AVG scanning (or not) of Office files

Thanks for the reply. But I'm still confused.

In your test using Microsoft Word and an infected .doc file, did you have
AVG's Office plug-in enabled or disabled?

I agree that the Office plug-in *will* scan Office documents when they're
opened by Office programs. But Resident Shield apparently does *not* scan
Office documents.

If I put EICAR (a harmless, test-only faux-virus) inside a .exe file, AVG's
Resident Shield squawks when I try to open the file, even though EICAR
cannot actually cause any damage.

Of course EICAR in a .doc file can't actually cause any damage either. But
so? Resident Shield should prevent attempts to open infected files having
suffixes that it claims to be scanning. If I disable the Office plug-in,
Resident Shield happily allows eicar.doc to be opened by Word. That sounds
like a bug.

To be utterly clear, here's my test procedure:

1. Enter EICAR test string in a file called foo.exe.
2. Invoke Notepad, and tell it to open foo.exe. AVG's Resident Shield
squawks, and the open attempt fails (Notepad reports "Access is denied").
3. Now enter EICAR test string in a file called foo.doc.
4. Invoke Notepad, and tell it to open foo.doc. No errors, Notepad
successfully opens the file.

Note that w/ the AVG Office Plug-in disabled, in step #4 above you can
substitute Microsoft Word for Notepad -- no error on opening the "infected
file".

Bottom line: Resident Shield does not scan *.doc files (unless it special
cases the EICAR test string, which I doubt!), although it claims that it
does.

P.S. Other extensions that Resident Shield claims to be scanning: .ini,
..jpg, .jpeg. Putting the EICAR test virus in any of these file types *also*
does not ellicit an error from Resident Shield when they're opened. Hey,
howcome EICAR, which is *designed* to allow tests of AV such as these,
ellicits such random behavior from AVG? (In .exe -- no access; in .com --
who cares?)

> | I would prefer to disable the Office plug-in -- it's very slow, and
> should
> | be redundant with Resident Shield's layer of protection. But Resident
> | Shield appears not to give a hoot about Office files. Howcome?
> |
>
> You have to understand the nature of the files and the type of malware the
> anti virus will
> scan.
>
> The EICAR test string inside a MS Office document should not trigger the
> AV software.
> Now if you embed an infected executable inside a MS Office document it
> should such as...
>
> 8/13/2006 7:56 PM Infected DLIPMAN-1\lipman C:\Documents and
> Settings\lipman\Desktop\X5O.doc
> W32/Sdbot.worm.gen.n (Virus) (Removable)
>
> In the above I embedded an EXE infected with the SDBot Worm in the MS Word
> document X5O.doc.
>
> If the the file is infected with a "Macro Virus" it too should be flagged
> by an AV scanner.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
 >> Stay informed about: AVG scanning (or not) of Office files 

From: "Junior" <none.DeleteThis@specified.com>

| Thanks for the reply. But I'm still confused.
|
| In your test using Microsoft Word and an infected .doc file, did you have
| AVG's Office plug-in enabled or disabled?
|
| I agree that the Office plug-in *will* scan Office documents when they're
| opened by Office programs. But Resident Shield apparently does *not* scan
| Office documents.
|
| If I put EICAR (a harmless, test-only faux-virus) inside a .exe file, AVG's
| Resident Shield squawks when I try to open the file, even though EICAR
| cannot actually cause any damage.
|
| Of course EICAR in a .doc file can't actually cause any damage either. But
| so? Resident Shield should prevent attempts to open infected files having
| suffixes that it claims to be scanning. If I disable the Office plug-in,
| Resident Shield happily allows eicar.doc to be opened by Word. That sounds
| like a bug.
|
| To be utterly clear, here's my test procedure:
|
| 1. Enter EICAR test string in a file called foo.exe.
| 2. Invoke Notepad, and tell it to open foo.exe. AVG's Resident Shield
| squawks, and the open attempt fails (Notepad reports "Access is denied").
| 3. Now enter EICAR test string in a file called foo.doc.
| 4. Invoke Notepad, and tell it to open foo.doc. No errors, Notepad
| successfully opens the file.
|
| Note that w/ the AVG Office Plug-in disabled, in step #4 above you can
| substitute Microsoft Word for Notepad -- no error on opening the "infected
| file".
|
| Bottom line: Resident Shield does not scan *.doc files (unless it special
| cases the EICAR test string, which I doubt!), although it claims that it
| does.
|
| P.S. Other extensions that Resident Shield claims to be scanning: .ini,
| .jpg, .jpeg. Putting the EICAR test virus in any of these file types *also*
| does not ellicit an error from Resident Shield when they're opened. Hey,
| howcome EICAR, which is *designed* to allow tests of AV such as these,
| ellicits such random behavior from AVG? (In .exe -- no access; in .com --
| who cares?)
|
|>> I would prefer to disable the Office plug-in -- it's very slow, and
>> should
|>> be redundant with Resident Shield's layer of protection. But Resident
|>> Shield appears not to give a hoot about Office files. Howcome?
|>>

I don't have not will I use AVG.

I simply am trying to clarify that a EICAR test sting in an MS Office Document will NOT
trigger a virus alert.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 >> Stay informed about: AVG scanning (or not) of Office files 

OK, thanks anyway for the info.

After browsing Grisoft's AVG Free Edition forum
(http://forum.grisoft.cz/freeforum/), I now think the confusion may just be
the result of the fact that you can't use EICAR to test/demo all of AVG's
capabilities (which, if true, is a shame, since EICAR is designed for
exactly that purpose, and it's not clear how else to do the tests -- what,
use a *real* virus?)

Unlike Norton AntiVirus, e.g., where EICAR triggers alerts in all cases, no
matter what kind of file you store it in, and no matter whether you're
testing the manual scan capability, or Auto-Protect (the equivalent of AVG's
Resident Shield), with AVG, EICAR will only trigger an alert from Resident
Shield in very limited cases (put it in a .exe or a .com file, period). A
considerable amount of the traffic at the above-mentioned forum is devoted
to exactly this point. Apparently the AVG engineers thought this was a
plus.

Bottom line: I don't know whether Resident Shield scans Office documents
for viruses (including macro viruses). Hence I don't know whether it's safe
to disable the pokey AVG Office plug-in.

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:Up5Eg.69718$MW.10296@trnddc04...
> From: "Junior" <none DeleteThis @specified.com>
>
> | Thanks for the reply. But I'm still confused.
> |...snip...
> |>>
>
> I don't have not will I use AVG.
>
> I simply am trying to clarify that a EICAR test sting in an MS Office
> Document will NOT
> trigger a virus alert.
>
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
 >> Stay informed about: AVG scanning (or not) of Office files 

"Junior" <none RemoveThis @specified.com> wrote in message news:ZlGEg.255043$mF2.221869@bgtnsc04-news.ops.worldnet.att.net...
> OK, thanks anyway for the info.
>
> After browsing Grisoft's AVG Free Edition forum
> (http://forum.grisoft.cz/freeforum/), I now think the confusion may just be
> the result of the fact that you can't use EICAR to test/demo all of AVG's
> capabilities (which, if true, is a shame, since EICAR is designed for
> exactly that purpose, ...

Well, not exactly that purpose. This is different than expecting an AV
to find an EICAR file within an archive.
 >> Stay informed about: AVG scanning (or not) of Office files