Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: LeLe on April 19, 2004, 04:57:29 PM

Title: Program's Internal State Corrupted???
Post by: LeLe on April 19, 2004, 04:57:29 PM
 ???
I have been using Avast (home version) for almost a month and a half, and have been very pleased with it. Yesterday, I discovered that my computer had several windows indicating some 'buffer' errors. I deleted those windows and tried to get into my Outlook Express (I have the latest IE browswer installed on a Win98 os, Compaq Presario computer). A window came up with the following:
"Buffer Over-run detected Program....OGRAMFILES\ALWIL\Software\Avast4\ASHMAISV.exe
A buffer program has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated."
Has anyone had this happen before, and if so, what did you do to fix it? Help!
Thanks!

LeLe
Title: Re:Program's Internal State Corrupted???
Post by: vojtech on April 19, 2004, 05:58:39 PM
You will have to download your mail with the scanner disabled (by the Mail Protection Wizard).

I would appreciate if you could resend me the mail that is causing it to help repair this bug. Thank you.
Title: Re:Program's Internal State Corrupted???
Post by: LeLe on April 19, 2004, 08:02:15 PM
Thank you for responding. I am at work at the moment, but when I get home, I will disable the avast antivirus scanner from my Outlook Express (email) and see if that fixes the problem.
I seriously do NOT want to be without an antivirus scanner for my email program (IE Outlook Express). I have come to rely on its detection accuracy. Is there any way that I can reactivate the antivirus for my email? If so, please let me know how I can do this.
BTW, are you sure you want me to forward all my email (if it works)? Most of it is spam (a real nuisance!). Let me know one way or another.
Thanks!

LeLe
Title: Re:Program's Internal State Corrupted???
Post by: LeLe on April 19, 2004, 09:38:38 PM
I went home at lunch and disabled the avast antivirus feature for my email program. I was able to download my email after that with no problem. I then sent you the emails that I had received, so far. The concern I have is that I will need to keep it disabled in order to get my emails from now on. That would not be very wise, imo. I would like to know what I need to do to fix this problem thoroughly, so that I can get the avast antivirus functioning in my email program, again.
BTW, before going to work this morning, I downloaded my emails (that I had not been able to download when the 'buffer' problem began last night) by using the online 'mail2web' site. Unfortunately, I deleted all of my 'junk' email from there. The email that I did not delete is what I sent to you. That may or may not have the 'bug.'
Any suggestions?

Thanks,

LeLe
Title: Re:Program's Internal State Corrupted???
Post by: seand on April 19, 2004, 11:13:17 PM
Please see thread  (click here) Buffer overrun problem (http://forum.avast.com/index.php?board=2;action=display;threadid=3963).

This is the same problem discussed there since this past Saturday.  So far there has been no response.
Title: Re:Program's Internal State Corrupted???
Post by: LeLe on April 20, 2004, 06:13:28 AM
Thank you, Seand, I caught the 'buffer' posts after I had submitted my query. :-[
Yes, indeed, it appears to be exactly the same problem. Now if we can only find out 'why' it is happening, and better yet, find a long-term solution.
I will stay alert to posts and see if someone can find the remedy without having to go to drastic measures of deleting or disabling avast. Avast has been such a good antivirus program - I would hate to lose it.  :-[

Again, thanks!

LeLe
Title: Re:Program's Internal State Corrupted???
Post by: Vlk on April 20, 2004, 08:11:12 AM
This seems to be a very serious problem -- but to solve it, we absolutely need the data, i.e. the emails that are causing the mail scanner to fail...

As many as possible, and ideally - in the "wire" format (i.e. as plain text messages), nothing like MS Outlook .msg files...

Thanks
Vlk
Title: Re:Program's Internal State Corrupted???
Post by: seand on April 20, 2004, 08:40:01 AM
LeLe, I could not agree more!  Avast is the first antivirus program I have ever used that handled mail so well and with such small resource requirements.  At this point I don't think I could live without it.

