Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: davexnet on April 25, 2014, 06:41:46 PM

Title: PUP not detected by avast.
Post by: davexnet on April 25, 2014, 06:41:46 PM
Here's the virustotal info
https://www.virustotal.com/en/file/161ae070c0ae04e550d583535e14b546b927ed13bb173a3a6e4ad5bb4aeefe06/analysis/1398443523/

Malwarebytes recognized and quarantined it.
Title: Re: PUP not detected by avast.
Post by: Secondmineboy on April 25, 2014, 06:46:31 PM
Go to settings>Active protection>File system/Web shield and to second option from the bottom in the left list, choose scan for potentially unwanted programs. :)
Title: Re: PUP not detected by avast.
Post by: Eddy on April 25, 2014, 06:46:48 PM
HaHaHa, not detected?
Avast : NSIS:InstMonetizer-AW [PUP]
Title: Re: PUP not detected by avast.
Post by: CraigB on April 25, 2014, 06:47:12 PM
Looks like avast has detected it to me.
Title: Re: PUP not detected by avast.
Post by: davexnet on April 25, 2014, 06:53:15 PM
yes - I see it in the virustotal report.  However, I kept a copy of the folder that contains this item
(4 files in a folder within the local settings\temp directory).  When Malwarebytes detected it
and before it was quarantined I copied this folder to a separate drive.  After MBAM free quarantined
the original files, I scanned the copied folder with avast and it didn't detect anything.

Perhaps my pattern is not up to date?  I'll check.

It's not that - I right click the folder, scan it, and it says no threat detected.
As far as I can see, I do have PUP activated with avast! free.
Title: Re: PUP not detected by avast.
Post by: Paul_D on April 25, 2014, 07:11:31 PM
This thread simply highlights the fact that there is no one size fits all Malware fighter, and there never will be. So Avast didn't detect one PUP. Big deal.

Avast's primary function is viruses.

MalwareBytes is the most aggressive PUP hunter.

SuperAntiSpyware is the most aggressive cookie cleaner.

Furthermore, the key word in PUP is "Potentially". One man's unwanted program may be another man's highly desirable deliberately installed program. I have a few of those. The only qualification for a PUP is that it may have been installed by stealth. Technically, Chrome is a PUP, although as far as I know none of the PUP hunters look for it.

Title: Re: PUP not detected by avast.
Post by: davexnet on April 25, 2014, 07:38:05 PM
I see what you're saying, but there's more to the issue.
The virustotal report I linked to shows that avast! detects it.

However, when I scan the same files on my system, there is no detection.

How many places within the GUI does one have to check/enable detection of PUP?

Perhaps somewhere during the avast! installation, there should be a big question -
"Do you want avast! to detect Potentially Unwanted Programs yes/no ?"

Regarding the PUP setting on this screen.  I set it, but then I check it later and it's unchecked again.
Is this supposed to be a permanent setting or not?
Title: Re: PUP not detected by avast.
Post by: Pondus on April 25, 2014, 09:11:55 PM
Quote
The only qualification for a PUP is that it may have been installed by stealth.
Malwarebytes PUP criteria. http://www.malwarebytes.org/pup/
Title: Re: PUP not detected by avast.
Post by: Para-Noid on April 25, 2014, 09:17:09 PM
Once you tick a box then click "OK" the setting should stick.
Which version of v2014 are you running?

The reason the PUPs are not ticked is that many users wouldn't know the difference between a "good" PUP and a "bad" PUP.
That said, some PUPs are good, while others are not good. The keyword is "potentially".
Title: Re: PUP not detected by avast.
Post by: DavidR on April 25, 2014, 11:46:29 PM
@ davexnet
I would say that the difference in VT finding it is that they would have the scan settings set to scan for PUPs.

You have found one area to enable PUPs scanning, but that is for the on-demand scans (needs to be set for each scan type, see below), which personally I don't bother with. As most of the files scanned in an on-demand scan are either dormant or inert, then the point in checking is lessened. The avastUI > Settings > Active Protection > File System Shield is the on-access resident scanner and you can/should set that to check for PUPs if that is what you want.

If I remember the Web Shield is set to scan for PUPs, if not that is another area, the Mail Shield also has a PUPs scanning option, this is off by default I believe.

Why it isn't being detected in the on-demand scan rather depends on which scan you have set it on. Each different on-demand scan Quick; Full System Scan; Custom scan, etc. has to be set to scan for PUPs. Is it possible that you have set it for only one scan but are running a different scan?
Title: Re: PUP not detected by avast.
Post by: davexnet on April 25, 2014, 11:54:11 PM
When I look at (right click the  avast icon)/open avast user interface/scan/settings/sensitivity
it shows that scan for PUPs is checked.

However, when I am using Windows Explorer and I navigate to the folder containing this PUP,
I right click the folder/scan.  After 10 seconds or so a box opens up and tells me
SCAN COMPLETE - no threat found.  In this same box on the right you see "settings".
Clicking on this brings me back to the similar "avast scan settings".  Clicking on "sensitivity"
(on the left) now shows "scan for PUPs" to be unselected.  Something odd going on here.

Secondly, as I mentioned, using avast this way does not detect anything amiss,
yet the avast entry in virustotal detects it.

I can upload the folder if you'd like to test this.
EDIT I've just seen DavidR's new post, David I do have PUP selected, but see the anomaly I mentioned above.
Perhaps you can test this for me.
Title: Re: PUP not detected by avast.
Post by: DavidR on April 26, 2014, 01:22:34 AM
I can't really check it as I don't have anything on my system that would be classified as a PUP to scan.

