system
1
Hello,
I was recently making a program that deals with the registry when I found something that could be used by Avast to scan executable files as they are run. I was so excited about my new discovery that I made the program right away.
So I would like to share it with you if Alwil Software lets me 
Al968
Avast uses the on-access shield to scan executables as they run already. So it doesn't need anything new to do that. I don't know why you get excited.
DavidR
3
avast, to be completely correct, scans executable files "before" they are run; if an infection is found it stops it from being executed.
system
4
Thanks for the tough response
Al968
I don't see your point in this thread, every antivirus has a resident shield that scans files before they are executed, how didn't you know it?
system
6
Are you sure, because I just ran a test with the file eicar.com and when I try to launch the program Avast does detect it however the program is still launched ???
While with my program the file only gets executed if the file is clean
Please don't mistake me as a Mr. Perfect, in fact I hope that I am wrong but from what I can see it seems not.
Al968
If you don't see the point in this thread please feel free not to participate, also please try to relax your comments I am just an Avast user like you (hopefully ;D) and I am just trying to help perfect it.
If nothing was ever challenged we would still be living happily in the stone age without our computers
;D
So calcu007, as you can see, discussions are very informative and often solve many problems.
Al968
I believe it should, that is meant to be what the on-access scanner does, when you access an executable avast should effectively intercept the call, scan the file and if clean allow the call to continue.
However, I think I know what you are talking about. I have a copy of eicar.com in my exclusions folder (for various things that avast would alert on). Now if from explorer I double click eicar.com, first a command window opens as this is a dos file and shortly after that I get the avast alert, finished off by bad command or file name. So I don't know if it is being executed, as effectively there is no executable code inside the eicar.com file, perhaps that is where the bad command or file name comes from (See image 1).
If however I choose delete rather than no action at the end of it I get access denied (See image 2) so I don't know if that is an overall denial or not.
If I copy it out of my excluded folder avast alerts immediately so it isn't even being called to be executed and the creation of a new file is being intercepted and if you opted for deletion, etc. it wouldn't exist to be executed.
So I don't know if you have stumbled on a strange occurrence in the way avast intercepts .com files or if this is because the com file only has the eicar string inside it.
But for that test only you should choose the "No action button" as we are trying to see if Avast detects it when the program is launched. Because in reality a file could be created on your computer and not yet known as a virus by Avast, however at the time when the file is run (which is sometimes right after it is copied) the file might be detected by Avast. At least that's how I understand it (I may be wrong after all I am Human ;D)
Al968
DavidR
10
I did both, first chose no action because I wanted the file to remain on the c:\ drive to run a second test to choose delete.
It is entirely possible to download a file that isn't on the VPS (undetected), which in the future is added to the VPS, then if executed it should be detected then you choose an action.
It would be a slightly false test to choose no action to simulate an unknown virus. avast has already detected the eicar string in the file when it was executed and then comes the choose an action, you can choose no action before running the eicar.com file.
Even when you choose no action upon detection avast should stop the execution of an infected file, the no action relates to leave the file there, don't delete it, move to chest, etc. Why do you think we need to add FPs to the exclusions in order to be able to run an .exe file detected as infected, even if you choose no action the file won't run.
I don't know if this differs with com files, but the use of the eicar.com causes its own problems (the eicar string doesn't represent a valid command) in that it isn't a valid com file, e.g. it doesn't have any actions that we can test, even if that were a print to screen command.
So I don't see an easy way to test this for certain with eicar.com.
alanrf
11
Kudos to al968 for being a contributor to this forum willing to think, to question and to test avast.
Isn't that what makes a great contributor? We can have any numbers of avast fans waving the flag … saying it is the best thing since sliced bread.
What I like most about this forum is that we have supporters who want to see this product improve and who are willing to make the effort to see that it happens. If, once in a while, we may slip up in our enthusiasm to make it happen then they can join the likes of me and others who sometimes "put our foot in our mouths" and may wish we had not made that post. It is honest, it is human, it is what makes this the best forum I know.
igor0
14
What makes you think that the eicar.com program is (after detection) still launched? It certainly shouldn't be.
I hope I can join this team…
Al968, it's difficult to talk with a numbered name ;D, if you click ctrl+alt+del is there a process named eicar.com running?
I don't think that it will appear in the task manager as eicar is not a resident or long-running process.
I think it will be better to start a "command" or "cmd" window and run the eicar.com executable from there. Then you can see if the eicar.com program printed out its "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" test string or not.
system
17
I must say that no I don't see the eicar string
;D
Then I am glad that I was wrong 
Al968