Avast file system shield not detecting EICAR

Hi, I wanted to test the file system shield, followed the instructions on
https://www.avast.com/en-ca/faq.php?article=AVKB32 and found that it wouldn’t detect the EICAR file, however the web shield detects it fine when downloaded from the EICAR site.

I’ve tested it by downloading from the site, using EICARGen which outputs a .com file and saving the EICAR string myself from Notepad++ as a .exe, .dll and .com

File System Shield is definitely on, scan when writing is on, I even added a custom extension .test to scan and saved the EICAR file as that, still doesn’t work. As an aside I also have my heuristics and HIPs set to high.

If I manually scan the files then the scanner will flag them as EICAR.

I have read https://forum.avast.com/index.php?topic=169734 which was the same issue and also found if I turn on scan when opening for all files it will be detected.

Are you saying that when you execute the .exe and .com file it doesn’t trigger a detection ???

What kind of censorship madness is going on here?? My post was deleted. It didn’t break any rules of this forum! So this is how it is? Unwanted messages, which don’t break rules, are deleted? So sad. My post referred to another similar topic I made 2 years ago, a topic that might give an answer to this topic starter… but my post was deleted. Shame on you.

Here’s the link to the other topic which might give answers to topic starter: EICAR NOT DETECTED by File System Shield !?!?

What kind of censorship madness is going on here?? My post was deleted. It didn't break any rules of this forum! So this is how it is?
There is a forum bug that sometimes makes posts disappear, we have all experienced it. Take a copy before you click post so you don't have to rewrite it all in case...

No it’s not that bug. I know about that bug and I always, not only on this forum/webpage, copy my text before I submit. My post was submitted and it showed on this page. It was censored.

EDIT: And I got proof. I was able to open the page after I submitted my 1st post from Firefox history and it did show the page without reloading it, attached is a screenshot. Shame on who censored my post! This should be investigated by Avast. Forum goes really bad if there’s dirty moderators around.

EDIT2: I’m taking photographic evidence from now on.

I have no clue who erased it or what happened to it but reading your reply doesn’t sound like it helped the user who asked the question.

It referred to another topic with the same information in the topic title as this topic! How is it not helping the OP? Come on now, you just always want to be against everything I post. Even the topic starter linked to another topic with almost exactly the same topic title. He found it useful. But not my topic? Come on now!

Keep going like this and I will not be surprised if your post(s) get deleted.

Going like how?? What forum rules did I break with my censored post???

I came here on this topic to help topic starter! I hope he finds my old topic with lots of technical/test information useful.

Also I hope that somebody from Avast takes a note of this censorship which happened. And that’s the end of that issue. You want to continue then continue, I won’t, it’s fighting windmills, in this case Avast apologists/fanboys. Unbelievable.

To the topic starter, I quote here the most relevant part of my 2014 problems with file system shield and EICAR, hopefully these are helpful to you in some way. Note that all below tests were made with only “file system shield” installed.

We are way into 2016.
A lot of things have changed since 2014.

BOTH above quotes anomalies/problems are still relevant, today, 2016!! Tested!!

It’s most worrying that the “Optimize scanning during file copy option” option STILL creates a loophole in the protection, and it’s ON by default! 2 years ago nobody seemed to care, well, here we are 2 years later and there’s still problems. Which might affect the topic starter problems he’s having.

Eddy, Bob, et al., refrain from posting nonsense here and wait for what the topic starter has to say next?

The only problem I see is that both you and the OP don’t understand how things are working.
The EICAR test file is detected when scanned and that is how it should be.

No! Not this again. It’s you who doesn’t understand, AT ALL! Always this, fighting with forum veterans who don’t understand the technical side of things.

Eddy, check the settings of “File System Shield”! What do the first four settings tabs say?

  • Scan when executing.
  • Scan when opening.
  • Scan when writing.
  • Scan when attaching.

In my above quoted examples these bugs/problems happen:

  1. When “Optimize scanning during file copy option” from “File System Shield” (FSS) options is ON → copying eicar.com file doesn’t alert Avast! FSS “scan when writing” should have caught this, but it didn’t! Check what Igor from Avast said about this back in 2014:
  2. FSS “Scan when writing → scan files with default extensions” actually sometimes means: “scan files with default file contents”. Avast FSS sometimes seemingly detects virus only by known file extension, other times it scans contents & detects virus. It’s an anomaly that still isn’t explained. Further details are in the quoted posts above.

These relevant problems might still today have an effect on the topic starter’s problems.

Correct! Double clicking on it with both a .exe and .com extension doesn’t trigger detection. I mean obviously it doesn’t actually execute as it isn’t a valid PE file so I can kind of understand this…

Eddy that’s a very unhelpful attitude and you definitely don’t seem to understand what we’re saying.
Skakara has been very helpful, seems to understand the issue and know what’s going on. It should be detected when it’s written to disk, not on scan. That’s what the file system shield does, it’s a separate component to the scanning engine. Avast has a mini-filter driver that should monitor all IO to the disk and scan it, it doesn’t seem to be working in this test case.

Even when I turn on “Scan all files” in the file system shield it still isn’t detected.

For me Avast will successfully detect EICAR on a copy operation but not on the initial write to disk. Why is this?

Contact Avast:
http://support.avast.com/support/tickets/new

To make things faster (or rather to slow down the system less), some of the scans are postponed, they are not happening immediately.
So if you just write eicar to disk (and don’t do anything else with it), it may not be scanned right away, but rather later. If you touch the file again after writing, it should be scanned synchronously at that moment (if it was actually scheduled to be scanned).
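
The behaviour described in the last reply (a plain write may be scanned later, a second touch of the file is scanned synchronously) can be observed stage by stage. The Python script below is an added example, not code from any poster or from Avast; `probe`, `first_blocked`, the file name `probe.com` and the 5-second wait are assumptions chosen for illustration.

```python
import contextlib
import os
import shutil
import tempfile
import time

# Standard 68-byte EICAR test string (harmless, published for AV testing).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def _attempt(action):
    """Run one file operation; return 'ok' or the OS error class that stopped it."""
    try:
        action()
        return "ok"
    except OSError as exc:  # e.g. PermissionError when an on-access scanner steps in
        return "blocked: " + type(exc).__name__

def probe(payload, directory, name="probe.com", wait=0.0):
    """Write payload, wait, then touch the file again; record each stage's result."""
    src = os.path.join(directory, name)
    dst = src + ".copy"
    def write():
        with open(src, "wb") as fh:
            fh.write(payload)
    def reopen():
        with open(src, "rb") as fh:
            if fh.read() != payload:
                raise OSError("content changed")
    results = {"write": _attempt(write)}
    time.sleep(wait)  # gives a postponed scan time to run on its own
    results["present_after_wait"] = os.path.exists(src)
    results["reopen"] = _attempt(reopen)   # second touch: open for reading
    results["copy"] = _attempt(lambda: shutil.copyfile(src, dst))
    for path in (src, dst):  # best-effort cleanup; files may already be quarantined
        with contextlib.suppress(OSError):
            os.remove(path)
    return results

def first_blocked(results):
    """Name of the first stage that did not succeed, or None if nothing intervened."""
    return next((s for s, o in results.items() if o not in ("ok", True)), None)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        outcome = probe(EICAR, tmp, wait=5.0)
        print(outcome, "-> first intervention:", first_blocked(outcome))
```

Running it with different shield settings (scan when writing, scan when opening, the copy optimization) shows at which stage, if any, the on-access component intervenes.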