I did uninstall/reinstall avast yesterday as well as visit the MS windows update site and scanned for updates even though technically speaking I had taken the most recent critical updates last Thursday.  Lo and behold the site reported I needed a "wrap up" patch (about 256K) to complete my updates.  I installed that immediately.  Since that time avast has downloaded/scanned about 2000 mails (cleaned 4 infections) without a problem.

I am keeping my fingers crossed for the AM download on Tuesday.  One of the accounts I check gets LOTS of spam (and viruses!) so I am a little anxious to see if all goes well.    This problem seems to have appeared for several people on the same weekend (ariaaudio was the first to report it in the other thread I mentioned above) and I can only assume it is a new variant of a spam message/virus, or else is associated with the MS critical updates  that everyone in the world was advised to take late last week.  (The only other change in my system I think are the two "push" VPS updates I got in avast  Pro late last week.)

As fas as I could tell none of the emails I had to bypass avast in order to downlaod had suspicious attachments so the problem is either in a new type of html body or else the MS updates.  Perhaps the "wrap up" security patch MS is providing "fixes" something with the critical update they are not talking about..

Keeping my fingers crossed!

Sean D
Title: Re:Program's Internal State Corrupted???
Post by: LeLe on April 20, 2004, 07:18:23 PM
Seand,
Thanks for the tips. I will check them out this evening (when I am at my personal computer). It would appear that the ms updates may have contributed in some way to this problem, since, I, too, updated very recently. I did not install the patch (wrap?), since I was not prompted to. I will check this out this evening, just in case I need it.
As the present, I am not experiencing any problems. I did as Vjotech recommended and disabled my antivirus. I then went back and reactivated it (after customizing my scanning options by scanning only 'inbound and outbound emails' - I did not check the 'scan archived msgs' box, and that may help).  I then downloaded the current email I had with no problem.
Like you...am keeping my fingers crossed! *G*

Thanks a ton for your help!

LeLe

PS: Methinks, there is more to this problem than meets the eye.  ::)
Title: Re:Program's Internal State Corrupted???
Post by: LeLe on April 20, 2004, 07:20:49 PM
Drats! I hate it when I misspell someone's name/nic!

My apologies, Vojtech!

 :-[

LeLe
Title: Re:Program's Internal State Corrupted???
Post by: CharleyO on April 20, 2004, 08:26:09 PM

I don't think the problem you are having has anything to do with the MS Updates. But, then again, that may depend on the OS you are using ... I dunno. I'm using W98SE fully patched and with the recent security updates. None of this caused me any problems with email nor avast!   :)  

The problem is more likely with either Outlook, Outlook Express, or the email you are receiving. Those two are not very good email programs as far as security goes.    :(    

Sorry, but that's my 2 cents worth. Hope the issue is resolved for you very soon!    :)  

Title: Re:Program's Internal State Corrupted???
Post by: seand on April 20, 2004, 09:33:13 PM
LeLe, so far today no "overruns" but I did not get a lot of mail so not sure yet what the status is.  One question:  you mentioned not checking the "scan archived msg" box, I can't seem to find that option in the Internet Mail On-Access config screens, can you tell me where that option is?

I am using Thunderbird as a mail client and I think you are using Outlook express so I am not sure that this problem is mail client related.  Until we find an actual email that causes this problem I guess it is all idle speculation as what initiated it.  I had been using avast for about three weeks with no problem and then the problem just popped out of the blue this weekend.    It appears a few others also encountered the overrun roughly in the same timeframe based on the posts to this forum.  That is why I believe it is probably one of two things:

1. A new type of html message or virus, or
2. Caused by the MS critical updates we all just installed.

I have set up my mail client to not delete my mail on the pop server after downloading so that I have a second chance at getting it all again in the event I get another crash using avast.  Murphy's law tells me I will have to wait a few days to get tihs to repeat but I am willing to wait if that what it takes to get a solution.  Up to this point I have been real impressed with avast particularly for email scanning in conjuction with Spampal so I really hope I do not have to abandon it now.

Thanks for the kind words CharleyO, I have no other stake in determining the cause other than  getting my avast to work again!

