I was recently making a program that deals with the registry when I found something that could be used by Avast to scan executable files as they are run. I was so excited about my new discovery that I made the program right away.
So I would like to share it with you if Alwil Software lets me.
Are you sure? Because I just ran a test with the file eicar.com, and when I try to launch the program Avast does detect it; however, the program is still launched???
While with my program the file only gets executed if the file is clean.
Please don't mistake me for a Mr. Perfect; in fact I hope that I am wrong, but from what I can see it seems not.
If you don't see the point in this thread please feel free not to participate. Also, please try to relax your comments; I am just an Avast user like you (hopefully ;D) and I am just trying to help perfect it.
If nothing was ever challenged we would still be living happily in the stone age without our computers ;D
So calcu007, as you can see, discussions are very informative and often solve many problems.
I believe it should; that is meant to be what the on-access scanner does: when you access an executable, avast should effectively intercept the call, scan the file and, if clean, allow the call to continue.
However, I think I know what you are talking about. I have a copy of eicar.com in my exclusions folder (for various things that avast would alert on). Now if from explorer I double click eicar.com, first a command window opens as this is a dos file and shortly after that I get the avast alert, finished off by bad command or file name. So I don't know if it is being executed, as effectively there is no executable code inside the eicar.com file; perhaps that is where the bad command or file name comes from (See image 1).
If however I choose delete rather than no action at the end of it I get access denied (See image 2), so I don't know if that is an overall denial or not.
If I copy it out of my excluded folder avast alerts immediately, so it isn't even being called to be executed and the creation of a new file is being intercepted, and if you opted for deletion, etc. it wouldn't exist to be executed.
So I don't know if you have stumbled on a strange occurrence in the way avast intercepts .com files or if this is because the com file only has the eicar string inside it.
But for that test only you should choose the "No action button" as we are trying to see if Avast detects it when the program is launched. Because in reality a file could be created on your computer and not yet known as a virus by Avast; however, at the time when the file is run (which is sometimes right after it is copied) the file might be detected by Avast. At least that's how I understand it (I may be wrong, after all I am human ;D)
I did both, first chose no action because I wanted the file to remain on the c:\ drive to run a second test to choose delete.
It is entirely possible to download a file that isn't on the VPS (undetected), which in the future is added to the VPS, then if executed it should be detected then you choose an action.
It would be a slightly false test to choose no action to simulate an unknown virus. avast has already detected the eicar string in the file when it was executed and then comes the choose an action, you can choose no action before running the eicar.com file.
Even when you choose no action upon detection avast should stop the execution of an infected file; the no action relates to leave the file there, don't delete it, move to chest, etc. Why do you think we need to add FPs to the exclusions in order to be able to run an .exe file detected as infected? Even if you choose no action the file won't run.
I don't know if this differs with com files, but the use of the eicar.com causes its own problems (the eicar string doesn't represent a valid command) in that it isn't a valid com file, e.g. it doesn't have any actions that we can test, even if that were a print to screen command.
So I don't see an easy way to test this for certain with eicar.com.
Kudos to al968 for being a contributor to this forum willing to think, to question and to test avast.
Isn't that what makes a great contributor? We can have any number of avast fans waving the flag … saying it is the best thing since sliced bread.
What I like most about this forum is that we have supporters who want to see this product improve and who are willing to make the effort to see that it happens. If, once in a while, we may slip up in our enthusiasm to make it happen then they can join the likes of me and others who sometimes "put our foot in our mouths" and may wish we had not made that post. It is honest, it is human, it is what makes this the best forum I know.
I don't think that it will appear in the task manager as eicar is not a resident or long-running process.
I think it will be better to start a "command" or "cmd" window and run the eicar.com executable from there. Then you can see if the eicar.com program printed out its "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" test string or not.