Virus got into system past avast! :-/

We got the common mail supposed to be from MS containing the Swen32 worm. When someone clicked the Pack65.exe file in the mail program (Agent) it gets written to Windows/Temp (by the mail program) and avast! detected it at once (as it should). BUT I couldn’t delete it from the avast! dialog warning as it was in use by Windows, and a full scan showed that it was in memory and that several Windows files had been infected/renamed already (of course avast! repaired this OK).

BUT the question is WHY did the virus get into memory and WHY did avast! allow the virus file to be started?

I have scan both for writing and opening EXE files on, and the warning was shown, but apparently the virus started in the background anyway (while avast! displayed the message). Doesn’t avast! stop all action in the background? And shouldn’t I have gotten a second virus warning (the file was first saved from the mail-program to Windows/Temp, and then it was run from Windows/Temp after that)?

Suddenly I’m a bit unsure about avast!. McAfee NEVER let a virus into the system, even if I ran it from the mail program.

Any explanation? Any settings that are wrong?

If this can happen inside a mail-program, the same thing will happen if someone clicks a .EXE file on a web-page (it also first gets saved in a folder, and then executed from there).

I have no idea! I’ve received that same virus via email on at least three different occasions without any adverse effects. And I used the delete option offered by the Avast warning screen and ran a full scan afterwards.

I’m assuming you’re using Avast on an internal network system and not just an ISP?

I agree Culpeper, Avast has taken care of this virus for me on a couple of occasions… … no problem ;D :wink:

W.

I’ll add that I don’t use the mail-scanner. So the virus was detected on double-click on an attachment in a message. When that file was written to the temp-directory before being started - but again - it got started anyway - even with scan on both “write file” and “open file” on “exe” type.

In mail I can fix this by using the mail-scanner too, but when using web-mail or clicking on files on web-pages they get written to “Temporary Internet Files” and then started. And if the detection of a virus during saving of the file will not stop it from running anyway (that takes an “open” as well) then the protection is not that good (it doesn’t help to detect a virus if the file can still be saved and started in the background - all access to the file should be halted at once).

Lars:

I agree and will refer to the programmers to address your problem when they return to the forum. That is a very common infected file and shouldn’t have been executed. Were there any other factors involved that may have circumvented Avast via human error or perhaps a setting within Avast?

Have double checked. Basic settings are set to scan all executables on open, and advanced is set to scan all standard types on create/modify.

BTW: I’d like a new check-box in advanced. Under “Scan files on open” I’d like the “Default extension set” here as well (so that all common file types can be scanned on open too, it’s not obvious what files are scanned on open today).

Culpeper,

What about the ‘Advanced’ setting tab (in resident task settings)? Aren’t temp *.tmp files in the exclusion list?

W.

Okay, I see. You will need to address this directly with the Avast Team members on this one because it is obviously a serious problem and they need to communicate with you directly.

*.tmp files are in exclusion, but it was saved as a .exe file, and avast! DID detect it when it was saved (and/or opened), but the problem is that it still was executed (it got into memory, and managed to change some system files). And I did NOT click any other buttons than “Delete” and “Move to chest” - and then I got an “avast! unable to … file” (because it was in use I guess). So the code inside did get executed.

Under the Advanced setting tab for the Standard Shield I do not have .tmp as an exclusion. However, .tmp files are not included in the Blocker tab default extension set and the setting for allow operation is on if Avast cannot ask what to do.

Lars:

What operating system are you using?

I use Win98se (english language version)

On my system, you have to be very daft or determined to run an exe file from the temp folder. Windows tells me it’s a security risk and unsafe!

Yes, I don’t do that either (the mail program warns about it). But not everyone reads warnings. And if you select to run the attachment it is first saved to a file (and is caught by the anti-virus already then) and THEN it’s run (and should be caught by the anti-virus again since it’s an exe-file). But when I heard the virus-alert (only once) the virus was already in the memory and avast! couldn’t delete the file (because it was in use). Tried to delete it from Explorer as well and got a “file is in use by windows”. Strange anyway.

Whilst I can see what this is all about, my opinion is it’s impossible for any piece of software to prevent humans doing what they do best… … ignore warnings!

Personally, I think it very ambiguous to say that it ‘got past Avast’. Seems the warnings were there and Avast DID catch it.

Just mho from what I understand from the post.

  1. The warning about opening attachments was from the mail program (and was ignored, but that could happen, maybe someone thought it was a real file, maybe it was a document, maybe someone was using Outlook Express :slight_smile:)

  2. The virus warning from avast! WAS correctly understood. “Delete” was selected, but did not work (error message). And that’s what I’m complaining about. A virus program that catches a virus SHOULD prevent further access to that file. And if it does - how did the virus get to be activated and change system settings and several files?

I like avast! (else I wouldn’t use it). But if it lets viruses run in the background while displaying the warning then it’s not the program for me anyway (and that would be real sad).

Now this is a different slant on the original post(s). If this is all you’re complaining about then so be it. As Culpeper says, no doubt the Alwil team will have a reply.

This I don’t accept. What if it was a ‘false alarm’, would you then be happy not being able to get into a valid file?… I don’t think so 8) .

I also ask, as did Culpeper, is this on a network or the Server edition of Avast?

BUT I repeat… mho 8)

Yeah, I’m a little confused. I get the impression that Lars is a network administrator. That someone else on the network actually got the Avast warning?

I’m very prejudiced and I’ll assume that Avast wouldn’t let something as common as the Swen virus run in the background. But I have been wrong in my assumptions before and will let the experts investigate alongside Lars what happened here.

To the second quote. If you CHOOSE to continue accessing the file of course you should be able to. But when you choose “Delete” (or another choice to remove the virus) then there should be no way for that virus to get active.

Now, we don’t exactly know what happened. But say that when we pressed “Delete” and avast! gave the error message about not being able to delete the file, that the control then was passed back to the system making further execution of the infected file possible - that would be bad.

The only way a detected file should be able to be executed should be when the user answers the virus alert message with “Continue access anyway” (or something similar), right?

BTW: Just to clarify, this IS on my home PC (but there is not only me living here, I’m a developer/tech, I know what not to open, I could have lived without an anti-virus - I think anyway :slight_smile:)

My system is a Win98se, avast! resident scanner, Zone Alarm, and I’m connected to the world through a cable-modem.

Yes, I agree. What are your settings in the Blocker tab for the standard shield provider? I’m curious about the setting for if Avast is unable to warn should the operation be continued or not.

Okay, I see. You’re on a single machine with an ISP.