Sean D
Title: Re:Program's Internal State Corrupted???
Post by: seand on April 21, 2004, 02:31:20 PM
While waiting patiently to get another message that generates this problem I wonder if given the fact that the "buffer overrun" message and program self termination by avast is actually generated by the avast program code itself and not by the underlying Win XP os, perhaps tech support could provide a little more information on the circumstances that can lead to this situation?

This issue is preventing me from deploying avast pro as the standard antivirus solution on several workstations and I am a little frustrated about the lack of feedback on why this internally generated message is being displayed by avast.

Sean D
Title: Re:Program's Internal State Corrupted???
Post by: igor on April 21, 2004, 03:50:25 PM
Actually, this message is displayed by the Microsoft runtime libraries used by avast. The meaning of the message is "something went wrong". It's not possible to say more, because we don't have any other information.
It seems that there may be a bug somewhere in avast!, causing this message to appear sometimes, but that's all we know right now.
Title: Re:Program's Internal State Corrupted???
Post by: seand on April 21, 2004, 03:59:27 PM
Thanks for the feedback Igor.

In order to accelerate my attempt to get another message that causes the problem I will be forwarding several other accounts at my company to my own one in the hopes that the increased volume of email will help.  (hate having to deal with all the additional spam in my inbox though!)

I really do hope this issue can be resolved, as I stated elsewhere the elegance and simplicity of avast makes it one of those addictive programs one cannot do without.  The "push" updates feature in the pro edition is just superb.

Sean D


Title: Re:Program's Internal State Corrupted???
Post by: LeLe on April 22, 2004, 05:55:22 AM
Seand,
In the startup tray where the Avast icon is located, I double-clicked the icon and it brought up the "Avast, On-Access Scanner' window. On the left hand side of the window is a list titled: "Installed Providers." I highlighted the Outlook/Exchange (version 4.1-357) and then went to the Provider Configuration and clicked the "Custom" button. It brings up the "Resident Task Settings." The first tab is "Scanner." I then had the option of checking "Scan Inbound Messages" and/or "Scan Outbound Messages" and/or "Scan Archived Messages on Open"(This is the one I left 'unchecked'). Further down on that same window (Scanner Tab) I had the option of also checking "Scan Message Bodies,' which I checked for added precaution. It seems that having Avast NOT scan my 'archived messages' gave it 'less'  work load.
So far, it has not given me any more problems. (Crossing what fingers I have left to cross...lol).
This may have been my 'only' problem. But, from what I can read, it happened to many of us at approximately the same time frame and with different 'causes.' It sounds entirely too 'conincidental.' Again, methinks there is something 'afoot' that we haven't detected, yet.
I will be keeping tuned in, periodically, to see what others discover as this 'mystery' unravels.
My heartfelt thanks to everyone that responded and gave suggestions and methods on how to solve this problem.
*Hugs to all*

LeLe
Title: Re:Program's Internal State Corrupted???
Post by: LeLe on April 22, 2004, 06:07:29 AM
Charley O,
I am using Win98SE (my favorite OS). As far as I can tell, I, too, have all the latest Win Updates/patches.
I have to admit, I panicked when I thought that I would not be able to use Avast with my email program (Outlook Express). However, it seems (at least for now) that the problem was resolved by lessening the work load on Avast by unchecking the 'scan archived messages' option. I have tons of archived email messages, and I am sure that 'overwhelmed' Avast. So, for the time being, I will keep that option disabled (scanning archived messages), since in a manner, that would be scanning messages twice.
Thanks for your input... :)

LeLe
Title: Re:Program's Internal State Corrupted???
Post by: seand on April 22, 2004, 07:34:41 AM
Lele,

Thanks for the info on the "scan archives" option.   I am not using the Outlook/Exchange service because my main cleint is Thunderbird which I set up manually in the Internet Mail service area.   The option to scan archives is not available there.  You raise an interesting point though regarding the additional scanning of the archive as perhaps contributing to the problem.  In my case it was not doing that but one of my accounts does get a lot of spam and I have had over 2 thousand emails scanned on any single day during the prior two weeks before encountering the overrun.

I am anxious to try and get to the bottom of this because of my need to deploy avast on other workstations (On my own PC alone the number of email borne files cleaned and moved to the chest is pretty terrifying, over 838 during the first two weeks before I uninstalled/reinstalled avast last Friday, and 48 since then!).  I never realised the ferocity of these viruses and worms and prior to imstalling avast I had no statistics on just how many were coming via email.  

