I am aware avast IM shield scans files sent over Yahoo IM (though I am yet to see this in real life).
My question is whether IM traffic is scanned by avast. Since Yahoo messenger uses different ports 5050 etc., do all these ports get routed through 12080 and get scanned? For example, if I send the contents of the eicar test file as a message, will it be detected as a virus?
Since Yahoo Messenger is one of the supported IM programs it shouldn’t matter what the ports are and the 12080 proxy is for the Web Shield provider.
You can check the On-Access Protection Control, Detailed view, Instant Messaging and see what the Last scanned: and Scanned count: fields are; these should be constantly changing/updating.
I can’t be of more help as I don’t use IM applications.
I am fairly certain (but the avast team would have to confirm or refute) that the activity of the Instant Messaging is confined to monitoring the file activities of the executable modules of the various Instant Messaging programs.
I do not believe that avast intercepts the network activity of the IM clients at all (except in the case where they are using http transactions and have been selected for http access scanning by avast).
I suppose that you could induce the program to send a virus string as a message. However, it would be just that, a message, and not executable as such, and so unlikely to pose a threat. However, if the message containing the virus string were to be filed by the IM client (as part of a log, for example) then I hope that the IM provider would detect it at that time.
Yes. No activity shows up on IM Shield interface when using yahoo messenger. Surprisingly even file transfers don’t create any activity (but msn messenger creates some scan logs).
I tried copying the eicar test string to a yahoo IM message and it is not detected. So essentially no scan for yahoo messenger whatsoever, from the IM shield.
My only concern is that some viruses might feign as yahoo messenger and get highway access.
No, the rogue program cannot do whatever it wants… it can only do what the IM client permits you to do. Don’t get paranoid here.
It can send messages, it can transfer files, it can send images via webcam, it can make telephone calls. Remember that every file transfer will be scanned by the IM provider (I tested this just last night with Yahoo and the Windows Live Messenger clients). None of the others will allow it to execute code on your machine or the machine of the person at the other end on the IM connection.
The whole point of the IM shield is to catch files that are created on your system that could contain viruses. In the testing I have done with the IM shield any file saved by the IM client with a virus has been detected.
As you say, even if the file is somehow written with a virus then there is the backup of the standard shield to catch it should anyone or anything try to execute that file on your system.
What are the file transfers that you have done, are there any executable files in there?
You could try those file transfers and monitor the Standard Shield detailed view (same as what you did with the IM provider) and see if they are in fact scanned on creation (as Alan mentioned), e.g. when they arrive complete on your HDD.
Remember only executables will be scanned by the standard shield on creation unless you change your settings.
I was a bit surprised that you think that your Yahoo files are not scanned.
I just re-tested with Yahoo IM (latest version) and I sent an infected file from one system to another. Immediately avast on the receiving system gave a warning of the virus in the received file.