avast! Pro Missing Infected Attachments

I have been getting a lot of emails that are clearly suspicious. VirusTotal invariably reports that the attachments are infected. Most of the attachments are not being flagged by avast! I understand that malware morphs quickly but I am concerned when 27 out of 55 VirusTotal scanners report a problem and avast! is not in the list. I have attached a report below.

I am running avast! 12.2.2276 with virus definitions 160805-0 on Windows 10 Home. I would be happy to report the attachments to avast! if that would help reduce the false negatives.

AVG JS/Downloader.Agent.43_V 20160805
Ad-Aware Trojan.JS.Downloader.FDH 20160805
AhnLab-V3 JS/Obfus.S104 20160805
Antiy-AVL Trojan/Generic.ASHS.5A 20160805
Arcabit Trojan.JS.Downloader.FDH 20160805
Avira (no cloud) JS/Dldr.Locky.VS 20160805
BitDefender Trojan.JS.Downloader.FDH 20160805
Cyren JS/Locky.AO2!Eldorado 20160805
DrWeb JS.DownLoader.1913 20160805
ESET-NOD32 JS/TrojanDownloader.Nemucod.AOW 20160805
Emsisoft Trojan.JS.Downloader.FDH (B) 20160805
F-Prot JS/Locky.AO2!Eldorado 20160805
F-Secure Trojan.JS.Downloader.FDH 20160805
Fortinet JS/Nemucod.AOT!tr 20160805
GData Trojan.JS.Downloader.FDH 20160805
Ikarus Win32.SuspectCrc 20160805
K7AntiVirus Trojan ( 004dfe6d1 ) 20160805
K7GW Trojan ( 004dfe6d1 ) 20160805
Kaspersky Trojan-Downloader.JS.Agent.lzr 20160805
eScan Trojan.JS.Downloader.FDH 20160805
Microsoft TrojanDownloader:JS/Swabfex.P 20160805
NANO-Antivirus Trojan.Script.Heuristic-js.iacgm 20160805
Sophos Mal/DrodZp-A 20160805
Tencent Js.Trojan.Raas.Auto 20160805
TrendMicro JS_LOCKY.F016H4 20160805
TrendMicro-HouseCall JS_LOCKY.F016H4 20160805
nProtect Trojan.JS.Downloader.FDH 20160805

Viruses and worms forum section is the correct place to post this :wink:

How to report > https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

When posting VT results, post a link to the scan result and not copy and paste.
VT has lots of additional file info behind the extra tabs and we can't see that info when using copy and paste

If you had added the file MD5 in your copy and paste we could have found the VT scan and avast lab could fetch the file from VT

@Pondus, I followed the instructions at https://www.avast.com/faq.php?article=AVKB258#artTitle, including the file, a link to the VirusTotal report and the hash, for five files. Before sending the files, I had avast! scan each one - no threats found. Now things get interesting - all five outbound emails were flagged by avast! as infected. It was definitely the attachments - I was able to send the emails after deleting the attachments.

I just upgraded to the latest avast! program. Everything seems fine but I now wonder if there is a problem with my avast! installation - why would the mail shield detect a problem that the file scanner does not?

I just had VirusTotal do a rescan - the results are at https://virustotal.com/en/file/b716109f957a5bfdecb65938479ab8abaf07aae666d8bc5e34f6e044c36a547b/analysis/1470438378/. avast! is still showing as not detecting any problems yet the avast! outbound mail scanner is reporting that the file is infected with JS:LockyDownloader [Trj].

Thanks, Norbert

PS. Is the VirusTotal URL all you really need? If you need the file, I can disable the mail shield.

VirusTotal may not have that update yet, I think they only receive the VPS from avast that is released once or twice a day, but your AV receives stream updates received every 5-15 minutes

Check again tomorrow

@Pondus, I did the scan on my laptop - right-clicked on the file in Explorer and selected the avast! file scan option - no threat detected. I do not understand why the email shield is catching a problem that the file shield does not.

I am going to do a repair on avast! and see if that changes the symptoms.

Thanks, Norbert

right-clicked on the file in Explorer and selected the avast! file scan option - no threat detected.
Is it an archive / zip file? Is scan inside archives selected in settings?

@Pondus, repairing avast! did not make any difference. It did not request a reboot - I am running a task and will reboot when it is complete.

ZIP was not selected under Packers in either Smart Scan or File Shield. I enabled ZIP - still not detecting a problem.

I extracted the .js file out of the ZIP and now neither avast! scan nor mail shield are reporting problems.

Thanks, Norbert

avast! has other detection systems further down the Mail Shield. Did cloud pick it up when you saved it to desktop? There is also last layer when you actually execute it, though if you suspect it’s a malware, I wouldn’t advise doing that…

would the mail shield detect a problem that the file scanner does not?
Why can a truck pull heavy loads and a race car not? Why can a race car drive really fast and a truck not? They are both cars, they are both supposed to bring things/people from A to B. So why the difference? Because they work differently and are developed to do a different task. ;)

With email there is a mail protocol involved while with just a file there is none.

I got six emails today with .docm attachments. Again, they all looked suspicious and VirusTotal claimed between 5 and 10 of their scanners flagged the files as infected. When I did an avast! scan of the six files, four were flagged as being infected with Malware-gen[Trj] and two were clean (I forwarded these two to avast!).

In terms of the four files that avast! reported as infected, I accessed the emails via webmail through Chrome and saved the attachments to my hard drive. I am puzzled why avast! did not report problems when I downloaded the files - I would have expected alerts from the Web Shield and/or the File System Shield. I loaded the four files into Notepad and again did not get any alerts. I just did a Repair that reported no problems and did not request a reboot. I was still able to download the attachments via Chrome and view with Notepad without any alerts.

I have gone over the configuration of the Web and File System Shields and do not see any obvious issues. Is it possible that these shields are not working on my system? That would explain some of the issues I reported earlier. Or do these Shields not work in the way I expect?

If it helps, the VirusTotal link for one of the infected .docm files is https://virustotal.com/en/file/40acae211e7c2747984beea319e1c44220663d993994dfc752ab86e96e37b883/analysis/1470770421/

Thanks, Norbert

In terms of the four files that avast! reported as infected, I accessed the emails via webmail through Chrome and saved the attachments to my hard drive. I am puzzled why avast! did not report problems when I downloaded the files - I would have expected alerts from the Web Shield and/or the File System Shield.
I see the same behavior with other AV with malicious files in zip archives

some are detected on download
some are detected when unzipped
some are detected after unzipping with right-click and scan

Think it is related to file type

Or do these Shields not work in the way I expect?
have you tried EICAR test?

EICAR > http://www.eicar.org/85-0-Download.html
WICAR.org > http://www.wicar.org/

@Pondus, I tried the EICAR page - avast! detects problems in all the http:// downloads but none of the https:// downloads. The webmail site I was accessing to download the attachments uses https://, so that explains why the Web Shield was not picking up a problem. However, https://www.avast.com/faq.php?article=AVKB189 states that avast! 2016 supports scanning of https:// content. I verified that 'Enable HTTPS scanning' is checked in Web Shield Settings.

That still leaves File System Shield - I can load the four EICAR files that I downloaded via https:// in Notepad with no avast! alerts. Windows will unzip the two ZIP files, also without avast! alerts. However, scanning all four files with avast! reports errors. I have checked that ZIP archive is enabled in the File System Shield Packers section.

Thanks, Norbert
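The layered behaviour Pondus and Norbert are probing with the EICAR files above can be checked from a script as well. This is an added example, not code from avast or from anyone in this thread: it writes the standard EICAR test file, reads it back (the Notepad case), zips and unzips it, and copies it, and reports per step whether the on-access scanner intervened. The step names and the passed/blocked labels are my own; on a machine without an on-access scanner every step reports passed.

```python
import os
import shutil
import tempfile
import zipfile

# Standard 68-byte EICAR test string, split in two only so this page does not carry it whole.
_EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-" + r"ANTIVIRUS-TEST-FILE!$H+H*"

def eicar_bytes() -> bytes:
    return _EICAR.encode("ascii")

def _attempt(action) -> str:  # run one file operation; report whether the scanner allowed it
    try:
        path = action()
    except OSError as exc:  # access denied, or the shield removed the file mid-operation
        return "blocked (%s)" % exc.__class__.__name__
    return "passed" if os.path.exists(path) else "blocked (file removed)"

def run_checks(workdir: str = None) -> dict:  # exercise write, open, zip, unzip and copy
    workdir = workdir or tempfile.mkdtemp()  # a fresh scratch folder when none is given
    plain = os.path.join(workdir, "eicar.com")
    archive = os.path.join(workdir, "eicar_com.zip")
    out_dir = os.path.join(workdir, "extracted")
    def write():  # File System Shield 'scan on write'
        with open(plain, "wb") as fh:
            fh.write(eicar_bytes())
        return plain
    def read_back():  # 'scan on open': what viewing the file in Notepad does
        with open(plain, "rb") as fh:
            fh.read()
        return plain
    def zip_it():  # the archive is only looked into if ZIP is enabled under Packers
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("eicar.com", eicar_bytes())
        return archive
    def unzip():
        with zipfile.ZipFile(archive) as zf:
            zf.extractall(out_dir)
        return os.path.join(out_dir, "eicar.com")
    def copy():  # the copy/paste step that did raise an alert in the thread
        os.makedirs(os.path.join(workdir, "copy"), exist_ok=True)
        return shutil.copy(plain, os.path.join(workdir, "copy"))

    steps = [("write", write), ("open", read_back), ("zip", zip_it),
             ("unzip", unzip), ("copy", copy)]
    return {name: _attempt(fn) for name, fn in steps}

if __name__ == "__main__":
    for step, result in run_checks().items():
        print(f"{step:6s}: {result}")
```

A step that reports blocked is the layer that fired; if write and open both pass but copy is blocked, that matches the behaviour Norbert describes later in the thread.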

Try scanning your file(s) with avast via right-click when hovering over the file with your mouse.

@mchain, right-clicking on the downloaded files and selecting the avast! scan option.

@Pondus, I recently upgraded an old Windows 7 machine to Windows 10 Pro, uninstalling avast! prior to the upgrade and then installing avast! Pro. avast! Web Shield DID report problems with the EICAR files downloaded via https. When I disabled Web Shield, I was able to download all the EICAR files - the avast! File System Shield did NOT generate any alerts.

I was able to determine the difference between the two Windows 10 systems. I had not enabled Chrome proxy support on the newly migrated laptop. When I enabled "Use automatic configuration script" pointing to the caching server's proxy.pac file, avast! Web Shield no longer generated alerts about EICAR files downloaded via https. I will investigate further to see if I can narrow down what stops avast! Web Shield from working.

That still leaves the question of the File System Shield. By default, it is configured to scan when executing, opening and writing. I have no special exclusions defined. By default, ZIP files are not unpacked but that should not prevent the File System Shield from checking the two ‘bare’ EICAR files.

As a test, I opened one of the EICAR ZIP files, did a right-click/Copy on the ZIP file member then pasted the file into another folder. This time avast! File System Shield reported a problem. Either I do not understand how File System Shield is supposed to work or there is something really strange going on. Even with EICAR files, I am reluctant to launch the .com files but I would expect that opening the files with Notepad should invoke the File System Shield.

Thanks, Norbert

When you open a file with notepad, you aren't really executing the file but merely scanning it.
Allowing notepad to display its contents. At least that's my simple interpretation.

https://forum.avast.com/index.php?topic=151615.msg1101253#msg1101253

After a short chat with avast! Technical Support, I have opened two tickets:

Hello. It should be detected by the latest VPS. I tested now; detection was defined as Other:Malware-gen [Trj].
attached

A quick update on progress. I opened ticket #455768 about the Web Shield missing infected files when downloaded via https. At the time, the problem appeared to be related to enabling proxy support. However, since then I have found a ZIP file where avast! blocked downloads via http but did not complain when the file was downloaded over https. I have done a clean uninstall/reinstall of avast! Pro and enabled ZIP file checking in the File System Shield but this did not resolve the problem - avast! Technical Support has requested additional information that I have provided.

I opened ticket #481222 asking why the File System Shield did not act as a secondary line of defense if the Web Shield missed the infected file - no response yet.

Today I found another ZIP file that Web Shield allowed me to download over http and https. Right-clicking on the file and doing an avast! scan did not report any issues. I could unpack the file and again, an avast! file scan found no threats in the .js payload within the ZIP. I was able to attach the file to a mail document but avast! blocked sending of the file. However, avast! Mail Shield did not prevent me from mailing out the .js file. I have seen this before where avast! subsequently reported threats, suggesting that the virus definitions were subsequently updated for the .js payload. Given the unreliable operation of the Web Shield and File System Shield, it would be helpful if avast! automatically unpacked ZIP files that it knows are infected and flagged the payloads as well. I have opened ticket #481222.

avast! Support confirmed that they were able to reproduce the problem where avast! was not scanning files downloaded over https if browser proxy support is enabled (ticket #455768). The problem has been forwarded to avast! Development.