which should be enough - if the virus isn't allowed to execute, it cannot spread).
If you select "scan files on open", the files will be scanned whenever you access them, e.g. when you open them in Notepad, copy, etc.
You can specify the extensions of the files to be scanned; and yes, if you put * in the edit box, all files will be scanned. Of course, it will slow down your computer to some extent.
Additionally, you can even scan created/modified files.

ericblz

  • Guest
Re:Sobig not caught on file copy?
« Reply #4 on: August 26, 2003, 09:16:26 PM »
Excellent responses - thank you!  Only scanning executables makes sense - that should catch the 'execute on preview email' type viruses, too...?


Question on updates - I was surprised to see that the software's last update was August 22.  I manually updated and it came up with something from today... makes me worry that it wasn't updating properly?  Or was it just a coincidence that my pc hadn't phoned home yet today even now I leave it on all the time, always connected to the 'net.

Eric


Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11849
    • AVAST Software
Re:Sobig not caught on file copy?
« Reply #5 on: August 26, 2003, 10:13:07 PM »
E-mail viruses are detected & stopped by the corresponding resident providers: Outlook plugin for full Outlook and Exchange, and Internet Mail for any other POP/IMAP/SMTP e-mail clients. So, they are detected before they arrive in your mailbox. In case of full Outlook, I think the scanning can be performed even on viewing.

But I guess that's not what you were asking about. Well, I think that if you use an unpatched (buggy) Outlook and preview the infected message, it will be caught by the "executable" scanner as well - since the virus will be executed, and that's what the Standard Shield is looking for.

As for the updates (I guess you mean the virus database, not the software itself) - if no dangerous virus appears, the database is updated twice a week (but if a dangerous virus starts spreading, such as Sobig recently, the update is released immediately, even multiple updates during one day). So, it's easily possible that there was no update since August 22, and when you performed the manual update, you got the one just released. You can check your configuration of the updates in the program Settings.

Pavel Baudis

  • Guest
Re:Sobig not caught on file copy?
« Reply #6 on: August 26, 2003, 10:36:06 PM »
Quote
As for the updates (I guess you mean the virus database, not the software itself) - if no dangerous virus appears, the database is updated twice a week (but if a dangerous virus starts spreading, such as Sobig recently, the update is released immediately, even multiple updates during one day).
This is right - there was an update Friday 22nd and then today ie. 26th... If nothing happens during several next days, the next update will be released on Friday again...

Hope this helps
Pavel

whocares

  • Guest
Re:Sobig not caught on file copy?
« Reply #7 on: August 26, 2003, 11:04:45 PM »
Quote
Question on updates - I was surprised to see that the software's last update was August 22.  I manually updated and it came up with something from today... makes me worry that it wasn't updating properly?  Or was it just a coincidence that my pc hadn't phoned home yet today even now I leave it on all the time, always connected to the 'net.

Hi Eric,
I had the same problem (especially with the dial-In setting useras=1 (see AVAST FAQs)):

even a day or so after the Email-notification that a new update was available, the autoupdate didn't get me the update...  :-[ ???

see:
http://www.avast.com/forum/index.php?board=2;action=display;threadid=772

especially first and last 2 postings

so far, not resolved :(

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re:Sobig not caught on file copy?
« Reply #8 on: August 27, 2003, 04:45:41 AM »
Hey avast team...
Lots of users are relating that "even a day or so after the email-notification that a new update was available, the autoupdate didn't get the update..."
What's going on?  ::)
The best things in life are free.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Sobig not caught on file copy?
« Reply #9 on: August 27, 2003, 07:48:30 AM »
To find out what's going on, you can send us the zipped setup.log from the <avast>\setup directory.

Can't say much more without any further info, sorry.

Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

mantra

  • Guest
Re:Sobig not caught on file copy?
« Reply #10 on: August 27, 2003, 09:26:10 AM »
IGOR
" Yes, you are right - in default settings, only the executed files are scanned (which should be enough - if the virus isn't allowed to execute, it cannot spread). "

and if u run a DOC(macro) virus only with the setting check the executed files.....

what can happen? >:(

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11849
    • AVAST Software
Re:Sobig not caught on file copy?
« Reply #11 on: August 27, 2003, 09:32:08 AM »
Well, when I was talking about the default settings, I meant that the options on the first page of the Standard Shield configuration (Scanner - Basic) are turned on. Besides the scanning of the "executed" files, there's a special checkbox to scan OLE documents there; you are right, technically they are scanned on "open", not "execute" - but I sort of put it together. It's on by default, and it should be, of course.

mantra

  • Guest
Re:Sobig not caught on file copy?
« Reply #12 on: August 27, 2003, 09:48:29 AM »
thanks igor

in the scanner advanced, what kind of files does it scan?

is there a default setting?

or should we put every file we want to scan?

because in scan created/modified files, i can see " default extension set"

but in the scan files on open i can see only a blank empty box, where we can put our files

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Sobig not caught on file copy?
« Reply #13 on: August 27, 2003, 09:56:45 AM »
Just a reminder -- 4.0.235 contains a bug (as already discussed earlier on this forum) that prevents the 'scan created/modified files' feature from working (Windows NT/2K/XP/2K3 only).

This will, of course, be fixed in the upcoming update.

Vlk
If at first you don't succeed, then skydiving's not for you.

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11849
    • AVAST Software
Re:Sobig not caught on file copy?
« Reply #14 on: August 27, 2003, 09:57:26 AM »
Only the files with extensions written in the box are scanned on open - i.e. if it's empty, no files are scanned on open.