I got a virus sample file named _suspicious_action.rar at http://link_crippled_by_Vlk.com/job-ylmf-action-download-pid-tpc-tid-442501-aid-409128.html, but Avast did not give me an alert when I downloaded the sample file. After downloading the file, I manually scanned it with Avast, and this time Avast told me there was a virus in it. So I know it is not an unknown virus to Avast, but why can't the real-time scan find it?
I beg your attention.
PS: My computer is WinXP SP2 (Simplified Chinese), Avast Home (4.7.1074) with the 2007-12-02 VPS, and the Standard Shield is set to scan all files.

Liudg
Dec. 3

Maybe in the RAR format it could not be recognised, but certainly when unpacked you got the warning.
You knew it was a virus sample before you got it, and you confirmed it when you unpacked it.
Jotti was the place to check it:
Scan taken on 03 Dec 2007 07:46:06 (GMT)
A-Squared Found Worm.Win32.Fujack.z
AntiVir Found WORM/Fujack.Z.11
ArcaVir Found nothing
Avast Found Win32:Fujack-F
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found Worm.Fujack-9
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Worm.Win32.Fujack.z
Fortinet Found W32/Fujack.Z!worm
Ikarus Found Worm.Win32.Fujack.z
Kaspersky Anti-Virus Found Worm.Win32.Fujack.z
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found Worm.Nimaya.co
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Was your plan to highlight a problem or to spread one?

I can guess two reasons:

  1. The on-access scanner does not unpack all kinds of archives, so as not to flood resource usage (CPU, RAM).
  2. There was a virus database update since you first accessed the page that includes the signature for that particular malware.

Yes, Standard Shield doesn’t unpack RARs by default (no matter what extensions you add into its settings).
Web Shield, on the other hand, should unpack all supported archives.

Thanks for your help. I don’t think it is because Avast does not scan the RAR format by default that the real-time scan did not find the virus, because I tried some other virus samples in RAR format which Avast’s real-time scan found.
Please try these two virus samples at http://bbs.ylmf.com/job-ylmf-actio[BROKEN]n-download-pid-tpc-tid-442501-aid-409129.html and http://bbs.ylmf.com/job-ylmf-action-dow[BROKEN]nload-pid-tpc-tid-442501-aid-409130.html. These two virus samples are also in RAR format, but Avast’s real-time scan can immediately find them when I download them.
Waiting for your help. Thanks.

liudg
Dec. 4

ADMIN: NO LIVE LINKS TO VIRUSES HERE!

These two virus samples are also in RAR format, but Avast’s real-time scan can immediately find them when I download them. Waiting for your help.

As Igor said, the Web Shield works differently from the Standard Shield: the Web Shield will unpack archive files and scan them, so it will find malware in archive files and alert you. This prevents the malware getting on to your system, whereas the Standard Shield would normally scan newly created files, with some exceptions, like RAR archives.

Archive (zip, rar, etc.) files are by their nature inert; you need to extract the files and then run them for them to be a threat. Long before that happens avast’s Standard Shield should have scanned them (on extraction), and before an executable is run it is scanned.
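The difference the replies above describe (a shield that scans the downloaded container as-is versus one that unpacks archives and scans each member, and the resource argument for limiting how deep an on-access scanner unpacks) is easy to see with a small, added illustration. The script below is not avast's code and does not use any avast component: it uses Python's standard zipfile module in place of RAR, a constructed harmless marker string in place of a real signature, and constructed sample archives built in memory. The `scan_container_only` function models a shield that looks only at the file bytes as written to disk; `scan_bytes` models a shield that unpacks supported archives (with a nesting-depth cap and a member-size cap as the resource limits) and is also what the member scan on extraction amounts to.

```python
import io
import zipfile

# Constructed, harmless marker standing in for a real malware signature.
SIGNATURE = b"CONSTRUCTED-TEST-MARKER-NOT-REAL-MALWARE"

# Resource limits an on-access scanner might apply when unpacking archives.
DEFAULT_MAX_DEPTH = 2             # how many nested archive levels to open
DEFAULT_MAX_MEMBER_BYTES = 1 << 20  # skip members larger than 1 MiB


def scan_container_only(data: bytes) -> bool:
    """Model of a shield that scans only the bytes written to disk.

    Compressed archive members do not contain the plain signature, so
    this returns False for an archive even when a member would match.
    """
    return SIGNATURE in data


def scan_bytes(data: bytes, path: str = "<file>", depth: int = 0,
               max_depth: int = DEFAULT_MAX_DEPTH,
               max_member: int = DEFAULT_MAX_MEMBER_BYTES) -> list:
    """Model of a shield that unpacks archives and scans each member.

    Returns a list of (path, verdict) tuples. Nested archives are opened
    until max_depth is reached; oversized members are skipped. Both skips
    are reported so the caller knows what was not examined.
    """
    hits = []
    if SIGNATURE in data:
        hits.append((path, "signature-match"))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    if depth >= max_depth:
        hits.append((path, "archive-skipped:depth"))
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member_path = f"{path}/{info.filename}"
            if info.file_size > max_member:
                hits.append((member_path, "member-skipped:size"))
                continue
            # Reading the member is the equivalent of "on extraction".
            hits.extend(scan_bytes(zf.read(info), member_path, depth + 1,
                                   max_depth, max_member))
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample: one benign member, one member carrying the marker.

    bzip2 compression is used so the marker never appears verbatim in the
    archive bytes (deflate may store short, incompressible data literally).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_BZIP2) as zf:
        zf.writestr("readme.txt", b"benign text\n")
        zf.writestr("sample.bin", b"header\n" + SIGNATURE + b"\ntrailer\n")
    return buf.getvalue()


def build_nested_archive() -> bytes:
    """Constructed sample: the archive above packed inside another archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_BZIP2) as zf:
        zf.writestr("inner.zip", build_sample_archive())
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("container-only verdict:", scan_container_only(sample))
    print("unpacking verdict:     ", scan_bytes(sample))
    nested = build_nested_archive()
    print("nested, depth 2:       ", scan_bytes(nested))
    print("nested, depth 1:       ", scan_bytes(nested, max_depth=1))
```

Run stand-alone, the container-only scan reports nothing for the archive while the unpacking scan flags `sample.bin`; with the nested archive, lowering `max_depth` to 1 turns the detection into an explicit "archive-skipped:depth" report for `inner.zip`. That skip report is the practical point: a shield that does not open a given archive type has not cleared it, it has merely deferred the check until extraction or execution.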

Did you submit them to VirusTotal? What were the results?
One of them is clean for Dr.Web.

Avast found the viruses in these two sample files and stopped me from downloading them, so I did not submit them to virustotal.

So you’ve stayed only with avast’s opinion. With VirusTotal you can have the Windows version of the AVs, so avast has more unpackers for Windows, and that is the version most are using.
There are 27 different scanning engines, more than other on-line scanners.

Thanks, and I know about VirusTotal. But I don’t think it is the issue we should discuss here. My question is why avast’s real-time scan can find some RAR format viruses while it overlooks others.

Thanks.

liudg
Dec. 6

I think your question has been answered twice: it depends on what is scanning the file.