Topic: Only sending "No-System" Files to the chest

allisson

  • Guest
Only sending "No-System" Files to the chest
« on: December 13, 2010, 11:22:33 AM »
Hi,

I'm relatively new to Avast. I am completely satisfied, though one of the first things I noticed (I moved to Avast from Avira) was the missing "Ignore" option. I have read about the reasons why Avast chose not to add the option, but I am still not convinced, especially with false positive scenarios that involve Windows system files. I remember reading about an Avast false positive a few years back (the user.dll as far as I remember).

Now, in this thread https://forum.avast.com/index.php?topic=55644.0, which I accidentally stumbled upon, I read Tech's strategy:

Quote
I have fear of Chest... system things... can't boot/logon... I just send "no-system" files to Chest, otherwise, I investigate.
I think this is extremely clever and for me that would be somewhat of a replacement for the ignore function.

My question is: how do I implement such a behaviour in Avast? How do I exclude system files from being sent anywhere?


Thanks and cheers
ally

SafeSurf

  • Guest
Re: Only sending "No-System" Files to the chest
« Reply #1 on: December 13, 2010, 11:47:22 AM »
Hi allisson and welcome to the forum.

Ignore means "No Action" in Avast language. 

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Only sending "No-System" Files to the chest
« Reply #2 on: December 13, 2010, 11:58:37 AM »
In the "expert settings" under each of the file system shields (Expert Settings > Actions) you could specify "ask" rather than "send to chest" for certain detections, making it unlikely that a required system file is sent there (unless you send it there!).

I recommend you do not alter the default "abort connection" for the web shield. This shield is generally accurate in detection, and Avast users are often among the first to know a particular site might be infected. Aborting the connection is the best way to avoid a hazardous download.

Welcome to the forum.

Windows 10,Windows Firewall,Firefox w/Adblock.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Only sending "No-System" Files to the chest
« Reply #3 on: December 13, 2010, 12:32:30 PM »
What is a system file?
A file that is in system folders (Windows, etc.)?
How do you separate a legit file from an infected one? Signatures?
It's not easy (or safe) to implement general policies for that. That's why David always sets "ask" for the actions to be taken automatically, to keep control.
The best things in life are free.

allisson

  • Guest
Re: Only sending "No-System" Files to the chest
« Reply #4 on: December 13, 2010, 03:43:34 PM »
Hi,

thanks a lot for the speedy reply.

OK, let's go back. Perhaps you would be so kind as to hypothetically walk me through the procedure, because I really want to understand it.

- The File Shield/Real Time Shield
Let's suppose the File Shield, which is always running in the background, detects a file, e.g. a Windows system file, as being infected.

My settings are "Ask".

Do I get a popup telling me that Avast has found something? What are the options here? What happens to the file in question?
« Last Edit: December 13, 2010, 03:46:00 PM by allisson »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88900
  • No support PMs thanks
Re: Only sending "No-System" Files to the chest
« Reply #5 on: December 13, 2010, 04:30:54 PM »
Anything that you consider a false positive shouldn't just be ignored (Avira speak) or excluded from scans (avast); that is shooting the messenger rather than treating the problem.

Confirm by examination (VirusTotal) that it is indeed an FP; if so, send the sample for analysis and correction of the detection signature plus inclusion in a signature update, see #### below. This helps all avast users.

There is a drop-down list in the Ask dialogue window from which you can select the option: Move to chest, Delete, No Action (which just means don't take any other action; the file remains in its location but avast won't let you run it), etc. These actions may differ from one shield to another; those like the Web Shield, which intercept detections outside of your system, would just give Abort connection. This just drops your connection for that item (not your internet connection) and flushes it out of the cache where the scan takes place.

####
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, i.e. the URL in the address bar of the VT results page. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect on the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, and type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

If only GData and avast detect it: GData uses avast as one of its two scanners, so that counts as 1 detection and is almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest, right click on the file and select 'Submit to virus lab...', complete the form and submit; the file will be uploaded during the next update.

- In the meantime (if you accept the risk), add the full path to the file to the exclusions lists:
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
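The detection-counting rule from the post above (a GData hit does not count separately from avast, because GData uses the avast engine as one of its two scanners) as an added example; this is not code from the thread or from avast, and the engine labels and scan results are constructed, not real VirusTotal output.

```python
"""Added example (not from the thread or from avast): encodes the
false-positive triage rule from the post above, where a detection by
GData does not count separately from avast because GData uses the
avast engine as one of its two scanners."""
from dataclasses import dataclass, field

# Dependent engine -> backend it embeds. Only the pairing the post states is
# encoded; add others only when the vendor relationship is confirmed.
SHARED_ENGINES = {"GData": "avast"}


@dataclass
class Verdict:
    independent_hits: int
    engines: list = field(default_factory=list)
    classification: str = "clean"   # clean | likely_fp | single_other | multiple
    next_step: str = ""


def triage(results):
    """results: engine name -> detection label, or None/'' when clean.
    Returns a Verdict with the count of independent detections."""
    hits = {eng for eng, label in results.items() if label}
    # A dependent engine's hit is discounted when its backend also fired.
    for dependent, backend in SHARED_ENGINES.items():
        if dependent in hits and backend in hits:
            hits.discard(dependent)
    engines = sorted(hits)
    if not engines:
        return Verdict(0, engines, "clean", "no engine detects it")
    if engines == ["avast"]:
        return Verdict(1, engines, "likely_fp",
                       "almost certainly an FP: submit the sample to the virus lab, "
                       "then exclude the full path only if you accept the risk")
    if len(engines) == 1:
        return Verdict(1, engines, "single_other",
                       f"only {engines[0]} flags it: verify further before excluding")
    return Verdict(len(engines), engines, "multiple",
                   "several independent engines flag it: leave it in the chest")


# Constructed sample scan results, not real VirusTotal output.
ONLY_AVAST_FAMILY = {"avast": "Win32:Trojan-gen", "GData": "Win32:Trojan-gen",
                     "Kaspersky": None, "Microsoft": None}
CORROBORATED = dict(ONLY_AVAST_FAMILY, Kaspersky="Trojan.Win32.Generic")

if __name__ == "__main__":
    for name, res in (("only avast+GData", ONLY_AVAST_FAMILY), ("corroborated", CORROBORATED)):
        v = triage(res)
        print(f"{name}: {v.independent_hits} independent hit(s) -> {v.classification}")
```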

allisson

  • Guest
Re: Only sending "No-System" Files to the chest
« Reply #6 on: December 13, 2010, 06:58:15 PM »
Thanks for the detailed reply.

So the procedure would be: the File System Shield detects something, I get a popup because my setting is "Ask", and I can choose "No Action".

In order to check the file, I can either create an exception for the location where the file normally is, because the location of the file hasn't altered (this is most likely for system files), or create that extra folder. Then I can upload the file to VirusTotal.

So the difference between an "Ignore" function (that e.g. Avira has) and the "No Action" function of Avast is that whereas the first allows the file to be executed without creating an exception, the second requires the definition of an exception.

Is that right?

And for the false positive scenario, in case a system file that is necessary for Windows to boot is involved: if I choose "No Action" when asked and do not create an exception, will Windows start correctly or will Avast still prevent that?

Thanks again!

Offline DavidR

Re: Only sending "No-System" Files to the chest
« Reply #7 on: December 13, 2010, 08:27:11 PM »
Essentially that is correct. avast has for many years said it won't give a single-click option to ignore and exclude a file from scans, as it is simply too dangerous if clicked accidentally.

That is why they have taken the two-step option: you take no action first and then create the exclusion to allow it to run. That way it takes a deliberate act to run a file which avast considers infected.

If you take No Action and you try to run the file, it won't run; if you reboot, avast would alert again on the file when it attempts to run.

allisson

  • Guest
Re: Only sending "No-System" Files to the chest
« Reply #8 on: December 13, 2010, 08:39:20 PM »
Thank you!

Quote
If you take No Action, and you try to run the file it won't run, if you reboot then avast would alert again on the file when it attempts to run.

So if the file is part of the OS, i.e. Windows (being an .exe or .dll; I think the case some years ago was a false positive with the user.32dll), and it is detected by Avast, and the user chooses "No Action" without doing anything else and then shuts down the system, will Windows be able to start or not?

Offline DavidR

Re: Only sending "No-System" Files to the chest
« Reply #9 on: December 13, 2010, 08:50:08 PM »
There are other protections in place for essential system files, even when infected (win32:patched for example, in winlogon.exe, etc.), where the removal of an essential system file could have disastrous effects; although avast detected it, it didn't take any action and the user was still able to boot.

Virus database updates are also tested against a clean-set before the update is released, which does help prevent FPs on system files, not to mention that system files that are digitally signed are also protected in the same way. There was an incident about a year ago where this practice failed and one got through, as the virus update wasn't first run against the clean-set.

In over six and a half years of using avast, I have never had an FP on a system file, lucky I guess ;D

The biggest problem is when the user chooses delete as their first option.

I'm an avast user and don't work for Avast, so I'm not privy to all of the checks and balances to prevent FPs in system files, but I would suggest that there isn't a huge history of this. Not to mention we learn from history and move forwards rather than constantly look back.

allisson

  • Guest
Re: Only sending "No-System" Files to the chest
« Reply #10 on: December 14, 2010, 12:12:53 PM »
Thank you, and I am fully aware that you answer to the best of your knowledge as a user. Thank you again for that!

I absolutely salute Avast because, to my knowledge, it has far fewer false positives than any other AV software.

But still my question remains as to how Avast deals with a system file being detected as malicious regardless of it being a FP or not:

If a system file that is essential for the OS to work/boot etc. is detected by Avast and the user chooses "No Action" then shuts down and restarts the computer, will it start normally?

Offline DavidR

Re: Only sending "No-System" Files to the chest
« Reply #11 on: December 14, 2010, 02:51:16 PM »
I can only refer to my comment about the win32:patched infection that is directly associated with system files (winlogon.exe and explorer.exe, etc.) being infected and too dangerous to simply remove.

Even in their infected state the system still runs and requires other measures to a) find and kill the underlying malware responsible for the infection and b) replace the files with known good ones.