Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: dark_skeleton on September 12, 2013, 12:49:51 PM

Title: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: dark_skeleton on September 12, 2013, 12:49:51 PM
I am really disappointed. I don't care if you messed something up. I've been using your software for years without any problems, until yesterday when I powered off my PC in a good shape.
I powered it on today and noticed no startup apps launched apart from the Bluetooth driver and an O&O Defrag window which said it had to repair itself (first bad sign). I just reset the PC hoping it was a temporary memory problem or something, but the issue persisted after the reboot.
I was looking at system logs and trying to find the issue, when avast popup appeared telling me that a file has just been quarantined because it's a virus! FileRepMalware, that's a virus' name. Wait what? That file couldn't be a virus or malware, because it was O&O Defrag's updater that just repaired itself a few minutes ago...

I am attaching the opened quarantine (and actions' log a few posts below) window that I saw after I restored all the files and SCANNED them manually... It says --no-virus-- now, but earlier EVERY one of those files said FileRepMalware.
I disabled reputation services in options, no more popups about files being infected/FileRepMalwared (and there were a few more added before I disabled it)
And that would be OK if I could just disable it, restore quarantined files and carry on. The thing is, I can't because your stupid app REMOVED all startup entries connected to those startup apps it quarantined!

I am furious and really disappointed in avast right now. One boot, Internet connection, and because of your app, I have to restore every single app by hand. It didn't even ask me or show any notifications if I wanted those files quarantined, it just did it. I am awaiting your response on this subject.

System: Windows 7 Pro x64
Avast version: 8.0.1497
Virus database: 130911-1

If you need any more data, please feel free to ask.

UPDATE: It also seems that your antivirus happily deleted (not just moved to chest) other apps' executables such as Truecrypt's. Thanks avast! Now I have even more apps to reinstall.
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to quarantine...
Post by: Pondus on September 12, 2013, 12:59:30 PM
Quote
I am furious and really disappointed in avast right now. One boot, Internet connection, and because of your app, I will have to restore every single app by hand. It didn't even ask me if I wanted those files quarantined, it just did it. I am awaiting your response on this subject.

Have you selected Ask under action settings?

Some info: http://forum.avast.com/index.php?topic=124265.0
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to quarantine...
Post by: dark_skeleton on September 12, 2013, 01:11:47 PM
No, I have it on default quarantine move to chest-remove. Why would I change default options if they never failed me before? I haven't changed that action since I never imagined avast would do such tricks to me.

I finally found avast actions' log and I am attaching it to this post. It messed up my PC pretty hard. Every action is from today's first boot (around 1 hour 7 minutes from posting this post)

The best part is now I really have to reinstall these apps, because removed files were deleted for good

Avast should think before publishing such stupid settings. If file's rep is FileRepMalware, why does it count as a virus? Of course the default action for a VIRUS is to QUARANTINE and DELETE it. But what if your stupid reputation service goes crazy like now? I am sure I'm not the only one affected because that would be too ironic.

The post/topic you linked above is a similar case, but mine is a global one since it affected my whole system. The topic also doesn't provide any solution.

I am actually very relieved my second drive is encrypted and I have to mount it manually. I can't imagine what would happen if it started scanning it...
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to quarantine...
Post by: mchain on September 12, 2013, 01:33:12 PM
hi dark_skeleton,

Really sorry you've gone through this. 

Although it is late on this, reviewing your file shield setting seems to be in order, so as to prevent a repeat of this issue in the future.

Please note the settings in File System Shield below for all three categories:  To get to these settings, do the following:

Avast! Program GUI>Security>Summary>Current Status>double-click File System Shield.

THEN:  >Click Settings upper right>navigate to Actions area and change as appropriate and report back.

I've read your new reply just made now, and agree with you here.  Seems the default is to quarantine first, so...   Ask first would seem to be the safest option, then move to quarantine would be second, so I've taken the trouble to outline where these settings are.

[EDIT:]   Setting to ask would not be a setting for the average user, which is why the default is likely set to quarantine first.
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to quarantine...
Post by: dark_skeleton on September 12, 2013, 01:45:42 PM
Thanks for answering, it's actually pretty unsafe that defaults for Virus are chest-remove and for pup/suspicious are ask-remove. It's a pretty invasive setting, but I guess it's ok for normal users (assuming all your services are working properly). I never cared much because I rarely had any viruses and actually didn't mind them being quarantined quickly.

What I'm asking is please verify if your reputation service is working properly. I am afraid to turn it back on because of what just happened and I'm actually thinking I might never turn it on again.

Because of it I will have to slowly restore my PC to its previous state (I have the Windows system restore feature disabled since I'm running on an SSD)
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to quarantine...
Post by: True Indian on September 12, 2013, 01:48:14 PM
FilerepMalware is a cloud avast backend technology. It works in run time and not while on demand scanning.

