Eicar test

The site linked to below is NOT a malware page; user action is required after opening the web page to activate the virus test.
I have just run the tests from http://www.eicar.org/anti_virus_test_file.htm. There are four different formats x 2 types of protocol, http and https.
In all the http tests, Avast (Home4.7892) blocked the pages from loading, and announced why with blue and yellow dialogue boxes. Nice, very good.
But running the same tests through https, no. 1 was detected, moved to chest. 2 (a text file) wasn’t detected and displayed on the web page. 3 and 4 (zipped and double zipped) were only detected when commanded to open.
Why the apparent anomaly in detection/blocking? Or have I misinterpreted something?
I have web shield, internet shield, standard shield, mail shield and p2p shield on and set to high.

I am at a machine with Kaspersky 5 for Workstations now, and even by http a txt file is displayed in browser though detected, and with zips it is the same as in your situation.

It’s just for you to feel more safe. :slight_smile:

Hello Targ57 :slight_smile:

The Web Shield scans only the HTTP traffic of the browser, that’s why standard protocol http eicar files are detected. The other four samples of the eicar test, which use the secure HTTPS protocol, are not detected during download by the Web Shield, because the Web Shield simply does not scan this traffic. So when you download the four samples on your PC and do a scan with avast!, all of them will be detected :wink:

And the reason that the TXT variant of the eicar file is not detected by Web Shield is that the “text/plain” content type is in its list of scan exception (see WebShield settings → Exceptions page).

Cheers
Vlk

Ok, thanks for the answers.
Vlk, I can’t find, either in “settings” or “on access protection” the setting/exceptions page you mention. Sorry if this is dumb, how do you get to this?

I believe this is what Vlk is talking about, see image, text/css.

Yep, found that OK. I don’t see where “HTTPS” is listed as an exclusion, though. (I have no exclusions listed in the upper window, same as the one pictured.)

Https isn’t a file type, it is a protocol, and it doesn’t need to be listed because the Web Shield can’t and doesn’t monitor encrypted traffic. You will see in the same Web Shield, Basic tab, that the Redirected HTTP port(s) is port 80; there is nothing about https traffic.

And by the way, why isn’t https scanned? It looks like vulnerability… :frowning:

The whole point of HTTPS is that it prevents “man-in-the-middle” attacks. Web Shield (or any other AV filter) works as a man-in-the-middle, hence it can’t operate correctly with HTTPS.

Remember that HTTPS communication is encrypted.

And by the way, why isn't https scanned? It looks like vulnerability..

I am amazed that this question can be asked by anyone.

https or to be exact Secure http is the reason that any business can be conducted on the Internet. It is the way that your bank allows you to connect to your account. It is the way your credit card company allows you to connect your account. It is the way your credit card company allows you to make purchases over the Internet.

Would you want any other function to be able to intercept and record the information in secure http connections of yours?

The day avast (or any other function) can scan https traffic is the start of the end of the Internet.

Mmm. I won’t say that.

If good guys are good, that doesn’t mean that bad guys are that merciful. I am faaaar from blaming avast developers, but I have to say that when the situation is like this, any malware script is free to be executed if the page is viewed through https.

For my research I recently visited the site of New York Times. The resident of Spybot (not reliable, of course, but just for example) blocked two malware downloads (in his opinion). If I were a registered user, I would have had to login (maybe) via https, but the malware downloaded would have been the same…

And just for you, alanrf, to have the info: :slight_smile: the end of the Internet you spoke of has already had its start. Kaspersky 6.0 scans https traffic now. :slight_smile: Why Kaspersky as an example? Because I know only two antiviruses where a Web antivirus is used - Kaspersky and avast!..

Well, I’d put it this way: WebShield is a HTTP scanner. Because of that:

  1. it works with any browser, because it doesn’t care who made the request - it scans the HTTP stream
  2. it doesn’t work with HTTPS - because the stream is encrypted

If the scanner didn’t work like a HTTP proxy, but rather as a “browser plugin” (for browsers that support plugins and make it possible for a plugin to receive and block/modify the data before processing them further), then yes, scanning HTTPS might be possible - but the scanner would heavily depend on a particular browser and wouldn’t work in any other (basically like a ScriptBlocker does… though it’s an even bigger hack ;)).

By the way, NickGolovo, how did you find out that Kaspersky scans HTTPS traffic?

Actually, I doubt that - see e.g. this post on their support forum (note that the answer is pretty much the same as the one posted here above): http://forum.kaspersky.com/index.php?showtopic=8757

Cheers
Vlk
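To make concrete what Vlk describes in the two posts above (a Web Shield that scans the HTTP stream as a proxy, skips the text/plain exception, looks inside zipped and double-zipped downloads, and can do nothing with an encrypted HTTPS stream), here is a small added example written for this thread; it is not avast! code. The signature string, the header parser and the sample responses are all constructed stand-ins, and the EICAR string itself is replaced by a made-up marker.

```python
import io
import zipfile

# Constructed stand-in for the EICAR signature (not the real test string).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"
# Content types the scanner passes through unscanned, like the text/plain exception in the thread.
EXCEPTIONS = {"text/plain"}
TLS_HANDSHAKE = 0x16  # first byte of a TLS record carrying a handshake (HTTPS stream)

def contains_signature(data, depth=0):
    """Look for the signature in raw bytes, descending into nested zips (at most two levels)."""
    if SIGNATURE in data:
        return True
    if depth < 2 and data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(contains_signature(zf.read(n), depth + 1) for n in zf.namelist())
    return False

def scan_stream(raw):
    """Classify one server-to-client stream the way an HTTP-proxy scanner would see it."""
    if raw and raw[0] == TLS_HANDSHAKE:
        return "not-inspectable"  # encrypted: the proxy sees neither headers nor body
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode()] = v.strip().decode()
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in EXCEPTIONS:
        return "skipped"  # delivered to the browser unscanned, like the txt variant
    return "blocked" if contains_signature(body) else "clean"

def make_zip(name, data):
    """Build an in-memory zip holding one file (used to construct the zip and double-zip samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def http_response(ctype, body):
    """Construct a minimal HTTP/1.1 response carrying the given body."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype.encode() +
            b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

if __name__ == "__main__":
    samples = [
        ("com", http_response("application/octet-stream", SIGNATURE)),
        ("txt", http_response("text/plain", SIGNATURE)),
        ("zip", http_response("application/zip", make_zip("sample.com", SIGNATURE))),
        ("zip2", http_response("application/zip", make_zip("sample.zip", make_zip("sample.com", SIGNATURE)))),
        ("https", b"\x16\x03\x01\x00\x05hello"),  # constructed TLS ClientHello-style prefix
    ]
    for label, raw in samples:
        print(label, scan_stream(raw))
```

The zipped samples are only found because the proxy unpacks them itself; the txt sample is only missed because of the exception list, which is the same split the thread reports for the plain-http tests.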

Well, KAV6 indeed tries to scan the HTTPS connections, but so far it has caused lots of problems. So I don’t think it’s in any useful form so far. Probably something like integrated Stunnel and OpenSSL paired with the antivirus itself.
Can’t really think of any other thing.

Stunnel (or any other home-grown solution) would work, but ONLY IF the connection browser → AV proxy would be via HTTP, and the connection AV proxy → Web server would be over HTTPS. But that would be hardly useful (IMHO)…

Cheers
Vlk

Also, as Vlk wrote, if there is an attempt at putting a virus or trojan on our machines through an HTTPS connection at all, the resident scanner will still catch it if the files are not in the exclusion list, such as txt files.

I know that. :slight_smile:

If you understand Russian - then see here:

http://forum.kaspersky.com/index.php?showtopic=22955

If you don’t - just see the following:

http://forum.kaspersky.com/uploads/post-136-1160464374.jpg

:slight_smile: