Topic: Detection slows full system scan

Staffy

  • Guest
Detection slows full system scan
« on: July 29, 2012, 05:17:43 PM »
Hi,

I recently performed a full system scan which detected 4 infections. However, I think these are false positives as these programs have been on my system for years. Normally, a full system scan takes about 1.5 hours to complete. With the detections, it now takes longer to finish. The scan now completes in 2hrs 40mins. Can anyone explain why this should happen? Should I place these programs in the exclusion list or should I report to Avast to look into so that the virus definitions can be corrected?

Thanks.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: Detection slows full system scan
« Reply #1 on: July 29, 2012, 05:20:21 PM »
upload the file(s) to www.virustotal.com and test with 40+ malware scanners
when you have the result, copy the url and post it here for us to see

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Detection slows full system scan
« Reply #2 on: July 29, 2012, 06:18:18 PM »
When a detection is made in the Quick or Full System scans avast elevates the scan sensitivity. That would account for the increased scan duration.

If you dealt with the detections, send to chest or exclusion and run the scan again, it should default to normal non-paranoid settings and duration.

If you feel the items are false positives, this should be confirmed as suggested by Pondus at VT.
If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update. A link to this topic wouldn't hurt.

@@@@
- In the meantime (if you accept the risk), add the full path to the file to the exclusions lists (see Note below):
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Note: When using the Browse button it only goes down to folder level accept that. Now open the entry in the exclusions and change the \* to \file_name.exe where file_name.exe is the file you want to exclude.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Staffy

  • Guest
Re: Detection slows full system scan
« Reply #3 on: July 29, 2012, 06:50:39 PM »
Thanks for your replies.

When I went to the directory where the "infected" file was located, Avast brought up a pop up to say that a threat was detected and the file was moved to the Chest. In order to load the file to Virus Total, I had to restore the file back to its original location. I went to Virus Total and browsed for the file and selected it. Again, Avast showed the threat detected pop up and moved the file away before I had the chance to press the submit button. As the file was selected before the Avast popup appeared, I hope that pressing the submit button would still have submitted the file fully?

Anyway, here's the result of the scan https://www.virustotal.com/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/analysis/1343579135/

Interestingly, Avast didn't report it as a virus so I'm a bit confused  ??? Is the file OK?

Thanks, DavidR, for explaining why it all went slow and why the Chest doesn't refresh once I've restored the file. I didn't realise it left a copy in the Chest when a file is restored. Also for making me aware where the exclusion lists need to be updated.

I've also submitted a False Positive to Avast via the popup.

Thanks.
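
Added example (not part of the original posts): the report URL above embeds the SHA-256 of whatever VirusTotal actually received, so it can be compared with a hash of the local file to confirm the upload completed. The hash in the URL posted in this thread equals the SHA-256 of zero bytes of input, which means the report describes an empty upload rather than the file on disk. The function names and result labels are assumptions made for this sketch.

```python
import hashlib
import re

# SHA-256 of zero bytes of input; a report carrying this hash describes an empty upload.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# Report URL layout as posted in the thread: /file/<sha256>/analysis/<unix time>/
VT_URL_RE = re.compile(r"virustotal\.com/file/([0-9a-fA-F]{64})/analysis/")

# The URL from the post above, split only for line length.
THREAD_URL = ("https://www.virustotal.com/file/"
              "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
              "/analysis/1343579135/")


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large executable is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_from_report_url(url):
    """Extract the SHA-256 that the report URL says was analysed."""
    match = VT_URL_RE.search(url)
    if not match:
        raise ValueError("no SHA-256 found in report URL")
    return match.group(1).lower()


def check_report(url, local_sha256=None):
    """Return 'empty-upload', 'match', 'mismatch' or 'unverified' for a report URL."""
    reported = hash_from_report_url(url)
    if reported == EMPTY_SHA256:
        return "empty-upload"      # the scanner never received the file's bytes
    if local_sha256 is None:
        return "unverified"        # nothing local to compare against
    return "match" if reported == local_sha256.lower() else "mismatch"


if __name__ == "__main__":
    print(check_report(THREAD_URL))
```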

Offline DavidR

Re: Detection slows full system scan
« Reply #4 on: July 29, 2012, 07:26:34 PM »
You're welcome.

There are times when VT may not show an avast detection when a user's system does. This could be either the VT virus definitions not being fully up to date or the user's not being fully up to date (new definitions update either auto/streaming updates correcting the detection).

So ensure that you have the latest virus definitions and scan the copy in the chest.

What was the PrintProcess detection information, malware name (in full including any suffix) and location ?

Staffy

  • Guest
Re: Detection slows full system scan
« Reply #5 on: July 29, 2012, 10:11:05 PM »
The PrintProcess.exe is purported to have the Win32:Patched-AJD [Trj] trojan and was on my D: drive (where my apps are installed). I re-scanned the file in Chest and it still reports it as a virus even with the most up to date definitions file.

I actually have this program in 4 folders hence it reported it 4 times. 3 of these folders were backups. I deleted the 3 backup folders (as I don't need them anyway) by using Shift-Delete and Avast moved the one in the active folder to Chest.

I did a full system scan hoping that all will be good now. However, there were still 4 reports of viruses. This time they were found in the System Volume Information\_restore folder. The names of the files are different to PrintProcess and an example is A0032424.exe. The virus name is the same for PrintProcess.exe. Are these the same files that I thought I permanently deleted but Windows have created backups of or are they completely different files?

I'm getting worried now  :(

Offline DavidR

Re: Detection slows full system scan
« Reply #6 on: July 29, 2012, 10:43:35 PM »
I would allow avast to deal with those in the system volume information folder/s.
- Infected Restore Points:
There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.
- Worst case scenario it isn't infected and you delete it, you can't use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.
 
- So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.

File names are changed when files are saved by system restore, it only retains the same file type of the original, .exe in this instance, so these are most likely copies of the same file/s.

####
Since you have now submitted this as a false positive - periodically scan the copy in the avast chest. Once it is no longer detected you can Restore it from the chest (back to the original location), confirm it is back, remove the exclusion and delete the copy in the chest.

Staffy

  • Guest
Re: Detection slows full system scan
« Reply #7 on: July 29, 2012, 11:06:17 PM »
Thanks, DavidR. Good point about infected Restore Points. I'll re-scan the System Volume Information\_restore folder and get Avast to move the infected files into Chest. As the full system scan takes a while to complete, I'll do another scan tomorrow and see what happens. Fingers crossed it'll be OK.

I'm confused why the files would be placed in System Volume Information\_restore folder in the first place if I permanently deleted them  ???

As you suggest, I'll re-scan the files in Chest every so often and hopefully they'll be reported clean. This will put my mind at ease. Let's hope Avast can look into the FP soon!


Offline Pondus

Re: Detection slows full system scan
« Reply #8 on: July 29, 2012, 11:36:42 PM »
that file should be safe.  ;)

First seen by VirusTotal
2006-09-18 07:26:15 UTC ( 5 år, 10 måneder ago )



Offline DavidR

Re: Detection slows full system scan
« Reply #9 on: July 30, 2012, 12:13:13 AM »
> Thanks, DavidR. Good point about infected Restore Points. I'll re-scan the System Volume Information\_restore folder and get Avast to move the infected files into Chest. As the full system scan takes a while to complete, I'll do another scan tomorrow and see what happens. Fingers crossed it'll be OK.
>
> I'm confused why the files would be placed in System Volume Information\_restore folder in the first place if I permanently deleted them  ???
> <snip>

When you deleted them from the other three locations, that is probably when system restore made the restore points in the System Volume Information\ folder, that is what system restore does.

Staffy

  • Guest
Re: Detection slows full system scan
« Reply #10 on: July 30, 2012, 09:29:06 PM »
Thanks, guys.

I did another full system scan today and the good news is that it's gone back to 1.5 hours to complete and no threat was detected. What's strange is that I didn't get the "Error: Insufficient system resources exist to complete the requested service (1450)" messages that I normally get on a number of files (these differ every time I scan) at the end of the scan.

The current virus definitions are still reporting the file as a virus but I guess it won't be for a good few days for Avast to look into. I'll do a few more full scans over the next few days for peace of mind.

Pondus, I couldn't work out what the log was telling me as the name of my file PrintProcess.exe (from Arcsoft) wasn't mentioned either in the Additional Information or Comments tabs.

Offline DavidR

Re: Detection slows full system scan
« Reply #11 on: July 30, 2012, 10:59:32 PM »
You're welcome.

One thing I would suggest is that you just do a Quick scan as that covers all of the major areas/files at risk of infection. That should be adequate and will cut the scan duration massively. I only do a weekly scheduled Quick scan and very rarely a Full System scan.

Staffy

  • Guest
Re: Detection slows full system scan
« Reply #12 on: July 31, 2012, 11:50:15 PM »
Thanks, DavidR. Never really considered the quick scan as I do a full scan as a weekly task. It makes sense what you say as I do a quick scan with Malwarebytes Anti Malware and not a full scan  :)

I really appreciate the time and effort that you guys provide with your help  :)

Offline DavidR

Re: Detection slows full system scan
« Reply #13 on: July 31, 2012, 11:53:23 PM »
No problem, glad I could help.