Downloading zip-file: "No virus" Scanning again: "Threat found" Why?

Hi!

I generally feel secure with Avast Free anti-virus, but now I have experienced downloading a zip-file (with Firefox 15 and 16 on Windows 7 Home Premium 64-bit) where the Firefox download-window indicates that the file is being virus-scanned and found clean, and I can unpack the zip-file without any messages. But if I ask Avast to scan the zip-file, it results in Threat Found: PHP:WebShell-A [Trj]. Why isn’t this threat found before - when I download or move or unpack the zip-file?
BTW: On virustotal.com 6 out of 35 scanners declare it a virus.

  • Henrik

Can you post the link to the VirusTotal scan?

hi heroxx,

6 out of 35 indicates a live malware specimen found. Could you post the final url scan here, as in: https://www.virustotal.com/file/d7182df914ae10d0fefb6d57f780404b145f0419de3d787e6e073d374511aa82/analysis/ as an example result of your scan.

As to why the download part did not see the malware, possibly not set to scan zip files?

Here:
https://www.virustotal.com/file/a27d0a8f79af319d94ae1cbe23a489773f0d69bd98d669e3073bded1ea4f6c0a/analysis/1351102897/

Seems to be the very first sample ever submitted to VirusTotal. Go to the web page and click the “Additional Information” tab to get more info.

But… I have attached screen shots showing that Firefox is telling me that it is virus scanning the file, and that it has finished doing so. On my stop-watch the virus scanning takes about 8 seconds. (I have a one year old ASUS K53E laptop with Win 7 64-bit)

Can’t you do that yourself? :)
It doesn’t tell me much.
This file is not publicly available, that’s why it hasn’t been scanned before by Virustotal.com. The file is part of a private communication between me and a company that worked for me. I DON’T use that firm anymore…!!

That scanner you see is from Firefox… it's not avast! ;)

Sh*t…! That’s a bad surprise! Can that be changed?
It makes me wonder if Avast gives me any web surfing security at all?

But should the virus not be found by Avast when I unpack the zip-file?

Thanks!

Yes, procedure is exactly as you said.

You manually scan the .zip file so Avast! can open it and scan. Otherwise, Avast! FileShield will step in when you double-click the file.

This is one of the reasons why all eight shields should never be turned off; you never will know when you may need them for protection.

Same is true when you download an attachment from your email box.

I am a little confused - and worried - here!
You say: “You manually scan the .zip file” and “Avast! FileShield will step in when you double-click the file.”
But my experience is that Avast does NOT see the virus, neither when I download the zip file nor when I unpack the zip-file. That doesn’t seem like a good protection strategy to me!
And this particular file was never intended to be run on my machine. It was supposed to be put on my website’s Linux web-server.

And you say: “Same is true when you download an attachment from your email box.”
Yes. Even when I save an attachment with virus to my hard disk, Avast doesn’t see the virus. I DON’T think that is optimal!

And 2 days ago when Avast gave me a strange warning and an error message, I did a 3-hours boot scan, and there I discovered a virus that I must have received in January via a USB-stick. Also, NOT very trust-inspiring!

So all in all I would very much like Avast to be more proactive!!

It looks like you may have a problem with your avast installation; you can try a re-installation of avast… if you think you have an issue.

what type of file is inside the zip?

“And 2 days ago when Avast gave me a strange warning and an error message, I did a 3-hours boot scan, and there I discovered a virus that I must have received in January via a USB-stick. Also, NOT very trust-inspiring!”

You may have gotten it before avast had a signature for it... Where was it located? If it was in an area where it was dormant, it would have been detected by the file shield as soon as it was run.

The zip file contains a ‘half baked’ WordPress blog website.
The infected file is called “thumbs.php” and is situated in a directory called wp-content/plugins.
I am not going to use it, because I have chosen a new contractor that uses Drupal.

It was either in Pictures or in Videos. I don’t remember. In a sub-directory.
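
An added example (not part of any post in this thread, and not Avast or Firefox code): since the thread turns on files inside a zip not being inspected until the archive is opened, this sketch lists every PHP member of an archive in memory, with a per-file SHA-256 that can be looked up individually, and marks PHP files sitting directly in wp-content/plugins for review. The function names, the size cap and the sample archive are constructed assumptions; it does not detect malware itself.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

MAX_MEMBER_BYTES = 5 * 1024 * 1024  # assumed cap so an oversized member is not read

# Constructed, harmless sample contents; the paths mirror the layout in the thread.
SAMPLE_FILES = {
    "site/wp-content/plugins/thumbs.php": b"<?php /* constructed placeholder */ ?>",
    "site/wp-content/plugins/gallery/gallery.php": b"<?php /* constructed stub */ ?>",
    "site/readme.txt": b"constructed sample archive",
}


def build_sample():
    """Build the constructed sample archive in memory and return it as a file object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in SAMPLE_FILES.items():
            archive.writestr(name, data)
    buf.seek(0)
    return buf


def triage_zip(source):
    """List every .php member of a zip (path or file object) without unpacking to disk."""
    records = []
    with zipfile.ZipFile(source) as archive:
        for info in archive.infolist():
            path = PurePosixPath(info.filename)
            if info.is_dir() or path.suffix.lower() != ".php":
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                records.append({"name": info.filename, "sha256": None, "loose_in_plugins": None})
                continue
            digest = hashlib.sha256(archive.read(info)).hexdigest()
            # Review flag, not a verdict: a PHP file sitting directly in
            # wp-content/plugins (single-file plugins exist, but most have a folder).
            loose = path.parent.parts[-2:] == ("wp-content", "plugins")
            records.append({"name": info.filename, "sha256": digest, "loose_in_plugins": loose})
    return records


if __name__ == "__main__":
    for rec in triage_zip(build_sample()):
        print(rec["sha256"], "REVIEW" if rec["loose_in_plugins"] else "      ", rec["name"])
```

Pass a real archive path to `triage_zip` in place of `build_sample()`; members above the size cap are listed with no hash rather than read.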