W32 Parite & Question about Avast Settings

This one's for the gurus :slight_smile:

Earlier this evening I downloaded a file. Avast scanned it immediately after the download and found nothing. I also ran Avast manually on the file.

Well… when I ran the program to install it Avast suddenly alerted me that there was a virus… specifically W32.Parite. Since this one likes to go after .exe and .scr files Avast was popping up like crazy, as well as on another system in the house that is networked with this one. I have Goback and a recent backup, so rather than deal with it I shut down both machines, rebooted, and used Goback to restore to 2 hours previously. Afterwards I ran Avast and scanned both systems, also used 2 online scanners. Didn't feel it was necessary, but did it nonetheless.

Both systems are clean… I'm not concerned about that. The reason for this message is this. The file IS infected and Avast did not detect it until the file was run. Now… I'm wondering if it is because I do not have Avast's settings set up thoroughly enough?

I have the file… I went back and downloaded it again (call me crazy but I did so for a reason). Avast once again scanned it when the download finished and didn't detect the virus. It's a 2 meg file, so I'm unable to do a single file scan at a few places I know of online, and Trend, McAfee, etc etc also haven't detected it.

If need be I can send this file on to whoever I should send it to so they can see why Avast isn't detecting it before it's run (shouldn't it ???). Or I can give you the URL so you can grab it yourself. Just don't RUN it lol

OR… tell me what I need to do in settings. I have standard shield set at HIGH and haven't changed anything under customize.

I know this is a bit long… I hope it's clear enough :slight_smile:

Edit: I'm using Avast Home Edition 4.5.549

It’s possible that the file is repacked by an executable-packer not supported by avast.
Can you send me the URL?

Hi Connie,

the site didn’t by chance have anything to do with Themes & xp & org ?

@igor:

I sent alwil a Wise-Installer-package DL'ed from above site whose contents were infected with Parite (about 3 weeks ago…)
still not detected, at least not with JOTTI:

just now scanned with Jotti:
File: 77943.exe Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file’s scan results will not be stored in the database)
Packers detected:
None → * ??? *

Avast (and most other AV’s):
No viruses found

BitDefender
Win32.Parite.B
Kaspersky Anti-Virus
Win32.Parite.b

RAV-Online:
D:\temp\VirCheck\77943.exe->[wise.18] - Win32/Parite.B → Infected
D:\temp\VirCheck\77943.exe->[wise.19] - Win32/Parite.B → Infected
D:\temp\VirCheck\77943.exe->[wise.20] - Win32/Parite.B → Infected

→ Maybe it’d be detected with AV-Shield active (something I’m not willing to try), but I guess people just Scan DL’ed software On-Demand, and maybe then switch off AV-Monitors for the actual installation

→ Maybe that's why Parite continuously pops up in the Top10

just my 0.02€ worth

:wink:

message with url sent via PM

whocares -

the file was a screensaver but I understand where you are going with this :slight_smile: edit: and yes it's a Wise self-extracting installer as well

I couldn't upload it to many of the online scanners to have them check it as the file is over 2 meg in size. I did, however, go to several and have them run a scan… too many to list… and NONE of them detected it.

As an update, and I let igor know in the PM… it also came with W32/Noala.b and W32/Agobot

Avast does find Parite as the installer is run but doesn't find the others until later when doing a system wide scan. It must be something to do with the packer, as igor said.

ha… had Avast's alarm going off in two rooms in the house at once here and I couldn't click buttons fast enough to keep up with it - darn thing definitely does travel through a network FAST.

I managed to get Jotti to scan the file -

Igor… just wondering if you got the file. I had emailed the website and let them know about the file and the problem. Dunno if they will even bother to remove it.

Not expecting a quick response here :slight_smile: Not to worry. Mainly I thought it would give you something to look at that might aid in getting Avast to detect bugs in those packages.

whocares - I have a habit of reading things twice, sometimes three times, to be sure I understand the point, etc :slight_smile: This one leads me to a question. Does Avast scan a file AS it's being downloaded? I'm using the FREE Home Edition mind you… is that an option only with the Pro version or not in either? I have Standard Shield set to high and everything checkmarked that I "think" needs to be. I've been reading thru the documentation and help files and trying to find out "how" it does work to understand it a little more. I was a little concerned when it didn't find the virus in the file when it scanned it after the download finished, yet did find it as it was installing (unpacked), that possibly it was MY settings. Now I see it's probably the packaging and Avast cannot see into it at all. But I'm still wondering about the possibility of it scanning AS a file is downloaded. Just thinking out loud here and asking cus I don't know :slight_smile:

Better only use my screensavers, ;D ;D ;D

I'm laughing here… and also you must realize Eddy that I've been waiting for SOMEONE to rib me about this hahaha… it had to be you lol

I know better hangs head lol

Hi Connie,
yes, of course avast scans the files downloaded

  • as they come in or
  • before they’re opened (=On-Access)
    ==> depending on advanced settings,
    but the Shield does NOT scan archives normally !!

this you need to scan manually or (in AVfree) enable a tweak in deftask.xml or so (see the user's FAQs)
*
I’m just not sure this is the point here, meaning “archive-Scanning_On-Demand” wouldn’t have helped you in detecting PARITE earlier
→ as you did scan the file separately (=on-Demand) with archive scanning enabled, right ?

I’m no expert on WISE or runtime-packed files, but your or my type of Installer/Parite-file is obviously NOT

  • unpacked by avast nor
  • unpacked to Harddisk (like a Self-Extracting ZIP- or RAR-archive…)
    → but instead goes directly to memory (which is to me igor’s “runTime-Packer”)

Someone pray correct me if I’m wrong here… :wink: :wink:

Avast scanned it immediately after the download finished. I also did on Demand with archive scanning enabled. Avast did not detect it. As you can see in my screenshot from Jotti Avast did not detect it there as well. It was only detected as it was “run” which I realize means as it was “unpacking” Avast then detected it.

yeah, it's not exactly the point :slight_smile:

I'm sorry for 'butting' in here, it's just so I understand: are you saying avast won't scan archived files such as .exe unless you enable this tweak you speak of?

–lee

Lee, this particular file was a Wise self-extracting installer. From what igor and whocares have said I'm taking it that avast doesn't recognize/support this packer and that is why it was unable to find the virus inside it.

I do see why you asked though, and I'm gonna look into that one myself.

(edit) as soon as I can manage to FIND the user's FAQ he is speaking of lol

edit again… found it here:

http://forum.avast.com/index.php?board=9;action=display;threadid=4818;start=15

Hi Lee,

No !
I Mean YES it does and NO, that’s not what I meant !
;D ;D :wink:

  • Afaik it DOESN’T scan ZIP- or RAR (non-executable)archives

  • it scans RunTime-Compressed EXE-files:
    the big BUT is here that it doesn’t ALWAYS recognize or scan the contents properly; mostly it does succeed, though…
    (only a very few select AV can unpack/scan the majority of itw packers, and also they don’t know ALL packers)

  • I don’t know about conventional SFX-ZIP or RARs, but this is unimportant as their contents get extracted to DISK first, and any AV-Shield can catch them there…

The bottom line is:
please ask an expert or alwil team (IF they are willing to share their trade secrets) :wink:

and the moral is:
Don’t click on everything that looks cool & froody …!
;D ;D :wink:
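Added example, not from this thread or from Avast: a small Python triage script showing whocares's point from the defender's side. A runtime-packed executable only reveals its real contents in memory, but the on-disk file still carries static signs a scanner can check before anything is run: packer section names, sections that are empty on disk yet reserve memory for unpacking, and sections whose bytes look compressed. The two PE images it inspects are constructed inside the script, PACKER_SECTION_NAMES is an illustrative assumption, and the 7.0 bits/byte threshold is a rule of thumb, not an Avast setting.

```python
import hashlib
import math
import struct

# Section names written by common runtime packers (assumption: illustrative, not exhaustive).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b".aspack", b".petite"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means compressed or encrypted; plain code and text sit well under 7."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(bytes([v])) for v in range(256)) if c)

def pe_sections(pe: bytes):
    """Walk the PE section table; yields (name, virtual_size, raw_size, raw_bytes) for each section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)  # NumberOfSections, SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    for i in range(nsections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, pe[rptr:rptr + rsize]

def packing_indicators(pe: bytes) -> list:
    """Static signs that the payload is only unpacked in memory at run time, i.e. what an on-disk scan misses."""
    reasons = []
    for name, vsize, rsize, data in pe_sections(pe):
        if name.encode() in PACKER_SECTION_NAMES:
            reasons.append(f"{name}: known packer section name")
        if rsize == 0 and vsize > 0:
            reasons.append(f"{name}: empty on disk but {vsize:#x} bytes reserved in memory (unpack target)")
        ent = shannon_entropy(data)
        if ent > 7.0:
            reasons.append(f"{name}: entropy {ent:.2f} bits/byte (compressed or encrypted)")
    return reasons

def build_pe(sections) -> bytes:
    """Constructed, non-executable PE image for testing: DOS stub, COFF header, section table, no optional header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # SizeOfOptionalHeader = 0
    table, blobs, off = b"", b"", 0x40 + 4 + 20 + 40 * len(sections)
    for name, vsize, data in sections:
        table += struct.pack("<8sIIII", name, vsize, 0x1000, len(data), off if data else 0) + b"\0" * 16
        blobs += data
        off += len(data)
    return dos + b"PE\0\0" + coff + table + blobs

# Sample inputs (constructed): a plain image and a UPX-style image whose only on-disk section is compressed data.
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 pseudo-random bytes
PLAIN_PE = build_pe([(b".text", 0x1000, b"push ebp; mov ebp, esp; ret\n" * 150), (b".data", 0x200, b"Hello\0" * 80)])
PACKED_PE = build_pe([(b"UPX0", 0x20000, b""), (b"UPX1", 0x8000, HIGH_ENTROPY)])
```

Running `packing_indicators` on the two samples returns nothing for PLAIN_PE and four findings for PACKED_PE; on a real file you would read its bytes and pass them in the same way, treating any hit as a reason to scan it after unpacking (or in a sandbox) rather than trusting the on-disk result.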

yeah yeah yeah… :-\ lol

Hi Connie,

no offence meant :), but couldn’t resist… :wink:

;D

Neither could Eddy and I completely understand. :slight_smile: they really need a red faced icon here lol

say… I took a look thru the FAQ and I've edited the file and am about to reboot… thanks for leading me towards it

Hi Connie,

I hope that I didn’t give you the impression that I advise this tweak:
→ I DON’T ←

it hardly increases security, but sure is a severe drain on your PC's resources, except if you've got a very powerful machine or don't have the need for speed
:wink:

aeiiiiiii okay I think I'm going to just re-edit it… then leave the house for a while or I may take a hammer to this :slight_smile: (pc break time)