I had been a long-time user of AVG; however, after reading some positive reviews of Avast, I decided to give it a go.
On the whole I’m very pleased with it; however, I have one concern.
On the 31st Jan I received an e-mail claiming to be from The Guardian asking for my approval on a photograph they wanted to use. Attached was a zip file which contained an exe called Photo And Article.exe. The Avast provider screen appeared as Outlook loaded so I assumed it was protecting me.
Naturally I was wary of the exe and haven’t run it, as I assumed it was a virus. I thought I’d run the file through an online scanner just to check, and it did find a virus in it. I then used the Avast shell extension to test, and Avast too found a virus in it. So why didn’t it find it in the e-mail?
I decided to forward the e-mail to myself. I temporarily turned off the provider, forwarded the e-mail and resumed the provider again. When the e-mail came in this time, Avast immediately warned me of a virus and offered me the choice of moving it to a safe place etc.
Could it simply be that this particular virus wasn’t in my definitions the first time around? Avast has now detected it as: Photo and Article.exe (Win32:Breplibot-O [Trj]) was deleted from the message.
I haven’t heard of anything like this in the forums, but I could have missed it as I’m not an MS Outlook user.
Possibly it was a recent inclusion; you could check using the VPS History page: avast! VPS Updates History
You are right to be suspicious of such emails using social engineering to make you curious enough to open the attachment. Outlook uses the same virus signatures so if it is picked up by say standard shield it should be picked up by the Outlook/Exchange plug-in unless it was somehow unable to scan, although I can’t see why that would be.
Yes, that virus definition was recently added as can be seen at the link below. This is why it was detected when you later forwarded the email to yourself.
This is an IRC-controlled backdoor trojan that allows unauthorized access to an affected machine. When executed, it copies itself to %System%\smszac32.exe and modifies the registry to ensure that it is run at each Windows start.
BTW: I remember a case where I received an e-mail which contained an infected file sometime late in 2005. The file extension was pdf.exe. It slipped through the internet mail provider. I scanned the attachment manually with another scanner and it detected the virus immediately. (Both avast and the second scanner had the latest updates.)
These cases show why (the improvement of) reaction time on new threats is so important. (I addressed this issue in one of my previous posts.)
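The persistence described above (a copy dropped as %System%\smszac32.exe plus a registry autorun entry) can be checked for on a suspect machine. The script below is an added example, not code from the thread or from Avast; the thread does not name the registry value the trojan writes, so the script assumes the usual Run/RunOnce keys and flags any entry whose command references that file name.

```powershell
# Added example (not from the original thread): hunt for the persistence the post
# describes. The post says the trojan copies itself to %System%\smszac32.exe and
# "modifies the registry to ensure that it is run at each Windows start"; the exact
# value name is not given, so the autorun keys below are an assumption.

$Indicator = 'smszac32.exe'
$SystemDir = [Environment]::GetFolderPath('System')   # expands %System%

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Find-AutorunIndicator {
    param([string]$Name, [string[]]$Keys)
    $hits = @()
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            if ("$($p.Value)" -match [regex]::Escape($Name)) {
                $hits += [pscustomobject]@{ Key = $key; ValueName = $p.Name; Command = $p.Value }
            }
        }
    }
    return $hits
}

# 1. Is the dropped copy present on disk? Record its hash for the incident notes.
$dropped = Join-Path $SystemDir $Indicator
if (Test-Path $dropped) {
    $h = Get-FileHash -Path $dropped -Algorithm SHA256
    Write-Output "File present: $dropped  SHA256=$($h.Hash)"
} else {
    Write-Output "File not present: $dropped"
}

# 2. Does any autorun entry reference it?
$hits = Find-AutorunIndicator -Name $Indicator -Keys $RunKeys
if (@($hits).Count -eq 0) {
    Write-Output 'No autorun entries reference the indicator.'
} else {
    $hits | Format-Table -AutoSize
}
```

A hit in either check should be treated as a compromised host and handled with the usual isolation and reimaging steps rather than by deleting the one file, since the backdoor may have pulled down other components over IRC.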