What good is Web Shield if a virus gets through after the connection is aborted?

Last night I was doing a websearch and clicked on a link where a virus was detected by Avast Web Shield. I immediately aborted the connection, as instructed, and force quit (CTRL/ALT/DELETE) Internet Explorer (IE7). Before I went to bed, I ran Avast AntiVirus just to be safe and two viruses were found during the scan. What is the point of Web Shield detecting a virus if the virus still gets through after you abort the connection?

Well, are you absolutely sure they are the same infection?
When you abort the connection, files shouldn’t be saved. But are these files about the same infection?
Which are the names and paths of the infected files? Did you move them to Chest?

I did move them to the chest and now I’m just waiting for the scan to be completed so I can see what and where they were. The reason I suspect it’s the same virus that was detected is because I had just done a routine scan yesterday and nothing was found.

I can assure you that when the WebShield detects something and the connection is aborted, nothing gets through, i.e. the connection is aborted, what was detected was detected in RAM and nothing is saved. If something went through, it either means that you somehow prevented the web shield from doing its job, or you got infected via a port not covered by the web shield (80, 8080), e.g. from ftp, https, etc.

The most important information isn’t given so we can’t say if the detections were as a result of the same initial detection, but I suspect not.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section; this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

When posting URLs to suspect sites, change the http to hXXp so the link isn’t active (clickable) avoiding accidental exposure.

You can also check the date/time stamp in the .log file for the web shield detection and compare it with the file properties (creation date) of the two detections from your scan that you sent to the chest (you would need to open the chest to do this).

We can assume that there was some other infection along with the initial one that wasn’t detected by avast!. The first was successfully blocked, but not the second one.

Is that something the attackers do to trick Web Shield?

So the scan is completed and the following items were successfully moved to the chest:

C:\Documents and Settings\Sean\Desktop\Current\Computer Stuff\MSISetup.rar\MSI MB Drivers SET UP\Network\Realtek\8139\DMI\WINEXE\INSTALL.EXE

Infection: Win32:Malware-gen

C:\System Volume Information\_restore{B59195A7-E30B-49B5-B1B2-628075E667FF}\RP389\A0069233.EXE

Infection: Win32:Malware-gen

so a restore point was detected as containing malware…hmm…sounds like FP to me. You could always upload it to avast FTP for a check, or directly from chest, and also to VirusTotal.

What’s FP? How do I upload it to the Avast FTP?

Also, I checked the date/time on the two infections. The transfer time for the one in the System Volume Information folder dates from the exact time of the initial detection and the other one dates from the time of the first virus detection during the subsequent scan.

FP = false positive … forget avast ftp, try to submit to avast what you got in the Chest (right click on the file and submit).

Thanks for all your help!

There is also a THIRD file in the chest but it appears to be the same as the first one:

C:\Documents and Settings\Sean\Desktop\Current\Computer Stuff\MSI MB Drivers SET UP\Network\Realtek\8139\DMI\WINEXE\INSTALL.EXE

Infection: Win32:Malware-gen

The strange thing is that the “last changed” date/time for the two moved files is June 1999!

No, that isn’t something malware does, as it would also have to be scanned when being downloaded.

This to me looks like a modification to a generic signature (that is, the -gen bit of the malware name detected) that is now picking up on what was an old, previously undetected file on your system. This can be an indication of an FP, which I think is more likely, or of genuine previously undetected malware.

It is also possible that the detected restore point is related to the other detection (…\MSI MB Drivers SET UP\Network\Realtek\8139\DMI\WINEXE\INSTALL.EXE): if you updated your drivers, etc., then it is possible the old file was saved as a restore point by system restore.

- Infected Restore Points - There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.

- Worst case scenario: it isn't infected and you delete it; you can't use that restore point in the future, not much of a loss, and the older the restore point is, the less of an issue it is.

- So if there is any suspicion about a restore point, then it is best removed from the system volume information folder, or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.
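An added example, not from this thread, showing the timestamp point made above and the log-versus-creation-date check suggested earlier: a file extracted from an archive keeps its stored 1999 modification time, while its creation/change time is the moment of extraction, and that arrival time is what you compare against a logged Web Shield detection time. It assumes Python 3, uses a tar archive as a stand-in for the .rar, and all file names and contents are constructed.

```python
import os
import tarfile
import tempfile
import time
from datetime import datetime, timezone
# Constructed stand-in for the June 1999 driver INSTALL.EXE from the thread.
OLD_MTIME = int(datetime(1999, 6, 1, tzinfo=timezone.utc).timestamp())

def pack_and_extract(workdir):
    """Archive a file with a 1999 mtime, then extract it. tar, like RAR and most
    archivers, restores the stored mtime; creation/change time is set at extraction."""
    src = os.path.join(workdir, "INSTALL.EXE")
    with open(src, "wb") as f:
        f.write(b"MZ constructed placeholder, not a real executable")
    os.utime(src, (OLD_MTIME, OLD_MTIME))
    archive = os.path.join(workdir, "MSISetup.tar")
    with tarfile.open(archive, "w") as tar:
        tar.add(src, arcname="INSTALL.EXE")
    outdir = os.path.join(workdir, "extracted")
    os.mkdir(outdir)
    with tarfile.open(archive) as tar:
        tar.extractall(outdir)
    return os.path.join(outdir, "INSTALL.EXE")

def arrival_time(path):
    """When the file landed on this disk: birth time where the OS exposes it
    (Windows, macOS), otherwise st_ctime, which a fresh extraction also sets."""
    st = os.stat(path)
    return getattr(st, "st_birthtime", st.st_ctime)

def timestamp_triage(path):
    """Classify a chest hit by comparing arrival time with content mtime."""
    modified = os.path.getmtime(path)
    if (arrival_time(path) - modified) / 86400 > 365:
        return "old content placed recently: extracted or copied, not a fresh download"
    if abs(time.time() - modified) < 3600:
        return "content written just now: consistent with a fresh download"
    return "inconclusive"

def arrived_near(path, detection_epoch, tolerance_s=300):
    """Did the file arrive within tolerance of a logged Web Shield detection time?"""
    return abs(arrival_time(path) - detection_epoch) <= tolerance_s
def run_demo():
    """Constructed scenario: one extracted 1999 file and one file written now."""
    d = tempfile.mkdtemp()
    old = pack_and_extract(d)
    fresh = os.path.join(d, "download.tmp")
    with open(fresh, "wb") as f:
        f.write(b"constructed fresh download")
    return {"old": timestamp_triage(old), "fresh": timestamp_triage(fresh), "old_near_now": arrived_near(old, time.time())}
```

The extracted file reports "old content placed recently" because its arrival time is now while its mtime is 1999, which is the pattern the June 1999 "last changed" date in this thread shows.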

So should I just delete those three files?

No.

I would certainly delete the file relating to the infected restore point, but the install.exe file should be investigated as a possible false positive.

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here: the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, and type (or copy and paste) C:\Suspect\* . That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

I did submit the install file for investigation but I couldn’t delete the System Restore file because I couldn’t get access to the System Volume Information folder no matter what I did. I went through the whole Microsoft procedure and where it says to click on the “Security” tab under Sharing and Security there was no “Security” tab so I was stuck. Can’t I just delete the infected restore point by turning off System Restore or is that too much of a guess?

I thought that you sent it to the avast chest?

Disabling system restore, rebooting and re-enabling system restore will get rid of it, plus all restore points, not really what you want: a sledgehammer to crack a nut.

avast should be able to remove it from the System Volume Information folder on detection if that is the choice you make. Otherwise you can schedule a boot-time scan. If you have XP, Vista or Win2k (all 32bit), you could enable a boot time scan: right click the avast icon, select Start avast! Antivirus; a memory scan will take place, followed by the opening of the Simple User Interface, then Menu, ‘Schedule boot-time scan…’. Or see http://www.digitalred.com/avast-boot-time.php. Don’t opt for deletion (you have no options left); always send to the chest and investigate.

Look in the C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt file, check this file using notepad and copy and paste the info on the detection.
Or use a command line: Windows, Start, Run, and type C:\Program Files\ALWIL Software\Avast4\sched.exe /A:*