Send the file quarantined by avast to virus@avast.com with subject false positive.

FilerepMalware is the similarity search engine. Interesting that it's detecting those files as similar to some family of malware  :o
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to quarantine...
Post by: mchain on September 12, 2013, 02:07:58 PM
True.  While the system is booting up, the files run would be scanned by File System Shield, so it is possible that changing settings in File System Shield from automatically quarantining to ask, in this case, would allow some control over an erroneous vps in place or file rep issue that somehow manifested itself here.  That is all we are after here.  These changes in settings are not for the average user, as most would not know how to answer and choose the right choice in action.

To summarise, normal actions are as follows:  Quarantine, then delete.  Deletion is to be avoided if at all possible, as once that is done, the file is gone forever.  Repair only works on normal files that are infected with a virus. 

Repair cannot work on trojans or worms as the entire file is an infectious agent, so there is nothing to repair.  A virus infection is the result of a normal file having a part of its code overwritten or changed to suit the intended actions of the virus code, so removing the virus code will, in most cases, clean the infected file.  A Windows system file can be controlled/renamed by a trojan, and deleting a needed system file will wreak havoc on a system to the point where it may not boot again.  So, deleting is the very last resort, and is best reserved to remove known trojans or worms.  An infected system file can always be replaced by a known clean copy.
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to quarantine...
Post by: dark_skeleton on September 12, 2013, 03:45:44 PM
Well, I have finally restored my PC to the previous state (mostly). I don't really care about background tasks like Java updates or Adobe stuff so I haven't reinstalled them. The rest required me to repair using installers, reinstall over existing installations or uninstall and reinstall apps. Some required me to manually re-add startup entries, especially "scheduled tasks" and some to enter their settings, disable autostart, accept, re-enable autostart, accept. I also had to download over 1GB of installers. On the bright side, thanks to logging I knew exactly which apps were damaged. 3 hours of work that could've been avoided...

Quote
FilerepMalware is a cloud avast backend technology. It works in run time and not while on demand scanning.
Send the file quarantined by avast to virus@avast.com with subject false positive.
FilerepMalware is the similarity search engine. Interesting that it's detecting those files as similar to some family of malware  :o

Especially that those files have absolutely nothing in common. Really, do you want me to send all these files to that address?
Files got removed without my approval, as you said, in run time. That wasn't on-demand scanning.

There has been a VPS update today not long ago, so I hope I won't have such surprises anymore, ever. I have changed settings to Ask and re-enabled reputation services for now. I also have to do the same on my second PC.

Thank you for your time and explanations, it seems like software is alive and making its own decisions, huh
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: abruptum on September 12, 2013, 04:11:18 PM
Because of this horror story, I've changed Action's settings in File System Shield.
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to quarantine...
Post by: mchain on September 13, 2013, 02:58:20 AM
Glad to help.  As for the files lacking commonality, they are all common driver/system files, albeit from different programs. 

Sorry this happened to you.  You might want to consider installing a disk imaging program for situations such as this to be able to recover in minutes instead of hours.  A restored image will revert all settings, and include the last known good vps version taken at the time of the image, back to a running system exactly the way it was at the time that snapshot was taken.  You then can skip the known bad vps, if indeed that was the cause and move on.
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: dark_skeleton on September 14, 2013, 11:16:02 AM
I've had enough of this. I have just booted my PC today and this again.
I had everything set on Ask as suggested, but it only asked one question and there wasn't even an option to take no action. It still quarantined all my files... WTF?!
I did a full scan yesterday, Avast found nothing, just a few wannabe-PUPs which weren't PUPs (I manually enabled searching for PUPs).
Of course, all chested files' startup entries have been removed, too.

From what I've noticed, it only happens on first boot of the day (?)

I DEMAND EXPLANATION and uninstalled your antivirus. This went too far.

EDIT: removed caps and cursing because I felt bad about it and I know it's not your fault... I'm still enraged though
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: czardas on September 14, 2013, 01:46:18 PM
This is indeed a horror story. I also disagree that average users should be considered that stupid that they can't answer the question 'Do you want Avast to automatically block this potential threat?' YES, NO or DON'T KNOW
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: Erebus on September 14, 2013, 04:31:55 PM
Removed due to incorrect location for feedback. Sincere apologies.
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: ram1220 on September 14, 2013, 11:44:14 PM
I went into my Avast settings yesterday and changed all of them to Ask First. The first time Avast deletes anything on my system without asking me it is gone. No looking back. I do know what I am doing. Avast needs to change the default back to Ask.
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: czardas on September 15, 2013, 01:18:51 AM
Well I just added these rules and I still can not download my own program from my own website. I have no choice other than to disable Avast. The program seems to be broken. This is a potentially dangerous action I'm about to take. Running an unprotected machine is not only dangerous for the person who uses it. I always had a fondness for Avast but I can no longer recommend it as I have often done in the past. I still would like Avast to be great again, like it used to be. The program is now too complicated for advanced users to use.
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: Erebus on September 15, 2013, 09:19:48 AM
Quote
I still would like Avast to be great again, like it used to be.