However according to this you aren't setting the correct one for the explorer scan.
Quote from: davexnet
When I look at (right click the  avast icon)/open avast user interface/scan/settings/sensitivity
it shows that scan for PUPs is checked.

The Explorer scan settings are in a different place avastUI > Settings > Antivirus - scroll down to 'Special Scans' and use the Settings > Sensitivity option. But by default the explorer scan (AshQuick.exe) is the most thorough scan and it should scan for PUPs.

If not then at some point I have set it to scan for PUPs and that setting remains set. See image, whilst my image settings broadly look similar, all of the various Sensitivity setting screens look similar, so we really need to know which one you are looking at. e.g. is it the same one I mentioned, avastUI > Settings > Antivirus - scroll down to 'Special Scans' and use the Settings > Sensitivity ?
Title: Re: PUP not detected by avast.
Post by: davexnet on April 26, 2014, 01:38:46 AM
DavidR,
you're right, I had not turned on PUP scanning in the "special scans" you mentioned.
Once I did that, the PUP was detected in Windows Explorer/right click.

It seems the GUI has room for improvement.  Too many places you have to remember.
Thanks for the tips!

One interesting thing, although it's detected by this explorer scan, I can still use copy/paste in explorer to
move the infected file from one location to another with impunity.  Shouldn't it be detected there also?

Dave
Title: Re: PUP not detected by avast.
Post by: DavidR on April 26, 2014, 01:45:12 AM
You're welcome.
Title: Re: PUP not detected by avast.
Post by: davexnet on April 26, 2014, 01:47:26 AM
DavidR, 
please see my update above, I added another circumstance.
regards -
Dave
Title: Re: PUP not detected by avast.
Post by: Paul_D on April 26, 2014, 03:09:33 AM
General comment:

IMHO Avast in recent times is simply trying to do too much. I regard it as an anti-virus - nothing more.

Refer my post above, and the one soon after it from Pondus. If you want a good PUP checker, use Malwarebytes.

Title: Re: PUP not detected by avast.
Post by: DavidR on April 26, 2014, 02:14:37 PM
Quote from: davexnet
DavidR,
please see my update above, I added another circumstance.
regards -
Dave

Copy and paste isn't opening, modifying or running the file (instances where depending on the file type, it could be scanned), it also isn't a new creation either, so there is no scan.

Note, the scan undertaken would be by the file system shield, not the explorer scan.
Title: Re: PUP not detected by avast.
Post by: davexnet on April 26, 2014, 06:37:39 PM
Quote from: DavidR
Quote from: davexnet
DavidR,
please see my update above, I added another circumstance.
regards -
Dave

Copy and paste isn't opening, modifying or running the file (instances where depending on the file type, it could be scanned), it also isn't a new creation either, so there is no scan.

Note, the scan undertaken would be by the file system shield, not the explorer scan.

Thanks DavidR -
I did one more test - I had the files in a 7z archive and extracted the files to a folder.
During this circumstance the bad-ware was detected.  I guess it's time to delete
this puppy.  The interesting thing is, how did a folder containing these files get into the temp folder?
I suspect some activity on the web did it, rather than me consciously running something in the foreground
that this piggy-backed on.
Title: Re: PUP not detected by avast.
Post by: DavidR on April 26, 2014, 07:27:36 PM
Archive files by their nature are inert (by default archives aren't scanned), you have to unpack them and/or run the executables for them to present a risk.

Actually extracting/unpacking the archive would be creating new files (outside of the archive), that should trigger the file system scan.

Quote from: davexnet
The interesting thing is, how did a folder containing these files get into the temp folder?

I don't know as I don't have anything to work with, originating archive and location and what temp location. That said, depending on your Operating System and Folder options, archives may be shown as folders.
Title: Re: PUP not detected by avast.
Post by: davexnet on April 26, 2014, 09:10:46 PM
It's Windows XP, so it uses the default temp folder, like so:
G:\Documents and Settings\Dave\Local Settings\temp

This was the location where the files were originally identified, not in an archive (7z,zip)
but regular files (.exe, .dll)  in a sub folder.

The 7z file was created by myself in order to explore how/when avast! detected the bad file(s).
I did just about everything I could think of except actually run the exe.

Would a PUP be detected by the webshield, assuming this download was the result of some
java script from a web page?
Title: Re: PUP not detected by avast.
Post by: waking on April 26, 2014, 11:18:25 PM

Quote from: davexnet
how did a folder containing these files get into the temp folder?

Perhaps you'll get a clue from here:

http://www.installmonetizer.net/faq.php

(Hmm, sounds somewhat like what avast! has been accused of lately by some.)
Title: Re: PUP not detected by avast.
Post by: DavidR on April 26, 2014, 11:30:03 PM
Quote from: davexnet
It's Windows XP, so it uses the default temp folder, like so:
G:\Documents and Settings\Dave\Local Settings\temp

This was the location where the files were originally identified, not in an archive (7z,zip)
but regular files (.exe, .dll)  in a sub folder.

The 7z file was created by myself in order to explore how/when avast! detected the bad file(s).
I did just about everything I could think of except actually run the exe.

Would a PUP be detected by the webshield, assuming this download was the result of some
java script from a web page?


Being in a Temp location could possibly mean that they were Temp Internet Files - C:\Documents and Settings\David\Local Settings\Temp\Temporary Internet Files - but why there would be .exe or dll files in there is strange.

PUPs are scanned for by default in the web shield as far as I'm aware, but I'm also sure there are instances when they may not be scanned: anything that is downloaded on https (secure connection) or isn't downloaded using an http connection and http protocol.