Having read about your setup, I plan on setting up Outlook Express as a second client on my PC and have both clients download the mail but not delete it from the server so that if I do mange to repeat the overrun I will have a copy of all emails still on the pop server that i can send to avast support for analysis.

Thank you for having opened this thread, it gave me some relief to know that what I was experiencing was not unique (I guess misery loves company) and I am hopefull that at some point soon the problem will be fixed.

Sean D
Title: Re:Program's Internal State Corrupted???
Post by: Vlk on April 22, 2004, 08:32:26 AM
I see a couple of misconceptions that should be clarified:

1. The Outlook/Exchange provider does NOT handle Outlook Express. OE is a totally different program from Outlook, with totally different messaging model and plug-in model. In avast, OE is treated just like any other POP3/IMAP4/SMTP-based e-mail client (Eudora, Pegasus, IncrediMail, Mozilla etc.) and is covered by the 'Internet Mail' module. Hence changing any of the properties of the Outlook/Exchange shield in avast has absolutely no effect unless your using (full-blown) Outlook.

2. The "Scan Archived Messages" option in the Outlook/Exchange provider means whether or not scan messages that are not in transport (inbound, outbound) but rather are already stored in the Outlook folders (Inbox, Sent Items, Drafts etc). I agree, it'd be more appropriate if this option would be called 'Scan Stored Items' but that doesn't change the fact that the option does what I just said. SO, it doesn't have anything in common with archive scanning, i.e. scanning of "packed" files (ZIP, ARJ, RAR etc.). To set the options for archive scanning, you'd need avast! Professional Edition. There you could finely customize which archives avast should scan in which provider.

3. While thinking that archive scanning could have some connection with the problems you're experiencing is not a bad idea, I don't think it's correct. The reason is the following: the scanning itself (i.e. also the decompression in case of packed objects) is performed inside the avast main service process ashServ.exe, NOT in ashMaiSv.exe (the mail scanner). This is how it works. However, what you're seeing is a runtime error inside ashMaiSv.exe so it's quite likely that the core of the problem is elsewhere. My personal tip is the heuristics and/or PUSH module, because it's probably the part of ashMaiSv.exe that actually tries to dissect the message (i.e. is sensitivite to input data).

Hope this helps,
Vlk
Title: Re:Program's Internal State Corrupted???
Post by: seand on April 22, 2004, 09:42:41 AM
Vlk,

Thanks, that was helpfull.

I decided to upgrade avast! tonight to the new build just released since I figured there was not much point to trying to debug an older build.  On reboot I discovered that the new build detected Norton Antivirus installed on my PC even though I had uninstalled it (the older build did not complain and did load the resident scanner, but the new build seems to have found some remnant still around and refused to load the resident scanner)

In an effort to try and get rid of everything Norton and Symantec  on my PC  (XP) I used add/remove and unistalled Live Update and PCAnywhere (the only related items that were still in the add/remove applet)  After a reboot, avastt resident shield did run and the Internet Mail service functioned, my mail client downloaded mail and it was scanned by avast etc.  But... somehow these uninstalls messed up my Internet Explorer and it gets  a fatal error when trying to run it.  Likewise my System Restore  function also seems to be broken.  I am accessing my PC remotely from home so will have to wait until I get to work in the AM to try booting to safe mode and trying to undo everything I did tonight and starting fromm scratch again.  I don't think any of this is related to avast and as soon as I get it all cleared up I will start testing the new build again to see if the overrun returns.

Additional iinfo:  Yes I had set the Internet Mail scanner to use Heuristics and also insert clean messages, as well as use the "push" feature.  I dont plan on making any changes to this so that going forward I am theoretically trying to find/repeat the problem I encountered before with the same config but a new avast build .  If it does not occur again perhaps the new build will have helped (or maybe it was whatever was still hanging around from my Norton uninstall that the new build found tonight).

