Author Topic: This does not make sense.  (Read 1909 times)
schwartr
« on: February 19, 2009, 09:39:27 PM »

I went to http://www.eicar.org/anti_virus_test_file.htm to test out the AV. When I downloaded the file eicar.com the AV alerted me it was a virus. However, when I downloaded eicar.com.zip and eicar2com.zip it downloaded fine. However, when I scanned it with the r-click option it revealed the virus.

What does not make sense is that CIS did not catch it when it was downloaded. Doesn't CIS scan all downloads? If so, it seems like CIS should have caught it, especially since CIS can detect it as a virus with the right-click scan.

So how can CIS miss it when it does the download scan, but catch it with a manual scan?

John Buchanan
Global Moderator
« Reply #1 on: February 19, 2009, 09:46:23 PM »

No, I do not think CIS scans as files are downloaded.  Viruses need to be either on the HDD or in memory to be of any threat.  The first file was the virus (test) file and it was immediately flagged.  The other two were repackaged, so it took a manual scan to find them.  I haven't tested this yet, but I believe once the files are unzipped and loaded into memory, the AV or D+ should pick them up.
Could someone else please confirm if I am correct on this?

Please follow Comodo Forum Policy

Maximus III Formula, i7-860 [at] 3.7GHz, 8GB DDR3-1600, Win7 Ultimate x64
schwartr
« Reply #2 on: February 19, 2009, 09:46:49 PM »

I looked into it a bit more and apparently it's just that CIS does not have the ability to detect viruses hidden in zipped files. CIS can detect this virus, but just not in zip form.

Is this something that will be remedied in later versions? Hopefully so.

schwartr
« Reply #3 on: February 19, 2009, 09:54:40 PM »

> No, I do not think CIS scans as files are downloaded.  Viruses need to be either on the HDD or in memory to be of any threat.  The first file was the virus (test) file and it was immediately flagged.  The other two were repackaged, so it took a manual scan to find them.  I haven't tested this yet, but I believe once the files are unzipped and loaded into memory, the AV or D+ should pick them up.
> Could someone else please confirm if I am correct on this?


Comodo does scan downloads. I just tested it. After I dl a file it says "scan for virus"; when I disable the AV it does not say that.

Bad Frogger
Global Moderator
« Reply #4 on: February 19, 2009, 10:05:52 PM »

Hi, John you're right.

The scanner is on access reads/writes.

"After I dl a file it says "scan for virus" when I disable the av it does not say that"
Partially correct: your browser is calling up the AV, if found, to scan the DL.
The same as if you right-click scanned them.
The behavior you see with the eicar.com file proves the scanner scans the files
as written, so having the browser do it again is redundant anyway.

The zipped ones are caught on access/read, so try to open, explore, or unzip and
the viral executable is detected then.
The "viral" files are harmless and cannot be executed from the archived state.

So there is nothing to fix, as this is the expected behavior.
There is sound reasoning behind this.

Later  Cheers


Major edit: as rambling filter was set to very low.
« Last Edit: February 19, 2009, 10:43:55 PM by Bad Frogger »

CIS    Firefox  NoScript  Please remember to follow The Forum Policy.
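
The behaviour discussed in this thread, as an added example that is not part of any post and is not Comodo's code: a toy byte-signature check misses the EICAR test string inside a deflated zip when it only looks at the bytes as written to disk, and finds it once the archive members are read, which is what happens on open or unzip. The names `raw_scan` and `archive_scan`, the substring signature, and the depth and size limits are assumptions made for this illustration.

```python
import io
import zipfile

# EICAR test string: harmless 68-byte file that AV products flag by convention.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"  # toy signature (assumption)
MAX_DEPTH = 3                  # assumed cap on archive nesting
MAX_MEMBER_BYTES = 10_000_000  # assumed cap per member (zip-bomb guard)


def make_zip(name: str, data: bytes) -> bytes:
    """Build an in-memory deflated zip holding one member (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def raw_scan(data: bytes) -> bool:
    """Signature match on the bytes exactly as they sit on disk."""
    return SIGNATURE in data


def archive_scan(data: bytes, path: str = "", depth: int = 0) -> list[str]:
    """Match the raw bytes, then unpack zip members and scan those too."""
    if raw_scan(data):
        return [path or "<file>"]
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER_BYTES:
                continue  # oversized member: skipped here, a real scanner would flag it
            member = f"{path}/{info.filename}".lstrip("/")
            hits += archive_scan(zf.read(info), member, depth + 1)
    return hits


if __name__ == "__main__":
    single = make_zip("eicar.com", EICAR)       # one level of packing
    nested = make_zip("eicar_com.zip", single)  # zip inside a zip
    for label, blob in [("plain", EICAR), ("zip", single), ("nested", nested)]:
        print(label, "raw:", raw_scan(blob), "unpacked:", archive_scan(blob))
```
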