Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: NON on November 15, 2016, 02:43:13 PM

Title: [12.3.2280-12.3.2281] CyberCapture exclusions not working?
Post by: NON on November 15, 2016, 02:43:13 PM
Hello all,

I found a strange case where the exclusions of CyberCapture are not working as expected, see attached picture.
Note that I use 12.3.2281 beta, while a similar issue was reported in the Japanese forum, whose OP uses 12.3.2280.

File "kinza.exe" is digitally signed, and DeepScreen did NOT interfere with its execution. It was executed and then immediately captured by CC even though the path of the file is in the exclusion list.
When I add the path to the File System Shield exclusion list, CC stops capturing it.
Moreover, CC never stops capturing it, no matter how many times CC says "The file is clean".


The captured app "kinza.exe" is a web browser based on Chromium.
https://www.kinza.jp/en/

The file itself is not downloaded from the web, but installed by the installer downloaded from the web.
So, "Downloaded from the web" flag must be inherited.


I found these strings in avast log.
From Autosandbox.log
Code:
2016/11/15 21:35:51 Autosandbox candidate: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe
[Source: local://*C:\Windows\System32\services.exe ]
[Opened by: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe]
[Reason: 0x00020000]
--> Result: Not sandboxing (because the file is trusted).

2016/11/15 21:59:58 Autosandbox candidate: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe
[Source: local://*C:\Windows\System32\services.exe ]
[Opened by: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe]
[Reason: 0x00020000]
--> Result: Not sandboxing (because the file is in the exception list).

From custody.log
Code:
2016/11/15 21:36:34 Blocked: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe
[Source: local://*C:\Windows\System32\services.exe ]
[Opened by: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe]
[Reason: 0]
2016/11/15 22:00:32 Blocked: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe
[Source: local://*C:\Windows\System32\services.exe ]
[Opened by: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe]
[Reason: 0]

I'll provide more information if needed.
Thanks.
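An added example, not from the original post or from Avast: a small Python parser for the Autosandbox.log / custody.log record layout shown above that pairs each "Not sandboxing" decision with a Blocked entry for the same path, which surfaces exactly the exclusion-ignored case reported here. The sample log text is constructed from the excerpts above, and the 120-second pairing window is an assumption.

```python
import re
from datetime import datetime

# Constructed samples in the layout of the Autosandbox.log / custody.log excerpts above.
AUTOSANDBOX_LOG = r"""2016/11/15 21:59:58 Autosandbox candidate: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe
[Source: local://*C:\Windows\System32\services.exe ]
[Opened by: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe]
[Reason: 0x00020000]
--> Result: Not sandboxing (because the file is in the exception list).
"""
CUSTODY_LOG = r"""2016/11/15 22:00:32 Blocked: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe
[Source: local://*C:\Windows\System32\services.exe ]
[Opened by: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe]
[Reason: 0]
"""
RECORD_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (Autosandbox candidate|Blocked): (.+)$")
FIELD_RE = re.compile(r"^\[([A-Za-z ]+): ?(.*?)\s*\]$")
RESULT_RE = re.compile(r"^--> Result: (.+)$")

def parse_log(text):
    """One record per timestamped line, carrying its [key: value] fields and any --> Result line."""
    records, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := RECORD_RE.match(line):
            cur = {"time": datetime.strptime(m[1], "%Y/%m/%d %H:%M:%S"), "event": m[2],
                   "path": m[3].strip(), "fields": {}, "result": None}
            records.append(cur)
        elif cur and (m := FIELD_RE.match(line)):
            cur["fields"][m[1]] = m[2]
        elif cur and (m := RESULT_RE.match(line)):
            cur["result"] = m[1]
    return records

def excluded_but_blocked(autosandbox_text, custody_text, window_s=120):
    """Pair each 'Not sandboxing' decision with a Blocked entry for the same path within window_s seconds (assumed window)."""
    blocks = [r for r in parse_log(custody_text) if r["event"] == "Blocked"]
    hits = []
    for d in parse_log(autosandbox_text):
        if d["event"] != "Autosandbox candidate" or not (d["result"] or "").startswith("Not sandboxing"):
            continue
        for b in blocks:
            gap = (b["time"] - d["time"]).total_seconds()
            if b["path"].lower() == d["path"].lower() and 0 <= gap <= window_s:
                hits.append({"path": d["path"], "decision": d["result"], "gap_s": gap})
    return hits

if __name__ == "__main__":
    for h in excluded_but_blocked(AUTOSANDBOX_LOG, CUSTODY_LOG):
        print(f"{h['path']}: '{h['decision']}' but Blocked {h['gap_s']:.0f}s later")
```

Run against the full logs, an empty result means every "Not sandboxing" decision was honoured; each hit is one execution where the exclusion matched but CyberCapture blocked anyway.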
Title: Re: [12.3.2280-12.3.2281] CyberCapture exclusions not working?
Post by: Be Secure on November 15, 2016, 02:49:27 PM
Can you post the Virustotal link of that file? :)
Must be a bug. :-\
Title: Re: [12.3.2280-12.3.2281] CyberCapture exclusions not working?
Post by: Eddy on November 15, 2016, 02:53:04 PM
As the installer is downloaded from the web, I suspect the hash of it is changing and makes CyberCapture treat it as a new file.
This is just a guess of course.
Title: Re: [12.3.2280-12.3.2281] CyberCapture exclusions not working?
Post by: NON on November 15, 2016, 02:57:54 PM
Can you post the Virustotal link of that file? :)
Must be a bug. :-\
Here you go:
https://www.virustotal.com/ja/file/83a9b4c6351c4f7e15e70ce046a49944a8590d7d979974b727148cdad90b455d/analysis/1479217904/


As the installer is downloaded from the web, I suspect the hash of it is changing and makes CyberCapture treat it as a new file.
This is just a guess of course.
I don't think the hash is different every time, because VirusTotal has a record of the file from 6 days ago. (I re-scanned the file so now it's gone :-\)