Like LeLe says, keeping my fingers crossed!  (seems like nothing is easy with MS)

Thanks,

Sean D
Title: Re:Program's Internal State Corrupted???
Post by: LeLe on April 22, 2004, 05:51:30 PM
Vlk & Seand,
Vlk, I agree with Seand - and thanks for the clarifications. It's always good to clear away any misconceptions (of which, I have many!) :-\

In reading the recent posts, I am now back at the 'drawing' board (in my mind, that is) of what to do about the buffer problem that is potentially hiding somewhere ready to pounce on my poor email program  :o
Alas, it appears my 'ritual' (tinkering with my settings) was more placebo than cure!  :-\
While I am enjoying the absence of the 'Program's Internal State Corrupted' windows for the time being - I will definitely keep checking in to keep abreast of this matter.

My thanks to everyone  :)

LeLe

PS: Regardless of the recent problems, I think Avast is the best and each response has been a wealth of information to me! :D
Title: Re:Program's Internal State Corrupted???
Post by: seand on April 22, 2004, 08:47:18 PM
Whewh! don't ask what it took to get my XP back in good health but its done and the new build of avast is running and filtering mail.  Just a reminder of my configuration:

OS: Windows XP Pro
avast! version 4.1 Professional
Build Apr2004 [4.1.389]
Xtreme Toolkit version 1.9.4.0
ActiveSkin version 4.2.7.3
Internet mail provider enabled (Sensitivity set to High)
                                                 (Silent mode, general answer No)
Insert note into clean message checked
Heuristic set to silent and mark it in subject field
Push iAVS enabled
Standard Shield provider enabled (Sensitivity set to normal)
All other providers disabled.

Mail Client: Thunderbird and Outlook Express (both downloading  all new mail but not deleting from pop server)

Testing will continue for the next few days to see if the overrun problem will reoccur and if it does I should have a copy of the message left on the pop3 server.

LeLe you have been very helpful also and I would like to compliment you on the gracious way you have participated in this discussion. Yeah Texas!  

Thanks everyone for your help and comments, hope this thread gets to end pretty soon, I cant wait to start deploying avast! to a few other workstations.

Sean D


Title: Re:Program's Internal State Corrupted???
Post by: LeLe on April 22, 2004, 10:28:33 PM
Seand,
You are most welcome. You have been most gracious, yourself!  :)
As Vlk pointed out, my tinkerings really didn't affect any vital settings on my computer. (I had to re-read his clarifications and believe it or not, I understood them.  ;D)
So, my quest continues on what could have caused my problem, will it happen again, and what can I do to prevent it. Methinks, I need guidance on what my Avast settings (home version) need to be set on for my OS (Win98SE) to perform at its optimum.

Suggestions are most welcome!

Have a great day.  :)

LeLe
Title: Re:Program's Internal State Corrupted???
Post by: seand on April 23, 2004, 03:26:36 PM
Lele, I am not an expert on antivirus programs or specifically avast!  I have spent a lot of time focussing on the spam problem in the past and have learned quite a lot about mail proxies that way.  Avast acts a mail proxy for the generic mail clients (such as OE and Thunderbird)and so one setting you need to look at is the pop3 server timeout in your mail client.  Depending on your internet connection speed and the largest file you expect to get you may need to adjust that.  I typically set it to 2 or 2 and 1/2 minutes because I do get 9 megabyte files as attachments sometimes.  (On a dial up connection I would expect to have to make that timeout a lot more.)

I have not tried tweaking avast during this test period since I am trying to replicate the overrun problem and have left all my settings as I described above but they seem to be working fine.

My experience so far indicates that email antivirus detection is much more important then I thought.  While the number of viruses in emails is quite smalll compared to the amount of spam emails one receives, actually the percenatge of viruses in non-spam emails is quite high based on what I have seen in the last few weeks.  

I started getting concerned about this recently because of all the press on the new viruses making the rounds and was frankly amazed  after I installed avast at how many were actually coming into my inbox.  Prior to having avast installed I was simply deleting what appeared to be suspicious emails but never really kept count.  The number of infected email borne files in my avast "chest" is quite startling!  That is why I am evaluating avast for deployment to other workstations at my company.

