Question about webshield

Viruses and worms
1

Hello guys!

About webshield:

In the web filter, if I create the following string: “*.scr”, should it block the download of all files with exetension “.scr”?

I tried it, with no success, the files could be downloaded without any problem…

Thanks for your time,

Elminster

2

Well I have .pif in my URL Blocking so the syntax is correct (.scr) without the quotes. So I would have thought it would work, but it would also depend on how it is downloaded, http or ftp, https, and if it was in a zip/rar archive, etc.

However, reading another thread about blocking chm files one of the Alwil team said blocking is done on what the file is rather than simply what its extension is. So how are you testing the the URL blocking of .scr files ?

3

WebShield will ‘scan’ the files and it’s not the best application to ‘block’ the donwload.
Why don’t you try a Download Manager that redirects all files to a scanner?

4

Hello!

I dont like the idea to redirect the file to a scanner, because the scanner may fail the detection (sorry to say, but if its a trojan banker and the scanner is avast it will problaby happen). Trojan bankers are the main problem here in Brazil, and they always follow the same logic, same group of server, etc.

So for exemple:

the link above is not working anymore, but I removed the active link anyway…

h ttp://correioelegante.sytes.net:8090/msgmaker.exe

Its a trojan banker…

If in my webshield blocker, I write something like “*.exe” (without quotes), I thought it could prevent the download of all exe files in my machine… Wich never happened… Even with the *.exe, all exe files could be downloaded without any problem… Nor even if I put like that “correioelegante.sytes” (without quotes) it will not prevent te download… [:(]

Is it normal to happen?

Thanks for your time,

Elminster

5

No, your WebShield seems messed and it’s not working if the exe file is sent by HTML protocol…

6

I will try to install avast again later and test again…

Here what happens:

If I block “google”, it works fine when I type “http://www.google.com”… It gets blocked by Avast… No problem at all

But if I block “*.exe” as I said, when I click the link to download the malware, a new web page opens search for the link and when it finds it, it close and opens the form of the download… Asking me to Execute, save as, cancel, etc… The normal download form of IE. As it would happen with a normal download…

[:(]

7
But if I block "*.exe" as I said, when I click the link to download the malware, a new web page opens search for the link and when it finds it, it close and opens the form of the download... Asking me to Execute, save as, cancel, etc... The normal download form of IE. As it would happen with a normal download...

That would appear to be an indirect link, e.g. it isn’t pointing directly at an exe file but a download page, etc. with an instruction to start a download for the said exe file. Your browser is obviously going to intercept that so it doesn’t automatically run the exe file, so it asks what it should do.

During this time the exe hasn’t started to download and I wouldn’t have expected avast to alert/scan the exe file at that time. If you elect to save to disk it should be scanned either by web shield or standard shield depending on your settings (scan all newly created/modified files). So I’m somewhat surprised that neither of them scanned it when it was downloaded.

As Tech mentions something would appear to be messed up, so perhaps a reinstall of avast ad check again.