Now my blocker settings are for all operations. But that’s a bit annoying since you get messages for every operation (programs DO open/write/rename/delete files all the time).
But with the previous standard settings (no blocking) avast! still should stop access to files when a virus is detected, right?
I’ll run with block warning on every access now to be a bit more sure (then we will get lots of warnings on writes).
Get rid of ZoneAlarm! Especially if you’re using the free version. It allows selected IPs that pay ZoneAlarm for the privilege. They may be trusted by ZoneAlarm but that is moot. That would make ZoneAlarm free edition a platform for their own trusted spyware.
Have no bad experiences with Zone Alarm. Frequently scan for SpyWare with AdAware, but most ads and stuff never reaches my browser as I use WebWasher to filter it out.
I’m not sure on that one, Lars. My theory is that Avast was unable to give another warning because a file was already in memory and since it was set to allow the operation if Avast couldn’t warn then it got executed upon opening. Just a theory though.
I’m just warning that the free version of ZoneAlarm has preconfigured settings that are beyond your control. That organizations pay ZoneAlarm to preconfigure access past the firewall settings. It will not show up as spyware on any scans. For example, XYZ Advertising Inc., gets to see your IE history without your knowledge because they have paid ZoneAlarm to program access past the firewall. This is just an arbitrary example.
Many people first notice something is up when they install a firewall, such as ZoneAlarm, which only lets programs with explicit permission access the net.
As the legal profession would say… ‘already asked and answered’. I’ve agreed that if ‘delete’ didn’t work then it is an issue for the Alwil guys to address. I’ve also given my opinion on what you ‘previously’ asked, which was “A virus program that catches a virus SHOULD prevent further access to that file.”, which I disagree on. These were two different responses to two separate sentences that you wrote, which I replied to as such (separately).
I still disagree with you (depending upon exactly what you mean by ‘something similar’) in as much as a file caught by ‘false alarm’ (NOT one that you have chosen to delete, but this hasn’t happened) should still be accessible from quarantine or the ‘chest’.
OK, so this is Avast ‘Home’ or ‘Pro’ on a single machine? To refer back to your earlier comments about an executable being activated on a web site (and I am open and happy to be corrected on this), the Pro version has the ‘Script Blocker’, which is not in the Home version. So until an .exe file is run from your local machine, it can only remain a ‘script’ and the Pro version should, I assume, deal with it. Note: I’m not referring to an .exe file that has been downloaded/sent with e-mail etc., or that Avast should have deleted at your behest.
A few notes to the original question:
I’ll check the corresponding code when I get back to work, but I believe avast! would never allow an infected program to execute. Of course, it may fail detecting a (new) virus, but if it detects the virus, it will deny access to it. There’s no “Continue” button that would allow it.
I can check if this “Agent” client (where can it be downloaded from, btw?) doesn’t use some special method to execute its attachments, but I really doubt it (I think all the possible methods are covered now; and even if they weren’t, avast! wouldn’t detect the virus - and it did).
To me, it seems more likely that the Swen worm was active before (it could have been started before avast) - and the warning was given by avast! at the moment it was trying to spread (execute another instance of itself, maybe?)
That wouldn’t explain how Swen could have got to the computer in the first place, of course… ???
This might help clarify things a bit. The worm activates when a victim launches the infected file (double clicking on the file attachment) or when a victim machine’s email application is vulnerable to the IFrame.FileDownload vulnerability (also exploited by the Internet worms Klez and Tanatos). Once run, Swen installs itself in the system and begins its propagation routine. You can download the patch released in March 2001 for the IFrame vulnerability: Microsoft Security Bulletin MS01-20.
The worm blocks many anti-virus programs and firewalls. Its algorithm and parts of the code text are almost identical to that of another Internet worm called I-Worm.Gibe, although the programming language used is different.
From your posts, the Swen was activated and started propagating almost immediately, even as Avast sounded the alarm. The “delete” worked, however, if you study the characteristics of Swen, then you will realize that it spreads quickly, mutates, and can disable some AVs, or “hide” themselves from the AV by changing the format coding.
I also noticed that you said you do not use the Avast mail scanner?
Is this correct? Why don’t you use it? It is one of the best protection features of Avast.
I use Agent as my mail-client. It doesn’t do any preview or in any other way open attached files until they are saved to disk. So when someone chose to open the attachment it was saved to WINDOWS\TEMP, and that triggered avast! (as it should). After an attachment is saved then the mail-program will try to execute it. But we shouldn’t have gotten this far, should we? As avast! was triggered when the file was saved. And even if it got saved it should trigger avast! when it was opened again too (I scan on both “write” and “open”). So to start it had to get past TWO times (if the file was not allowed to be saved AND opened even after avast! showed the warning).
The “Delete” option DID NOT work. It just gave an error message (because by then the file had been executed and was locked). But how could it be executed WHILE avast! was showing the virus warning and no one clicked anything?
Mail-scanner might be nice, but it will only stop mail coming through a configured pop3/smtp client. My girlfriend uses web-mail. And then this would have happened anyway if she clicked an executable attachment (it would first be saved in “temporary internet files” and then run from there). And if the same had occurred then it would not have been stopped.
I’m not trying to be unfriendly towards avast! I’d just like to figure out how the virus could start when the file was BOTH saved to disk AND THEN opened from disk (to be executed). avast! should have stopped both those operations, right?
The only explanation I have is that the saving and opening for execution continued in the background while avast! was waiting for us to choose an action in the virus warning box. And that scares me - every file I/O should be stopped then.
So when someone chose to open the attachment it was saved to WINDOWS\TEMP, and that triggered avast! (as it should).
And also the Swen32 virus!
Yes, I can yield to your view. However, just keep in mind that the Swen32 is a nasty little thing that CAN activate even when not opened by the user. This is fact! All it needs is to be downloaded and saved. Avast did detect it, however, when you deleted the virus (and it is only conjecture on my part) the Swen had already started to spread and mutate. Avast stopped the original exe coded virus but some of the little buggers got out. You said Avast alerted you when the virus was saved. That is correct. It would not alert you again because Avast will not let you execute an infected file. You stated that you got the “locked file” message.
I know you want to go round and round with this, but I have had Avast for some time now and it has stopped viri on many occasions without any computer damage or corruption. Sometimes a file will not “delete” for different reasons: passworded, active, locked, in the Restore directory and others. But until you can figure out HOW to delete the virus, Avast will not let it do damage.
Also, you are correct about webmail. Unfortunately, Avast cannot scan an email client not configured via POP3 and SMTP.
I wish I could offer a better explanation, but maybe there really isn’t any!
I think the “Created/modified files scan” works a little different than you expect. As I already explained somewhere, the scan is performed after the file is written (can’t be reasonably done better) and it’s probably non-blocking (not completely sure about this one - Vlk may have some more info). I.e. the virus warning is rather informative-only in this case.
The other ones (scanning on open/execute) do deny the access to the file, however, so the file should never be executed, if infected.
As I said… I’ll check it later, but I believe the original scenario went a little different than it appeared.
techie: Having unfixed Outlook is bad (though it wasn’t the case here), but I think the executed attachment should be caught anyway, and not allowed to be started.
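The distinction drawn in the previous post (a “Created/modified files” scan that runs after the write and only alerts, versus an open/execute scan that can actually deny access) is easy to model. The following toy is an added illustration written for this page, not avast!’s code or anything from Alwil; the file-system, the marker string used as a stand-in signature and the TEMP path are all constructed. It also reproduces the earlier complaint that “Delete” fails once the file is running: a file that is already in use cannot be removed.

```python
# Added toy model of two on-access hook styles (not avast! code).
# "MARKER" is a constructed stand-in for a real signature; paths are made up.
from dataclasses import dataclass, field

MARKER = b"CONSTRUCTED-MALWARE-MARKER"


@dataclass
class ToyOnAccessScanner:
    """In-memory file system with a post-write hook and a pre-open hook."""
    scan_on_write: bool = True     # "Created/modified files" scan
    scan_on_open: bool = True      # scan on open/execute
    files: dict = field(default_factory=dict)
    in_use: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def _infected(self, data: bytes) -> bool:
        return MARKER in data

    def write(self, path: str, data: bytes) -> None:
        # The bytes land on disk first; a post-write scan cannot undo that,
        # so the most it can do is raise an alert (advisory, non-blocking).
        self.files[path] = data
        if self.scan_on_write and self._infected(data):
            self.alerts.append(("write", path))

    def open_for_execute(self, path: str) -> bytes:
        # A pre-open scan runs before the handle is handed out and can deny it.
        data = self.files[path]
        if self.scan_on_open and self._infected(data):
            self.alerts.append(("open", path))
            raise PermissionError(f"access denied: {path} is infected")
        self.in_use.add(path)   # the "process" now holds the file open
        return data

    def delete(self, path: str) -> bool:
        # Mirrors the "file is locked" failure once the file is already running.
        if path in self.in_use:
            return False
        self.files.pop(path, None)
        return True


def attachment_scenario(scan_on_write: bool, scan_on_open: bool) -> dict:
    """Save an infected attachment to TEMP, let the mail client run it,
    then try to delete it from the alert dialog."""
    fs = ToyOnAccessScanner(scan_on_write, scan_on_open)
    path = r"C:\WINDOWS\TEMP\attachment.exe"   # made-up path
    fs.write(path, b"MZ" + MARKER)             # constructed "infected" content
    try:
        fs.open_for_execute(path)
        executed = True
    except PermissionError:
        executed = False
    return {
        "executed": executed,
        "deleted": fs.delete(path),
        "alerts": [kind for kind, _ in fs.alerts],
    }


if __name__ == "__main__":
    for cfg in ((True, False), (True, True), (False, True)):
        print("scan_on_write=%s scan_on_open=%s -> %s" % (*cfg, attachment_scenario(*cfg)))
```

With only the write scan enabled the user sees an alert yet the file still executes and can no longer be deleted; with the open/execute scan enabled the open is refused, nothing is locked, and the delete succeeds. That is the behaviour the post above attributes to the two hook types, and it is why an alert from the write scan alone should not be read as proof that execution was prevented.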
Yes, I can yield to your view. However, just keep in mind that the Swen32 is a nasty little thing that CAN activate even when not opened by the user. This is fact!
How? The code is NOT executed when a file is saved. And we are not talking Outlook Express here either. When I save an attachment from Forte Agent, the code is written from the mail database (where it cannot be executed) and written to a file (that is not executed yet). Where should the virus code have been executed (I’m a bit curious, this is really interesting)? Do you mean it executed while coming through the POP3 port already, and if yes - how, and how do you protect against that (even a mail scanner would be too late to catch that, but this seems a bit far fetched)?
I have received viruses by mail before, and saved them (to test, only save - not save & execute) without any trouble (stopped by McAfee). And this includes several worms as well. So I’m not convinced. If I still had the mail I would have tried to save it once more (only “save”, no “open”) to see - well, they keep coming from time to time so
I would very much like to contribute to making avast! even better by finding out what really happened here, so if there is anything I could test or do to reveal more detail - say so.
Anyway, avast! did a good job cleaning up the virus though.
Second the motion…!!
(Although in the board there are numerous postings as to the default list, which you could just copy and paste in the “scan on open” fields)