Hello,
first I’ll describe the scenario:
I’m using Windows 7 with SP1 and avast! Free 6.0.1091. The virus database is 110526-0.
All protection modules are activated except the mail module. I use “scan whole file” (I don’t know what you call this in English; I’ve got the German version).
The file is a self-extracting rar file (.exe) and contains another rar archive. The second one is password-encrypted and contains a (VisualBasic written) “Hello World”,
with the Eicar Test Virus in the ADS. If I download the VB file directly, avast! will detect it.
The first archive also contains a .bat file, which encrypts the second one. At this point my avast! fails.
The datasystem monitoring module doesn’t detect the written Eicar virus. I can execute the “Hello World” programme and nothing happens.
First if I do a manual scan, using avast!, I’ll get the virus message.
You can take a look at the archive (they share this archive for tests) https://www.evil-shit.de/rar/
Username: Selbsttester
Password: 123456
And now my question: Why does avast! find this test virus just with a manual scan?
But avast! should scan the whole file. For me, that includes the ADS too.
And avast! doesn’t give me a message during unpacking. At this time the self-extracting archive writes the Eicar virus.
For the first one, I would disagree. From the filesystem’s point of view, the streams are rather separated. You execute the file - and it has nothing to do with the ADS. You execute the ADS - and it has nothing to do with the file (or more precisely, with the main stream of the file).
As for the second one… sounds like you are right, I’ll ask someone to check it.
OK, correction - in your case, it doesn’t get detected because of the extension (eicar.txt). If you enable scanning of all files “when writing”, and remove the default *.txt exclusion from the File System Shield, it gets detected on extraction.
However, I tried with my own file which has an EXE in ADS… and there seems to be a problem on XP.
Do you actually have to remove the *.txt extension from scan exclusions or can you just uncheck the scan on “Execute” box for *.txt files? It seems to me that what you will then have is a universal scan on “Execution” with a list of exclusions. So by unchecking the “Execute” box for *.txt files the execution of a *.txt file would no longer be considered an “Exclusion” and would therefore be scanned by Avast.
You don’t have to remove the line, you can just uncheck the “Write” mark (we’re talking about extraction here) - but it won’t do alone. There’s an internal list of extensions that are scanned (if not excluded) - and .txt is certainly not amongst them. So you’d have to add a custom extension on the second or third page of the settings.
the function wasn’t enabled, you were right.
But my avast! doesn’t react, even if I use the function “check all files at writing”.
Do you mean, there is a problem at your XP machine?
Yes, I don’t get any detection on an XP machine - but I do on Win 7 (which uses different drivers than XP).
Did you uncheck the *.txt exclusion from File System Shield settings as well?
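The stream separation discussed in this thread can be checked directly on the extracted files by listing every alternate data stream next to its host file. This is an added example, not part of the original thread; it assumes PowerShell 3.0 or later on an NTFS volume, and the folder path `C:\Temp\extracted` is a hypothetical placeholder.

```powershell
# Added example: list alternate data streams (ADS) under a folder.
# Requires PowerShell 3.0+ (Get-Item -Stream) and an NTFS volume.
# $Root is a hypothetical path; point it at the folder the archive was extracted to.
param(
    [string]$Root = 'C:\Temp\extracted'
)

# -File limits the walk to files; directories can carry streams too but are skipped here.
Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Every file has the unnamed main stream, reported as ':$DATA'.
        # Anything else is an alternate data stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File       = $file.FullName
                    Stream     = $_.Stream      # e.g. 'eicar.txt' or 'Zone.Identifier'
                    Length     = $_.Length      # size of the stream in bytes
                    # "file:stream" form that addresses the stream itself
                    StreamPath = '{0}:{1}' -f $file.FullName, $_.Stream
                }
            }
    } |
    Format-Table -AutoSize
```

Downloaded files normally show a small `Zone.Identifier` stream; a stream with a file-like name and extension, such as the `eicar.txt` mentioned above, is the kind of entry to pass to an on-demand scan.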