Disappointing results for Avast! 4

Sick and tired of “Test your AV software using the EICAR test string”, I did some real-life testing of my own, and here are the results:

FILE                | RAV (online scan)       | PANDA (online scan) | AVAST 4 Pro
\EICAR.COM          | EICAR_Test_File         | Eicar.Mod           | EICAR TEST
\EICAR.RAR          | EICAR_Test_File         | Eicar.Mod           | -
\BABA.ZIP           | Baba.353.A              | Univ.EH             | Baba-353
\CASINO.ZIP         | NGV.gen                 | Ngv.1600.b.drp      | -
\D-DANCE.ZIP        | Devil's_Dance.941.A     | Devils              | -
\ENIGMA.ZIP         | Old_Yankee.1755.A       | Enigma              | Old Yankee
\FDT.ZIP            | Necropolis.1963.A       | Necropolis.1963     | -
\GARANT.ZIP         | Major.1644.A            | Major.1644          | Major-1644
\HAIKU.ZIP          | I_Worm:Haiku            | W32/Haiku           | Win32:Haiku
\KENNEDY.ZIP        | Danish_tiny.333.A       | Kennedy             | -
\MANTA.ZIP          | VCS.1077                | VCS                 | -
\NATAS.ZIP          | Natas.4744              | Natas.4744          | -
\ONEHALF.ZIP        | One_Half.3544.A         | One                 | -
\PIXEL.ZIP          | Pixel.740.A             | Univ                | Pixel-740
\TORERO.ZIP         | Torero.1429             | Torero              | -
\Ambulance.786.zip  | Ambulance.796.A         | Ambulance.796.A     | -
\HYDRA0.ZIP         | Pixel.Hydra.736.A       | Univ                | -
\AntiAVP.959.zip    | AIDS.COM                | AntiAVP.959         | -
\CIH_14.ZIP         | Win95/CIH.1003          | W95/CIH             | Win95:CIH 1.x
\AntiAVP.1235.zip   | AntiAVP.1235            | Astra_II            | -
\Leprosy.370.zip    | Leprosy.666.A           | Leprosy             | -
\NINJA.ZIP          | Ninja.1616              | Ninja.2090          | Ninja-1852
\Oops.368.zip       | Ooops.368               | Ooops.368           | -
\SIERRA.ZIP         | Stoned.I.C.dr           | NYB.E.Drp           | NYB-A
\Win.Lamer.zip      | Win/Winlamer.1734       | Winsurf.Skim.1454   | Win:Lame
\XPEH.4768.zip      | Yankee_Doodle.XPEH.4928 | Micropox            | -
\I-Worm.Sircam.exe  | Worm.Sircam.exe         | W32/Sircam          | Win32:Sircam-C [Wrm]
\I-Worm.Happy99.exe | Win32/Ska.A@m           | W32/Happy           | Win32:Ska
\I-Worm.Opasoft.exe | Win32/Opaserv.A.worm    | W32/Opaserv         | Win32:Opas [Wrm]
\I-Worm.Klez.a.SCR  | Win32/Klez.E@mm         | W32/Klez.F          | Win32:Klez-E [Wrm]
\I-Worm.Numda.d.exe | Win32/Nimda.D@mm        | W32/Nimda           | Win32:Nimda [Wrm]

So Avast missed 15 out of 31! :cry:

Some comments/questions on it. Did you let Avast scan inside archives? Because it should find the EICAR inside the RAR without problems, and it finds the oops.368 without problems too (infection: Ooops-368). So check whether you have activated archive scanning.

It finds the Natas also, and I think the others too. Unpack and scan them again. You will find it out on your own. The samples you use (except the last few) are d*mn old. I do not think that they are still able to infect under newer Windows versions anymore!?

Almost all viruses Avast! 4 has found were within zip files, so I guess that means I had the archives option selected. And I did it again, just to be sure (see attached “options and results.gif”). “Old samples” sounds like a lame excuse.

Summary: 15 misses, 1 false positive. (Too bad, I was looking for something to replace the resource-hungry NAV 200x :'()

I have searched for these old ones, and if you unpack them Avast will find them too. I do not know for sure, but Avast seems to have some problems identifying some old PK-Zip headers. But I do not know why it does not find the EICAR inside the RAR archive.
Avast finds the following, with these names:
[RAV]
i:\temp\3544.EXE | Infected: One_Half.3544.A
i:\temp\370.COM | Infected: Leprosy.370
i:\temp\4744A.COM | Infected: Natas.4744
i:\temp\4744A.EXE | Infected: Natas.4744
i:\temp\4928.COM | Infected: Yankee_Doodle.XPEH.4928
i:\temp\ANTI1235.COM | Infected: AntiAVP.1235
i:\temp\HYDRA0.COM | Infected: Pixel.Hydra.736.A
i:\temp\MANTA.COM | Infected: VCS.1077
i:\temp\ONEH3544.EXE | Infected: One_Half.3544.A
i:\temp\ONEHALF.BIN | Infected: OneHalf
i:\temp\OOPS.COM | Infected: Ooops.368
i:\temp\TORERO.COM | Infected: Torero.1427
i:\temp\UNKNOWN.COM | Infected: VCS.1077

[AVAST]
I:\temp\3544.EXE [L] One half-3544/3577 (0)
I:\temp\370.COM [L] Leprosy-37X (0)
I:\temp\4744A.COM [L] Natas-4744 (0)
I:\temp\4744A.EXE [L] Natas-4744 (0)
I:\temp\4928.COM [L] Yankee Doodle (0)
I:\temp\ANTI1235.COM [L] AntiAVP-1235 (0)
I:\temp\HYDRA0.COM [L] Pixel-Hydra-736-B (0)
I:\temp\MANTA.COM [L] VCS 1.0 (0)
I:\temp\ONEH3544.EXE [L] One half-3544/3577 (0)
I:\temp\OOPS.COM [L] Ooops-368 (0)
I:\temp\TORERO.COM [L] Torero-1427 (0)
I:\temp\UNKNOWN.COM [L] VCS 1.0 (0)
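The two listings above use different layouts (RAV writes `path | Infected: name`, Avast writes `path [L] name (0)`), which makes an entry-by-entry comparison tedious by eye. The script below is an added example, not code from the thread or from either vendor: it parses both layouts, joins them on a case-normalised path, prints an aligned name table and reports which files only one engine flagged. The regular expressions are my reading of the two formats; the embedded sample lines are the ones quoted in the post above.

```python
"""Join two scanner logs on file path and report per-engine differences.

Added example (not from the thread, Avast or RAV). The regexes below are
assumptions about the two log layouts quoted in the thread.
"""
import re

# RAV layout:    i:\temp\3544.EXE | Infected: One_Half.3544.A
RAV_RE = re.compile(r"^(?P<path>.+?)\s*\|\s*Infected:\s*(?P<name>.+?)\s*$")
# Avast layout:  I:\temp\3544.EXE [L] One half-3544/3577 (0)
AVAST_RE = re.compile(r"^(?P<path>.+?)\s+\[L\]\s+(?P<name>.+?)\s+\(\d+\)\s*$")

# Sample input: the log lines posted in the thread, embedded so this runs offline.
RAV_LOG = r"""
i:\temp\3544.EXE | Infected: One_Half.3544.A
i:\temp\370.COM | Infected: Leprosy.370
i:\temp\4744A.COM | Infected: Natas.4744
i:\temp\4744A.EXE | Infected: Natas.4744
i:\temp\4928.COM | Infected: Yankee_Doodle.XPEH.4928
i:\temp\ANTI1235.COM | Infected: AntiAVP.1235
i:\temp\HYDRA0.COM | Infected: Pixel.Hydra.736.A
i:\temp\MANTA.COM | Infected: VCS.1077
i:\temp\ONEH3544.EXE | Infected: One_Half.3544.A
i:\temp\ONEHALF.BIN | Infected: OneHalf
i:\temp\OOPS.COM | Infected: Ooops.368
i:\temp\TORERO.COM | Infected: Torero.1427
i:\temp\UNKNOWN.COM | Infected: VCS.1077
"""

AVAST_LOG = r"""
I:\temp\3544.EXE [L] One half-3544/3577 (0)
I:\temp\370.COM [L] Leprosy-37X (0)
I:\temp\4744A.COM [L] Natas-4744 (0)
I:\temp\4744A.EXE [L] Natas-4744 (0)
I:\temp\4928.COM [L] Yankee Doodle (0)
I:\temp\ANTI1235.COM [L] AntiAVP-1235 (0)
I:\temp\HYDRA0.COM [L] Pixel-Hydra-736-B (0)
I:\temp\MANTA.COM [L] VCS 1.0 (0)
I:\temp\ONEH3544.EXE [L] One half-3544/3577 (0)
I:\temp\OOPS.COM [L] Ooops-368 (0)
I:\temp\TORERO.COM [L] Torero-1427 (0)
I:\temp\UNKNOWN.COM [L] VCS 1.0 (0)
"""


def normalize_path(path):
    # Windows paths are case-insensitive and the two logs differ in drive-letter case.
    return path.strip().lower()


def parse_log(text, pattern):
    """Map normalised path -> detection name; non-matching lines are skipped."""
    found = {}
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            found[normalize_path(m["path"])] = m["name"].strip()
    return found


def diff_detections(first, second):
    """Which paths both engines flagged, and which only one of them did."""
    a, b = set(first), set(second)
    return {"both": a & b, "only_first": a - b, "only_second": b - a}


def name_table(engines):
    """Aligned rows, one per file; '-' marks an engine that did not flag it."""
    paths = sorted(set().union(*engines.values()))
    width = max(len(p) for p in paths)
    rows = [f"{'FILE':<{width}}  " + "  ".join(f"{e:<24}" for e in engines)]
    for p in paths:
        cells = "  ".join(f"{engines[e].get(p, '-'):<24}" for e in engines)
        rows.append(f"{p:<{width}}  {cells}")
    return rows


if __name__ == "__main__":
    rav = parse_log(RAV_LOG, RAV_RE)
    avast = parse_log(AVAST_LOG, AVAST_RE)
    print("\n".join(name_table({"RAV": rav, "Avast": avast})))
    d = diff_detections(rav, avast)
    print("\nflagged by RAV only:  ", sorted(d["only_first"]))
    print("flagged by Avast only:", sorted(d["only_second"]))
```

Run against the quoted logs it reports `ONEHALF.BIN` as the one file RAV flagged and Avast did not, which is the kind of per-file gap a 31-row table hides; point the two `*_LOG` strings at real log files to reuse it.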

It appears that you have to set scan level to thorough. Once I did that I got:

\EICAR.COM Infection: EICAR Test-NOT virus!!
\EICAR.RAR\EICAR.COM Infection: EICAR Test-NOT virus!!
\CPAV.EXE Infection: Emmie-3097
\BABA.ZIP\BABA.EXE Infection: Baba-353
\D-DANCE.ZIP\D-DANCE.COM Infection: Devil’s Dance-941
\ENIGMA.ZIP\ENIGMA.EXE Infection: Old Yankee
\FDT.ZIP\FDT.COM Infection: Necropolis-1963
\GARANT.ZIP\GARANT.EXE Infection: Major-1644
\HAIKU.ZIP\Haiku.exe Infection: Win32:Haiku
\KENNEDY.ZIP\KENNEDY.COM Infection: Danish Tiny-Kennedy-333
\MANTA.ZIP\MANTA.COM Infection: VCS 1.0
\NATAS.ZIP\NATAS.COM Infection: Natas-4744
\ONEHALF.ZIP\ONEHALF.COM Infection: One half-3544/3577
\PIXEL.ZIP\PIXEL.EXE Infection: Pixel-740
\TORERO.ZIP\TORERO.COM Infection: Torero-1429
\Ambulance.786.zip\ambulanc.com Infection: Ambulance-795
\HYDRA0.ZIP\HYDRA0.COM Infection: Pixel-Hydra-736-B
\AntiAVP.959.zip\AVP-AIDS.COM Infection: AntiAVP-959
\CIH 14.ZIP\CIH 14.EXE Infection: Win95:CIH 1.x
\AntiAVP.1235.zip\ANTICARO.COM Infection: AntiAVP-1235
\Leprosy.370.zip\LEPROSY.COM Infection: Leprosy
\NINJA.ZIP\NINJA.EXE Infection: Ninja-1852
\Oops.368.zip\oops.com Infection: Ooops-368
\SIERRA.ZIP\Floppy.exe Infection: NYB-A
\Win.Lamer.zip\WINLAME2.EXE Infection: Win:Lame
\XPEH.4768.zip\XPEN4928.COM Infection: Yankee Doodle
\I-Worm.Sircam.exe\I-Worm.Sircam.exe Infection: Win32:Sircam-B
\I-Worm.Sircam.exe Infection: Win32:Sircam-C [Wrm]
\I-Worm.Happy99.exe Infection: Win32:Ska
\I-Worm.Opasoft.exe Infection: Win32:Opas [Wrm]
\I-Worm.Klez.a.SCR Infection: Win32:Klez-E [Wrm]
\I-Worm.Numda.d.exe Infection: Win32:Nimda [Wrm]

Conclusion: 30 found (Win32:Sircam-B & Win32:Sircam-C [Wrm] within the same file!), 1 missed (CASINO.COM -> (PKLite) - NGV.gen), 1 false positive. ???

Comments?
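The result above turned on one configuration detail: whether the scanner opens archives, and how deep. A reproducible way to check that on any engine is to plant the same harmless EICAR test payload at several nesting depths and in several container types, then see which copies get flagged. The script below is an added example, not code from the thread or from Avast: it builds such a corpus with only the standard library (it cannot produce RAR, so zip, gzip and tar stand in), and includes a small unpacker so you can confirm the corpus itself is well-formed before blaming the scanner. File names and the depth of 3 are my choices.

```python
"""Build an EICAR corpus for checking a scanner's archive handling.

Added example (not from the thread or from Avast). Only the EICAR test
string is real; every file name and the default nesting depth are my own.
"""
import gzip
import io
import sys
import tarfile
import zipfile
from pathlib import Path

# The standard EICAR test string (68 bytes, published by eicar.org). It is
# not malware: scanners flag it by convention so detection paths can be
# exercised without handling a real sample.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def zip_bytes(member, data):
    """Return a zip archive (in memory) holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, data)
    return buf.getvalue()


def tar_bytes(member, data):
    """Return an uncompressed tar archive (in memory) holding one member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(member)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_corpus(depth=3):
    """Map file name -> bytes. Every file carries the same payload, so the
    subset the scanner flags shows which containers and depths it opens."""
    corpus = {"eicar.com": EICAR}
    inner_name, inner = "eicar.com", EICAR
    for level in range(1, depth + 1):          # zip inside zip inside zip ...
        inner = zip_bytes(inner_name, inner)
        inner_name = f"eicar_zip_depth{level}.zip"
        corpus[inner_name] = inner
    corpus["eicar.com.gz"] = gzip.compress(EICAR)
    corpus["eicar.tar"] = tar_bytes("eicar.com", EICAR)
    # Same zip as depth 1 but with a misleading extension: does the engine
    # go by content or by file name?
    corpus["eicar_zip_renamed.dat"] = zip_bytes("eicar.com", EICAR)
    return corpus


def outer_container(data):
    """Classify by magic bytes rather than by extension."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[257:262] == b"ustar":
        return "tar"
    return "raw"


def unpack_zip_chain(data, max_depth=16):
    """Follow nested zips to the innermost payload; return (payload, depth).
    max_depth guards against a pathological self-nesting archive."""
    depth = 0
    while depth < max_depth and outer_container(data) == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])
        depth += 1
    return data, depth


def write_corpus(directory):
    """Write the corpus to disk and return the file names written."""
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    for name, data in build_corpus().items():
        (out / name).write_bytes(data)
    return sorted(p.name for p in out.iterdir())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "eicar_corpus"
    for name in write_corpus(target):
        print(name)
```

Point an on-demand scan at the written directory: with archive scanning off only `eicar.com` should be reported; with it on, the highest `eicar_zip_depthN.zip` that is flagged tells you the engine's nesting limit, and `eicar_zip_renamed.dat` tells you whether it identifies archives by content or by extension.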

How about setting the Thorough scan instead of Standard? Does it change anything? It is indeed very strange that EICAR has not been found within a RAR archive; RAR archives definitely are supported.

Since you labeled the column as “Avast 4 Pro” - what are the results when you create your own task in the Enhanced User Interface and set the appropriate Packer options?

Probably a stupid question, but just to be sure: weren’t you running another resident antivirus protection in the background?

Seems you were faster with posting the answer before I even sent the question :slight_smile:

As for the Sircam-B & Sircam-C thing: Sircam-C is probably a packed version of Sircam-B (btw, is the Sircam-B name really without the [Wrm] tag?). When Sircam was added to the virus database, avast! did not feature UPX/ASPack unpacking (or whatever Sircam-B is packed with), so the signature for the packed version was added. Now that it is able to unpack the packed executable, it finds even the “inner” file, which is Sircam-B.
I think it’s not a problem… the signatures for the packed versions make it possible to identify the virus even with an older version of avast, or with archive scanning turned off.

Unpack the PKLITE and Avast reports Nuke-1680. But I thought Avast is able to unpack PKLite by itself?

Igor

Did you read the very first line in my previous post? :slight_smile:

Igor

Thank you for clarification.

Yes, I did, but only afterwards - since you posted it while I was writing the followup :slight_smile:

Igor

(btw, the Sircam-B name is really without the [Wrm] tag?)

Yes it is. From Avast! 4 log:

\I-Worm.Sircam.exe\I-Worm.Sircam.exe [L] Win32:Sircam-B (0)
\I-Worm.Sircam.exe [L] Win32:Sircam-C [Wrm] (0)

:wink:

As you have discovered, setting Avast to scan inside archives and setting it to Thorough (sensitivity at high) allows Avast to detect 99% of all viruses.

NOW, if you also make sure that the Heuristic feature is selected for the respective On-Line Access Protection modules, you have a nice secure setup.

ANY anti-virus software will overlook some viruses if its search engine sensitivity is lowered.

This “lowering” should only be used when a substantial number of “false positives” are registered, but only low enough to stop them.

Thank you for taking the time to share your test results with us.

:smiley:

I’m still not clear whether the user was using the Pro or Free version. I thought the Free version didn’t support RAR files.

The Home version does support RAR archives (and always has).

For a comparison table please refer to http://www.avast.com/i_idt_1018.html .

Vlk

techie101

NOW, if you also make sure that the Heuristic feature is selected for the respective On-Line Access Protection modules, you have a nice secure setup.
I see heuristics only in the Internet Mail provider (I don't use Outlook and I turned off the P2P provider). Was that what you meant?
Thank you for taking the time to share your test results with us.

No problem. ;D

On the subject of false detection in cpav.exe again…

(from the Kaspersky Anti-Virus Personal / Personal Pro 4.5 User Guide) ...The extracting tool...can also deal with some versions of immunizers, programs protecting executable files from viruses by attaching checking code blocks (CPAV and F-XLOCK) and enciphering programs (CryptCOM) to them.

I guess this (virus-like behaviour of CPAV.EXE) sheds some light on why Avast! 4 detects a non-existent virus in CPAV.EXE. It also shows that something can be done about it! :wink:

Final analysis

Please, Vlk, can you confirm that the Pro and Home versions use the same VPS (I mean, can they detect the same viruses)? I think they do, but I am a little bit confused now… :slight_smile:
Btw, what is the behavior with CAB files?

http://www.avast.com/i_idt_1018.html