Author Topic: Scan Results: Select the required action for each result and click "Apply".  (Read 10254 times)


MostlyHarmless

  • Guest
Scan Results: Select the required action for each result and click "Apply"

... and this is where my problem starts. The Scan Results' page doesn't give me the option to select any of the alleged threats. I am unable to highlight any of the found items: No matter where I click, the "Apply" button stays greyed out.

So, either I'm doing something _extremely_ stoopid, or there's a problem with my install. If I'm doing something stupid, then I'll thank the person who points out the error of my ways, I'll blush and shuffle off into the shadows. However, if there's a bug in the program, then I'd like a fix before I'm forced to deal with the next virus threat.
In this case I'm pretty sure the cmdagent.exe threats are merely false-positives (see my post in Avast5 Free Edition detect comodo and window defender process as virus/threat?)
 
I've reinstalled Avast! four times now, thinking my issue might have been caused by a bad install, but I get the same results with each new Custom Scan I run.


XP Pro(sp3)/Avast! free v5.0.396/Comodo Firewall (D+) v3.14/SpySweeper v6.1.0.145
« Last Edit: February 09, 2010, 07:34:06 PM by MostlyHarmless »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
The first two are memory location, so comodo is loading unencrypted virus signatures into memory (bad form) and avast is detecting that. So are you using the CIS with the AV element installed, if so use add remove programs to uninstall the AV element.

The same is presumably happening with windows defender and I suspect that you have checked a setting which is unchecked by default, the ignore virus targeting option in the Sensitivity section.

As for the others there really is no action to be taken as they aren't indications of infected files.
- Decompression Bomb, a file that is highly compressed, which could be very large when decompressed. This used to be a tactic long ago to swamp the system, also see http://forum.avast.com/index.php?topic=15389.msg131213#msg131213.
 
The name really is the most dangerous thing about this and I wish they would change it or simply not report it, a real PITA.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
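The "decompression bomb" flag discussed in the post above is a size heuristic, not a malware signature. The following is an added example, not part of the original thread and not Avast's code: it checks a ZIP archive the same general way, with assumed thresholds (`MAX_RATIO`, `MAX_TOTAL`) and a constructed in-memory sample.

```python
import io
import zipfile

MAX_RATIO = 100                 # assumed threshold, not Avast's real value
MAX_TOTAL = 50 * 1024 * 1024    # assumed cap on total unpacked bytes


def build_sample_zip():
    """Constructed sample: one ordinary member, one highly compressible member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Installer notes, nothing unusual.\n")
        zf.writestr("padding.bin", b"\0" * (5 * 1024 * 1024))
    return buf.getvalue()


def inspect_zip(data, max_ratio=MAX_RATIO, max_total=MAX_TOTAL):
    """Return (flagged_names, total_unpacked); nothing is written to disk."""
    flagged, total = [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # The size declared in the header is not trusted: stream the
            # member and count bytes, stopping once the cap is crossed.
            unpacked = 0
            with zf.open(info) as member:
                while chunk := member.read(64 * 1024):
                    unpacked += len(chunk)
                    if total + unpacked > max_total:
                        break
            total += unpacked
            ratio = unpacked / max(info.compress_size, 1)
            if ratio > max_ratio or total > max_total:
                flagged.append(info.filename)
            if total > max_total:
                break
    return flagged, total


if __name__ == "__main__":
    print(inspect_zip(build_sample_zip()))
```

A flagged member only says the archive expands a lot; as the post notes, that alone is not an indication of an infected file.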

MostlyHarmless

  • Guest
The first two are memory location, so comodo is loading unencrypted virus signatures into memory (bad form) and avast is detecting that. So are you using the CIS with the AV element installed, if so use add remove programs to uninstall the AV element.

Comodo is firewall only.
I've had to tell several of my friends that they're asking for trouble if they install more than one AV program  ::)

The same is presumably happening with windows defender and I suspect that you have checked a setting which is unchecked by default, the ignore virus targeting option in the Sensitivity section.

I don't actually have Windows Defender installed. That just happened to be part of the title in the other thread I posted on. My issue there was the possibility of the cmdagent.exe threat being a false-positive.

As it happens, I do only get the cmdagent.exe alerts if I check the 'Ignore virus targeting' box. But surely if I disable this feature, I'm removing a layer of inspection during my custom scans?


As for the others there really is no action to be taken as they aren't indications of infected files.
- Decompression Bomb, a file that is highly compressed, which could be very large when decompressed. This used to be a tactic long ago to swamp the system, also see http://forum.avast.com/index.php?topic=15389.msg131213#msg131213.

The name really is the most dangerous thing about this and I wish they would change it or simply not report it, a real PITA.

I always get this flagged. I should probably just bin the saved installer that keeps getting the warning that the 'File is a decompression bomb'.  ;D



However, this still doesn't answer why I am unable to highlight any of these items in the Scan Results page. I cannot mark any of the lines, and the "Apply" button remains greyed out.
If they were real threats, then I wouldn't be able to Repair, Move to Chest, Delete, or Do Nothing with them.


Offline DavidR

1. I wouldn't consider it a false positive as if there are unencrypted virus signatures being loaded into memory by cmdagent.exe then on certain scans these are going to be detected, note that cmdagent.exe isn't actually being detected, that is just the process responsible for loading them.

Why this would be deemed necessary if the AV element is uninstalled, it would seem that even when uninstalled signatures are still loaded, I don't know if this is related to defence+. I simply don't know as I have never used comodo products and don't intend to start right now.

2. OK no windows defender one less issue to be concerned with. You aren't lessening your level of protection if anything by checking what I would call an 'Ignore' option that would be lessening your protection. However, it is strange that by checking 'Ignore' you get more detections but there are as I said unencrypted virus signatures.

Me I bow to Alwil's greater understanding of this program and the default settings they set to protect my system without causing undue performance issues.

3. There is nothing wrong with the decompression bomb files, why would you want to get rid of them that doesn't make good sense, just ignore the listing. Personally I would go a step further and stop scanning all packers (by checking that option). Archive (zip, rar, etc.) files are by their nature inert, you need to extract the files and then you have to run them to be a threat. Long before that happens avast's File System Shield should have scanned them and before an executable is run that is scanned.

4. There is no action to take and taking any action could be damaging (on certain entries) or stop things working and my guess here is that avast are trying to prevent a decision by a user that could damage their system.

MostlyHarmless

  • Guest
1: If neither of the flagged cmdagent.exe processes are false-positives (or their associated Win32:Agent-KXV [Drp] and Win32:Delf-DNW [Trj] threats), why can't I select either occurrence in the Scan Results window to perform one of the action options? After all, the scan sees them as high severity threats. I cannot highlight an item, and the "Apply" button remains greyed out.

2: From my understanding, virus targeting means the scan is only looking for viruses in a file with an extension it usually associates with it. E.G. the program will not look for viruses that normally affect files with a ".exe" extension, in files with a ".com" extension.
Turning the targeting off makes for longer scans, but they are more thorough scans, as each file is checked against each virus definition. I know it's turned off as a default, but why have it there if it doesn't offer a more complete scan?

3: The Decompression Bomb is a third-party component-installer package for the Blender animation program. I only save python-2.6.2.msi in case I have difficulty finding this particular version in the future.

4: Even if there is no action to take, surely if I click on a listed item in Scan Results, I should be offered one of the four Apply this action for all options, even if it's the Do Nothing option?

My problem is, I simply do not trust Windows software and its innumerable vulnerabilities. That's why I click every option when it comes to scanning for threats.

Offline DavidR

1. as I said it isn't the cmdagent.exe being detected, but that is what loaded what was detected in memory.

2. to me virus targeting means just that, no matter where they might be or why does avast scan memory at all. What still baffles me is the use of the word Ignore before virus targeting, it isn't logical that by ignoring it you get more detection. There is no clear definition (that I have seen) of exactly what the term means and what it does or doesn't do.

3. then even more reason not to get rid of it just because it is a big file when decompressed.

4. I'm an avast user like you so I have no power over the options available, but this is historic in that options not available were greyed out (in 4.8, such as the boot-time scan in unsupported OSes); this being greyed out caused as many questions as to why they couldn't select it either.

olddog

  • Guest
.....There is no clear definition (that I have seen) of exactly what the term means and what it does or doesn't do.

David - from the Avast 5 Help file.

"Ignore virus targeting - if this box is checked, all files will be tested against all of the current virus definitions. If it is not checked, files will be tested only against those viruses that target the particular type of file, for example, the program will not look for viruses that normally affect files with a ".exe" extension, in files with a ".com" extension."

The default non ticked setting results in a faster scan which is arguably quite adequate for most requirements. Ticking the box will force a more detailed scan for those who are prepared to spend the extra time.

Offline DavidR

OK, thanks for that I hadn't seen that bit.

MostlyHarmless

  • Guest
Thanks olddog, I was just about to cut-and-paste that passage from the Sensitivity section of the Avast! 5 help file, then I scrolled down and found that you'd beaten me to it.  ;)

I've got to agree with DavidR that the wording is confusing: Ignore virus targeting (not checked, as the default setting). It certainly made me pause and go "eh?!" Why not just have it read Virus targeting, and have it 'on' as the default?
Nevertheless, when, and only when, virus targeting is ignored, does it flag up two cmdagent.exe processes as severe threats (Threat: Win32:Agent-KXV [Drp] and Threat: Win32:Delf-DNW [Trj]). See the attached 'Avast! Scan Results (crop)' picture in my original post.
When my custom scan finishes, I receive the Threat Detected notification, and when I go to View Results I am unable to apply any actions on the alleged threat/s because I cannot highlight the appropriate item...I'm sorry to keep repeating myself, but the scan result makes it pretty clear (to me) that there is a problem which needs addressing, but then doesn't allow me to do anything.
My question is: Is it simply not a threat and that's why it doesn't give me the action options, is there a bug, is it another bad install on my part, or am I just missing something _really_ obvious re the action selection?
« Last Edit: February 10, 2010, 05:18:26 AM by MostlyHarmless »

olddog

  • Guest
MostlyHarmless,

My suggestion is to first determine whether your inability to be able to process items from the Show Results dialogue is a problem with your particular Avast installation.

If you go to http://en.wikipedia.org/wiki/EICAR_test_file you will find the Eicar test string. Cut and paste it into Notebook and save it as Eicar.txt.

Now put this into a new folder "TEST" somewhere on your drive that is convenient. Since the file system shield excludes .txt files you should be able to handle it in this form without Avast grabbing it.

Now as a quick test, scan the TEST folder from the scan accessed from Explorer Context (right click menu). Because this scan is an "all files" scan, it should tag the test file as a threat (pseudo only) and bring up the Show Results button. Click on that and you should see the file in the listing.

Look at the "Results" column - if it is blank, then no action has been taken. You should be able to select an action from the pull down list for that particular file, and then click on Apply. You should then see a green circle with a tick in it and the word Action successful in the result column.

If the green circle with the tick and the Action successful is in the result column when this listing first opens then your scan is probably set to automatically apply a specific action when it encounters a suspect file and has already taken that action - in that event no further manual action is available from this dialogue - it just displays what has already been done.

Let's know what happens.

MostlyHarmless

  • Guest
Re: Scan Results: Select the required action for each result and click "Apply".
« Reply #10 on: February 10, 2010, 05:17:32 AM »
Excellent! I'd seen the EICAR test mentioned in other threads whilst searching for information on my problem. I wish I'd stopped and read what it was all about earlier.

So I guess that means my Avast!5 install is sound. Though I'm still more than a little puzzled as to why my two *PROCESS\...\cmdagent.exe\...\... results, although marked as high severity threats, don't give me the options the EICAR pseudo virus did?

Thanks for your help, olddog
« Last Edit: February 15, 2010, 04:07:52 PM by MostlyHarmless »

MostlyHarmless

  • Guest
Re: Scan Results: Select the required action for each result and click "Apply".
« Reply #11 on: February 10, 2010, 06:00:25 AM »
1. as I said it isn't the cmdagent.exe being detected, but that is what loaded what was detected in memory

ah, so the cmdagent.exe is probably ok, but the *PROCESS it's executing is dubious - Now I see. So that'll be why Avast! doesn't see the actual cmdagent.exe as the threat... a fog is clearing in my mind.

Thanks for your help, DavidR
« Last Edit: February 15, 2010, 04:07:27 PM by MostlyHarmless »

MostlyHarmless

  • Guest
Re: Scan Results: Select the required action for each result and click "Apply".
« Reply #12 on: February 19, 2010, 03:52:13 PM »
I've just got this back from Avast! support. Thought I'd share.

"In general, any security application can load some signatures (fragments of malicious code used to detect the real threats) into memory - they are located in data segments (instead of executable code). With "Ignore virus targeting" option enabled avast! can detect these harmless fragments.
These two items in scan results are not the files but the virus is detected in memory allocated to cmdagent.exe process - because of this no action is available."


A big 'thank you' to everyone who has assisted in my query.
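The behaviour explained by the help-file passage and the support reply quoted in this thread can be reproduced with a toy scanner. This is an added example, not part of the original thread and not Avast's engine: the signature names, byte patterns and sample buffers are all constructed, and the type labels stand in for however a real scanner classifies what it is looking at.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    targets: frozenset  # object types this definition normally applies to


# Constructed toy definitions; names and byte patterns are invented.
DEFINITIONS = [
    Signature("Toy.Dropper", b"\x4d\x5a\x90TOYDROP", frozenset({"exe"})),
    Signature("Toy.ComInfector", b"\xe9\x00\x01TOYCOM", frozenset({"com"})),
]

# Constructed samples: (type, bytes). The "data" buffer models another
# security product keeping unencrypted signature fragments in memory.
SAMPLES = {
    "setup.exe": ("exe", b"header" + DEFINITIONS[0].pattern + b"body"),
    "other_scanner_data": ("data", b"SIGDB" + b"".join(
        s.pattern for s in DEFINITIONS)),
    "notes.txt": ("txt", b"plain text, nothing to see"),
}


def scan(data, obj_type, ignore_targeting=False):
    """Return names of definitions whose pattern occurs in data."""
    hits = []
    for sig in DEFINITIONS:
        # Default mode: skip definitions that do not target this type.
        if not ignore_targeting and obj_type not in sig.targets:
            continue
        if sig.pattern in data:
            hits.append(sig.name)
    return hits


def scan_all(ignore_targeting):
    return {label: scan(data, obj_type, ignore_targeting)
            for label, (obj_type, data) in SAMPLES.items()}


if __name__ == "__main__":
    print("targeting on :", scan_all(False))
    print("targeting off:", scan_all(True))
```

With targeting ignored, the data buffer matches both definitions even though it only holds detection fragments and nothing executable, which is the situation the support reply describes for the memory allocated to cmdagent.exe.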

Offline DavidR

Re: Scan Results: Select the required action for each result and click "Apply".
« Reply #13 on: February 19, 2010, 04:05:59 PM »
You're welcome, thanks for the feedback.

MostlyHarmless

  • Guest
UPDATE: Having upgraded to CFP v4.0, I no longer receive the cmdagent.exe 'threat' warnings during my Avast! v5.0 custom scans.



XP Pro(sp3)/Avast! free v5.0.507/Comodo Firewall (D+) v4.0.141842.828/SpySweeper v6.1.0.145
« Last Edit: April 18, 2010, 12:09:28 AM by MostlyHarmless »