Once I have completed testing for the overrun I will begin tweaking (if necessary) and wil be glad to share my experience then.  

Hopefully that will be real soon.

Test results for the last 13 hours: 3258 emails scanned and 40 infected files and no overruns encountered yet.  (In order to accelerate the test I have set up some customer support accounts to also come to my account and am getting overwhelmed with all the detected spam (Spampal) and viruses (avast)!)


Sean D

Title: Re:Program's Internal State Corrupted???
Post by: seand on April 24, 2004, 09:55:48 AM
Well, 7126 emails later (with 147 infected files moved to the avast "chest") I think I found an email message that causes the bufferrun!

It appears to have at least two malfomed headers and I was able to crash avast twice while attempting to download this specific message.

On first glance at the source of the message the problem did not jump out at me but by using a hex-editor I saw lots of trailing spaces in the boundary header line and also a weird line after the Status: header.

I zipped up the mail message (two copies downloaded a few minutes apart, each time crashing avast. I had to reboot between crashes to get the avast Internet Mail provider to start and crash again.)

Vlk, I am sending you an email with the files in a zip.   I hope this can help fix the problem.  Both messages are identical and display ok in Thunderbird and Outlook Express so the mail clients appear to be more forgiving of the malformed headers then the avast parser.  I imagine that the other crashes we have had leading up to this did not necessarily have the identical flaws that this one has but it should help the programmers to figure out how to deal with non RFC headers and try and deal with incorrectly formatted messages.

The message that caused the crash had no attachments and just basic html in the body.

Thanks LeLe for hanging in there and keeping this thread going.  I kind of feel bad about this thread popping to the top of the board whenever I post because I do not want folks to think the avast is fatally flawed.  I like the program so much I just felt I had to do my best to help identify the problem so that it can be fixed.

Looking forward to the programmers' analysis and hope this helps produce a "fix" for the problem. (I sure hope you can repeat the crash with the files I am sending!)

Sean D

Title: Re:Program's Internal State Corrupted???
Post by: seand on April 26, 2004, 03:43:00 PM
Because this thread is related to the Buffer Overrun thread I am posting pavlels' reply here also:

seand, thanks for your help! We found the problem (incorrect memory allocation for boundary string, which caused crash of ashmaisv.exe). Program update will be released during tomorrow. sorry for this bug ;-(

I am really delighted with the superb service provided by the whole avast! team.  Thanks Vlk for getting back to me on a Sunday!

Thanks again to everyone, I am really looking forward to being able to use avast! again for all my internet mail scanning.

Sean D
Title: Re:Program's Internal State Corrupted???
Post by: Vlk on April 26, 2004, 03:55:08 PM
Sean, thanks...

You can test the new version right now - if you want. Please download the updated file from http://cat.asw.cz/~vlk/ashMaiSv.exe and simply replace the existing one with this new one (obviously killing the running process first).


Please note that the avast auto-repair feature will take place soon - trying to "repair" the replaced ashMaiSv.exe to its original state and asking you for a reboot -- you can ignore this prompt (although after the reboot, the file will indeed be replaced by the original [4.1.389] version).

Thanks
Vlk
Title: Re:Program's Internal State Corrupted???
Post by: seand on April 26, 2004, 04:00:15 PM
Vlk, wow that was fast! I am on business travel today but will be able to access my workstation in about 3 hours and will do the update then.

Thanks again and my compliments to the entire avast! team.

Sean D
Title: Re:Program's Internal State Corrupted???
Post by: seand on April 26, 2004, 08:58:47 PM
Vlk, I downloaded and installed the new file following your instructions.  On a reboot I was prompted by avast to reboot but I cancelled and let the normal startup take place.  The Internet Mail Service is running and scanning mails (I checked the file in the avast directory and it not been replaced so I assume I am running the new file as the Internet Mail Provider.

The About message says I am running build  4.1.389 but the automatic update screen did pop up and say a new version was available.

I asume that if I reboot I should  replace the file again as above, reboot  and then  ignore the reboot prompt from avast and continue with normal startup, is that correct?

So far "scanned count" is 176 and "infected count" is 16 so it appears to be functioning well.

Sean D