Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Daffy on October 20, 2006, 05:19:34 PM
-
Windows Defender Real-Time Protection agent has detected spyware or other potentially unwanted software.
For more information please see the following:
http://www.microsoft.com
Scan ID: {CC7B71AF-F6C2-4BAE-B0E5-E0174E382A0A}
User: Me
Name: Unknown
ID:
Severity ID:
Category ID:
Path Found: service:avastTestService
Alert Type: Unknown
Detection Type:
This warning, and another one likewise, is in my log under system. should I be alarmed.
-
If the "Path Found: service:avastTestService" is an indication this is a service named 'avastTestService' then it isn't one that I've heard of and isn't in my service list (XP Pro, avast Home 4.7.892).
I think you should exercise extreme care and don't delete or do anything that can't be restored. There doesn't seem to be much in the way of useful information in the alert, when it states "Real-Time Protection agent has detected spyware or other potentially unwanted software." The word potentially is very relevant, also Name: Unknown and Alert Type: Unknown would make me consider it a weak and possibly suspect alert.
This would appear to be a registry entry that is thought suspect without any associated file, personally I would either add it to the ignore list if it has one, or ignore it without adding to any list and monitor what happens on the next update does it continue to detect it.
-
The other path is :
Scan ID: {25004FAE-7D02-4D4A-A9A9-0B79E1058468}
Path Found: driver:avastTestService
But they are both from yesteday. There is no warning today.
Did a quickscan with Defender. Nothing found.
Maybe its a false detection?
-
I suspect an FP too.
-
avastTestService has been mentioned in these forums before as a registry key.
I am guessing, but it appears to be a temporary internal function of avast used to establish that the user has administrator rights on the system. Once used it is removed and therefore cannot normally be found.
It would appear that Windows Defender spotted this temporary system update and reported it. It would probably make sense for the avast team to alert their friends in Microsoft of this and any other similar internal functions that Windows Defender might need to know about.
-
It would probably make sense for the avast team to alert their friends in Microsoft of this and any other similar internal functions that Windows Defender might need to know about.
Yeah, the best thing to do...
-
I have done a Hijack This tour in a Danish forum, and scanned with Dr. Web Antivirus.
Nothing is found, and there are no more warnings in my log.
I guess it must have been a FP. Somehow alarnrf´s guess makes sense to
me.
-
alanrf pretty much guessed it. The avast installer/updater, before doing any actual work, verifies that certain conditions are met. Among these things, it makes sure the currently logged on user has write access to the HKLM\System\CurrentControlSet\Services key. This is done by simply _attempting_ to create a subkey called "AvastTestService", and if it succeeds, immediately deleting it.
It is possible that a heuristic watchdog in Windows Defender somehow finds this suspicious...
Cheers
Vlk
-
alanrf pretty much guessed it. The avast installer/updater, before doing any actual work, verifies that certain conditions are met. Among these things, it makes sure the currently logged on user has write access to the HKLM\System\CurrentControlSet\Services key. This is done by simply _attempting_ to create a subkey called "AvastTestService", and if it succeeds, immediately deleting it. It is possible that a heuristic watchdog in Windows Defender somehow finds this suspicious...
Why don't you just try to create the 'final' (correct) service and then delete it? Why just trying to create a 'simulated' service? ??? ::)
-
It seems to me that this is a reasonable and predictable way of determining that the rights exist before making any other changes that, by their nature, could well be different on each set of updates.
I have installed Windows Defender on my system - so it will be interesting to see if anything else from avast is reported.
-
It seems to me that this is a reasonable and predictable way of determining that the rights exist before making any other changes
If you're testing, trying to create than delete, what will be the difference between trying to create the 'real' service and a 'test' one? ::) ???
-
Because you would have to rewrite that piece of code for every new change instead of using a method and code determining rights that remains consistent and well regression tested.
It is probably part of some standard routine called "Establish rights exist" and nobody trying to be efficient would rewrite that for every change coming along.
-
Because you would have to rewrite that piece of code for every new change
Change? avast services is being there for quite a long long time...
And, besides, I've wrote to 'delete' and do it again, so, it won't make ANY difference test one or another. The test is deleted and then recriated when it's being really installed...
-
I'm sorry Tech, it seems very obvious to me from the post of Vlk that a standard set of conditions are being checked by avast. This is nothing to do with installing a service, the key could just as well be called MyLeftFoot.
However, it looks like we will not agree ... and I very much doubt that avast is very interested in ours views on how to code their product. I'll leave a last word on this thread to you.
-
To me it seems reasonable to check permissions before trying to apply installation/update that might require administrator privileges otherwise you end up with a failed install or update, which could be a pain to correct.
I would have thought that Windows Defender would have alerted on the proper install/update in any case if it is going to make changes to the registry.
-
I very much doubt that avast is very interested in ours views on how to code their product.
Me too 8)
I'll leave a last word on this thread to you.
I'll leave it to you. Never mind 8)
-
David,
Windows Defender does. As an example - because of a screwup on a BBC website every Beeb radio program I wanted to listen to this weekend used Real Player (I product I rather dislike). Every program I listened to caused RP to add its wretched start-up program to the registry. At least with Windows Defender I can say I do not want the addition to be permitted.
Windows Defender even tells you about changes it makes itself.
-
Yes one of the problems with any form of HIPS is the potential for lots of pop-ups and for users with limited experience it can have a fearful effect, they either deny or allow everything negating some of its value. A little like many outbound connections and anti-leak and or component control warnings, they can become very confusing.
I too fall into the 'I don't like Real Player' camp, it wants to take over the world just because you use it for a streaming audio broadcast.