Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: cooby on November 13, 2012, 02:41:17 AM

Title: What's causing so many emergency updates?
Post by: cooby on November 13, 2012, 02:41:17 AM
Since November 9, emergency updates are piling up. 36 total of which 24 today. It used to be one every few days. Can someone explain?
Title: Re: What's causing so many emergency updates?
Post by: SugarD-x on November 13, 2012, 03:49:18 AM
Since November 9, emergency updates are piling up. 36 total of which 24 today. It used to be one every few days. Can someone explain?
Your Avast! sounds like it's very outdated. Have you tried running the update processes to make sure you're on the latest version?
Title: Re: What's causing so many emergency updates?
Post by: RejZoR on November 13, 2012, 11:40:46 AM
How do you know it's emergency updates? Those are only fired up when something goes wrong globally. To me it seems like you're describing Streaming Updates, those that are received several times a day...
Title: Re: What's causing so many emergency updates?
Post by: true indian on November 13, 2012, 11:43:39 AM
Malware Writers are getting more active and responsive to avast! protection  ;D

That's why more streaming updates..
Title: Re: What's causing so many emergency updates?
Post by: Pondus on November 13, 2012, 12:50:00 PM
Cybersecurity: A Global Economic Security Crisis


Quote
The mainstream threat has matured and one cybersecurity company stated that in 2011, it was finding up to 150,000 new pieces of malicious code daily. That figure is double what was seen daily in 2010 (75,000 daily), which is also double what was observed in 2009 (approximately 37,500 daily). The troublesome fact about the growth of malware is that both the quantity and the quality have drastically increased. The vast proliferation of malware has facilitated a much broader probing of the Internet, leading some bad actors to realize there is an immense number of interesting targets that might have been ignored five years ago
http://www.growthconsulting.frost.com/web/images.nsf/0/B1A9AEA0488DE48A802579B3005B0190/$File/GIL12_fs.htm

That's why.  ;)


Title: Re: What's causing so many emergency updates?
Post by: DavidR on November 13, 2012, 03:00:43 PM
Since November 9, emergency updates are piling up. 36 total of which 24 today. It used to be one every few days. Can someone explain?

They aren't emergency updates, they are streaming updates, check the avast defs sub-folder and you will see the streaming folder.

The Emergency Update Check is a scheduled task and it happens twice a day. It would also be initiated if you did a manual update.

The streaming update folder is removed when the next regular auto update happens as that also contains the previous streaming updates. So they shouldn't keep accumulating (piling up as you say).
Title: Re: What's causing so many emergency updates?
Post by: mchain on November 13, 2012, 05:05:38 PM
hi cooby,

To give you an idea of what Avast! is doing when you surf the net, here is a website reporting in real-time malicious attacks on computers worldwide:  http://map.honeynet.org

This mapsite uses honeypots to catch the bad guys in the act of infecting a system.  A part of the streaming updates information Avast! provides is based on what these honeypots see and collect.  As this is real-time information, streaming updates are now necessary to provide the protection you need to stay safe.  Two to three core updates a day are not sufficient to protect you anymore.

Title: Re: What's causing so many emergency updates?
Post by: user_1000 on November 13, 2012, 07:58:30 PM
How do you know it's emergency updates? Those are only fired up when something goes wrong globally. To me it seems like you're describing Streaming Updates, those that are received several times a day...

By the way, you can see that there have been some emergency updates applied once in a while.

C:\ProgramData\AVAST Software\Avast\AvastEmUpdate.ini

AvastEmUpdate.ini:
Code:
[Config]
LastAppliedPatchId=104
Title: Re: What's causing so many emergency updates?
Post by: DavidR on November 13, 2012, 10:02:02 PM
Personally I don't believe that there have been 104 emergency updates, they are designed to overcome a problem whereby you can't actually use the regular update process. The emergency update has been said to be a very rare/unusual occurrence and one no doubt we would see topics about in the forums.

So I don't know if this is just an ID assigned to checking rather than an emergency update as such. I believe that if there were an emergency update the user is likely to know it has happened (as they are likely to have been having update/serious problems recently). There is also a likelihood that after the emergency update you may be asked to reboot.
Title: Re: What's causing so many emergency updates?
Post by: Dch48 on November 13, 2012, 10:13:34 PM
I am not aware of having received any Emergency updates since they implemented the feature.
Title: Re: What's causing so many emergency updates?
Post by: cooby on November 13, 2012, 10:31:31 PM
Since November 9, emergency updates are piling up. 36 total of which 24 today. It used to be one every few days. Can someone explain?

They aren't emergency updates, they are streaming updates, check the avast defs sub-folder and you will see the streaming folder.

The Emergency Update Check is a scheduled task and it happens twice a day. It would also be initiated if you did a manual update.

The streaming update folder is removed when the next regular auto update happens as that also contains the previous streaming updates. So they shouldn't keep accumulating (piling up as you say).

@DavidR, RejZoR,
Aha, indeed, defs subfolder says streaming, a ton of them yesterday 30+. Today 1 or 2 files in -stream directory.
Why did I say emergency updates? see attached firewall log, it never lies, clearly the application indicates emergency update.

Title: Re: What's causing so many emergency updates?
Post by: mchain on November 13, 2012, 11:14:13 PM
Sunbelt Firewall is not one I have ever used, so did not know about the terminology.  Learn something new everyday.
Title: Re: What's causing so many emergency updates?
Post by: DavidR on November 13, 2012, 11:49:55 PM
@cooby
I see lots of outbound connections for AvastEmUpdate.exe in your image, but no inbound connection, an impossibility to update anything if there is nothing coming back in.

I haven't got a clue why you have so many connections for the AvastEmUpdate.exe, I only see one entry for today in my firewall.
Title: Re: What's causing so many emergency updates?
Post by: RejZoR on November 14, 2012, 12:02:29 AM
These two things are completely unrelated. You get streaming updates by the standard auto updater. The Emergency Updater is just checking periodically as a stand alone app for updates that are issued under emergency priority. You can also see that from the FW logs. Only outbound connections and no inbound transfers. Meaning you're not getting the streaming updates in those folders from the Emergency Updater component.

What does this mean?

Regular updates are controlled by the avast! app itself. The Emergency Updater is a completely stand alone app which can resurrect avast! in case some really nasty bug sneaks into a new program update release and you can't use avast! anymore to update it. That's where Emergency Updater kicks in. avast! team issues an emergency program update on separate servers which are checked by the Emergency Updater component. This updater will find there is a new update and will try to update avast! forcibly.

It's very unlikely for such scenario but not impossible. That's why they introduced this feature not that long ago.
Title: Re: What's causing so many emergency updates?
Post by: Charyb on November 14, 2012, 02:33:53 AM
The streaming update files are associated with VLC media player. I have no idea if this could be a cause of this or not but wouldn't avast see this as a problem?
Title: Re: What's causing so many emergency updates?
Post by: DavidR on November 14, 2012, 03:09:45 AM
Check the VLC file associations as clearly .bin files are associated with it. Why that is required I don't know.

Why would avast see it as a problem, if avast uses the pkg...........00000001.bin file it is still able to action it as it knows what to do with it, it certainly isn't going to call VLC to run it.
Title: Re: What's causing so many emergency updates?
Post by: cooby on November 14, 2012, 03:13:33 AM
@SugarD-x, in Reply#1
I'm one version behind, see my sig, not many. Will update soon. I doubt this is the cause of all this strangeness.

@Charyb, (post above this one)
I know. Many config files are associated with not what they're supposed to be :(
I didn't design windows. No, really, it usually works just fine for firewall config (MS Outlook association), some other config files in XML format (windows sees it as associated with XML editor, which it's not), and various others.
So most unlikely avast would have an issue with .BIN file here. If avast does, then indeed we have a problem.

@DavidR and RejZoR,
- Normal Avast updates normally come in. Avastsvc.exe launches avast.setup, communication is over TCP, outbound to one of several avast servers. Directly to avast IPs, no proxy. All allowed, not logged.
- Emergency updates are by TCP through the avast proxy port. Don't ask why. I have no clue. I don't care. Having read, long ago, what it's about, when my Firewall alerted, I made a rule to permit and log since emergency updates are infrequent, except what's in this thread.
- Inbound connections are not needed, unless I run a server of some sort. If they were for Avast, I'd ditch avast. Once you establish outbound to avast server (direct or through the proxy port), replies (updates) come in. True for outlook mail, gmail, web pages, really any internet stuff. Avast NEVER asked for any incoming connection to my box. It doesn't want it. It doesn't need it.

- Bit more review of what I have:
When my firewall watches behavior it reports it in the text file in addition to the behavior log. The log rolls over, so all I have is since Oct27. It's easier to extract the events from the text file, so here it goes:

This is how it used to be, 14 emergency jobs in 10 days more or less - see attached FW-systemlog1

Then the flood began with something downloaded to the \temp directory, sure looks weird, I hope it's not some trojan I'm happily allowing.
The .exe files aren't there any more, so I can't even upload to virustotal.
Since it came in, I have that flood I reported. Perhaps Avast changed the meaning of emergency updates and uses the application for streaming as well?
Several, not all, are followed by the normal update event like this
[13/Nov/2012 13:15:28] DriverEventHandlersImpl.cpp: "System" action = 'permitted', operation = 'creating_proc', proc = 'c:\Program Files\AVAST Software\Avast\AvastSvc.exe', subj = 'c:\Program Files\AVAST Software\Avast\Setup\avast.setup'
see attached FW-systemlog2

Title: Re: What's causing so many emergency updates?
Post by: RejZoR on November 14, 2012, 08:32:42 AM
Well, I'd use some tool to monitor what Emergency Update component is writing to the disk (and to what files) and how many bytes it is transferring inbound. Only way to really find out if it's actually downloading anything or not...
Title: Re: What's causing so many emergency updates?
Post by: user_1000 on November 14, 2012, 09:26:25 AM
Personally I don't believe that there have been 104 emergency updates, they are designed to overcome a problem whereby you can't actually use the regular update process. The emergency update has been said to be a very rare/unusual occurrence and one no doubt we would see topics about in the forums.
<snip>

There have been 4 emergency updates, not 104! ;) As far as I know default value was 100, so there have been 4 emergency updates.
Title: Re: What's causing so many emergency updates?
Post by: Tetsuo on November 14, 2012, 11:05:51 AM
There have been 4 emergency updates, not 104! ;) As far as I know default value was 100, so there have been 4 emergency updates.

Yesterday Avast downloaded an executable (a signed file with a long name of numbers and letters) in my windows/temp directory.
That file was automatically removed soon after, without any further actions. I know this, because of my HIPS.
I believe the file was downloaded by the Emergency Updater and  probably for some other OS (W8?)  it may have installed some emergency update: http://forum.avast.com/index.php?topic=107886.msg860588#msg860588 - but maybe I'm totally wrong...

This is the third time I (my HIPS) saw Avast downloading an executable like that. Ah, my OS is Win XP and I'm running the latest Avast Free, by the way.
Title: Re: What's causing so many emergency updates?
Post by: user_1000 on November 14, 2012, 08:28:46 PM
Yesterday Avast downloaded an executable (a signed file with a long name of numbers and letters) in my windows/temp directory.
That file was automatically removed soon after, without any further actions. I know this, because of my HIPS.
I believe the file was downloaded by the Emergency Updater and  probably for some other OS (W8?)  it may have installed some emergency update: http://forum.avast.com/index.php?topic=107886.msg860588#msg860588 - but maybe I'm totally wrong...

This is the third time I (my HIPS) saw Avast downloading an executable like that. Ah, my OS is Win XP and I'm running the latest Avast Free, by the way.

Yes. I can also see that Avast Emergency Updater applied something on November 13, 2012. And that how many times Emergency Updater has been applied something depends on a few things (clean install, etc).

But as far as I know there have been about 3-4 emergency updates.
Title: Re: What's causing so many emergency updates?
Post by: cooby on November 14, 2012, 10:42:10 PM
There have been 4 emergency updates, not 104! ;) As far as I know default value was 100, so there have been 4 emergency updates.

Yesterday Avast downloaded an executable (a signed file with a long name of numbers and letters) in my windows/temp directory.
That file was automatically removed soon after, without any further actions. I know this, because of my HIPS.
I believe the file was downloaded by the Emergency Updater and  probably for some other OS (W8?)  it may have installed some emergency update: http://forum.avast.com/index.php?topic=107886.msg860588#msg860588 - but maybe I'm totally wrong...

This is the third time I (my HIPS) saw Avast downloading an executable like that. Ah, my OS is Win XP and I'm running the latest Avast Free, by the way.
@Tetsuo,
Did your file look anything like the tail end of the first and last lines in the FW-systemlog2.txt I posted earlier?
That log is from the Behavior log of my firewall.
Unlike you, I'm one version behind. Also on XP.

Update:
Today, so far, 36 files have been streamed in. Files are visible in the data-stream directory, and firewall log says that it was by the emergency application again.
But it's been quiet since then, over 6 hours since I turned it on.


Title: Re: What's causing so many emergency updates?
Post by: cooby on November 14, 2012, 10:50:50 PM
Well, I'd use some tool to monitor what Emergency Update component is writing to the disk (and to what files) and how many bytes it is transferring inbound. Only way to really find out if it's actually downloading anything or not...
Actually, one of the Avast logs clearly shows connections to avast servers, count of downloaded files. And I think proof is in the 36 streamed new files for today downloaded. In addition to the usual .map and .dat and others. Don't you think?

C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\AvastEmUpdate.ini , dated yesterday, also speaks of 104.
Title: Re: What's causing so many emergency updates?
Post by: Dch48 on November 15, 2012, 12:00:29 AM
My .ini file , which is located at C:\ProgramData\AVAST Software\Avast, says this;

LastAppliedPatchId=104

That's just a patch ID number and not the number of patches.  Therefore, I'm only seeing one.

I can't get to C:\Documents and Settings. Access is denied and I always run as an Admin.
Title: Re: What's causing so many emergency updates?
Post by: DavidR on November 15, 2012, 12:28:13 AM
<snip>
I can't get to C:\Documents and Settings. Access is denied and I always run as an Admin.

Even as admin this is a hidden folder, you need to change your windows explorer, Tools, Folder Options, View and show hidden files and folders.
Title: Re: What's causing so many emergency updates?
Post by: Dch48 on November 15, 2012, 05:38:35 AM
<snip>
I can't get to C:\Documents and Settings. Access is denied and I always run as an Admin.

Even as admin this is a hidden folder, you need to change your windows explorer, Tools, Folder Options, View and show hidden files and folders.
I did that a long time ago. The folder shows but it has a lock icon on it and I can not view its contents.

(https://3nwylq.bay.livefilestore.com/y1pBsypf3MbnRTBSDWp3mxQv3XkvBxHZfa5ZTvLsdiF65TZNBMiqdBjO2bHF4clEkIXvkAH5oAZZr0/Locked.JPG?psid=1)

Searching Google for the issue I found that it really isn't an issue at all. In Win 7, the Documents and Settings folder isn't really a folder at all. It's what is called a junction point and is only there to enhance compatibility with software written for earlier versions of Windows. When something tries to store data there, it is redirected to C:\Users and puts the data in the appropriate place within that folder.
Title: Re: What's causing so many emergency updates?
Post by: user_1000 on November 15, 2012, 09:08:13 AM
My .ini file , which is located at C:\ProgramData\AVAST Software\Avast, says this;

LastAppliedPatchId=104

That's just a patch ID number and not the number of patches.  Therefore, I'm only seeing one.
<snip>

Yes, of course it's just an ID number, but I have monitored that AvastEmUpdate.ini file... and I can tell that wasn't the first applied patch. As far as I remember there have been 3-4 emergency updates.

I'm just saying. I don't care, if you don't believe me. :D
Title: Re: What's causing so many emergency updates?
Post by: DavidR on November 15, 2012, 01:32:59 PM
<snip>
I can't get to C:\Documents and Settings. Access is denied and I always run as an Admin.

Even as admin this is a hidden folder, you need to change your windows explorer, Tools, Folder Options, View and show hidden files and folders.
I did that a long time ago. The folder shows but it has a lock icon on it and I can not view its contents.

<snip image>

Searching Google for the issue I found that it really isn't an issue at all. In Win 7, the Documents and Settings folder isn't really a folder at all. It's what is called a junction point and is only there to enhance compatibility with software written for earlier versions of Windows. When something tries to store data there, it is redirected to C:\Users and puts the data in the appropriate place within that folder.

OK, I can't get in there either, not that I had tried before on my win7 netbook.

Confusion reigned for a bit as I thought you were talking about XP.
Title: Re: What's causing so many emergency updates?
Post by: Tetsuo on November 15, 2012, 01:56:13 PM
@Tetsuo,
Did your file look anything like the tail end of the first and last lines in the FW-systemlog2.txt I posted earlier?

Yes it did (that was a digitally signed executable):

[09/Nov/2012 12:55:26] DriverEventHandlersImpl.cpp: "System" action = 'permitted', operation = 'creating_proc', proc = 'c:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe', subj = 'c:\WINDOWS\Temp\05a302db-aa6a-4543-8834-b5b4cfbada6a.exe'

(...)

[13/Nov/2012 13:15:10] DriverEventHandlersImpl.cpp: "System" action = 'permitted', operation = 'creating_proc', proc = 'c:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe', subj = 'c:\WINDOWS\Temp\6abefe7c-bb9f-4d4a-9035-6c3e7df3718d.exe'


[from Cooby's log]
Title: Re: What's causing so many emergency updates?
Post by: cooby on November 15, 2012, 09:30:22 PM
@Tetsuo,
Thanks for your reply.
The sudden frequency of those emergency updates is baffling, as is that .exe in \temp folder - scary to say the least. I wish someone who writes Avast could tell us if Avast really issued those .exe files.

I'm beginning to think that the streaming updates and emergency updates are being used together (twice today in about 7 hours), since for the most part, yesterday and today all I see are the streaming updates, and as someone here mentioned, they do vanish when a regular update takes place. No new .exe in \temp folder since Nov.13.
Title: Re: What's causing so many emergency updates?
Post by: Tetsuo on November 16, 2012, 11:12:42 AM
@ cooby - You're welcome.

Perhaps the '.exe' file is an installer specifically invoked to address some issue on target OS's. When not needed, it is immediately removed and the 'AvastEmUpdate.ini' file is not even created - e.g., I don't have that file on my Win XP system...
Anyway, I'm just speculating! :D

As for the frequency, someone mentioned that the Emergency Updater checks for updates twice a day (not sure if also at each system boot). So I guess everything is in the normal way.
Title: Re: What's causing so many emergency updates?
Post by: cooby on November 17, 2012, 09:53:32 PM
I'll join you in speculating :)  since this thread looks abandoned, which is ok:
1. After learning of the existence of the AvastEmUpdate.ini file in this thread, I caught it, but just once.
2. On my box, it ran. One of the firewall logs showed that the process was created. Twice, once for each of those files in \temp. And another log, not posted, showed travels to several avast servers.
3. My understanding has been all along that two emergency updates might occur in a day. Hence this thread, when I saw more. By now I think I know it was streaming updates, really.
Title: Re: What's causing so many emergency updates?
Post by: Tetsuo on November 30, 2012, 08:06:49 PM
Just FYI, good guy Online Armor caught the .exe this afternoon and let it go:

6fcffb37-5949-40e7-a8d6-b6b9f28816ea.exe
C:\WINDOWS\Temp\6fcffb37-5949-40e7-a8d6-b6b9f28816ea.exe
Hash(MD5): A16F36F49A7B9BBF1A1FD715362E39EA

; )
Title: Re: What's causing so many emergency updates?
Post by: cooby on November 30, 2012, 09:38:39 PM
Ditto here, just different file. First time since Nov.16, so things look back to normal, i.e. infrequent
[30/Nov/2012 11:53:18] DriverEventHandlersImpl.cpp: "System" action = 'permitted', operation = 'creating_proc', proc = 'c:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe', subj = 'c:\WINDOWS\Temp\b6fb27ca-c86c-430b-96ea-d9de9722ae99.exe'
[30/Nov/2012 11:53:18] DriverEventHandlersImpl.cpp: EVENT_EXECUTE for c:\WINDOWS\Temp\b6fb27ca-c86c-430b-96ea-d9de9722ae99.exe
Streaming updates followed. 24 .bin files followed by now.
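
Added example, not part of the original thread and not Avast or firewall-vendor code: a small Python parser for the firewall behavior-log lines quoted above that extracts `creating_proc` events, keeps those that start a GUID-named .exe from a Temp folder, counts them per day and parent, and lists any whose parent is not the updater. The expected parent path is an assumption taken from the posted logs, and the extra line with `c:\Downloads\example.exe` is constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
import ntpath  # parses Windows-style paths on any OS

# Lines copied from the firewall behavior-log excerpts posted in this thread.
THREAD_LOG = r"""
[09/Nov/2012 12:55:26] DriverEventHandlersImpl.cpp: "System" action = 'permitted', operation = 'creating_proc', proc = 'c:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe', subj = 'c:\WINDOWS\Temp\05a302db-aa6a-4543-8834-b5b4cfbada6a.exe'
[13/Nov/2012 13:15:10] DriverEventHandlersImpl.cpp: "System" action = 'permitted', operation = 'creating_proc', proc = 'c:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe', subj = 'c:\WINDOWS\Temp\6abefe7c-bb9f-4d4a-9035-6c3e7df3718d.exe'
[13/Nov/2012 13:15:28] DriverEventHandlersImpl.cpp: "System" action = 'permitted', operation = 'creating_proc', proc = 'c:\Program Files\AVAST Software\Avast\AvastSvc.exe', subj = 'c:\Program Files\AVAST Software\Avast\Setup\avast.setup'
[30/Nov/2012 11:53:18] DriverEventHandlersImpl.cpp: "System" action = 'permitted', operation = 'creating_proc', proc = 'c:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe', subj = 'c:\WINDOWS\Temp\b6fb27ca-c86c-430b-96ea-d9de9722ae99.exe'
[30/Nov/2012 11:53:18] DriverEventHandlersImpl.cpp: EVENT_EXECUTE for c:\WINDOWS\Temp\b6fb27ca-c86c-430b-96ea-d9de9722ae99.exe
""".strip().splitlines()

# Constructed line (not from the thread): same event type, different parent.
CONSTRUCTED = r"""[01/Dec/2012 09:00:00] DriverEventHandlersImpl.cpp: "System" action = 'permitted', operation = 'creating_proc', proc = 'c:\Downloads\example.exe', subj = 'c:\WINDOWS\Temp\00000000-0000-0000-0000-000000000000.exe'"""

# Assumption: the updater path seen in the posted logs is the only expected parent.
EXPECTED_PARENT = r"c:\program files\avast software\avast\avastemupdate.exe"

EVENT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \S+: \"[^\"]*\" action = '(?P<action>[^']*)', "
    r"operation = '(?P<op>[^']*)', proc = '(?P<proc>[^']*)', subj = '(?P<subj>[^']*)'$"
)
GUID_EXE_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.exe$", re.I)

def parse_events(lines):
    """Return creating_proc events as dicts; other line types are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m or m["op"] != "creating_proc":
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S"),
            "action": m["action"],
            "parent": m["proc"],
            "child": m["subj"],
        })
    return events

def temp_guid_spawns(events):
    """Keep events whose child is a GUID-named .exe directly inside a Temp folder."""
    hits = []
    for ev in events:
        folder, name = ntpath.split(ev["child"])
        if folder.lower().endswith("\\temp") and GUID_EXE_RE.match(name):
            hits.append(ev)
    return hits

def spawns_per_day(events):
    """Count events per (ISO date, parent executable name)."""
    return Counter((ev["time"].date().isoformat(), ntpath.basename(ev["parent"]))
                   for ev in events)

def unexpected_parents(events):
    """Events whose parent process is not the expected updater path."""
    return [ev for ev in events if ev["parent"].lower() != EXPECTED_PARENT]

if __name__ == "__main__":
    hits = temp_guid_spawns(parse_events(THREAD_LOG + [CONSTRUCTED]))
    for (day, parent), n in sorted(spawns_per_day(hits).items()):
        print(day, parent, n)
    for ev in unexpected_parents(hits):
        print("review:", ev["parent"], "->", ev["child"])
```
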