Processing of infected archives - limited options?

I’m running avast! 6.0.1367 (I had upgraded to v7, but had boot problems, so I’m back to v6) under Windows XP Pro.

Because I uninstalled and re-installed, I’m carefully checking my settings, and one thing I’m not clear on is what would happen to suspected infected archives. In the “Scan Now | Settings | Actions”, the options listed are as follows:

OPTIONS
If necessary, perform the selected action at the next system restart

Processing of infected archives:

  • Try to remove only the packed file from the archive; if it fails, do nothing
  • Try to remove only the packed file; if it fails, remove the whole containing archive
  • Always remove the whole archive

First of all, does the “If necessary, perform the selected action at the next system restart” apply to the archive choices below it, or to the “Actions” options above?

Secondly, if I want avast! to never delete a file from an archive (or the entire archive) without my explicit approval, do I simply need to tell it “do nothing” when prompted? What happens if I uncheck the box next to the “If necessary…” option? Will that keep Avast from deleting files without my approval?

Sorry if my question is convoluted, but this screen seems a bit unclear as to which option applies to which section (and when it is applied). Basically, I just want to make sure that avast! never deletes any file without my explicit approval.

After uninstalling v7 (because of the boot problems), I switched over to Microsoft Security Essentials, just to try it out, and discovered that while currently they give the user the ability to force a “do nothing” to a suspected file (though it’s not necessarily the default), supposed plans for future versions (based on reading their forums) are going to eliminate the option to do nothing, and at best will send files to quarantine (forcing the user to then add an exclusion and then move the file out of quarantine). I have no desire to give any program such control over my files, so I’m back to running avast! v6, and want to make sure I still have things set to prevent automatic deletion (or quarantine for that matter) of any file.

I think that this will answer all of your questions. Please see attached. It came from the help file.

Charyb, Thanks but I read the help file before I posted the OP, and it simply restates what is on the avast! screen. To me it is still unclear if avast! will automatically delete suspected files within an archive (and if so, how can I prevent it).

The actions setting is the action that will be taken first. If you choose ask or no action you will have the option to make the decision yourself.

You can test this by downloading eicar_com.zip from eicar.org.

With ask or no action you make the decision of how you want the virus in the archive to be handled. If you choose to do nothing, the options do not apply. If you choose to move it to the chest then the options do apply.

Avast doesn’t automatically delete anything; you have to have given instructions (in the various settings) for a delete action, as by default the action in most shields and scans is send to chest.

This is my understanding of how this is meant to work:
In this case the default action is “Try to remove only the packed file from the archive; if it fails, do nothing.” One of those three options has to be enabled, you can’t uncheck all three, so the best and safest is the default ‘first’ option.

By remove I believe this relates to your other actions selected at the end of the scan, e.g. in the Results window, you can select an action to take for All or Individual detections. If you elected to move them to the chest then that is the action taken not deletion (I think that may be why the wording is Remove rather than Delete).

So assuming you chose the 2nd option to remove the whole archive if the packed file can’t be extracted/removed from the archive, if that action failed then it would try to move the whole archive to the chest (or the action you had selected).

The “If necessary, perform the selected action at the next system restart” option would be used if the file was either in use or protected in some way; then the action selected in the scan results would be carried out on the next boot.

Thanks!

BTW, you mention “ask or no action”, yet I only see “no action” in the sections I mentioned above. Is the “ask” option available elsewhere, or was this the term used in another version of the program (not really a critical issue, but I was wondering if I was missing something)?

P.S. I tried downloading eicar_com.zip but it’s being blocked ATM. This may be because MSE is still installed (I haven’t rebooted since re-installing avast! v6), so I’ll have to try it later. But I did test a known false-positive archive I have and I see that the ‘do nothing’ option is still available.

Thanks again.

DavidR, This differs from what is stated in the help file:

(emphasis added by me on both quotes)

Is the help file out-of-date, or are you mistaken, or has this changed with v7 (which I’m guessing you are probably using)?

Muad’Dib, David refers to on-demand scans (actions taken at the end by default). On-access (resident) scanning sends the file to the Chest (by default).

Gotcha, thanks!

I had all these set up with my original v4, 5 & 6. If I hadn’t updated to v7 and then had to uninstall everything, I probably would have had the settings already how I wanted them. Well, it doesn’t hurt to relearn a few things!