OK, I did some more testing and this time I carefully read each pop-up, etc., that Avast generated. I found out I was in error on a few points. Please forgive a long post but I wanted to clear up my errors and provide as much detailed info as I could about why I came to my earlier conclusions and was concerned about whether Avast was behaving as it should. Here is what all I found out:
Malware sample downloaded with Webshield ON:
When I attempt to download the installer file to my desktop Webshield detects it and Avast does pause the download until I take action. However, a placeholder for the malware installer file is put on my desktop at this time. Next I click to abort the connection and the malware program then appears to finish downloading to the desktop, complete with its correct icon. This is what made me think earlier that the program was able to download correctly despite Webshield. The entire program is not downloaded though. The file size is smaller than the malware file’s size if downloaded unhindered with Webshield off. Also, if I attempt to run the malware file I am told that the file is corrupted. Avast also does not now alert on the file when “right click” scanned. So, Webshield neutralized the file after all, at least in my experience with this file. Maybe if alanrf is correct some files do manage to download correctly past the webshield. This one didn’t.
Malware sample downloaded with Webshield OFF:
When I download the malware installer file to my desktop and then “right click” scan it, Avast detects the file as Win32:Rootkit-gen [Rtk]. I click “Move to chest”. A second or two later Avast pops up and again states Win32:Rootkit-gen [Rtk] was found. I again click “Move to chest”. A second or two later Avast again pops up but this time states “Win32:Trojan-gen {Other}” was found. I again click “Move to chest”. After a second or so a smaller window pops up and states, with some text cut off, that (The system cannot find the file specified Cannot process "C:\Documents and Settings\username\Desktop\malware.exe\{sys}\drivers\{code:HideStringFunction}…). I click OK and then another pop-up states (The system cannot find the file specified Cannot process "C:\Documents and Settings\username\Desktop\malware.exe\msk.dll" file). I click OK and the Avast scanner completes and states that 3 infected files were found. (Avast catches the file as well if I just attempt to run it as opposed to “right click” scanning it.)
Due to me not taking the time to carefully read everything the first time, all the separate alerts and then the pop-ups stating that the file could not be found made me think Avast had alerted more than once on the single installer file and then could not find it to move it to the chest because I had already sent it there on the first alert. A look in the Avast log shows however that the three alerts were for three separate files within the malware’s installer. Why I got the pop-ups about not being able to find the files though, I still do not understand. Anyway, here is what the log showed for the file descriptions of the three detections:
Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C\Documents and Settings\username\Desktop\malware.exe\{win}\{code:MyFileName}\msk.exe” file
Sign of “Win32:Rootkit-gen [Rtk]” has been found in "C\Documents and Settings\username\Desktop\malware.exe\{sys}\drivers\{code:HideStringFunction}…
Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C\Documents and Settings\username\Desktop\malware.exe\msk.dll” file
Sorry for the earlier confusion when I thought Avast Webshield was failing to stop the file from downloading and when I thought it was detecting one file several times. I wasn’t taking the time to read as carefully as I should have earlier and I wasn’t thinking about more than one file in the installer, etc. So, basically Avast is acting as I would expect with the exception of the pop-ups about not finding the file. If nothing else I learned a thing or two from all this. I hope someone else did too.
edited to add two lines I had forgotten in the post earlier and to state here that “malware.exe” in the file path is of course not the real name of the file I was using to test