AVG scanning (or not) of Office files

Junior

I recently installed AVG on my computer. Resident Shield has the default
settings, which imply that it's scanning Microsoft Word (*.doc) and Excel
(*.xls) files. However, it seems *not* to scan such files for viruses.

For example, if I put the EICAR test string in a .exe file, AVG squawks when
I try to open the file. But if I put EICAR in a .doc file, nothing happens
when I open it (e.g. with Notepad). AVG knows there's a "virus" in the
file, because if I manually scan the folder, it squawks about the .doc file
being infected.

How come Resident Shield doesn't bark when an infected .doc or .xls file is
opened?

Of course, if the AVG Office plug-in is installed and registered, Word
"requests a virus scan" when I open my infected .doc file, and at that point
I get the error, but this is not the same thing as having Resident Shield
scan for viruses when files are opened.

I would prefer to disable the Office plug-in -- it's very slow, and should
be redundant with Resident Shield's layer of protection. But Resident
Shield appears not to give a hoot about Office files. How come?
 
David H. Lipman

From: "Junior" <[email protected]>

| I recently installed AVG on my computer. Resident Shield has the default
| settings, which imply that it's scanning Microsoft Word (*.doc) and Excel
| (*.xls) files. However, it seems *not* to scan such files for viruses.
|
| For example, if I put the EICAR test string in a .exe file, AVG squawks when
| I try to open the file. But if I put EICAR in a .doc file, nothing happens
| when I open it (e.g. with Notepad). AVG knows there's a "virus" in the
| file, because if I manually scan the folder, it squawks about the .doc file
| being infected.
|
| How come Resident Shield doesn't bark when an infected .doc or .xls file is
| opened?
|
| Of course, if the AVG Office plug-in is installed and registered, Word
| "requests a virus scan" when I open my infected .doc file, and at that point
| I get the error, but this is not the same thing as having Resident Shield
| scan for viruses when files are opened.
|
| I would prefer to disable the Office plug-in -- it's very slow, and should
| be redundant with Resident Shield's layer of protection. But Resident
| Shield appears not to give a hoot about Office files. How come?
|

You have to understand the nature of the files and the type of malware the antivirus will
scan.

The EICAR test string inside an MS Office document should not trigger the AV software.
Now if you embed an infected executable inside an MS Office document, it should, such as...

8/13/2006 7:56 PM Infected DLIPMAN-1\lipman C:\Documents and Settings\lipman\Desktop\X5O.doc
W32/Sdbot.worm.gen.n (Virus) (Removable)

In the above I embedded an EXE infected with the SDBot Worm in the MS Word document X5O.doc.

If the file is infected with a "Macro Virus" it too should be flagged by an AV scanner.
 
Junior

Thanks for the reply. But I'm still confused.

In your test using Microsoft Word and an infected .doc file, did you have
AVG's Office plug-in enabled or disabled?

I agree that the Office plug-in *will* scan Office documents when they're
opened by Office programs. But Resident Shield apparently does *not* scan
Office documents.

If I put EICAR (a harmless, test-only faux-virus) inside a .exe file, AVG's
Resident Shield squawks when I try to open the file, even though EICAR
cannot actually cause any damage.

Of course EICAR in a .doc file can't actually cause any damage either. But
so? Resident Shield should prevent attempts to open infected files having
suffixes that it claims to be scanning. If I disable the Office plug-in,
Resident Shield happily allows eicar.doc to be opened by Word. That sounds
like a bug.

To be utterly clear, here's my test procedure:

1. Enter EICAR test string in a file called foo.exe.
2. Invoke Notepad, and tell it to open foo.exe. AVG's Resident Shield
squawks, and the open attempt fails (Notepad reports "Access is denied").
3. Now enter EICAR test string in a file called foo.doc.
4. Invoke Notepad, and tell it to open foo.doc. No errors, Notepad
successfully opens the file.

Note that w/ the AVG Office Plug-in disabled, in step #4 above you can
substitute Microsoft Word for Notepad -- no error on opening the "infected
file".

Bottom line: Resident Shield does not scan *.doc files (unless it special
cases the EICAR test string, which I doubt!), although it claims that it
does.

P.S. Other extensions that Resident Shield claims to be scanning: .ini,
.jpg, .jpeg. Putting the EICAR test virus in any of these file types *also*
does not elicit an error from Resident Shield when they're opened. Hey,
how come EICAR, which is *designed* to allow tests of AV such as these,
elicits such random behavior from AVG? (In .exe -- no access; in .com --
who cares?)
 
David H. Lipman

From: "Junior" <[email protected]>

| Thanks for the reply. But I'm still confused.
|
| In your test using Microsoft Word and an infected .doc file, did you have
| AVG's Office plug-in enabled or disabled?
|
| I agree that the Office plug-in *will* scan Office documents when they're
| opened by Office programs. But Resident Shield apparently does *not* scan
| Office documents.
|
| If I put EICAR (a harmless, test-only faux-virus) inside a .exe file, AVG's
| Resident Shield squawks when I try to open the file, even though EICAR
| cannot actually cause any damage.
|
| Of course EICAR in a .doc file can't actually cause any damage either. But
| so? Resident Shield should prevent attempts to open infected files having
| suffixes that it claims to be scanning. If I disable the Office plug-in,
| Resident Shield happily allows eicar.doc to be opened by Word. That sounds
| like a bug.
|
| To be utterly clear, here's my test procedure:
|
| 1. Enter EICAR test string in a file called foo.exe.
| 2. Invoke Notepad, and tell it to open foo.exe. AVG's Resident Shield
| squawks, and the open attempt fails (Notepad reports "Access is denied").
| 3. Now enter EICAR test string in a file called foo.doc.
| 4. Invoke Notepad, and tell it to open foo.doc. No errors, Notepad
| successfully opens the file.
|
| Note that w/ the AVG Office Plug-in disabled, in step #4 above you can
| substitute Microsoft Word for Notepad -- no error on opening the "infected
| file".
|
| Bottom line: Resident Shield does not scan *.doc files (unless it special
| cases the EICAR test string, which I doubt!), although it claims that it
| does.
|
| P.S. Other extensions that Resident Shield claims to be scanning: .ini,
| .jpg, .jpeg. Putting the EICAR test virus in any of these file types *also*
| does not elicit an error from Resident Shield when they're opened. Hey,
| how come EICAR, which is *designed* to allow tests of AV such as these,
| elicits such random behavior from AVG? (In .exe -- no access; in .com --
| who cares?)
|
|>> I would prefer to disable the Office plug-in -- it's very slow, and should
|>> be redundant with Resident Shield's layer of protection. But Resident
|>> Shield appears not to give a hoot about Office files. How come?
|>>

I don't have nor will I use AVG.

I simply am trying to clarify that an EICAR test string in an MS Office Document will NOT
trigger a virus alert.
 
Junior

OK, thanks anyway for the info.

After browsing Grisoft's AVG Free Edition forum
(http://forum.grisoft.cz/freeforum/), I now think the confusion may just be
the result of the fact that you can't use EICAR to test/demo all of AVG's
capabilities (which, if true, is a shame, since EICAR is designed for
exactly that purpose, and it's not clear how else to do the tests -- what,
use a *real* virus?)

Unlike Norton AntiVirus, e.g., where EICAR triggers alerts in all cases, no
matter what kind of file you store it in, and no matter whether you're
testing the manual scan capability, or Auto-Protect (the equivalent of AVG's
Resident Shield), with AVG, EICAR will only trigger an alert from Resident
Shield in very limited cases (put it in a .exe or a .com file, period). A
considerable amount of the traffic at the above-mentioned forum is devoted
to exactly this point. Apparently the AVG engineers thought this was a
plus.

Bottom line: I don't know whether Resident Shield scans Office documents
for viruses (including macro viruses). Hence I don't know whether it's safe
to disable the pokey AVG Office plug-in.
 
edgewalker

Junior said:
OK, thanks anyway for the info.

After browsing Grisoft's AVG Free Edition forum
(http://forum.grisoft.cz/freeforum/), I now think the confusion may just be
the result of the fact that you can't use EICAR to test/demo all of AVG's
capabilities (which, if true, is a shame, since EICAR is designed for
exactly that purpose, ...

Well, not exactly that purpose. This is different than expecting an AV
to find an EICAR file within an archive.
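
Added example, not part of any post in this thread: a small Python checker that separates the two cases discussed above, a file that *is* the EICAR test file under some name (the foo.exe / foo.doc test) and a file that merely *contains* the string somewhere inside a document body. The conformance rules are taken from EICAR's published test-file definition; the sample bytes, the `classify` and `survey` names, and the fake document are constructed for illustration and say nothing about how AVG itself decides.

```python
# Added example: classify how the EICAR test string appears in a file's bytes.
# Rules assumed from EICAR's published test-file definition: the 68-byte string
# at offset 0, optional trailing whitespace (space, tab, LF, CR, Ctrl-Z), and a
# total length of at most 128 bytes.

# Joined from two halves so a substring-matching scanner does not flag this source.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_TRAILING = b" \t\n\r\x1a"
MAX_LEN = 128
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of a binary .doc/.xls


def classify(data: bytes) -> str:
    """Return 'conformant', 'prefix-only', 'embedded' or 'absent'."""
    if data.startswith(EICAR):
        tail = data[len(EICAR):]
        if len(data) <= MAX_LEN and all(b in ALLOWED_TRAILING for b in tail):
            return "conformant"
        return "prefix-only"   # starts with the string but breaks the rules
    return "embedded" if EICAR in data else "absent"


def survey(samples: dict) -> dict:
    """Map each file name to (classification, is_real_ole2_container)."""
    return {name: (classify(data), data.startswith(OLE2_MAGIC))
            for name, data in samples.items()}


# Constructed samples: the first two mirror the thread's foo.exe / foo.doc test
# (raw string saved under two names); the third is a fake OLE2 document body.
SAMPLES = {
    "foo.exe": EICAR,
    "foo.doc": EICAR + b"\r\n",
    "embedded.doc": OLE2_MAGIC + b"\x00" * 504 + EICAR + b"\x00" * 64,
}

if __name__ == "__main__":
    for name, (kind, ole2) in survey(SAMPLES).items():
        print(f"{name:14} {kind:12} ole2_container={ole2}")
```

foo.exe and foo.doc both classify as conformant because their content is identical, so any difference in on-access behaviour between them comes from how a scanner treats the extension, not from the bytes.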
 
