Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: asparagus on April 03, 2021, 11:39:49 AM

Title: Password Protection warning about WUDFhost.exe
Post by: asparagus on April 03, 2021, 11:39:49 AM
I searched the forum and can find no prior posts on this subject. Yesterday Avast Premium Security's Password Protection feature popped up a warning about WUDFhost.exe (see attachment 1). It happened just after I had (USB-)connected my camera to upload some pictures. I don't think this can be a coincidence even though I have been doing this every day or two for months and have never had the warning before. I checked and confirmed that WUDFhost.exe is a standard and critical Windows component, so I clicked Allow App. Now it will always be allowed to access my login info (see attachment 2). It seems likely that this was a false positive but I remain uneasy:

PS I just noticed something in the screenshots that I did not notice yesterday. The path to the login data references a user (one of three set up on the machine) who was not logged in at the time (and indeed seldom is). Now I am more concerned than I was before.

Regards,
Andy

Title: Re: Password Protection warning about WUDFhost.exe
Post by: Asyn on April 03, 2021, 12:52:22 PM
...how do I undo Allow Access?
-> https://support.avast.com/en-ww/article/298/ (Blocked & Allowed apps)

Title: Re: Password Protection warning about WUDFhost.exe
Post by: asparagus on April 16, 2021, 09:16:21 PM
It's happened again. Same symptom, different "baddie". I took a screenshot at the time but it seems I didn't save it. It was another Windows file (apparently) and again it was (apparently) trying to access the login data for the same user as before, a user not logged in. This time I blocked it. Although I don't have a screenshot, I (eventually) managed to find in Avast where the identity of the file was recorded: sdiagnhost.exe, in c:\windows\system32.

Can an Avast person please advise what is going on here? They might be Windows processes but they shouldn't be trying to access login data for a user not even logged in. Seems to me either something nasty is going on, or Avast is misinterpreting something benign. I can't think of another explanation.

Andy