Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Zagor on December 31, 2005, 04:21:26 AM

Title: User info about new fix for the next VPS?
Post by: Zagor on December 31, 2005, 04:21:26 AM
After Memory & Auto-start programs Scan with my avast Pro I get a false positive:

* Task '04 MY Memory & Auto-start programs (All Users)' used
* Started on Friday, 30. December 2005 16:58:00
* VPS: 0552-2, 29/12/2005
*
Process 248, memory block 0x00BE0000, block size 53248 [L] Saturday 14th-669 (0)
During the file repair, error occurred: The system cannot find the file specified
Infected files: 1
*
* Task stopped: Friday, 30. December 2005 17:01:24
* Run-time was 3 minute(s), 24 second(s)
*

The process was C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
from my BitDefender Free Edition

I reported this thing a couple of times before. So I'll be waiting for the next VPS... ;)
Title: Re: User info about new fix for the next VPS?
Post by: alanrf on December 31, 2005, 04:33:08 AM
Considering that antivirus programs are designed to look for tell-tale signs of viruses, it seems to me that one antivirus program is likely to find tell-tale virus signatures in another antivirus program.

I think it perhaps excessive to expect any antivirus program to be developed in a way that it will not detect virus signatures in another antivirus product installed on your system.

If you choose to have multiple antivirus functions resident on your system then investigation of the "exclude" options of the various products would seem to me to make sense rather than expecting the antivirus product developers to save you from your own decisions.

Title: Re: User info about new fix for the next VPS?
Post by: Zagor on December 31, 2005, 05:32:51 AM
False positive is still a false positive.

Quote
I think it perhaps excessive to expect any antivirus program to be developed in a way that it will not detect virus signatures in another antivirus product installed on your system.

But tell me, how often is this happening with avast? AFAIK, very rarely. There are some issues with Panda definitions and nothing about Bit Defender. I don't think this is still an unreasonable request. Maybe in the future this will be the issue, which will probably depend on new viruses and new principles of detection, but we don't know that for now.

Quote
If you choose to have multiple antivirus functions resident on your system then investigation of the "exclude" options of the various products would seem to me to make sense rather than expecting the antivirus product developers to save you from your own decisions.

avast is the only resident scanner on my system, BitDefender is just On-Demand application.

Think of all those fresh avast users, finding a virus that they can't remove due to error of avast (just look in the detection message). I've seen a few users that gave up on an application just because there was one or two confusing messages or requests. There are not many people that are willing to sort things out like you & me now about software.

Is it so unreasonable to expect that Alwil team can make this kind of fix rather than expect from inexperienced (better disinterested) users to build up their exclusion list? And as it may sound trivial, those users are target demographic for the sale.

So who will be needing a rescue from their decisions? Anyway, this is my opinion and suggestion.
Title: Re: User info about new fix for the next VPS?
Post by: alanrf on December 31, 2005, 07:45:21 AM
Zagor,

I'm not trying to make a big issue with you.  Avast! has recently been criticized for the thoroughness and speed with which it deals with viruses.  Vlk has told us that more effort will go to addressing those issues.

Any of us who have ever been in a position to determine where our limited development resources will go must feel some sympathy for the avast! team.  They continue to make this product available for free to a huge number of people.  They are not of the size and resources (thank Heavens!) of Symantec and must, I am sure, be much more prudent in allocating their efforts. 

Their principal purpose is, and must continue to be, protection of the user community from existing and new viruses.  That, in itself, is a staggering task. 

We see all sorts of requests, the incessant demands from a certain poster for a  "prettier" interface - as if that will save anyone from a virus.  Then there are the demands for faster scanning, the background drone of "avast destroyed every exe on my system",  "why can't avast just quarantine a single email message?" etc. 

You (and I also) have chosen to install other software to assist us in the battle against malware.  I have chosen other software than you.  It does not seem to cause avast! to throw up any false positives.  While neither of us have chosen a second "resident" scanner both of our choices (by our choice) install software and signature files on our system.  We are but two users - there are many choices out there and more appear every month.  If I choose to demand of avast! that they do not cause problems with my choice and all the other users do the same - what are they to do?  They could spend all their time just avoiding problems from the extra malware avoidance products that you, I and every other user chooses to install.

No, that is not the right way for avast!  The right way right now for avast! is to be among the very best in combatting existing and new viruses - that will attract the mass of customers (hopefully a good proportion of them paying) that will enable the team to have resources to deploy against issues such as the one you have raised - but it must, I suggest, take second place to the prime directive.

Title: Re: User info about new fix for the next VPS?
Post by: hlecter on December 31, 2005, 11:23:15 AM
Hi Zagor:

Just a little suggestion from me.

Go for AVG free, and under installation skip everything but on-demand scanner.

If you, like me, stop ALL AVG processes except when you scan with AVG or update it you are safe from these problems. (perhaps unnecessary to stop the processes, but just to be sure.)  :)

I have been using AVG in this way for months without any problems.
The key is not INSTALLING AVG resident part or mailpart.

Always good with second opinion  ;D and this solution has worked for me for months.

(I have to admit: AVG never found anything that Avast missed.)  :)

Never had a problem with Avast interfering with AVG.

Hannibal Lecter
Title: Re: User info about new fix for the next VPS?
Post by: alanrf on December 31, 2005, 11:50:23 AM
Then, Mr. Lecter, what has all this effort bought you ... apart from nothing?

On second thoughts perhaps your nothing may relieve those hints of paranoia in the rest of us. 

Please keep us informed if "nothing" continues.
Title: Re: User info about new fix for the next VPS?
Post by: hlecter on December 31, 2005, 12:01:03 PM
Quote
Then, Mr. Lecter, what has all this effort bought you ... apart from nothing?

It has brought me the same as Avast has done - nothing.  :D

Avast never found anything on my system.  :)

I use a-2 and Ewido, too. Ewido has never found anything on my system, a-2 too many false positives.

Short answer to your question: PEACE of mind  :-* and that is valuable for me.

No software can replace good brainware and safe hex.  ;)


I forgot to mention: Ad-aware (finds nothing apart from Alexa which I let alone).  ;D

Speaking of paranoia: I have a good portion of that, and paranoia can be useful.  ;)

One exception: I surf with Admin rights! (against all odds) according to experts.  :'(

Hannibal Lecter
Title: Re: User info about new fix for the next VPS?
Post by: alanrf on December 31, 2005, 12:11:10 PM
Mr. Lecter,

Why go to the trouble of disabling software when there are plenty of alternatives that provide excellent on demand scanning without the effort?

On reflection and reviewing some of your recent posts, please ignore my question.

I suspect that scanning your system 24x7 with every available product will probably not give you peace of mind. 
Title: Re: User info about new fix for the next VPS?
Post by: hlecter on December 31, 2005, 12:26:50 PM
I have peace of mind as I said.  What are you insinuating? :(

Quote
Mr. Lecter,

Why go to the trouble of disabling software when there are plenty of alternatives that provide excellent on demand scanning without the effort?

What trouble are you talking about? I have a simple bat-file to take care of that.  ;D

Quote
Mr. Lecter,

On reflection and reviewing some of your recent posts, please ignore my question.

I suspect that scanning your system 24x7 with every available product will probably not give you peace of mind.

What are you insinuating? You must be breaking some forum rules here.

Mr. Lecter
Title: Re: User info about new fix for the next VPS?
Post by: igor on December 31, 2005, 02:13:54 PM
Zagor, is the same "virus" found in BitDefender's process every time you run the scan? If yes, I'd say it's simply the same problem as with Panda definitions (though it's just a guess without seeing the real memory block).
If it is the case, even the "solution" is the same - ask BitDefender to properly scramble their signatures.
Title: Re: User info about new fix for the next VPS?
Post by: Zagor on December 31, 2005, 02:40:43 PM
Quote
Avast! has recently been criticized for the thoroughness and speed with which it deals with viruses.  Vlk has told us that more effort will go to addressing those issues.

Yes, I read that and I'm looking forward to it!

Quote
Any of us who have ever been in a position to determine where our limited development resources will go must feel some sympathy for the avast! team.

Absolutely, as a human component to this story it is highly reasonable to assume that money represents the primary guidance in determining the future interests for development. I sympathize completely, believe me.

Quote
Their principal purpose is, and must continue to be, protection of the user community from existing and new viruses.

Of course, was there anything else besides that? This is and should stay the primary goal. I wasn't trying to make an issue. My point was that for solving Bit Defender "problem" avast team would reap much more benefit rather than choose not to. Point was also that this was not a colossal demand, speaking of solving it. Especially since this is a rare case of software disaccording.

I still think that my post about that was useful, just in terms of informing other users.
Maybe a solution for Alwil is to announce this issue in the FAQ like the Panda case.

Quote
They could spend all their time just avoiding problems from the extra malware avoidance products that you, I and every other user chooses to install.

I don't think that Bit Defender is the part which can be disregarded, especially because of its popularity. You are right, but with a little correction, if you allow me. This must be avast politics in case of "extra malware avoidance products" for the lower part of the market, but not for the top 10 giant which includes Bit Defender. The way for dealing with is their decision, I'm just trying to make a suggestion.

Thank you for the debate, Zagor.
Title: Re: User info about new fix for the next VPS?
Post by: Zagor on December 31, 2005, 02:45:12 PM
Quote
Hi Zagor:

Just a little suggestion from me.

Go for AVG free, and under installation skip everything but on-demand scanner.

If you, like me, stop ALL AVG processes except when you scan with AVG or update it you are safe from these problems. (perhaps unnecessary to stop the processes, but just to be sure.)  :)

Hi my friend, thank you for your concern.

I've been there, I've done it. AVG was on my system exactly the way you suggest. Prior to install, I've been skipping the on-demand scanner and it was my solution for a few months. I had no problems but soon I turned back to my long time favorite Bit Defender.
As always, I'm looking and testing new solutions. Due to that my machine felt a good portion of software, but some pieces of software deserved special status, speaking of efficiency.

Avast Pro included!
Title: Re: User info about new fix for the next VPS?
Post by: Zagor on December 31, 2005, 02:49:55 PM
Quote
Zagor, is the same "virus" found in BitDefender's process every time you run the scan? If yes, I'd say it's simply the same problem as with Panda definitions (though it's just a guess without seeing the real memory block).
If it is the case, even the "solution" is the same - ask BitDefender to properly scramble their signatures.

Hello Igor,
yes, the same "virus" is found in BitDefender's process every time I run the scan. I'm interested in your opinion on dealing with this issue and what is avast politics, if you have the time?

I will be glad to help if there is more info I can post.
Title: Re: User info about new fix for the next VPS?
Post by: DavidR on December 31, 2005, 03:46:09 PM
The problem with chasing other AVs' signature files is that it adds another layer of complexity to your scan which is likely to reduce the speed, something that everyone is screaming about, the need for speed.

Assuming a detection is made, the location would have to be checked to see if this could be related to another AV's signatures and decide if it is indeed a false positive and ignore it. Now any time the AV company changes something in its file naming or the user uses a different folder to the default, then any additional checks would be negated.

Why should avast or any other AV company spend time and money developing another level of checking to cater for the errors or omissions of other AVs if their signatures aren't encrypted as in Panda's?

This may well not be the case with bdss.exe as I can't see why a supposed on-demand scanner is in memory?
Quote
"Process 248, memory block 0x00BE0000,"
"The process was C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe"

Quote
bdss.exe (BitDefender scan server) - Details

The bdss.exe process runs in the background and scans your system for virus threats. If you stop this process, BitDefender will not be able to effectively protect your computer from viruses and trojans, so unless it causes problems with your system you should try and leave it running.
Title: Re: User info about new fix for the next VPS?
Post by: Zagor on December 31, 2005, 04:03:43 PM
But how much work can this be for Alwil to solve the problem? One day, two, how much resources and time? This isn't a frequent case. If it turns out to be then you are probably right.

And why would Bit Defender make their own encryption more efficient, so the users could buy more of avast?

And really, how much pain on the detection engine are we talking here, regarding a couple of exclusions?
Title: Re: User info about new fix for the next VPS?
Post by: Zagor on December 31, 2005, 04:07:25 PM
Quote
bdss.exe (BitDefender scan server) - Details

The bdss.exe process runs in the background and scans your system for virus threats. If you stop this process, BitDefender will not be able to effectively protect your computer from viruses and trojans, so unless it causes problems with your system you should try and leave it running.

Bit Defender Free does not contain resident modules, yet this *.exe was on every computer I installed Bit Defender.
Title: Re: User info about new fix for the next VPS?
Post by: DavidR on December 31, 2005, 04:34:26 PM
It's not how much work is it for Alwil, but how much this extra processing effort to check for other AVs' file locations, etc. adds to every one of avast's users' processing effort too. I for one wouldn't want avast's scan to be potentially slowed because of the errors or omissions of other AVs.

Quote
And why would Bit Defender make their own encryption more efficient, so the users could buy more of avast?
Sorry I don't follow your logic here. Turn that logic on its head, why should avast adjust their scanning to make up for the errors or omissions of others, so the users could buy more of Bit Defender?

It is not a couple of exclusions, but potentially many, many more for all AVs and this would be a moving target that has to be constantly monitored to ensure the exclusions/exceptions are up to date.
Title: Re: User info about new fix for the next VPS?
Post by: DavidR on December 31, 2005, 04:40:47 PM
Quote
bdss.exe (BitDefender scan server) - Details

The bdss.exe process runs in the background and scans your system for virus threats. If you stop this process, BitDefender will not be able to effectively protect your computer from viruses and trojans, so unless it causes problems with your system you should try and leave it running.

Bit Defender Free does not contain resident modules, yet this *.exe was on every computer I installed Bit Defender.
I've also seen something similar in Ewido; even the free version has a Service running, ewidoctrl.exe (not on my system, it is set to manual), a throwback to the trial version which included resident protection. The only issue I had with the service stopped was that manual updates seemed to need the service running.

Perhaps BitDefender is living in the hope you will upgrade.
Title: Re: User info about new fix for the next VPS?
Post by: igor on December 31, 2005, 04:44:36 PM
Quote
I'm interested in your opinion on dealing with this issue and what is avast politics, if you have the time?

avast! politics is (exactly as my opinion) rather simple: we will not fix these kinds of "false alarms", for various reasons. That's it.

Quote
But how much work can this be for Alwil to solve the problem? One day, two, how much resources and time? This isn't a frequent case. If it turns out to be then you are probably right.

I'm not sure if DavidR's suggestion ("negative checks" making avast! ignore the file) would be possible. It seems like a security risk to me - what would prevent a real virus from including this specific signature to make avast! ignore it? Applying checksums is also hardly possible - the virus databases change almost daily.

Basically, what we'd have to do is changing our signatures (the conflicting ones). This, however
- may negatively affect avast!'s detection
- would work only until the other AV maker changes their signatures
- may not even be possible, if the conflicting module contains the whole usable virus area
- may be a lot of work: avast! reports only the first detected virus in the file/block, but there may actually be tens or hundreds of them detected (i.e. if we change one, Saturday 14th-669 in this case, another one appears)

And this all only because somebody didn't do their homework? No, thanks. You may call it a matter of principle, if you like.

Quote
And why would Bit Defender make their own encryption more efficient, so the users could buy more of avast?

That's certainly not the reason. But:
- I'd call it "good manners of AV maker" to scramble the virus signatures
- it may actually cause various problems even when there's no other AV involved. Let's say, for example, that the program crashes and DrWatson makes a dump on disk (saving the decrypted signatures from memory). Now, the user suddenly finds an "infected" file on his disk.
Or, there's a much more serious problem in Win9x: the operating system doesn't clear the newly allocated memory (like NT-based systems do). Additionally, many programs don't clear the memory themselves - (older?) MS Office, for example. So, the following can happen: Windows decides to swap some pieces of AV memory out and give it to MS Office instead. Office doesn't clear the memory block, fills only the necessary items and saves the block to disk. Now, your antivirus suddenly warns you about an "infected" Word .doc file. A closer inspection reveals that the .doc file contains a big block of virus samples - dumped virus database from memory.
This is not a theoretical speculation - we've seen a number of such files from Avast32 (that also kept decrypted virus signatures in memory).
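
Added illustration (not part of igor's post or of either product's code): a toy model of the conflict described above, where one scanner's memory holds byte patterns in the clear and another scanner's memory scan, or a later scan of a crash dump, matches them. The signature bytes, the key and the names `ScannerB`, `scan_block` and `verdicts` are constructed for the demo, and the repeating-key XOR stands in for whatever scrambling a vendor actually uses.

```python
from itertools import cycle
from typing import Dict, Optional

# Constructed, harmless byte patterns standing in for real virus signatures.
SIGNATURES: Dict[str, bytes] = {
    "Demo.Pattern-A": b"\x13\x37DEMO-PATTERN-A\xca\xfe",
    "Demo.Pattern-B": b"\xde\xadDEMO-PATTERN-B\xbe\xef",
}
KEY = b"\x5a\xc3\x91\x2e\x77"  # hypothetical scrambling key, assumed for the demo


def scramble(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR: enough to break byte-pattern matches, not encryption."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def scan_block(block: bytes) -> Optional[str]:
    """Scanner A: like the log in the first post, report only the first hit."""
    for name, pattern in SIGNATURES.items():
        if pattern in block:
            return name
    return None


class ScannerB:
    """A second product holding the same patterns in its process memory."""

    def __init__(self, scrambled: bool):
        self.scrambled = scrambled
        self.records = [(name, scramble(p) if scrambled else p)
                        for name, p in SIGNATURES.items()]

    def memory_image(self) -> bytes:
        """Bytes a memory scan, crash dump or leaked heap block would expose."""
        return b"B-ENGINE-HEAP\x00" + b"\x00".join(p for _, p in self.records)

    def scan(self, block: bytes) -> Optional[str]:
        """Match one pattern at a time; the clear copy is a short-lived local."""
        for name, stored in self.records:
            pattern = scramble(stored) if self.scrambled else stored
            if pattern in block:
                return name
        return None


def verdicts() -> Dict[str, Optional[str]]:
    """Scanner A's result for Scanner B's memory, for both storage choices."""
    return {
        "plain": scan_block(ScannerB(scrambled=False).memory_image()),
        "scrambled": scan_block(ScannerB(scrambled=True).memory_image()),
    }


if __name__ == "__main__":
    print(verdicts())
    sample = b"MZ...." + SIGNATURES["Demo.Pattern-B"] + b"...."
    print(ScannerB(scrambled=True).scan(sample))
```

With the database kept scrambled, Scanner B still detects the pattern in a scanned file, while its own memory image no longer matches Scanner A's patterns.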
Title: Re: User info about new fix for the next VPS?
Post by: Zagor on December 31, 2005, 05:03:51 PM
Quote
Perhaps BitDefender is living in the hope you will upgrade.

:) Perhaps, but not in the next 12 months until my avast Pro license expires.
Title: Re: User info about new fix for the next VPS?
Post by: Zagor on December 31, 2005, 05:10:34 PM
Quote
we will not fix these kinds of "false alarms", for various reasons. That's it.

I understand.

I'm sorry now but I have to go, because in the next 10 days I will be on my vacation without the computer, so I guess I'll see you then.

David, Igor, Alanrf, Lecter and to the rest of the Forum, I wish you happy holidays, virus free and with good health and lots o' money :)

See you in 10 days  8)
Title: Re: User info about new fix for the next VPS?
Post by: Lisandro on December 31, 2005, 05:40:56 PM
Quote
The bdss.exe process runs in the background and scans your system for virus threats. If you stop this process, BitDefender will not be able to effectively protect your computer from viruses and trojans, so unless it causes problems with your system you should try and leave it running.
On the contrary, this is not true. Zagor, look, BitDefender (free) is not resident. It does not protect you of nothing!  :P

Quote
Why should avast or any other AV company spend time and money developing another level of checking to cater for the errors or omissions of other AVs if their signatures aren't encrypted as in Panda's?
Fully agree.

Quote
But how much work can this be for Alwil to solve the problem? One day, two, how much resources and time? This isn't a frequent case. If it turns out to be then you are probably right.
I can't think different from Igor and David here... No need for extra avast work, for sure.

Quote
This may well not be the case with bdss.exe as I can't see why a supposed on-demand scanner is in memory?

Quote
And why would Bit Defender make their own encryption more efficient, so the users could buy more of avast?
BitDefender free loads two Services in background. If you scan memory with avast, the back encryption of BitDefender is just being shown to the user. BitDefender could be used as a background scanner (not resident) only if the two services are set to manual while avast is scanning memory.

Quote
And really, how much pain on the detection engine are we talking here, regarding a couple of exclusions?
It's not a matter of exclusion but security risk, extra work that is not worth it for Alwil.
Title: Re: User info about new fix for the next VPS?
Post by: bob3160 on December 31, 2005, 09:36:42 PM
Quote
They continue to make this product available for free to a huge number of people.  They are not of the size and resources (thank Heavens!) of Symantec and must, I am sure, be much more prudent in allocating their efforts. 
I have to take exception with your analogy. The free version is simply a stripped down version of the Pro version.
Alwil makes its money selling the Pro version and gets lots of publicity and free advertising by offering a free version.
Alwil as any other AV company is expected to deal with adding new detection as soon as possible and likewise keep
false positives down to a minimum.
If a false positive is discovered, it should be dealt with immediately. Not whenever it's prudent.
It's a known fact that Corporations have no loyalties toward their customers. They operate for profit not charity.
Customers therefore should also only have a loyalty toward themselves and their system.
As long as an AV product protects your system, use it and support it. When the AV product fails you, get something better.
That's just the way business and life works.
Title: Re: User info about new fix for the next VPS?
Post by: igor on December 31, 2005, 10:05:43 PM
OK, let's put it another way - this is not a false positive; somebody took samples of real viruses here and stored them in their own file/module.
Title: Re: User info about new fix for the next VPS?
Post by: bob3160 on December 31, 2005, 10:11:22 PM
Quote
OK, let's put it another way - this is not a false positive; somebody took samples of real viruses here and stored them in their own file/module.

In that case, avast! or any AV should be screaming to alert you.