Some comments/questions on it. Did you let Avast scan inside archives? Because it should find the EICAR inside the RAR without problems, and it finds the oops.368 without problems too (infection: Ooops-368). So check whether you activated archive scanning.
It finds the Natas also, and I think the others too. Unpack and scan them again. You will find it out on your own. The samples you use (except the last few) are d*mn old. I do not think that they are still able to infect newer Windows versions anymore!?
Almost all viruses Avast! 4 has found were within zip files, so I guess that means that I selected the archives option. And I did it again, just to be sure (see attached "options and results.gif"). "Old samples" sounds like a lame excuse.
Summary: 15 misses, 1 false positive. (Too bad, I was looking for something to replace the resource-hungry NAV 200x :'( )
I have searched for these old ones, and if you unpack them Avast will find them too. I do not know, but Avast has some problems identifying some old PK-Zip headers. But I do not know why it does not find the EICAR inside of the RAR archive.
Avast finds the following with the following names:
[RAV]
i:\temp\3544.EXE | Infected: One_Half.3544.A
i:\temp\370.COM | Infected: Leprosy.370
i:\temp\4744A.COM | Infected: Natas.4744
i:\temp\4744A.EXE | Infected: Natas.4744
i:\temp\4928.COM | Infected: Yankee_Doodle.XPEH.4928
i:\temp\ANTI1235.COM | Infected: AntiAVP.1235
i:\temp\HYDRA0.COM | Infected: Pixel.Hydra.736.A
i:\temp\MANTA.COM | Infected: VCS.1077
i:\temp\ONEH3544.EXE | Infected: One_Half.3544.A
i:\temp\ONEHALF.BIN | Infected: OneHalf
i:\temp\OOPS.COM | Infected: Ooops.368
i:\temp\TORERO.COM | Infected: Torero.1427
i:\temp\UNKNOWN.COM | Infected: VCS.1077
How about setting the Thorough scan instead of Standard? Does it change anything? It is indeed very strange that EICAR has not been found within a RAR archive - RAR archives definitely are supported.
Since you labeled the column as "Avast 4 Pro" - what are the results when you create your own task in the Enhanced User Interface and set the appropriate packer options?
Probably a stupid question, but just for sure: weren’t you running another resident antivirus protection in background?
Seems you were faster with posting the answer before I even sent the question.
As for the Sircam-B & Sircam-C thing: Sircam-C is probably a packed version of Sircam-B (btw, is the Sircam-B name really without the [Wrm] tag?). When Sircam was added to the virus database, avast! did not feature UPX/AsPack unpacking (or whatever Sircam-B is packed with) - so, the signature for the packed version was added. Now, when it is able to unpack the packed executable, it finds even the "inner" file, which is Sircam-B.
I think it's not a problem... the signatures for the packed versions make it possible to identify the virus even with an older version of avast, or with archive scanning turned off.
As you have discovered, setting Avast to scan inside archives and setting it to Thorough (sensitivity at high) allows Avast to detect 99% of all viruses.
NOW, if you also make sure that the Heuristic feature is selected for the respective On-line Access Protection modules, you have a nice secure setup.
ANY anti-virus software will overlook some viruses if its search engine sensitivity is lowered.
This "lowering" should only be used when a substantial number of "false positives" are registered, and only low enough to stop them.
Thank you for taking the time to share your test results with us.
NOW, if you also make sure that the Heuristic feature is selected for the respective On-line Access Protection modules, you have a nice secure setup.
I see heuristics only in the Internet mail provider (I don't use Outlook and I turned off the P2P provider). Is that what you meant?
On the subject of false detection in cpav.exe again…
(from the Kaspersky Anti-Virus Personal / Personal Pro 4.5 USER GUIDE) ...The extracting tool...can also deal with some versions of immunizers, programs protecting executable files from viruses by attaching checking code blocks (CPAV and F-XLOCK) and enciphering programs (CryptCOM) to them.
I guess this (virus-like behaviour of CPAV.EXE) sheds some light on why Avast! 4 detects a non-existent virus in CPAV.EXE. It also shows that something can be done about it!
Please, Vlk, can you confirm that the Pro and Home versions use the same VPS (I mean, can detect the same viruses)? I think they do, but I am a little bit confused now...
Btw, what is the behavior with CAB files?