Scanning file when created?

Is there a way to have Avast scan a file when it is created?

Here’s the scenario: I am running Windows XP With Avast 4.7.1026 (beta, though I don’t think this is a beta-related question). On Windows, I run VMware, and in VMware, I run Linux (Ubuntu Feisty, though I don’t think that matters either). As a test, I downloaded a known nasty (trojan) while inside Linux. Then I dragged the nasty from the Linux window to my Windows Desktop (one of the beauties of VMware :) ). Avast did not scan the file automatically when it was written to my desktop. I right clicked it, selected “Scan” with Avast, and Avast found the trojan instantly. But I had to initiate the scan manually.

What I wanted to happen (and what happens with McAfee, I must say), is that the file is scanned when it’s created, so the instant it hits my Windows desktop, the alerts pop up telling me of the infected file. Maybe I just haven’t found the setting in Avast to make it do this (and I searched the forum, but didn’t find it here either), so any pointers are appreciated.

Thanks!

By default avast should scan created/modified files (usually executable ones) in a windows environment depending on file type.

I don’t know how it would react when in a virtual environment and dragged to the windows environment.

You don’t say what the file name was, because if it is in a zip/archive file it may not be scanned, as zip files are inert; it would, however, be scanned on extraction.

You don’t say what your Standard Shield settings are: Normal sensitivity, Scan all files, or Default set, etc. (see image).

David -

Thanks for the quick reply. Let me fill in the details I left out the first time.

The test file was an exe. Its icon was the same as a self-unpacking executable made with winrar (looks to me like a little stack of multicolored books).

My Avast settings are “High” across the board, and (under “Resident task settings” for the “Standard Shield”) the Scanner (Advanced) tab shows it’s set up to Scan created/modified files, All files.

Regards,

Jon

I would think that it would be best to try the test again with a regular exe file, as I don’t know if avast would recognise it as an archive file; it doesn’t simply scan by file type but, I believe, actually looks at what the file is from the code inside. However, if as you say you have it on High and scan all files, I would have thought it would scan the file.

If after testing with a regular exe file it doesn’t scan (monitor the Standard Shield detailed view “Last Scanned:” value), there would appear to be an issue with this crossing from a virtual Linux environment to Windows. Unfortunately I have zero experience with VMware; I hope one of the Alwil team picks up on this.

Very interesting. I did as you recommended and monitored “Last Scanned” in Standard Shield (Sensitivity set on “High”), and copied a benign file from virtual Linux to Windows. It showed up as having been scanned. So I tried copying the known trojan again, and it too showed as having been scanned. No alerts.

Then I performed a manual scan, got the alert, clicked on Delete, selected “Delete file(s) permanently”, and when I manually scanned the remaining file, no infection (so Avast is clearly able to uncompress the file’s contents and delete the trojan from inside - looking inside with winrar, I see that one file in the archive is in fact deleted by Avast).

I uninstalled the beta version of Avast (uninstalling then using aswclear to clean up the registry, just in case) and went back to 4.7.1001. Exact same results.

A few more experiments in 4.7.1001: Interestingly, I see the same thing happen when I copy or move the file within Windows (so it’s not just a VMware issue). If I copy (drag and drop) the file from my desktop to another folder, it shows as having been scanned in the “Last Scanned” field. If I right-click drag-and-drop the file and select “Move”, it shows as having been scanned. If I right-click cut and paste it from one place to another, it shows as having been scanned. But I get no alerts until I manually scan it.

I am starting to suspect a bug - if Avast says a file’s been scanned, I’d expect it to be actually scanned. And if I set Avast to scan created/modified files, I’d expect a file to be scanned whenever it’s created, copied or moved. I’m curious to hear what our friends at Alwil suggest.

The ashQuick.exe is the most thorough of the scanners, as it scans using all unpackers, so that may be why it isn’t catching it on the standard shield scan even on High.

I believe there was something in the forums previously about something similar (not the VMware but some rar compressed files) and I think it was much as you said: not detected on the normal on-access scan but picked up on the context menu scan.

The problem arises where yes, every file could be scanned to the depth that ashQuick goes, but I believe there would be a performance hit.

I still believe that this archive file would be detected when it was unpacked; yes, it might well be an issue about not being able to unpack a self-extracting rar in the on-access scanner, but I do believe it would be trapped when you try to extract the files. You could try and build a self-extracting rar containing some benign files and, say, one of the eicar test files.

You could also try sending the file to virus(AT)avast.com and outline the problem and a link to this topic, subject Trojan - Undetected by On-Access scanner but detected by ashQuick.exe.

Add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

I don’t think that’s necessary.
I’d say avast is working as expected.

It simply does not unpack RAR files on-access by default. This behavior can be changed only in avast Professional Edition (via the Enhanced User Interface) - there are no GUI controls for this in the Home Edition.

Anyway, I don’t think turning it on would be a good idea: imagine a 100MB RAR file with thousands of files in it. Avast would be decompressing all these files every time you touch the RAR file - a really slow operation that would make the system generally unresponsive for at least a minute or two.

And David is right saying that anything inside the RAR file will be eventually detected during unpacking.

Cheers
Vlk

Vlk -

I understand your reasoning. My work laptop (company provided) runs McAfee enterprise, which scans every file (including compressed archives like this one) even when just opening a folder/directory in Windows. The performance hit when opening large directories is pretty obvious - the price I guess they’re willing to pay for perhaps picking up a suspect file a little sooner.

Thanks for a terrific product (BTW, your Linux scanner works great in Ubuntu :) ) and for answering questions like mine on the forum.

Regards,

JonM

Really, McAfee unpacks RARs in the on-access scanner? That surprises me, I have to say.
Maybe they only do it for sfx archives (and not for .RAR files) (?)

Cheers
Vlk
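David’s remark that avast looks at what a file is from the code inside rather than trusting the extension, and Vlk’s distinction between an sfx archive and a plain .RAR file, both come down to how an on-access scanner types a file and whether its policy lets it unpack archives. The following Python model is an added example written for this thread; it is not avast, McAfee or any vendor’s code. It types files by magic numbers (the well-known MZ, RAR 4/5 and ZIP signatures), scans under two constructed policies (archives left opaque, as the thread describes avast’s default, versus archives unpacked on access), and shows the extraction-time check that still catches the payload. ZIP stands in for RAR because the Python standard library has no RAR writer; the SFX stub, the `MARKER` detection string and all sample files are constructed, and the marker is not malware.

```python
import io
import zipfile

# Well-known magic numbers (DOS/PE stub, RAR 4.x, RAR 5, ZIP local header).
MZ_MAGIC = b"MZ"
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
ZIP_SIG = b"PK\x03\x04"

# Constructed stand-in for a real detection signature; it is NOT malware.
MARKER = b"CONSTRUCTED-TEST-MARKER-NOT-MALWARE"


def classify(data: bytes) -> str:
    """Type a file by content, not by extension: 'pe', 'sfx-rar', 'sfx-zip',
    'rar', 'zip' or 'other'."""
    if data.startswith(MZ_MAGIC):
        # An SFX archive is an executable stub with the archive appended.
        if RAR4_SIG in data or RAR5_SIG in data:
            return "sfx-rar"
        if ZIP_SIG in data:
            return "sfx-zip"
        return "pe"
    if data.startswith(RAR4_SIG) or data.startswith(RAR5_SIG):
        return "rar"
    if data.startswith(ZIP_SIG):
        return "zip"
    return "other"


def scan_flat(data: bytes) -> bool:
    """Plain signature scan over the bytes exactly as they lie on disk."""
    return MARKER in data


def unpack_zip(data: bytes) -> dict:
    """Read every member of a ZIP; zipfile tolerates an SFX stub in front."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def on_access_scan(data: bytes, unpack_archives: bool = False) -> dict:
    """Model of an on-access check. The file always counts as scanned (so a
    'Last Scanned' field would update), but an archive is only looked inside
    when policy allows; otherwise only its compressed bytes are examined and
    a packed payload is missed."""
    kind = classify(data)
    result = {"kind": kind, "scanned": True, "unpacked": False, "detected": False}
    if kind in ("zip", "sfx-zip") and unpack_archives:
        result["unpacked"] = True
        result["detected"] = any(scan_flat(m) for m in unpack_zip(data).values())
    else:
        # 'rar' / 'sfx-rar' would need a RAR unpacker, which this model lacks.
        result["detected"] = scan_flat(data)
    return result


def extract_and_scan(archive: bytes) -> dict:
    """Extraction-time hook: each member becomes a plain file and is scanned
    as it is written, so the payload is caught here even if the archive
    itself passed the default on-access check."""
    return {name: on_access_scan(member)["detected"]
            for name, member in unpack_zip(archive).items()}


def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sfx_zip(members: dict) -> bytes:
    # Constructed stub: an 'MZ' header plus filler, not a working program.
    stub = MZ_MAGIC + b"\x00" * 62 + b"constructed-sfx-stub"
    return stub + build_zip(members)


# Constructed samples: a "payload" executable padded so that it compresses,
# the same payload inside an SFX archive and a plain archive, and a bare RAR
# header for which no unpacker is available.
PAYLOAD = MZ_MAGIC + MARKER + b"\x00" * 512
SAMPLES = {
    "payload.exe": PAYLOAD,
    "payload_sfx.exe": build_sfx_zip({"payload.exe": PAYLOAD, "readme.txt": b"benign"}),
    "payload.zip": build_zip({"payload.exe": PAYLOAD}),
    "fake.rar": RAR4_SIG + b"\x00" * 16,
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "default:", on_access_scan(data),
              "deep:", on_access_scan(data, unpack_archives=True))
    print("on extraction:", extract_and_scan(SAMPLES["payload_sfx.exe"]))
```

Run it and the plain executable is detected under both policies, while the SFX and the plain archive report `scanned: True, detected: False` under the default policy and are only caught once `unpack_archives=True` or when `extract_and_scan` writes the members out; that is the behaviour the thread observes, with “Last Scanned” updating but no alert until the payload is unpacked.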

Vlk -

I did an experiment. Using WinRAR (and no active antivirus), I extracted the files in the infected executable, and repacked them into a basic .rar file. I also put the files themselves into their own little folder.

So now I have an infected self-extracting executable, a similarly infected rar archive, and a folder containing the files from those other two archives. These two files (and one folder) I put into a “temp” folder on a USB flash drive. The USB flash drive I plug into a PC running McAfee enterprise. (In McAfee’s settings, I have it set to scan all files - which I think just means all file extensions/types - and to scan within archives.)

I double-click on the temp folder to open it, and McAfee immediately scans the archive executable (finding it infected, and being unable to clean it, deletes the whole executable). As you predicted, it does not automatically scan the rar file. Then I single-click on the rar file (just highlighting it), and McAfee scans it, declares it infected, and, being unable to clean it, deletes it. Then I double-click on the folder containing the individual files, and McAfee automatically scans the individual exe’s in the folder, finding two of them infected and deleting those two.

So it appears that McAfee (enterprise) does automatically scan certain files when you simply open the directory they’re in, but (unlike what I thought earlier, and exactly as you predicted) it doesn’t automatically scan all files (e.g., it automatically scans exe’s but not rar’s).

As we said earlier, I guess the difference between McAfee and Avast in these tests is that Avast figures the files pose no risk until opened/executed, and it’ll catch them then, while McAfee thinks it’s better to go ahead and spend a few cycles up front checking the most obvious risks (like executables). Both approaches have merit, both have possible drawbacks, so it’s a judgment call, personal preference.

Interesting stuff. (Now, just in case, it’s time to put back a known-clean OS partition - thank goodness for Ghost :) )