Avast Add-in

Hello,

I was recently making a program that deals with the registry when I found something that could be used by Avast to scan executable files as they are run. I was so excited about my new discovery that I made the program right away.
So I would like to share it with you if Alwil Software lets me :wink:

Al968

Avast already uses the on-access shield to scan executables as they run. So it doesn’t need anything new to do that. I don’t know why you got excited.

avast, to be completely correct, scans executable files ‘before’ they are run; if an infection is found it stops it from being executed.

Thanks for the tough response :wink:

Al968

I don’t see your point in this thread. Every antivirus has a resident shield that scans files before they are executed; how did you not know it?

Are you sure? Because I just ran a test with the file eicar.com, and when I try to launch the program Avast does detect it, however the program is still launched ???
While with my program the file only gets executed if the file is clean :slight_smile:
Please don’t mistake me for a Mr. Perfect; in fact I hope that I am wrong, but from what I can see it seems not.

Al968

If you don’t see the point in this thread, please feel free not to participate. Also, please try to relax your comments; I am just an Avast user like you (hopefully ;D) and I am just trying to help perfect it.
If nothing was ever challenged we would still be living happily in the stone age without our computers :cry: ;D
So calcu007, as you can see, discussions are very informative and often solve many problems. :slight_smile:

Al968

I believe it should, that is meant to be what the on-access scanner does, when you access an executable avast should effectively intercept the call, scan the file and if clean allow the call to continue.

However, I think I know what you are talking about. I have a copy of eicar.com in my exclusions folder (for various things that avast would alert on). Now if from explorer I double click eicar.com, first a command window opens as this is a DOS file, and shortly after that I get the avast alert, finished off by bad command or file name. So I don’t know if it is being executed, as effectively there is no executable code inside the eicar.com file; perhaps that is where the bad command or file name comes from (See image 1).

If however I choose delete rather than no action at the end of it I get access denied (See image 2) so I don’t know if that is an overall denial or not.

If I copy it out of my excluded folder avast alerts immediately, so it isn’t even being called to be executed and the creation of a new file is being intercepted, and if you opted for deletion, etc. it wouldn’t exist to be executed.

So I don’t know if you have stumbled on a strange occurrence in the way avast intercepts .com files or if this is because the com file only has the eicar string inside it.

But for that test only you should choose the “No action” button, as we are trying to see if Avast detects it when the program is launched. Because in reality a file could be created on your computer and not yet known as a virus by Avast, however at the time when the file is run (which is sometimes right after it is copied) the file might be detected by Avast. At least that’s how I understand it (I may be wrong, after all I am human ;D)

Al968

I did both, first chose no action because I wanted the file to remain on the c:\ drive to run a second test to choose delete.

It is entirely possible to download a file that isn’t on the VPS (undetected), which in the future is added to the VPS, then if executed it should be detected then you choose an action.

It would be a slightly false test to choose no action to simulate an unknown virus. avast has already detected the eicar string in the file when it was executed and then comes the choose an action, you can choose no action before running the eicar.com file.

Even when you choose no action upon detection avast should stop the execution of an infected file; the no action relates to leave the file there, don’t delete it, move to chest, etc. Why do you think we need to add FPs to the exclusions in order to be able to run an .exe file detected as infected? Even if you choose no action the file won’t run.

I don’t know if this differs with com files, but the use of the eicar.com causes its own problems (the eicar string doesn’t represent a valid command) in that it isn’t a valid com file, e.g. it doesn’t have any actions that we can test, even if that were a print to screen command.

So I don’t see an easy way to test this for certain with eicar.com.

Kudos to al968 for being a contributor to this forum willing to think, to question and to test avast.

Isn’t that what makes a great contributor? We can have any number of avast fans waving the flag … saying it is the best thing since sliced bread.

What I like most about this forum is that we have supporters who want to see this product improve and who are willing to make the effort to see that it happens. If, once in a while, we may slip up in our enthusiasm to make it happen then they can join the likes of me and others who sometimes “put our foot in our mouths” and may wish we had not made that post. It is honest, it is human, it is what makes this the best forum I know.

Well said!!

Thank You 8) ;D

Al968

What makes you think that the eicar.com program is (after detection) still launched? It certainly shouldn’t be.

I hope I can join this team…

Al968, it’s difficult to talk with a numbered name ;D, if you click ctrl+alt+del is there a process named eicar.com running?

I don’t think that it will appear in the task manager as eicar is not a resident or long-running process.
I think it will be better to start ‘command’ or ‘cmd’ window and run the eicar.com executable from there. Then you can see if eicar.com program printed out its ‘EICAR-STANDARD-ANTIVIRUS-TEST-FILE’ test string or not.

I must say that no I don’t see the eicar string :stuck_out_tongue: ;D
Then I am glad that I was wrong :wink:

Al968