I’m testing out Avast 4.63 for the first time. I’ve been using AVG which I find great but thought I would try another for fun. I have found that if you remove all the lame skins that the memory use is much lower than AVG which is nice. But I’ve run across what seems to be a serious problem. I know the scanning is working as I downloaded the eicar virus to several different places and whenever I open the folder containing the virus it detects it. However I decided to download it to my linux box which I have shared through SAMBA. After I downloaded the virus, I then went to Explorer and opened \tambu\tambu and the folder came up with the virus but it never scanned it. I even enabled those annoying popups that show every file being scanned and nothing gets scanned from a windows share. But wait it gets weirder… If I rename the file to eicar2.com instead of eicar.com AVAST actually scans the file but doesn’t detect anything!!! I’m like baffled. If I copy the file from my linux share to my windows share Avast detects the virus, and if I force scan the file on the linux share it detects the virus. The really scary thing… I can execute the file without Avast detecting the virus. Could someone please tell me what the heck is going on? I’ve looked over all the options several times and I can’t find any reason for this. I hate to be a killjoy but this is a killer point for me: if Avast doesn’t scan networks I will have to go back to AVG.
I currently have P2P Shield, Network Shield, Internet Mail, Standard Shield all running. They are all set to Normal. I tried High but this didn’t detect them either.
I also have all the latest updates. Please let me know if I have missed something obvious but I’ve also put the eicar.com file on my brother’s Windows machine and go to it via Windows sharing and again Avast doesn’t detect the virus. (I had to disable his Norton antivirus since it kept detecting it.)
Yeah, this is because the avast service runs under the “LocalSystem” account which has full access to all local resources but no access to the network. This can be easily changed. Go to Control Panel → Administrative Tools → Services, open the properties of the “avast antivirus” service, and on the Log On tab, enter an account that has:
- local administrative rights
- at least read-only access to the network resources
This will definitely solve the problem.
BTW if you look at the avast log files, you’ll see that an error was logged for each attempt to access a network file, with error code 5 (Access Denied).
I did what you suggested and changed the services to my Account that I login as Tambu and then restarted the services but it still doesn’t detect the network virus. Also I went under my log viewer for Avast and where you said it should be showing Errors its blank/empty. I even went and changed the logging to Debug and nothing shows up anywhere but on Warnings (for when I manually scanned the virus file) Notice and Info which contained nothing important. My Tambu user is the Computer Administrator and is the account I login to the linux shares with.
Also I went over to my brother’s machine and I opened up the linux share (he runs NAV2004). It didn’t scan the file when I opened the directory but when I tried to run the eicar.com file it instantly found the virus and erased it. Whereas Avast let me run the infected file. I checked under Task Manager and NAV is running as Local Service.
From what you’re telling me, it looks like my Avast is just flat out not scanning the files since nothing shows up in the log.
I am gonna try uninstalling and reinstalling AVAST but I don’t see how this would help.
Thanks for your input I would appreciate any further thoughts.
Uninstalling/reinstalling won’t help, since avast isn’t broken.
Are you sure you made the correct changes as Vlk suggested?
You need to set the login permission in services to an account that has administrator rights on the Windows systems, not to the account you use to log in to your Linux box.
Strange really. I’ve just retested here on our network and it worked just fine (both on-exec and on-copy)…
What about Windows shares - does avast see viruses on those?
Ok I refollowed the directions and used Administrator as the “Log On As” type for all the Avast programs. I then went and executed the eicar.com file off my linux share and it executed without detecting a virus. I should also note that I activated the popup virus scans on the Standard Shield and it shows Avast as scanning the file and ignoring the virus in it. I appreciate your responses and would ask for more instructions.
As to the second question Yes I can execute the virus off a windows share as well as a linux share.
To show you that I’m not a raving loon I’ve included several screenshots. The first screenshot will show: the Computer Management\Services screen with all AVAST set to Administrator, also the Task Manager with all AVAST running as Administrator, It shows the AVAST Popups showing that z:\test\eicar.com is SCANNED and ignored. I even managed to catch the dos screen with the EICAR virus executing and printing out its warning. Hopefully this may help you guys figure out the problem.
I hope these help you guys figure out the problem or tell me what I’m doing wrong. I do a lot of network sharing and if I can’t get Avast to scan files properly I can’t possibly use it.
Also if AVAST must be running as Administrator to scan network files, why doesn’t norton? My brother’s computer has Nav2004 and although it doesn’t scan the files when I enter the directory it does prevent the eicar.com file from executing and tells me its a virus. Please don’t take this as a flame thing I personally hate norton but I’m just trying to understand. To me network scanning is a requirement and it seems odd that you would not make Avast run as administrator to begin with if its required.
Hi Tambu, first thanks for the screenshots, they were very helpful.
One thing I noticed is that you changed the service log on info to the account “.\Administrator” but you’re actually logged on as user “Tambu”. Are you sure the user Administrator has access to the network shares? (Tambu presumably does as you have the network share open in one of the Explorer windows :)).
So, provided Tambu has local admin rights, I’d suggest changing the log on account for the service to .\Tambu instead of .\Administrator. Please note that you have to change only the “avast Antivirus” service, the rest will be fine with LocalSystem. Let’s see if it makes any difference.
Also if AVAST must be running as Administrator to scan network files, why doesn't norton? My brother's computer has Nav2004 and although it doesn't scan the files when I enter the directory it does prevent the eicar.com file from executing and tells me its a virus. Please don't take this as a flame thing I personally hate norton but I'm just trying to understand. To me network scanning is a requirement and it seems odd that you would not make Avast run as administrator to begin with if its required.
Good question. The reason is not very hard to deduce, actually. Norton (starting with version 2003 I believe) moved its on-access scanning engine to kernel mode (runs inside the kernel-mode file system filter driver). Thus, it can access the file in context of the process that made the original request (which is quite good). However, that’s probably the only advantage of this approach (maybe together with a slight performance gain). There are a number of cons, though. For example:
- kernel-mode code is quite fragile, in the sense that every bug usually causes a blue screen
- there’s no chance of using 3rd party libraries e.g. for unpacking (forget complicated unpackers like RAR, 7ZIP or AsProtect)
I have already done the log on user as ./Tambu when you originally said to use a user that has rights. I changed it to Administrator per Eddy’s request since he didn’t believe Tambu had sufficient rights. Tambu is a Computer Administrator User and has access to all the files. Also Administrator would also have access since these are open shares. So I believe I’ve done everything suggested. Is there another option I can try?
Ok I added COM to the list of extensions scanned on open. (I also did .COM as it’s not clear if you’re supposed to include the .) Either way Avast still opens the eicar.com file without finding the virus.
Here is the requested warning.log, Please note that where it says it found the virus was either when I manually scanned the file or when I tried to copy the file to my desktop.
2/21/2005 4:54:08 PM 1109026448 Tambu 3692 Sign of “EICAR Test-NOT virus!!” has been found in “Z:\eicar.txt” file.
2/21/2005 4:56:41 PM 1109026601 Tambu 3072 Sign of “EICAR Test-NOT virus!!” has been found in “C:\Documents and Settings\Tambu\Desktop\eicar.txt” file.
2/21/2005 4:56:56 PM 1109026616 SYSTEM 1752 Sign of “EICAR Test-NOT virus!!” has been found in “C:\Documents and Settings\Tambu\Desktop\eicar.com” file.
2/21/2005 5:04:42 PM 1109027082 SYSTEM 1752 Sign of “EICAR Test-NOT virus!!” has been found in “C:\DOCUME~1\TAMBU\DESKTOP\EICAR.COM” file.
2/21/2005 5:04:50 PM 1109027090 SYSTEM 1752 Sign of “EICAR Test-NOT virus!!” has been found in “C:\DOCUME~1\TAMBU\DESKTOP\EICAR.COM” file.
2/21/2005 5:04:57 PM 1109027097 SYSTEM 1752 Sign of “EICAR Test-NOT virus!!” has been found in “C:\DOCUME~1\TAMBU\DESKTOP\EICAR.COM” file.
2/21/2005 5:04:59 PM 1109027099 SYSTEM 1752 Sign of “EICAR Test-NOT virus!!” has been found in “C:\DOCUME~1\TAMBU\DESKTOP\EICAR.COM” file.
2/21/2005 5:07:31 PM 1109027251 SYSTEM 1752 Sign of “EICAR Test-NOT virus!!” has been found in “C:\RECYCLER\S-1-5-21-1957994488-1532298954-725345543-1003\Dc46.com” file.
2/22/2005 7:14:25 AM 1109078065 SYSTEM 1752 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp (E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp) returning error, 0000A48F.
2/22/2005 7:15:14 AM 1109078114 SYSTEM 1752 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp (E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp) returning error, 0000A48F.
2/22/2005 7:15:54 AM 1109078154 SYSTEM 1752 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp (E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp) returning error, 0000A48F.
2/22/2005 7:17:28 AM 1109078248 SYSTEM 1752 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp (E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp) returning error, 0000A48F.
2/22/2005 7:18:20 AM 1109078300 SYSTEM 1752 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp (E:\P2P\Downloads\Temp\WIN95.ISO.55MFM2RI6P5HAIFJMZZLF7N3S5ARZAARFE32XBI.dctmp) returning error, 0000A48F.
2/22/2005 7:30:24 AM 1109079024 SYSTEM 1752 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\P2P\Downloads\Temp\Fade Image.fla.A27SX7QDYZCC4ZWDTXOCD7FNRP7KUGEY64QLHYY.dctmp (E:\P2P\Downloads\Temp\Fade Image.fla.A27SX7QDYZCC4ZWDTXOCD7FNRP7KUGEY64QLHYY.dctmp) returning error, 0000A477.
2/22/2005 7:07:43 PM 1109120863 Administrator 3216 Sign of “EICAR Test-NOT virus!!” has been found in “C:\Documents and Settings\Tambu\Desktop\eicar.com” file.
2/22/2005 7:12:17 PM 1109121137 SYSTEM 3752 Sign of “EICAR Test-NOT virus!!” has been found in “C:\RECYCLER\S-1-5-21-1957994488-1532298954-725345543-1003\Dc56.com” file.
2/22/2005 7:44:56 PM 1109123096 SYSTEM 3752 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\P2P\Downloads\Temp\Booting_CD_Windows_95,98,ME,2000,XP.ISO.QVRKOF4CARMXXW5HYUHE7KBYLMZCZOL6NNIWPZQ.dctmp (E:\P2P\Downloads\Temp\Booting_CD_Windows_95,98,ME,2000,XP.ISO.QVRKOF4CARMXXW5HYUHE7KBYLMZCZOL6NNIWPZQ.dctmp) returning error, 0000A48F.
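A small triage script for the warning.log lines quoted above, added here as an example (it is not part of the original thread and not an avast tool): it counts detections per account and per local or network path, and tallies scan error codes so that the code 5 (Access Denied) mentioned earlier in the thread can be looked for. The field layout, treating Z: as the mapped share, and reading the error value as hexadecimal are assumptions.

```python
import re
from collections import Counter

# Field layout inferred from the lines quoted above (an assumption):
# date time AM/PM, epoch seconds, account, numeric id, message.
LINE = re.compile(r'^(\S+ \S+ [AP]M) (\d+) (\S+) (\d+) (.*)$')
HIT = re.compile(r'Sign of [“"](.+?)[”"] has been found in [“"](.+?)[”"] file')
ERR = re.compile(r'scanning warning: .*returning error, ([0-9A-Fa-f]+)\.?$')

# Excerpt of the warning.log lines posted in the thread.
SAMPLE = r'''
2/21/2005 4:54:08 PM 1109026448 Tambu 3692 Sign of “EICAR Test-NOT virus!!” has been found in “Z:\eicar.txt” file.
2/21/2005 4:56:56 PM 1109026616 SYSTEM 1752 Sign of “EICAR Test-NOT virus!!” has been found in “C:\Documents and Settings\Tambu\Desktop\eicar.com” file.
2/22/2005 7:30:24 AM 1109079024 SYSTEM 1752 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\P2P\Downloads\Temp\Fade Image.fla.A27SX7QDYZCC4ZWDTXOCD7FNRP7KUGEY64QLHYY.dctmp (E:\P2P\Downloads\Temp\Fade Image.fla.A27SX7QDYZCC4ZWDTXOCD7FNRP7KUGEY64QLHYY.dctmp) returning error, 0000A477.
2/22/2005 7:07:43 PM 1109120863 Administrator 3216 Sign of “EICAR Test-NOT virus!!” has been found in “C:\Documents and Settings\Tambu\Desktop\eicar.com” file.
'''

def summarize(log_text, network_drives=("Z",)):
    """Count detections per (account, local/network) and scan errors per code."""
    hits, errors = Counter(), Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        account, message = m.group(3), m.group(5)
        hit = HIT.search(message)
        if hit:
            path = hit.group(2)
            mapped = path[1:2] == ":" and path[0].upper() in network_drives
            remote = path.startswith("\\\\") or mapped
            hits[(account, "network" if remote else "local")] += 1
            continue
        err = ERR.search(message)
        if err:
            # Assumption: the logged value is hexadecimal.
            errors[int(err.group(1), 16)] += 1
    return hits, errors

def service_saw_network(hits, service_account="SYSTEM"):
    """True if the service account ever reported a hit on a network path."""
    return hits[(service_account, "network")] > 0

if __name__ == "__main__":
    hits, errors = summarize(SAMPLE)
    for key, n in sorted(hits.items()):
        print(key, n)
    print("service account hits on share:", service_saw_network(hits))
    print("access-denied (code 5) scan errors:", errors[5])
```
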
Ok I decided to test to see if Avast would work any different on a different computer. I loaded the latest version as of 2/24/05 onto my laptop. I tested to see if it would find the eicar.com virus in my linux or windows share.
When opening the directory with eicar.com inside = Not Detected (though NAV or AVG doesn’t either)
When opening the actual eicar.com file = AVAST fails to detect the virus and opens the file.
When copying the file from a Linux Share to another directory on the Linux Share = Avast doesn’t find the virus.
When copying the file from Linux Share to Windows Share = AVAST finds the VIRUS
I would still love to use this program I like many of the features it has over other free based scanners but I must get it to scan network files.
OK, let’s do an experiment.
Please follow these steps:
1. Kill all running avast components - namely: ashDisp.exe, ashServ.exe, ashMaiSv.exe and ashWebSv.exe (and also Outlook.exe if you’re using Outlook - because of the avast plugin).
2. Download http://www2.asw.cz/misc/aavm4h.zip and extract its contents to the avast folder. It should be possible to overwrite the existing version of Aavm4h.dll thanks to step 1.
3. Restart avast, i.e. from Control Panel → Administrative Tools → Services start the “avast! Antivirus” service, and also run ashDisp.exe by directly executing it from the avast folder.
Here is the log output as requested… not sure what the .dll is for but I don’t think it… or the logger is very stable it locked up my machine the first time I tried your suggestions. I ran the eicar.com file several times (without detection) and then I copied the file to my desktop (which did detect it.)
Thanks for the post but I’d probably need you to do the test once more :-
The thing is - I don’t see the files I need here (namely, \tambu… files) which may be caused by the fact that they were placed in the “virus-free” cache before…
Did you do steps 4 and 5 in this order? That is, didn’t you simulate the problem before starting DebugView?
How odd. I did do the steps in order for some reason I didn’t get it in the log. Perhaps I didn’t scroll down enough when I copied the text. I’ve redone the test. I executed the eicar.com file several times without it being detected and then I attempted to copy it to my desktop which it was detected.