I agree.
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: True Indian on September 15, 2013, 09:27:02 AM
Dark_skeleton surely must be infected with something and that is why it's triggering avast detections still.

But guess what, when protection improvements like evo-gen, filerepmalware are not made there will be many people and even some among here saying "hey avast sucks its protection sucks the program is sh*t"

and when avast tries to make things better and problems come by people start complaining. All is made by human, mistakes will be there, don't expect everything to be 100%. There have been no reports about this filerepmalware alarm from anybody else and that means there is something wrong with the OP's machine.

Instead of simply complaining, try and help to make things better. Report undetected viruses and false positives to virus@avast.com and besides how cheap people can be when they are getting such great protection improvements for free?  ::)

And then again trolls and mad people will come here ragging about avast and say that they will never recommend it again without explaining their problems or try to make an effort to get it resolved they keep talking in a negative tone.

If people can't understand that things will keep going up and down we all have to put up and try to resolve individual problems which may or may not be strictly caused by avast.

I am leaving my words here in an effort to make people realize that nothing is 100% and everything is human made. Avast developers also do hard work and they also need rest. NONE OF US ARE GOD.

If this topic continues in a negative tone and none of the people over here want to get things resolved and don't want to cooperate in improving things and resolving issues, I would suggest a topic lockout.

Without you people's help, cooperation nothing is possible. Please understand the reality. DO NOT expect big changes to happen without any interaction.

So again, don't cooperate, don't take efforts and rant about avast and their company will not take you anywhere. Instead don't use AV software and then get frustrated with viruses. People don't want to make different topics in this forum to get help, they don't want to make things better and help avast team, they want to rant about avast. Bash it like no one's business.

Sorry if this sounds rude but polite tone doesn't seem to be working with you guys.
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: Erebus on September 15, 2013, 10:06:57 AM
Quote
Sorry if this sounds rude but polite tone doesn't seem to be working with you guys.

No need to apologise mate. That was a great post, and that's the great thing about free speech. We can all share our thoughts and suggestions - within reason and in a civil manner of course! :)

I guess this is not the right place for constructive feedback. Sincere apologies, True Indian.
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: czardas on September 15, 2013, 11:42:27 AM
I don't understand why Avast is misbehaving right now. I'm going to start relying more on hashing files myself to check their integrity. At least that way I can be pretty certain if an infection has occurred in one of my own projects. Avast doesn't seem to do this for excluded files, so they simply cannot be organized into folders without getting deleted. This is a bit of a mystery to me. Using heuristics is fine, but deleting people's work and installing 3rd party software without a warning is nothing less than viral activity. There's no getting away from the fact.
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: True Indian on September 15, 2013, 11:57:20 AM
czardas, if you have done with your non-helpful rants, take the pain of sending the flagged files to virus@avast.com for analysis so the virus lab can fix the false positives.  :)

What 3rd party software?? mcshield!? well, you know what that is a cleansing tool something that normal AV's can't do. If you can't follow simple suggestions it's your problem not ours and besides at some point you will get tired and stop your rants instead of following advice given to you.
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: True Indian on September 15, 2013, 12:05:39 PM
Erebus, so you call avast technologies unwanted bells?  ;D  ::)

Please try and understand that they are there to help and how much ever they are tested, when they are released to the public they will cause issues to some of them because it is prone to happen with a 185+ million user base community.

Whatever avast has provided so far has always been useful with the end user view. If you don't like it, go back to v6 and enjoy the low protection and don't complain.

Avast had kept the last beta for at most 1 to 2 months. Isn't that long enough!?  :o I still don't see why people keep denying the facts and don't read the reality and why most here don't want to make an effort rather than just complaining.

Tell me something how about going back the crappy days of v5 where avast was very basic but detection rates sucked. Then I bet you will not complain about avast again but about its protection  ::)

So again you are wrong. Evo-gen, filerepmalware are the backend technologies which help avast to be a better AV and software updater is to keep vulnerabilities away.
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: czardas on September 15, 2013, 01:00:38 PM
Quote
czardas, if you have done with your non-helpful rants, take the pain of sending the flagged files to virus@avast.com for analysis so the virus lab can fix the false positives.  :)
What 3rd party software?? mcshield!? well, you know what that is a cleansing tool something that normal AV's can't do. If you can't follow simple suggestions it's your problem not ours and besides at some point you will get tired and stop your rants instead of following advice given to you.

