Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: rlclifford on December 30, 2013, 07:53:57 PM
-
I have Winpatrol running on my System and Being Alerted of a Avast Emergency Updates Type Runonce at startup 3 so far in the last few days here's the last one
d72679b3-ccec-4fde-9658-159e46796333.exe In setup/emupdate folder
Is Avast doing this? Or is it being Hacked?? I can not find any info on these files!!!
-
emupdate is a legitimate avast process so do allow it.
-
Thank you for the reply!!!
-
emupdate is a legitimate avast process so do allow it.
emupdate is a legitimate Avast process, but whether the individual "random name" files are legitimate depends on whether they are properly signed by Avast. I have yet to be convinced that this backdoor procedure doesn't open up a possible security hole.
Interestly this morning there are two "random name" files in my emupdate folder, both Avast signed. One dated 28/12/2013 and the other 31/12/2013. A WinND5sum shows that they are identical (93f3fad76b9a38d19c4c6db46542089c)
Given that the PC is run each day for some considerable hours, it seems the emupdate process has been applied twice (since my last full reinstall), the same file (albeit with a change of name) has been downloaded twice (at my expense) and the process both times has failed to clean up. Not impressed !
-
There seems to be some confusion on what RunOnce actually means.
It doesn't mean "run one time only".
From Microsoft...
"Run and RunOnce registry keys cause programs to run each time that a user logs on. The data value for a key is a command line."
"By default, the value of a RunOnce key is deleted before the command line is run. You can prefix a RunOnce value name with an exclamation point (!) to defer deletion of the value until after the command runs. Without the exclamation point prefix, if the RunOnce operation fails the associated program will not be asked to run the next time you start the computer."
This example from a Windows XP SP3 box shows that the key was updated today, and by my observation, updated daily...
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 20131224 REG_SZ C:\Program Files\AVAST Software\Avast\setup\emupdate\c101a010-40fe-42c9-a1d7-4b42d9a59aea.exe /check 12/30/2013 9:00:02 AM 101
-
emupdate is a legitimate avast process so do allow it.
emupdate is a legitimate Avast process, but whether the individual "random name" files are legitimate depends on whether they are properly signed by Avast. I have yet to be convinced that this backdoor procedure doesn't open up a possible security hole.
Interestly this morning there are two "random name" files in my emupdate folder, both Avast signed. One dated 28/12/2013 and the other 31/12/2013. A WinND5sum shows that they are identical (93f3fad76b9a38d19c4c6db46542089c)
Given that the PC is run each day for some considerable hours, it seems the emupdate process has been applied twice (since my last full reinstall), the same file (albeit with a change of name) has been downloaded twice (at my expense) and the process both times has failed to clean up. Not impressed !
idem...two emergency files but any problem solved.. think :o
-
emupdate is a legitimate avast process so do allow it.
Hello,
I think as long as we will not have a specific example about what really makes this legitimate process, we still have many posts about it.
Why avast has not yet spoken about it?
Pleasure?
No needed to know ?
-
WinPatrol popped up yesterday asked if I wanted to run the Emergency Update so I clicked on allow. I'm not the least concerned about it.
-
I'm not the least concerned about it.
Either you've read a lot into what people have reported here, and/or you have ultimate faith in Avast's protection, and/or you just like living dangerously. ;)
When the security software starts to act more like malware people really SHOULD notice.
But apparently this (relatively new) behavior is now becoming well-known and expected of Avast. I've had several copies of GUID-named executables show up and a RunOnce entry added since my last reboot several days ago. Seems a bit like overkill, but if you're infected and this "emergency update" stuff saves your bacon I'm sure it will be a happy time.
-Noel
-
WinPatrol popped up yesterday asked if I wanted to run the Emergency Update so I clicked on allow. I'm not the least concerned about it.
Ehm..... well we know your memory is not the best
http://forum.avast.com/index.php?topic=142468.0
-
Is 'emergency update' a delivery channel for software patches?
The use of random file names is a great nuisance. Is it a 'subtle' nudge in the direction of Avast Security Suite? I would say that the feature, as implemented, is a big put-off.
-
WinPatrol popped up yesterday asked if I wanted to run the Emergency Update so I clicked on allow. I'm not the least concerned about it.
Ehm..... well we know your memory is not the best
http://forum.avast.com/index.php?topic=142468.0
I'm not concerned about it now. It doesn't show up in start up or task scheduler so I don't know where it's hiding.
-
Is 'emergency update' a delivery channel for software patches?
The use of random file names is a great nuisance. Is it a 'subtle' nudge in the direction of Avast Security Suite? I would say that the feature, as implemented, is a big put-off.
This description of Emergency Updater was posted in June 2012 (link provided by Lukas from Avast on the Feeedback site)...
http://www.ghacks.net/2012/06/30/avast-update-brings-emergency-updater-and-sitecorrect-features/ (http://www.ghacks.net/2012/06/30/avast-update-brings-emergency-updater-and-sitecorrect-features/)
-
This description of Emergency Updater was posted in June 2012
That and the GUID-named executables are two different things. Maybe they're related, but we haven't had word on the latter and the linked article doesn't cover it.
-Noel
-
This description of Emergency Updater was posted in June 2012
That and the GUID-named executables are two different things. Maybe they're related, but we haven't had word on the latter and the linked article doesn't cover it.
-Noel
This was Nov. 23, I believe. And it is in reference to the Nov. 21 GUID emupdate...
http://forum.avast.com/index.php?topic=140730.msg1025160#msg1025160
Gregg
-
I didn't get a definitive answer back then, and I don't see any more clarity now... Is Vlk with Avast? One other member mentioned that he thought Vlk is the CTO, but there's no solid indication ("Global Moderator, Serious Graphoman" doesn't say much to me). Are only Avast team members moderators?
-Noel
-
I didn't get a definitive answer back then, and I don't see any more clarity now... Is Vlk with Avast? One other member mentioned that he thought Vlk is the CTO, but there's no solid indication ("Global Moderator, Serious Graphoman" doesn't say much to me). Are only Avast team members moderators?
-Noel
Administrators, Global Moderators and avast! team are all part of the avast! team.
Here is a full list: [some accounts may be inactive]
http://forum.avast.com/index.php?action=groups;sa=members;group=24
And as far as I know, Vlk is still with avast!.
He was last on the forum on 27th December.
-
The CTO sorta looks like Vlk...
http://www.avast.com/en-us/about (http://www.avast.com/en-us/about)
(http://forum.avast.com/index.php?action-profile;u=4)
-
I didn't get a definitive answer back then, and I don't see any more clarity now... Is Vlk with Avast? One other member mentioned that he thought Vlk is the CTO, but there's no solid indication ("Global Moderator, Serious Graphoman" doesn't say much to me). Are only Avast team members moderators?
-Noel
Lord.....
I first worked with Ondrej (aka vlk) during the Win Vista beta, working to get Avast running under Vista. He has been CTO for a long time, and remains so, to the best of my knowledge (and according to the web site). He definitely knows his stuff, so I have a very strong tendency to trust what he says.
Is this enough of a "solid indication"? (Oh, and jwoods link to the management team does show him as CTO of you need more :-))
Gregg
-
Thanks for setting me straight, folks.
It would probably be better if the Avast! employees would have show solid indication about who they are when they post here. With security software, especially, statements of those actually in-the-know vs. other folks' observations can be quite important.
-Noel