I had downloaded “Blazing Tools Keylogger Lite” and when I went to install it, Avast detected bsdhooks in the program and asked me what I wanted to do with the file. I chose both the “move to chest” and also “delete file” but Avast errors and states “can only perform in Win32 mode only”
What does that mean?
I was also wondering why Avast did not detect it when I first downloaded it. I have Avast set to scan all created/modified files and heuristics set to high, but it did not detect the “bsdhooks” until I went to install the program. I found out later that “bsdhooks” is part of the program, but I still want to make sure that Avast is working correctly. I am using Win98se and had downloaded the file with the latest version of Mozilla.
I cancelled the install for fear that the program might actually do more harm than good.
I checked it and the reason is in the settings of packers.
The installer you downloaded is packed by (Win)RAR. In the Home version (in the Professional version as well, unless you change it), Standard Shield doesn’t scan archives - it’s not very useful and can slow down your computer a lot. So, the file is not detected as infected when you download it.
When you start the installer, it extracts the bsdhooks.dll into the TEMP folder - and at that moment, the file is detected as infected (the extracted DLL, not the EXE installer).
I really don’t understand that “win32 mode” error, however… you’re not the first to mention it, but I cannot reproduce it anyhow. What is the exact message?
avast detects the installation of the keylogger (spyware) and warns you about that.
How is your ‘archive files’ scanning set?
Did you scan the file after the download (with ashQuick.exe)?
Heuristics are for email (attachments) but not for ‘scanning’ itself, I mean, the attached file might not be scanned at that time depending on your configuration… :-\
I will have to check the exact message when I get home tonight, but from memory I believe it says "Can only perform in win32 mode".
I did scan the file afterward using the explorer extension and Avast does alert me but does not let me move or delete and gives the same error. If I run Avast and select local drives or just have it scan the folder that the file is in, Avast works fine and does move the file to the chest and the delete also works fine. I downloaded the file a couple times just to try different scan methods to see if Avast was performing correctly using different settings.
I am not sure what you mean by archive settings. When I perform a complete scan of all local drives, I have Avast set to scan archives but was not sure if you meant archive settings for the on-access scanner. I use the Home version of Avast and I did not notice any other archive settings there. Is there a way to tell it to scan different archives?
Here is the exact message I get if I right click on the file and use the explorer extension to scan the file and then try to move it to the chest or to delete it.
OK, I found out what’s going on… actually, it’s just a wrong message (but it really took me a while).
The reason is that the exe installer is a solid RAR archive. It is not possible to delete a file from solid RARs. So, when you try to do it, avast! displays an error message. Unfortunately, the message is very confusing on Windows 98 (on WinXP, the error says: “This function is not supported on this system”, which is slightly better).
I think we need to put in our own error message, instead of using the Windows system one.
It is not possible to delete a file from solid RARs....
Moving means replacing: copying the original file to another location, then removing it from the original location. The second part of this process is the same as deleting, so the same error will show.
In cases like this, a manual delete is in order then, correct?
When it was stated that the error occurs due to the solid RAR file, is this something that can be corrected in the upcoming Avast 4.5 or just not physically possible with any type of AntiVir Software?
To delete a file from a solid RAR archive, the archive (at least the files following the deleted one) has to be repacked (compressed again). It is not possible, because the RAR compression algorithm isn’t freely available. You’d need the true WinRAR to do that.
Anyway, this operation doesn’t make much sense for the mentioned installer; if you delete a file from the archive, the application won’t work, because it probably assumes that the keylogger DLL is there.
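The solid-versus-non-solid distinction explained above, as an added model that is not part of this thread or of avast!: a non-solid archive compresses each member on its own, so dropping one member is just dropping its blob, while a solid archive runs one compressor over the concatenated members, so dropping one means decompressing and recompressing the rest. It uses zlib as a stand-in for the (proprietary) RAR codec and constructed sample members, including a stand-in for the bsdhooks.dll the thread discusses.

```python
import zlib

# Constructed sample members, stand-ins for files inside an installer archive.
# The "bsdhooks.dll" entry mirrors the detected DLL from the thread; its bytes are made up.
MEMBERS = [
    ("setup.exe", b"MZ" + b"\x90" * 400),
    ("bsdhooks.dll", b"MZ" + b"hook" * 100),
    ("readme.txt", b"Keylogger Lite readme\n" * 20),
]

def pack_nonsolid(members):
    """Non-solid archive: every member is an independent compressed blob."""
    return [(name, zlib.compress(data)) for name, data in members]

def pack_solid(members):
    """Solid archive: one compressor over all members; returns (member table, single blob)."""
    comp = zlib.compressobj()
    table, blob = [], b""
    for name, data in members:
        table.append((name, len(data)))      # offsets are only meaningful after full decompression
        blob += comp.compress(data)
    blob += comp.flush()
    return table, blob

def unpack_solid(table, blob):
    """Solid archives can only be read front to back: decompress everything, then slice."""
    raw, pos, out = zlib.decompress(blob), 0, []
    for name, size in table:
        out.append((name, raw[pos:pos + size]))
        pos += size
    return out

def delete_nonsolid(archive, name):
    """Deletion without a compressor: the other blobs are untouched, so any tool can do it."""
    return [(n, b) for n, b in archive if n != name]

def delete_solid(table, blob, name):
    """Deletion needs the codec: unpack, drop the member, and repack the rest.
    Returns (new table, new blob, number of members that had to be recompressed)."""
    members = unpack_solid(table, blob)
    kept = [(n, d) for n, d in members if n != name]
    new_table, new_blob = pack_solid(kept)
    return new_table, new_blob, len(kept)

def member_standalone(blob):
    """Whether a raw solid-stream fragment is a valid archive on its own (it never is)."""
    try:
        zlib.decompress(blob)
        return True
    except zlib.error:
        return False
```

With a real RAR archive the scanner is in the `delete_solid` situation without a RAR compressor, which is why avast! can quarantine the extracted DLL in TEMP but not remove it from the installer itself.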