I see a strange difference in behavior between the resident Standard Shield and scanning from the Avast GUI in the case of “RavMonE.exe”, part of “Win32:Rjump [Wrm]”. I selected the highest settings for Standard Shield, and I see that it scans “RavMonE.exe” when I copy or simply open it, but it sees nothing problematic with this file. It also sees no problem with starting this file. ::((
Still, when I start a GUI scan of the directory with this file, it is reported as containing “Win32:Rjump [Wrm]”.
I tried, with the same result, the Home, Pro and Server variants of Avast software. I use the latest application and database from 26-sep-2006.
After such a strange difference in behavior between resident and GUI scanning, I am in BIG doubt about buying a park of Standard suite licenses of this product.
The resident protection scans the files in a little different way (namely, it doesn’t have the “Scan full files” option enabled, and there’s no way to do that). So, you can say that the file is actually not detected (and the fact that the GUI scanner does detect it is just a coincidence).
So, can you please send the RavMon.exe file (packed into a password protected ZIP or RAR) to virus@avast.com, please?
I see that “resident protection scans the files in a little different way”.
The problem is that the Avast team can say that Avast supports that worm. Still, I have no real protection due to lack of functionality in the resident part. It is kind of misleading. I see no note in the documentation about this difference. I was sure that if I use resident protection on servers and workstations, enabled and with the latest database, I have protection from virus spreading at least, and have no need to run a manual scan. And so on …
I have a database that contains info for this virus and resident protection that scans the file with this virus and sees nothing. Kind of madness. It is an ARCHITECTURAL BUG from my point of view, as an answer to your statement (“resident protection doesn’t have the “Scan full files” option enabled, and there’s no way to do that”). And I think many users and sysadmins see it the same way.
I have a database that contains info for this virus and resident protection that scans the file with this virus and sees nothing. Kind of madness. It is an ARCHITECTURAL BUG from my point of view, as an answer to your statement
Not really. As Igor pointed out, we consider all files not detected by the on-access scanner as UNDETECTED, i.e. unknown to avast. In other words, the on-access scanner is what counts when saying detected/undetected.
O! Yes! I am sure! Still, it needs to be explained in the documentation in BIG letters that detection of some virus by the GUI scanner does not mean that the customer is also protected by the resident protection. Or a note in the GUI dialog must state that you need to do a full scan on all nearby computers, so as not to be dependent on the fact that this particular virus is detectable only by the GUI.
Just an update: My last avast scan about a week ago still can’t detect the RavMone virus. I have noticed that avast has a hard time detecting viruses spreading thru removable USB drives.
AVAST also can’t detect the VBS/Solow-A worm (which is also spread thru removable USB drives).
There’s a number of RavMon variants - this might be another one…
Can you please send your sample to virus@avast.com, and possibly note (in the message) that the resident protection has problems detecting the sample?
Thanks.
I have already deleted my copy of the RavMone virus. I have sent a copy of the VBS/Solow.A virus though. I have zipped it with the password ‘virus’. Will I get a confirmation from the virus@avast.com email? (I haven’t received any yet.)
As far as I know, you will not receive a confirmation. More than 4000 emails a day are received at virus @ avast.com to be analyzed and prioritized. The file can be scanned in the chest (if you did not delete it) to see if the detection has been added.