Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Beta - Avast => Topic started by: REDACTED on June 11, 2017, 07:06:27 PM
-
I post now in Beta, problem not solved with beta.
https://forum.avast.com/index.php?topic=201245.0 (https://forum.avast.com/index.php?topic=201245.0)
AVAST (agent suspect action) make connection to NAS with bad user.. and it's prevent NAS to enter hibernation!
(http://i.imgur.com/7S7G0Aj.png)
-
not solved with 17.5.2300.
Avast tries to connect to NAS when up, and prevents disks to hibernate in the NAS.
already added exclusion in agent suspect action:
C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\*.lnk
C:\Users\user\Desktop\Network\* (all network share in one folder excluded)
C:\Users\user\Links\....lnk (excluse all network link)
C:\Users\user\Voisinage réseau\*
no log, impossible to know what agents analyzed!
-
An antivirus that creates more problem than what it prevents! Still not resolved
-
Which shield is causing the issue?
-
The service aswbIDSAgent ("C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe")
If stop this service, agent Suspect action is stopped and request to my NAS with bad login STOP.
-
The service aswbIDSAgent ("C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe")
If stop this service, agent Suspect action is stopped and request to my NAS with bad login STOP.
aswbIDSAgent is the Behaviour Shield.
Could you disable the Behaviour Shield via Avast and check if the issue remains?
-
in french this name is 'Agent Actions Suspectes'.. and stop this agent without stop service not solve problem.
(http://i.imgur.com/fyJz3Do.png)
Add in this agent exception (see above) not solve.
Delete Avast, clean, install beta.. solve for more day, but it's same as before now.
-
Well you need to narrow it down to which shield is causing the issue .
-
You do not help. I already found.
Now I search another Anti-virus... There's more and more problem with Avast; And avast is more and more closed .. we no longer even know what is he doing.
For the moment, not found better (compare to avast if all basic service work, but actually must disable scan https,Behaviour Shield and service, wifi inspector work only if disable windows firewall; more time avast use too CPU and must stop/start all agents!). Chinese is doing well, but it does much more than antivirus.
-
Hi, how frequently did you see this wake-up? I mean like "once a day" or "every 5 minutes" or constantly? It would make sense to see such behavior being caused by Wifi-inspector, but currently not sure what could Behaviour Shield do to cause this. I'll investigate in case you'll decide to give Avast a try in the future.
Added:
In case you try it again, could you provide us with a procmon log?
(download from here: https://live.sysinternals.com/Procmon.exe, run and start capturing events, wait for the NAS to wake-up and then choose File/Save)
Thanks a lot!
Lukas.
-
I see attempts to access port 445 more than once per hour (via wireshark, or other tools to see process name) only when the NAS is accessible on the network. With hibernation disk set to 1hour, it never hibernate when computer is ON.
I already tested without install wifi inspector, but after more day, I reproduce the same problem.
I do not use network mounting, but shortcuts in the paths previously excluded from the analysis.
This day I continue to use AVAST, not found better, I continue test..
If you need new logs, in addition to those already sent in the previous topic (for the stable version). I have not yet removed AVAST on this PC
-
Please do as Lukor asked.
-
just a note, related to this topic: https://forum.avast.com/index.php?topic=201245.0
I've verified with the Behav Shield team, they are investigating it, but so far it seems Behavior Shield does not touch any network resource unless the process that is being executed and inspected by behavior shield is opening files from that share or is being started from that path. They hope to find out more with the procmon log.
-
(http://i.imgur.com/IYSO36j.png)
each hour, I see same; more access by avastUI, svc file/registry.. and aswidsagenta.exe and access to network by system account.
Wifi inspector is removed, Behaviour Shield is disabled but not removed.
(log-file.pml contains sensitive info, ipv6.. private ftp,email.. if necessary)
-
remove Behaviour Shield in add/remove program for AVAST remove the service aswbIDSAgent, and now my NAS can hibernate.
-
Hi Baudav,
it'd really help if you can share the procmon log with us. We'd like to check the file operation information only and the log may contain only 20s run. 10s before the NAS connection is established and 10s after it. If we don't have the log we can only guess what's happening on your computer.
I'll continue on lukor's post with addition question. Do you have any program/script on the NAS server which you run from it?
Thanks for the cooperation,
PDI
-
20170626-22h44 PML https://drive.google.com/open?id=0B-PnHjbdw-GwQWQwVU1TNXRvSjQ (https://drive.google.com/open?id=0B-PnHjbdw-GwQWQwVU1TNXRvSjQ)
20170626-23h44 PML https://drive.google.com/open?id=0B-PnHjbdw-GwalhxeXpiRXJ4OW8 (https://drive.google.com/open?id=0B-PnHjbdw-GwalhxeXpiRXJ4OW8)
include file/reg/net
-
Hi Baudav,
thanks a lot for the log. It helped me to understand the problem.
You once run SYNOLOGY-ASSISTANT-6.1-15030.EXE from the NAS or this file is stored somewhere in the registry/lnk file and the AswIDSagent tries to get the information from it which causes the NAS to start again.
You can try to do following steps:
1) stop the agent via UI or SCM (the aswidsagent.exe must be stopped before the next step)
2) delete C:\ProgramData\AVAST Software\Avast\IDS\malwareprofile\nodes.dat
3) restart you computer
We'll try to figure how to handle your use case better. We made some changes in this part of code recently and the fix'd be available in the next beta build.
Regards,
PDI
-
Hi,
thanks ;)
Yes I runSyno..assistant-installer from NAS last year, and another time after clean avast installation to update this Assistant synology with new version (6.1.15030).
agent already removed.. wait now next update to reinstall and test, or can test now, after nodes.dat removed? (if add exclusion from my NAS, or not execute this file)
note: to remove nodes.dat file, I must stop the Avast autoprotect first
-
Hi Baudav,
yes, I forgot to mention that.
Please try to run Behavioral Shield when you deleted the file if the issue is fixed for you.
Thanks,
PDI
-
issue not fixed :(
-
If it can help you, now I removed folder IDS and retest...
and previous IDS folder saved here: https://drive.google.com/open?id=0B-PnHjbdw-GwZXFkbWh0Vm9PRTQ (https://drive.google.com/open?id=0B-PnHjbdw-GwZXFkbWh0Vm9PRTQ)
log file exist for this agent ?
-
It's good, after remove all folder.
perhaps because in step 2 when remove nodes.dat; must remove backup.dat ? I see before remove all folder, the new nodes.dat is same size as backup.dat.
-
Hi Baudav,
I forgot about the backup :(
Thanks for the retest after the directory removal.
PDI
-
>:( another time, NAS not hibernate.. now with process monitor see aswidsagenta.exe search \\myNASname\...\SUBTITLEEDIT-3.5.3-SETUP.EXE
just installed
must add exclusion ? Does not seem to be resolved with latest update.
-
Hi Baudav,
the update doesn't contain any change for this issue. The change is planned for next release.
You can do the same steps as before. If you don't want to see the problem again, please, do not run any program from the NAS. Copy the executable to your PC and run the executable from it.
Regards,
PDI