Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: dolphins on January 25, 2014, 09:20:56 PM

Title: Emergency Update Annoyance
Post by: dolphins on January 25, 2014, 09:20:56 PM
OK, first thing I have reinstalled with only File System Shield enabled because of other problems Avast is causing with forums and email.

Also

Every day, sometimes 2 or 3 times per day I get prompted from my firewall to allow emergency updates from Avast. There are usually 5 to 7 prompts consecutively all wanting to connect through port 80 from multiple Avast servers. Even if I set a rule to allow them permanently I still get prompted. At one time I had over 15 permanent permissions just for the Emergency Update service in my firewall filter rules but still the prompts kept coming. This is not acceptable!
Title: Re: Emergency Update Annoyance
Post by: Eddy on January 25, 2014, 09:25:03 PM
What exact version of avast are you using?

If you set the rule and Kerio is still asking you, you haven't set the rule correctly or there is a problem with Kerio.
Title: Re: Emergency Update Annoyance
Post by: Michael (alan1998) on January 25, 2014, 09:30:06 PM
Remove the photo or edit it. Your IP is in the photo.
Title: Re: Emergency Update Annoyance
Post by: AdrianH on January 25, 2014, 09:41:12 PM
Personally I would find a better firewall.  Kerio was tired many years ago.

I use Private Firewall, the emergency updater runs as scheduled, it never bothers me.

If you only have file shield installed your system is at risk.

Give your system specs and what problems you have, maybe someone can help.
Title: Re: Emergency Update Annoyance
Post by: cooby on January 25, 2014, 11:22:31 PM
Nothing wrong with Kerio, it's one of the finest firewalls.

@dolphins, when Kerio alerts, look at the bottom - you need to make a permanent rule for this application - but don't include the remote IP since the server changes.  Make sure your rules sequence is ok - it might not be since you say you allow the update and it still won't run. But I suspect your problem is with the child executables.

The main problem is what happens after when the new file comes in.
Outpost, OnlineArmor, Sunbelt, any GOOD firewall, sees a NEW EXECUTABLE. By design it must ask for permission.
Since Avast gives those new child executables  a different filename, such as
c:\Program Files\AVAST Software\Avast\Setup\fec4d8ce-99fb-4ea5-8a09-f19dcf12eb20.exe
c:\Program Files\AVAST Software\Avast\Setup\629ce6f5-9888-4934-b71d-7fbd07ed0dea.exe
the good firewalls must alert, even if something like trusted app (avastEmUpdate.exe parent) is permitted.

This has been discussed, and dismissed here as firewalls' fault. Few discussions worth reading (and there are many more on this forum)
http://forum.avast.com/index.php?topic=126731.0
http://www.outpostfirewall.com/forum/showthread.php?27540-Avast-9-emergency-update-exe-files

All we need is an invariant filename.
Title: Re: Emergency Update Annoyance
Post by: dolphins on January 26, 2014, 05:08:08 AM
Kerio 2.1.5 is one of the best no nonsense rule based firewalls ever developed. But don't take my word for it, ask some security experts on some of the accredited security forums. I'll put it up against any of today's bloated firewalls. I don't need bells and whistles I just want strong protection which is what Kerio gives me.

That is not my IP address it is an Avast server's IP address. It wouldn't matter if it was my IP anyway.

@cooby I set the permanent rule and it works until Avast wants to phone home again. Like you said, Avast's executable changes its file name every time so I don't see any way to allow it with filter rules?

Title: Re: Emergency Update Annoyance
Post by: schmidthouse on January 26, 2014, 05:19:23 AM
I followed much about the Avast EMupdater discussions (here and the Agnitum Forum) and just adding I have NO issues here using Outpost Pro on either XP or W8.1 with this Avast process or nagging popups. :)
Title: Re: Emergency Update Annoyance
Post by: cooby on January 26, 2014, 07:02:11 AM
@dolphins,
Now, your screenshot doesn't show the full name of the .exe file you put there, I guess it's the same as in the rule name.
AvastEmUpdate needs a connection as you're coding it. Just put it in the right place.

The randomName.exe file does not need the internet connection, at least not for me. It gets downloaded when emergency update sees one is required. It is then run.
It causes some firewalls to alert because its name changes so HIPS or behavior blocking sections of a firewall respond, not the packet rules.

On the other hand, if you look into the Outpost forum thread I posted, you will see that there was an alert for both behavior and connection for the randomName.exe. So I guess every firewall alerts slightly differently or sees different events, and also it may well be related to what sort of HIPS/behavior settings one has. I don't have that option, so every new .exe causes a prompt.

Are you sure the alert you get from Kerio is for the randomNamed.exe? The one you posted originally is just for the emergency update.

This is off-topic: You may want to put port 80 into the remote port, also limit your local ports to 1029-5000 if on XP, some other range for newer Windows.
Title: Re: Emergency Update Annoyance
Post by: RejZoR on January 26, 2014, 07:24:44 AM
Last time I checked, "best firewall" and "being heavily outdated" don't go together at all. Kerio has not been updated for years, so why are you even relying on it?
Title: Re: Emergency Update Annoyance
Post by: Eddy on January 26, 2014, 07:46:15 AM
Best firewall is still a hardware firewall.
Title: Re: Emergency Update Annoyance
Post by: RejZoR on January 26, 2014, 12:45:33 PM
It isn't. Hardware firewall is a dumb firewall that just filters packets, but has no clue what's going on on a system level. Hardware firewall is only useful if you want to prevent access in or out for specific ports and IP addresses.
Title: Re: Emergency Update Annoyance
Post by: dolphins on January 26, 2014, 02:37:43 PM
@cooby The filter rule is for the Emergency Update exe not one of the random file names. I deleted all the old filter rules for Avast so I'm starting fresh to see if I can get this straightened out?

Oddly this has been happening for the last 2 weeks but today it has not happened yet. It usually happens right after I boot up in the morning but so far nothing. I will make screen captures of each one and post them here if and when they pop up again? If you're familiar with Kerio you already know it will always use the first rule in the list which overrides the lower priority filters. So maybe one of the old rules was the problem? Since this is an ongoing problem with other firewalls also, I will post any new results here that may or may not help you.

Thank you for staying on topic and not joining the pissing contest about firewalls.  :)   
Title: Re: Emergency Update Annoyance
Post by: cooby on January 26, 2014, 08:19:57 PM
There haven't been new emergency files since Jan23, so it has to be quiet if your packet filtering rules are now ok and in correct sequence.
When one arrives, Kerio will alert you if you check for new or changed executables.
I just dusted off an XP box that had Avast on it. In the log of MD5 items in Kerio is at least one of the randomName.exe jobs - see picture.
So, like I said, for me it's on the behavior side and not the packet filtering side of the firewall.

Now, as I think about it some more, even if the fileName didn't change, a firewall will alert to the change of contents. So yes, we do need to live with it if we want a firewall to monitor what runs, rather important protection method in my opinion :)

Sorry about that copied post#8, I meant to edit something, messed up and gave up.
Title: Re: Emergency Update Annoyance
Post by: dolphins on January 27, 2014, 07:44:21 PM
@cooby That explains why it just started happening all of a sudden. So I can expect more of this nonsense on the next update unless they issue a fix.

I always delete all MD5 signatures when I delete filter rules so I'm currently running with a clean slate, so to speak.

As for the random file name change, I would think that most firewalls would alert users of this?
Title: Re: Emergency Update Annoyance
Post by: dolphins on January 29, 2014, 05:05:45 PM
First thing this morning after boot up it started again only this time the 'New found Hardware' wizard opened when I allowed the update.  I have not installed any new hardware in this machine in the last year.

The MD5 signatures stay the same but the file name changes (See Attachment).
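
An added illustration, not part of the thread and not Kerio's or Avast's code: it replays one launch sequence against three ways an executable monitor could identify a program (by path, by content hash, or by both) to show which ones alert on the renamed-but-identical file reported above and on a changed file under the same name. SHA-256 stands in for the MD5 signatures mentioned in the posts; the class and function names are hypothetical and the file contents are constructed.

```python
import hashlib
from dataclasses import dataclass, field

SETUP = r"c:\Program Files\AVAST Software\Avast\Setup"
NAME_1 = SETUP + r"\fec4d8ce-99fb-4ea5-8a09-f19dcf12eb20.exe"  # names quoted in the thread
NAME_2 = SETUP + r"\629ce6f5-9888-4934-b71d-7fbd07ed0dea.exe"
PAYLOAD_A = b"constructed stand-in for update build A"
PAYLOAD_B = b"constructed stand-in for update build B"

# Constructed launch sequence: (path, file content, what the event represents)
EVENTS = [
    (NAME_1, PAYLOAD_A, "first launch"),
    (NAME_2, PAYLOAD_A, "same content, new random name"),
    (NAME_1, PAYLOAD_A, "exact repeat"),
    (NAME_1, PAYLOAD_B, "same name, changed content"),
]

@dataclass
class ExecMonitor:
    """Hypothetical model of a new/changed-executable check."""
    key: str  # "path", "hash" or "path+hash"
    known: set = field(default_factory=set)

    def identity(self, path, content):
        digest = hashlib.sha256(content).hexdigest()  # SHA-256 in place of MD5
        norm = path.lower()  # Windows paths compare case-insensitively
        return {"path": norm, "hash": digest, "path+hash": (norm, digest)}[self.key]

    def check(self, path, content):
        """Return 'allow' if this identity was permitted before, else 'alert'."""
        ident = self.identity(path, content)
        if ident in self.known:
            return "allow"
        self.known.add(ident)  # models the user answering "permit and remember"
        return "alert"

def replay(key):
    """Run the constructed sequence through a fresh monitor; return its verdicts."""
    monitor = ExecMonitor(key)
    return [monitor.check(path, content) for path, content, _ in EVENTS]

if __name__ == "__main__":
    for key in ("path", "hash", "path+hash"):
        print(f"{key:10}", replay(key))
```

Keying on the content hash alone stays quiet for the rename but still flags the changed file; keying on the path alone does the opposite and misses the content change.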
Title: Re: Emergency Update Annoyance
Post by: cooby on January 29, 2014, 06:11:40 PM
Quote from: dolphins
"@cooby ... So I can expect more of this nonsense on the next update unless they issue a fix."
No, you can't get a fix either here or in the firewalls, as I mentioned earlier when I took a bag off my head.
Quote from: dolphins
"As for the random file name change, I would think that most firewalls would alert users of this?"
Firewalls with HIPS or behavior will alert so long as they're set up to alert on new executables, new components etc. So the settings do play a role. For instance in Kerio if you didn't want any behavior alerts, you'd need to turn off MD5 monitoring. Bad idea, unsafe, but you can do that. Likewise in Outpost's antileak settings.

Yeah, I got an emergency update yesterday as well.
I feel those things are cleverly written when they can make a change without the need for reinstallation of Avast.
Title: Re: Emergency Update Annoyance
Post by: hake on January 29, 2014, 10:08:35 PM
Are 'emergency updates' dependent on streaming updates being enabled?  If so, I'll disable the thing.

This is a flippin' nuisance.  An occasional emergency update is one thing but it's routine.  I put up with it because Avast is such good protection but it's a bad do really.

How about an option to be able to set Avast to request randomly or fixed name emergency update executables?  Obviously random naming should be default but the user ought to have the option of electing to download fixed named executables.  These things are digitally signed after all.  I would like the choice.
Title: Re: Emergency Update Annoyance
Post by: bob3160 on January 29, 2014, 10:29:48 PM
Quote from: hake
"Are 'emergency updates' dependent on streaming updates being enabled?  If so, I'll disable the thing.

"This is a flippin' nuisance.  An occasional emergency update is one thing but it's routine.  I put up with it because Avast is such good protection but it's a bad do really.

"How about an option to be able to set Avast to request randomly or fixed name emergency update executables?  Obviously random naming should be default but the user ought to have the option of electing to download fixed named executables.  These things are digitally signed after all.  I would like the choice."
I don't understand why you aren't simply allowing avast! access through your firewall ???
You either trust your AV or, find a different one IMHO.
Title: Re: Emergency Update Annoyance
Post by: MrMaxaMan on January 30, 2014, 12:38:04 AM

Quote from: bob3160
"I don't understand why you aren't simply allowing avast! access through your firewall ???
You either trust your AV or, find a different one IMHO."

I allow Avast through my firewall but the emergency updates are separate alerts.
Title: Re: Emergency Update Annoyance
Post by: cooby on January 30, 2014, 02:17:01 AM
@hake, we have to live with it. I finally came to the conclusion that's how it has to be, unless you want a convenient, but much weaker, protection. Emergency update is not routine. Yes, it runs often checking. Just connects out to check and stops when there's nothing to do. But the download and a new .exe file is infrequent and a pest of sorts.

@bob3160, The issue is not "access through the firewall".
Avast setup and emergency update need outbound connection to avast servers and get it.
The random named executables never want any outbound.

The debate is about what avast emergency runs. It loads and runs a child process of a random named .exe file.
Just like a trojan would from an infected website or an obfuscated link in email.

A good firewall watches that sort of thing. It sees it as a new executable file and alerts. Even if the filename were the same, it will be seen as a change. See the Outpost discussion in a link I showed in post#4 as well as more of my ramblings in post#12 in this thread.

Edit:
In post#14, dolphins shows the behavior logged new executables, and here's mine from yesterday - see pic.
Not a TCP to http port connection at all, just a new .exe file to deal with when emergency launches the new file just loaded into \setup.
Title: Re: Emergency Update Annoyance
Post by: hake on January 30, 2014, 03:43:35 AM
These random named executables run in a folder which is self-defence protected by Avast.  It doesn't suggest confidence in that self-defence if digitally signed executables from a known location initiated by Avast cannot be given fixed names.

Isn't it a sign of something wrong if you are always running emergency updates?  They were mercifully rare with Avast 8 but have turned into an absolute flood with Avast 9.  This is presumably why so many now feel compelled to protest.
Title: Re: Emergency Update Annoyance
Post by: hake on January 30, 2014, 12:48:03 PM
If Avast downloaded its emergency update files from sources using actual IP addresses and secure connections, used digitally signed files and took advantage of its own self-defence protection, why are randomly named files necessary?
Title: Re: Emergency Update Annoyance
Post by: guestja on January 30, 2014, 03:04:28 PM
Winpatrol Plus is holding these emergency updates pending permission to allow also.
Title: Re: Emergency Update Annoyance
Post by: bob3160 on January 30, 2014, 03:22:10 PM
Quote from: guestja
"Winpatrol Plus is holding these emergency updates pending permission to allow also."
+1
Title: Re: Emergency Update Annoyance
Post by: GreggH on January 30, 2014, 08:27:31 PM
I have 4 of these files in the emupdate folder. I have no idea which if any have been run, except for the last one, dated today. And the only reason it was run? I saw it, and the RunOnce entry in Autoruns, and restarted my machine. The reason I don't know about the others... I do not restart my box unless it is required by something, like Microsoft updates. It is not unusual for my desktop "uptime" to be 14 days, 21 days, or longer. It runs 24/7. What good is an "emergency update" to Avast, if it is required to restart the machine to install it, but I am not told that.

Am I the only person who leaves their machine on 24/7? And how is someone who does, supposed to get these so-called "emergency update" files?

Gregg
Title: Re: Emergency Update Annoyance
Post by: chris.. on February 01, 2014, 12:12:48 PM
Hello,

What is curious is that there were (for me):
- 2 Em.Up in December - 1 at the beginning and 1 at the end of the Christmas offer on the avast UI
- 2 Em.Up in January - 1 at the beginning and 1 at the end of the "more secure Avast program" offer on the avast UI

probably just a coincidence  ::)
Title: Re: Emergency Update Annoyance
Post by: GreggH on February 01, 2014, 01:26:24 PM
My 4 files are the 28th and 30th of December, and 29th and 30th of January. They all read exactly the same version (8.0.0.0) and exactly the same size (181,136 bytes). There are no Run or RunOnce entries in my registry, so I would ask 1) what is the purpose of keeping these files hanging around if they are not in use for anything, and 2) is it safe to delete them?

Gregg
Title: Re: Emergency Update Annoyance
Post by: guestja on February 01, 2014, 02:21:00 PM
I contacted Bill at Winpatrol about emergency updates. He is looking into it. If necessary he will change code. Meanwhile if you have the Plus edition there is a workaround:

"If you are a PLUS member, there is a workaround on our options page. Click the button that says "Hide Alert Messages" and you'll see we have a checkbox allowing users to ignore any RunOnce entries since they're typically used for updates. Any malware attacks will show up in more than that one location".