Avast can't process Unicode-filename virus

I’ve found that when a virus file’s name is in Unicode, Avast (4.7) can’t process it. “can’t process” means Avast can’t repair/delete it. Here’s how to reproduce the test:

This works:
Create a new text file. Change its name to abc.exe. Paste Eicar string inside it. And hop! Avast will find it. It can’t repair this file but can delete it.

This doesn’t work:
Create a new text file. Change its name to include Unicode characters. For example, if your system is Western European version, you could call the file “alpha beta gamma”.exe using Greek letters (αβγ.exe). Paste Eicar string inside it. Avast can find it, but can’t delete it!

This is a serious security hole in Avast.

I tried with this name “ألف.exe” and Avast can’t delete it!!!

First, I don’t think it would be such a big security hole; the main thing is that the resident protection (Standard Shield, namely) wouldn’t let an infected file be started - and that’s the most important thing in my opinion, because the malware cannot get active.

Besides, the processing of the Unicode filenames has been improved in the recent versions, so I think deleting should work in this case. Try to update to the most recent version.

This seems like a user problem.
NOT an avast problem.
avast detects the eicar test string and handles it perfectly with all providers.
Please spend a little time to learn how avast (and other av’s) are working.
It seems that your lack of knowledge is causing confusion.

What! A user problem? My lack of knowledge? Do you know anything about Unicode? If no, it’s you who’d better shut up!!!

Horinius,

Can you try to do the same in DrWebs hyperlink scanner plug-in for IE:
link for Arabic: http://www.drweb.com/online/drweb-online-ar.reg

Maybe here is the knack, and avast should support in the same way.

Anxious to hear what you get when you have installed the plug-in in IE7 and
analysed this test file. Report please,

Greetings,

polonus

What is this supposed to do? I don’t have IE7 and normally I’ve no intention to use this crap. OK, I’ll try to do this in an emulated system.

OK, I’ve installed IE7, pasted the URL in IE7 and got the reg file which is executed and got merged to system. So what next?

So, what am I supposed to do next?

  1. What’s the exact build of avast! you’re using?
  2. What’s your operating system?
  3. How exactly are you scanning the file?

Avast : 4.7.869
vps : 0632-2

> This doesn't work: Create a new text file. Change its name to include Unicode characters. For example, if your system is Western European version, you could call the file "alpha beta gamma".exe using Greek letters (αβγ.exe). Paste Eicar string inside it. Avast can find it, but can't delete it!

I tried exactly that. Guess what? I couldn't even save the created file (unless I told avast to take no action) because avast alerted me about an infection.

> What! A user problem? My lack of knowledge? Do you know anything about Unicode? If no, it's you who'd better shut up!!!

I clearly said it SEEMS like a user problem. I never said it is. Responding in that way to someone who is willing and trying to help is not appropriate i.m.o. Especially since you don't have any clue about what that person knows, what his experience is etc. So please keep it nice.

Unicode?
Have a look HERE

Anyway,
I’ve tried/did as you said in your initial post myself on my systems.
avast is picking the “infection” (eicar string) up and handles it like it should on my systems.
And that narrows it down to a couple of things imho.

  • the avast version
  • settings in avast you made/have
  • other things you have installed (other security or related apps?)
  • system settings (not likely)

Please shutdown 1 avast provider at a time and try it again.
This will tell us if it is caused by one of the providers or not.
If it is indeed one of the providers, it will narrow down the causes a lot!
Also tell us what else you have running at the time you try it. (software, services etc)
This may also help to find the culprit and/or cause.

It’s always “amazing” to see how people under-estimate, or even scorn upon, the potential threat concerning Unicode filename.

First of all, for those who don’t know, some new viruses/Trojan horses/malware are able to generate their clones by making random files. So, it wouldn’t take it long for those bad guys to understand the flaw in some anti-virus software as not being able to delete Unicode-named files and exploit it. They just need to generate a filename containing ONE single Unicode character and all those anti-virus software will all be rendered useless. Which character? Any one which can’t be found in any ANSI codepage! For example, all those mathematical symbols like “triple integrals”. This one, I’m 1000% sure, can’t be found in any codepage. So the flaw is very big.

Or maybe you could kneel down and beg those guys by saying “Oh, my Avast can’t delete Unicode-named virus. So please be kind and don’t exploit this flaw”!!! :smiley: :smiley: :smiley:

This very very recent one that everyone could find in the website:
4.7 Home Edition, Build Aug2006 (4.7.869)
VPS : 24/08/2006, file version: 0634-2

OK, I try to calm down and let’s talk.

First, you’re totally wrong. Your file is already saved. If it’s not saved, Avast can’t detect it. So your argument doesn’t make sense. If you don’t believe me, run ANOTHER notepad and open the eicar file. You should be able to see that the Eicar string is already there. Thus, it IS SAVED. QED

Second, have you told Avast to delete it? Could it delete or could it not??? This, you didn’t answer and I feel that you’re trying to avoid it. You know what, I’ve the feeling that you’re that kind of zealous evangelist/fanatic who doesn’t want to accept facts. I feel sad for you.

I won’t do this, as I feel it’s a waste of my time. I’ve told you what’s wrong, but you’re too stubborn to listen. Anyway, as you like. The day when some virus exploiting this Unicode flaw in Avast exists and pin it to the knees, I’ll burst in laughter!! :smiley: :smiley: :smiley:

I guess you didn’t get my point. If avast! wouldn’t let you activate the file (which it wouldn’t, even if it couldn’t delete the file), the whole “exploit” would be placing a useless file on your disk. If it can’t be started, it might waste a little of your disk, that’s all.

How exactly are you scanning the file? I mean, are you talking about the resident protection to pop up the virus alert, or are you scanning the file using an on-demand scanner (Simple User Interface, Explorer Extension, …)
What is the exact error message you get on delete (including the window title)?

horinius, there’s a bit of misunderstanding here… Igor didn’t want to say that the problem you reported is uninteresting, just that

  1. even if the problem existed, there’s no way for the respective virus to activate (hence the severity of the problem is considerably lower than it would be if this was not the case)

  2. we’re not able to reproduce the problem with the latest version of avast (4.7.871). As a matter of fact, there has been a number of Unicode-related enhancements in the last couple of avast builds - so maybe you’re just not using the latest version (which has the problem already fixed)?

Thanks
Vlk

this bug is still present in the latest 4.7.871 build i.e. avast! can’t delete a file named ألف.exe “infected” with the eicar test

Guys, please, these reports are really useless. How about answering my questions?
Thanks.

Hi Igor, to your questions, I’m using Avast 4.7.871 and after reading this thread I did some tests and found out that this bug is only in the on access resident. When doing on demand scan, all is fine, the warning dialog shows the correct name of the file and it is successfully deleted. But when detected with on access scanner, the warning dialog shows only question marks instead of the name and when I press Delete, an error dialog pops up:
Avast!: System cannot find the file specified. Cannot process “D:???.exe” file. (Translated from Czech: Avast!: Systém nemůže nalézt uvedený soubor. Nelze zpracovat “D:???.exe” soubor.)

[offtopic]
Why isn’t login information shared between Czech and English forum?
[/offtopic]

Strange. A few more questions then:

  1. So, the system locale (specifically, Control Panel / Regional and Language Options / Advanced / Language for non-Unicode programs) is set to Czech, right? And, it’s Czech Windows as well, OK?
  2. What was the real (Unicode) name of the .exe file you checked?
  3. Was it the detection “on write” (i.e. the virus dialog appeared as soon as you saved the file), or rather “on execution” (i.e. were you trying to start the executable)?
  4. What’s your sensitivity of the Standard Shield provider? Any custom changes to its settings?
    Thanks!

Regarding the forum… well, I don’t know much about the forum background, but I guess nobody thought that many people would like to be on both of them, so it’s just two standalone forums.

  1. Yes, Czech Windows, non-Unicode set to Czech
  2. I used the name posted in this thread - ألف.exe
  3. The dialog appeared as soon as I saved the file, but the file existed before, I mean, I first created a blank ألف.exe file, opened it in notepad, entered the eicar string and saved.
  4. Standard Shield is set to Normal, no custom changes, except for some entries in exclusion list

[edit]
Ok, some more testing. Disabled Standard Shield → saved the file → enabled Standard Shield → run the program - Avast shows the warning dialog with some garbled name (C:\03DA~1.EXE - DOS name?) and IS able to delete the file.

OK, I guess I know what’s going on there now. Thanks!
We’ll try to improve the behavior for the next version.
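
Added example, not part of the thread and not avast! code: a small Python check for file names that do not survive conversion to an ANSI code page, which reproduces the “???.exe” seen in the on-access dialog. That a lossy ANSI conversion is the cause is an assumption (the thread never states it), and the function names and sample list are constructed for illustration.

```python
# Added illustration. Assumption: the on-access path handled the file name
# through the system ANSI code page ("Language for non-Unicode programs").
# Python's codecs substitute '?' for unmappable characters; a Windows
# conversion may pick a best-fit character instead, which is equally lossy.

def ansi_view(name: str, codepage: str) -> str:
    """Return the name as seen after conversion to the given code page."""
    return name.encode(codepage, errors="replace").decode(codepage)


def is_lossy(name: str, codepage: str) -> bool:
    """True when the converted name no longer identifies the original file."""
    return ansi_view(name, codepage) != name


def unaddressable(names, codepage: str) -> dict:
    """Map each name that cannot round-trip to what the ANSI side would see."""
    return {n: ansi_view(n, codepage) for n in names if is_lossy(n, codepage)}


# Constructed sample: the names used in the thread plus the
# "triple integral" symbol (U+222D) mentioned in one post.
SAMPLE_NAMES = ["abc.exe", "αβγ.exe", "ألف.exe", "\u222d.exe"]

if __name__ == "__main__":
    # cp1250 = Czech/Central European, cp1252 = Western European, cp1256 = Arabic
    for cp in ("cp1250", "cp1252", "cp1256"):
        print(cp)
        for original, seen in unaddressable(SAMPLE_NAMES, cp).items():
            # A delete issued against `seen` targets a path that does not
            # exist, matching the "cannot find the file specified" error.
            print(f"  {original!r} -> {seen!r}")
```

A scanner or cleanup script that keeps the original wide-character path, or falls back to the 8.3 short name as the last test in the thread suggests, avoids the mismatch.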