I placed an EICAR antivirus test file (test code saved as a Notepad file) in one of the folders on my PC. I first scanned the system with the ‘Full system scan’ option of avast, but unfortunately it doesn’t detect the file as a ‘threat’.
When I scan the system with the ‘Select folder to scan’ option, avast detects it as a ‘threat’.
See this extract from the avast help file on the Full System Scan (I have highlighted the relevant parts):
Full System Scan - This performs a more detailed scan of all your computer's hard disks and by default, [b]all files are scanned according to their content[/b], in other words, avast! looks inside every file [b]to determine what type of file it is and whether it should be scanned[/b]. The whole file is tested, not just those parts of the file at the beginning or at the end where infections are normally found.
From this only files that present a risk, e.g. are executable, or targets for infection, etc. (a text file is effectively inert) so for those files considered at risk the complete file is scanned not just a small part of it.
There are fewer variables you can change in this scan, e.g. its sensitivity, etc., as it is a pre-defined scan. The Select Folder scan offers a few more variables, most notably the Scan, File Types (Scan all file types is the default), and the Sensitivity can be increased. It is this first setting, Scan all file types, that will pick up the eicar.txt file.
As I said only files that present a risk are scanned:
From this only files that present a risk, e.g. are executable, or targets for infection, etc. (a text file is effectively inert) so for those files considered at risk the complete file is scanned not just a small part of it.
So to me, to scan anything else is a waste of time and processing effort; to you that might not be the case. I go even further: I only do a Quick scan once a week and very occasionally a Full scan (normally to use it as an example in the forums), and that scans even less. Essentially it still scans only those files that present a risk, as that is what the other resident (on-access) elements of the antivirus are also looking out for.
You can use the Custom Scan button and set even more variables if you want to get into downright paranoid scan mode.
So there are more options than you can shake a stick at, it is up to you to choose what is best for you.
I have copied the string from the EICAR test file to RAM. Shouldn't avast 5 scan the RAM also, to notice there is a virus string?
Or does avast 5 only notice that virus if I scan the EICAR test file (X5O!P%@AP[4\PZ…) directly?
Or in other words: how do I have to set up my avast to scan the RAM continuously?
“Scan RAM continuously”? I’m not completely sure how you imagine it might work, but it’s basically impossible (and if it weren’t, it would slow down your machine incredibly).
Hello Igor,
So, if I understand you well, a virus could not be discovered by avast if the string is only in RAM memory. But couldn't any virus infect my system when it runs in RAM memory? So, for my understanding, any virus needs to have access to RAM to “work”.
If I copy the content of the infected file to RAM (in this special case the content of the EICAR test file), avast has to notice that and has to alarm.
Thank you for explaining this to me, for a better understanding!
I did not say that. Sure, memory can be scanned, by avast! as well - I just don’t know how to scan memory continuously.
If it runs, as you write, you’re already infected. The virus has to get into the memory from somewhere in the first place - and the sources (e.g. files) are scanned by avast!, so scanning memory should not be necessary.
Not really. First, “copying into RAM” doesn’t necessarily mean “execution”. avast! distinguishes between scanning files “on execute” and “on open” (you can configure it in the File System Shield settings). While the first one is certainly very important because it prevents malware from being executed, the second one - simply reading the data into memory, e.g. to view them in Notepad - is just a waste of time (read: “slows down the computer without any significant security improvement”). Second, it doesn’t really matter whether the source of the “copy” (i.e. the file, for example) or the target (the RAM, as you say) is scanned - so it’s the first one, because the latter would be technically rather hard to do.
Third, Eicar is not a good test file in this respect - it’s supposed to be a file, and if you read the exact specification on eicar.org, you’ll find out that this signature has to be in the very beginning of the file - otherwise it should not be detected. So, Eicar would not be detected during a memory scan even when other (real) malware would - because its specification says it shouldn’t be.
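
The position rule from the EICAR specification mentioned in the last reply, as an added example that is not part of the thread or of avast!'s code. `PLACEHOLDER_SIG` is a constructed stand-in for the real 68-byte test string, and the trailing-whitespace and 128-byte limits are taken from the specification on eicar.org.

```python
# Constructed stand-in for the 68-byte EICAR string (the real one is on eicar.org).
PLACEHOLDER_SIG = b"CONSTRUCTED-PLACEHOLDER-SIGNATURE"
# Trailing bytes the EICAR specification permits: space, tab, LF, CR, Ctrl-Z.
ALLOWED_TRAILING = b" \t\n\r\x1a"
MAX_TOTAL_LEN = 128  # spec limit on signature plus trailing whitespace


def spec_match(data: bytes, sig: bytes = PLACEHOLDER_SIG) -> bool:
    """Detect only when the data starts with the signature, as the spec requires."""
    if not data.startswith(sig) or len(data) > MAX_TOTAL_LEN:
        return False
    # Anything after the signature must be permitted whitespace only.
    return all(b in ALLOWED_TRAILING for b in data[len(sig):])


def naive_match(data: bytes, sig: bytes = PLACEHOLDER_SIG) -> bool:
    """Substring search anywhere in the buffer (the behaviour the question expects)."""
    return sig in data


def compare(samples: dict) -> dict:
    """Return {name: (spec_result, naive_result)} for each sample buffer."""
    return {name: (spec_match(buf), naive_match(buf)) for name, buf in samples.items()}


# Constructed sample buffers, not captured from a real system.
SAMPLES = {
    "file, signature only": PLACEHOLDER_SIG,
    "file, trailing CRLF": PLACEHOLDER_SIG + b"\r\n",
    "file, text before signature": b"note: " + PLACEHOLDER_SIG,
    "file, extra text after": PLACEHOLDER_SIG + b" hello",
    "memory region holding a copy": b"\x00" * 64 + PLACEHOLDER_SIG + b"\x00" * 64,
}

if __name__ == "__main__":
    for name, (spec, naive) in compare(SAMPLES).items():
        print(f"{name:32} spec={spec!s:5} naive={naive}")
```

Only the first two buffers satisfy the specification; the memory-region buffer contains the string but does not begin with it, so a spec-conforming scanner reports nothing there.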