EICAR NOT DETECTED by File System Shield !?!?

Yes, you can do that.

But it’s really sad that you can’t see the problem. I’ve written it for you twice already and you either fail to understand or it’s selective ignorance, willfully or not.

Last attempt, read it very carefully: Win8.1.1, newest Avast 2014.9.0.2018, FSS STOPS eicar.com when downloaded with IE, without webshield… with Firefox, Avast FSS is silent.

And then there’s the second problem, possibly related to the 1st one; read what Igor from Avast team wrote earlier:

Igor obviously knows that there really could be a problem in current Avast, AND with a specific option which is ON by DEFAULT, for EVERY newly installed Avast.

My reply to that post, which confirms that the problem exists, was:

Yes, I can perfectly copy the eicar.com file anywhere I like, Avast does nothing.

If I turn off the “Optimize scanning during file copy option”, Avast stops file copy process. Seems to me that there’s a loophole in the protection with this setting set to “on”. Worrying.

BUT, with that option still “off”, downloading the eicar.com file yields NO action from Avast. I find this a bit odd. There, in my download folder, is a (fake) virus and Avast did nothing.

So, there are 2 problems. I’m sorry if that eats away your confidence about Avast. Now, we have heard you. Thanks for your input. Please don’t post the same thing here anymore. Thanks.

One would think that fellow Avast users would be interested and perhaps a little worried when somebody tells them that there could be 1-2 problems in one of the security layers in the very same security product that they use. But obviously no. :slight_smile:

I was once like you, I ran everything I could get my hands on, “just to be safe”. Then, I wised up (& learned more about security) and stopped wasting my time (and now when I think of it, I wasted SO MUCH TIME) with all the software/settings/etc.

Igor (& everyone else), I found out what happens.

I put “File System Shield Settings → Scan when writing → Scan all files” ON.

Download eicar.com with Firefox. And then an Avast warning comes up (attached image). Check out the extension of that downloaded “object”!!

Firefox downloads ALL files with an added “.part” suffix until the whole download is ready. Then Firefox renames the file back & moves it to the user’s download folder.

So, the problem is: why does Avast FSS ignore the renaming of the object from .part to an executable file, AND the moving of that object from the download cache/temp folder to the actual “download” folder? (This is when FSS is set to “scan files with default extensions” in the “Scan when writing” FSS settings, which is the DEFAULT setting.)

And the second problem (very likely related to the 1st problem) is: after a file gets into the system through that 1st loophole, the DEFAULT ON setting of “Optimize scanning during file copy option” in FSS advanced settings allows the file to be copied further ANYWHERE in the system.

Is the “.part” file put to a transient or persistent cache? Or something similar happens?

I just put OFF transient & persistent caching in FSS. I’ll have to wait for a definition DB update to check if those have any relation to these problems. I’ll be back tomorrow.

I figured out a couple of things, after many, many tests & brain-exploding thinking. Haha.

There is an erroneously named and/or illogically acting Avast setting. The FSS “Scan when writing → scan files with default extensions” actually sometimes means: “scan files with default file contents” (maintained by avast). It’s not always file extensions that Avast is looking for when a file is created or modified.

Here are some examples (on Win8.1.1 x64 & Avast 2014.9.0.2018):

  • Eicar.com file downloaded with IE → downloads to temp folder with “.com” extension = Avast detects the file.
  • Eicar.com file downloaded with Firefox → downloads to temp folder with “.com.part” extension = Avast does NOT detect the file → completed file is renamed with .com extension and moved to final download folder = Avast does NOT detect the file.

This is perfectly normal & in accordance with “scan files with default extensions” setting because:

  • In IE case, the file is created with “.com” extension right from the start.
  • With Firefox, the file creation is done with an extension that is not “detected” by Avast. The subsequent Firefox file rename & move (or move & rename) to final location is NOT a file creation or modification process. That’s why Avast FSS doesn’t detect it.

More, preparing: eicar_com.zip downloaded with any browser (IE, Firefox) → Avast does NOT detect the file → file is created & moved to final download folder. Perfectly normal again.

  • Open zip-file & extract eicar.com → Avast detects the file.
  • Open zip-file, rename eicar.com to eicar.com.part inside the zip-file & extract eicar.com.part → Avast does NOT detect the file.

This is once again perfectly normal & in accordance with “scan files with default extensions” setting.

But here things get interesting, preparing: Spycar_tests.zip file downloaded from http://www.testmypcsecurity.com/securitytests/spycar_suite.html → Avast does NOT detect the file. Normal… but:

  • Open zip-file & extract e.g. the IE-KillAdvancedTab.exe file → Avast detects the file.
  • Open zip-file, rename IE-KillAdvancedTab.exe to IE-KillAdvancedTab.exe.part inside the zip-file & extract IE-KillAdvancedTab.exe.part → Avast detects the file.

Whoops, what just happened?! The first detection is normal, BUT the 2nd detection of the “.part” file is NOT normal. It’s not in accordance with the “scan files with default extensions” setting. Did Avast scan the file based on its contents?? Ignoring the “unfamiliar” extension of the file?? Why did Avast decide to do this with this file BUT NOT with the eicar.com.part file??

Now, the last example (WinXP 32bit running Avast 8.0.1497):

  • Download the eicar.com file with Firefox → Avast detects the file AFTER it was renamed & moved to final download folder.

Check the attached image. Why doesn’t this happen in Win8.1.1 x64 with Avast 2014.9.0.2018?? Was something changed?

What baffles me the most is that sometimes files are scanned based on contents even though it should not happen according to settings.

And finally, still open, is there a problem in some cases with the “Optimize scanning during file copy option” setting ON?

It would be very nice if somebody from Avast could post their thoughts about these things. Thanks.
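The create-versus-rename gap described in the post above can be reproduced with a small model of an on-write scanner. This is an added example, not part of the original thread and not Avast's code; the extension list, the marker bytes, the paths and all names are assumptions made for illustration.

```python
import os

# Constructed model of an extension-filtered on-write scanner.
DEFAULT_EXTS = {".com", ".exe", ".dll", ".scr"}   # assumed "default extensions"
MARKER = b"CONSTRUCTED-TEST-MARKER"               # stand-in for a test signature


class OnWriteScanner:
    def __init__(self, scan_on_rename):
        self.scan_on_rename = scan_on_rename
        self.files = {}    # path -> bytes, an in-memory file system
        self.alerts = []   # (event, path) for every detection

    def _scan(self, path, event):
        # Content is only inspected when the final extension is on the list.
        ext = os.path.splitext(path)[1].lower()
        if ext in DEFAULT_EXTS and MARKER in self.files[path]:
            self.alerts.append((event, path))

    def write(self, path, data):
        self.files[path] = data
        self._scan(path, "write")

    def rename(self, old, new):
        # A rename/move changes the name, not the content, so a scanner that
        # hooks only create/modify never looks at the file again.
        self.files[new] = self.files.pop(old)
        if self.scan_on_rename:
            self._scan(new, "rename")


def download_direct(scanner):
    # Browser that creates the file under its final name.
    scanner.write("downloads/sample.com", MARKER)


def download_via_part(scanner):
    # Browser that writes "<name>.part" first and renames when complete.
    scanner.write("temp/sample.com.part", MARKER)
    scanner.rename("temp/sample.com.part", "downloads/sample.com")


def run(flow, scan_on_rename):
    scanner = OnWriteScanner(scan_on_rename)
    flow(scanner)
    return scanner.alerts


if __name__ == "__main__":
    print(run(download_direct, False))    # detected at write time
    print(run(download_via_part, False))  # nothing detected
    print(run(download_via_part, True))   # detected when renamed
```

In this model the missed detection disappears once the rename event re-evaluates the new name against the extension list, which matches the behaviour the post reports for the WinXP / Avast 8.0.1497 case.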

Hello?! Is anybody out there?

There’s your answer. Point is moot on a 64-bit OS as it can’t run a 16-bit file; it has no 16-bit subsystem on which to run it. No support for that. Suggest redoing the avast! install (clean install) and seeing if your issue goes away.

Aargh! You again! You’re wrong again. You obviously do NOT understand the technical side of this issue/topic and you just spew more and more false information. Please, no more. Your blind faith and fanboyism is so obvious here that it’s rather sad… and nerve-racking to me. Could you please refrain from posting here? Please?

IF you had read AND understood my latest post which describes the problems, you would not have posted that message you just did.

http://www.screencast-o-matic.com/screenshots/u/Lh/1404738393338-43507.png

Running Windows 8.1 64 bit and avast! Free v.2014.9.0.2021

Hi Bob, what does that have to do with this topic? I’m not talking about the “web shield”. The problems are with the “file system shield” (and using only that shield).

I’ve to say that I’m dumbfounded that nobody seems to care… nor understand. There’s obviously an anomaly in how the File System Shield works with the “Scan when writing → scan files with default extensions” default setting. Nobody cares. I’m very close to leaving Avast for good (have been using since, I can’t remember exactly, version 4.x?) because of this lack of Avast support (+other Avast problems).

The file never made it to the file shield. It was blocked before it ever got to my computer.
Proactive is certainly a lot better than after the fact.

Bob, your posts are off-topic. Sorry. This topic is NOT about protection in general. I repeat:

Neither you nor anybody else is interested that one of the protection layers does something odd which is against what the shield is set out to do?! In an AV-product!! I’m losing my faith here… about Avast, about other users here in the forum.

Edit: I have somehow missed reading several pages of this thread, having read only to the bottom of the first page, so the information I posted before here was kind of off topic. I apologize.

If you are able to get a file on disk that’s known malware, even though Avast is supposed to be able to detect it, then you are right for posting it as an issue here.

That said, there is the capability to schedule thorough scans for a reason…

-Noel

I just can’t believe the protectionism and fanboyism here. Your post is too off-topic. Jesus Christ, this is frustrating. In general this forum seems to run in a certain way: Avast doesn’t answer, and loyal fans drive the OP insane.

ALL, READ THIS POST CAREFULLY: an anomaly how the File System Shield works with the “Scan when writing → scan files with default extensions” default setting

Though I think that it’s a moot point since people either do not read it, or don’t understand it at all. This is really uncanny. Usually people (end users & product team) are interested in possible faults in the product. I’m reporting bugs/etc. with lots of programs/services and this is easily the most “not caring” community that I’ve EVER seen during these ~15 years that I’ve been doing this (for the benefit of me, and others).

EDIT: Ok, Noel, thanks for notifying.

I have amended my post, not having seen that there were multiple pages to this thread.

-Noel

Your post has been reported to the Mods; that’s as much as I can do to get your concern noticed.

Ok… I guess? I’m not sure whether you’re being really helpful (if you are, thanks!)… or doing something else… since the reporting is to “inform the moderators and administrators of an abusive or wrongly posted message” and I don’t think that would help the issue here getting noticed.

That depends on who and how the topic is reported.
In this case, it’s to draw attention to the topic and hopefully get some input from the folks you’re trying to reach. :slight_smile:

Ok, MILLION thanks for the clarification & the help!