No I was not talking about McShield which is probably a good program. Also I don't consider expressing my concerns for users to be ranting. I feel personally under attack because the files being flagged are my own creations. I do not wish to be labelled a creator of viruses by an AV company and have their software totally prevent people from accessing my programs because of heuristic shortcomings (whether my code has bugs or not).
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: True Indian on September 15, 2013, 01:10:45 PM
I have said this plenty of times.

send the files to virus@avast.com and in a day or two the false positives will be removed.  :)
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: czardas on September 15, 2013, 01:41:22 PM
I tested your theory and it seems you are true to your word. Another program of mine which was flagged previously no longer gets flagged. The problem is that this program never made it to release stage. It was an early version that has been abandoned. Submitting FP reports for every alpha version of all my projects will only clog up Avast detection rules with useless junk information (or am I missing something here?).
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: dark_skeleton on September 15, 2013, 04:23:43 PM
Mmm this thread has gone outside the box. I don't mind discussions, there are some interesting statements here. Especially this one
Quote
Dark_skeleton surely must be infected with something and that is why it's triggering avast detections still.

Oh, yeah, totally. Sure it is. I mean, you couldn't have missed my post, could you?

Quote
I did a full scan yesterday, Avast found nothing, just a few wannabe-PUPs which weren't PUPs (I manually enabled searching for PUPs).
From what I've noticed, it only happens on first boot of the day (?)

It happened on first boot on the day. Meaning:

Screenshots have been attached to respective posts
So yeah, I totally have a virus. It's a tricky one though, it only activates during boot and lives only in my startup programs for a short while, disappearing when you put it inside the chest.
FYI I've been running avast ever since I bought this PC (a little over a year ago).
AND the second time it didn't mark the same apps as previously as FileRepMalware. It chested less files.

EDIT: Oh and of course I have sent those files as false positive. I filled in the details on every file in the Avast report window for those 18 files.

About additional features like software updater... It's cool for non-technical people like my girlfriend, who don't really know how to update stuff. I have personally uninstalled those features (Software Updater, SVPN, browser cleanup). I don't like more and more apps running in background. Especially since most of those apps already have integrated updaters installed and running in background...
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: Secondmineboy on September 15, 2013, 04:27:17 PM
You can send Avast an e-mail due to this:

E-Mail: virus@avast.com
Subject: False positives

You may add a link to this topic in case they reply here.

Give as much information as you can (Which programs, version, etc.). If possible you can send the files to them.
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: Secondmineboy on September 15, 2013, 04:29:09 PM
If you feel you have a virus do what is shown here and post a topic in the viruses and worms section: http://www.avast.com/contact-form.php

Attach the logs there, a malware remover will look over this. :)
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: True Indian on September 15, 2013, 04:42:58 PM
Thanks Dark_skeleton and czardas for cooperating.

To add, you can send all the falsely flagged files to virus@avast.com with the link to this topic. They fix it via streaming updates or VPS updates. No, nothing will be clogged, the detection will just be removed, there will be no touch to the whitelist.
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: dark_skeleton on September 15, 2013, 05:40:37 PM
Quote
If you feel you have a virus do what is shown here and post a topic in the viruses and worms section: http://www.avast.com/contact-form.php
Attach the logs there, a malware remover will look over this. :)

No, I don't feel I have a virus. As a matter of fact, I'm pretty sure I don't.

Quote
To add, you can send all the falsely flagged files to virus@avast.com with the link to this topic. They fix it via streaming updates or VPS updates. No, nothing will be clogged, the detection will just be removed, there will be no touch to the whitelist.

So... Does uploading them through the avast chest work or do I have to do it separately?

Quote
You can send Avast an e-mail due to this:
E-Mail: virus@avast.com
Subject: False positives
You may add a link to this topic in case they reply here.
Give as much information as you can (Which programs, version, etc.). If possible you can send the files to them.

I think you're just bumping your post count with these posts. I'm pretty sure True Indian already posted these guidelines earlier.
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: True Indian on September 15, 2013, 05:44:21 PM
Upload via chest or by email doesn't matter... just don't forget to post any additional info and link to this topic.

Glad you guys are cooperating now!  :)
Title: Re: Avast marked most startup apps as FileRepMalware and moved them to chest...
Post by: dark_skeleton on September 16, 2013, 09:36:47 PM
Uh... I haven't sent them with a link to this topic, but only with a short explanation. Oh well...
I will reinstall my programs tonight and try to install Avast again, just not the newest version. We'll see how it goes :)

EDIT: I thought I downloaded a previous version, but it actually installed the newest one. I've set default action options to Ask, then do nothing, so I hope it will finally work.