Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: treker96mk2 on June 02, 2009, 03:24:12 AM

Title: malware submitting from chest
Post by: treker96mk2 on June 02, 2009, 03:24:12 AM
It says it will send during the next update, but I see no mention in the log and no email.
The first is a trojan PWS; it has been in the chest for about a day since I hit the send button. Yes, my email was included in the email field.
The second is a PDF exploit; I added it to the chest, hit send and filled out the email field, then I started a manual database update. Still no message.
How can I tell if they have been sent successfully?
Title: Re: malware submitting from chest
Post by: !Donovan on June 02, 2009, 03:49:17 AM
Getting your reply MAY take up to two weeks...
Title: Re: malware submitting from chest
Post by: treker96mk2 on June 02, 2009, 04:53:33 AM
It would be nice if they had an automated email that tells you it was received.
Title: Re: malware submitting from chest
Post by: .: L' arc :. on June 02, 2009, 10:39:53 AM
-= I remember someone told me that if no dialog box appears, it will be sent to ALWIL via next update but I have no knowledge of how to confirm if file was successfully sent..

-= I think it would be nice if avast has a dedicated server for allowing users to upload infected files in ZIP or RAR format.. ??? Just a wish.. ;D

Title: Re: malware submitting from chest
Post by: DavidR on June 02, 2009, 04:16:02 PM
Right, let's clarify:
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software), you should get a pop-up form to complete giving brief details about the submission, see image1. It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done, see image2.

Quote
It would be nice if they had an automated email that tells you it was received.

So it doesn't get sent by email but is uploaded directly to Alwil; your email is unknown so you won't get a reply.

Even if you emailed it directly to Alwil, you don't normally get a reply unless they need more information.

Quote
-= I remember someone told me that if no dialog box appears, it will be sent to ALWIL via next update but I have no knowledge of how to confirm if file was successfully sent..

Wrong, I believe you are mis-quoting something I said, if the pop-up form (dialog box you mention) doesn't appear, then you can't complete it and you 'can't' submit it as that is where the Submit button is.

Quote
-= I think it would be nice if avast has a dedicated server for allowing users to upload infected files in ZIP or RAR format.. ??? Just a wish.. ;D

They already have; any email you send, zipped and password protected, going to virus (at) avast (dot) com is filtered. There is also an ftp function but that isn't designed for that, but for large files that couldn't be emailed, etc. and then only when you receive instructions to do so.

The new submission process from the chest is I believe in some way automatically processed (mini analysis), like a sort of triage process to try and assign some sort of priority of action.
Title: Re: malware submitting from chest
Post by: treker96mk2 on June 02, 2009, 08:50:38 PM
I entered my email in the optional email field,
and I did not see the upload info during the update, but it probably went by too fast to catch.

So I will assume it got there, but it would be nice to at least have a log entry stating that the upload occurred.
Thanks for the help.
Title: Re: malware submitting from chest
Post by: DavidR on June 02, 2009, 10:06:10 PM
Check the C:\Program Files\Alwil Software\Avast4\Setup\setup.log using notepad, that should hold info on submissions as part of the update process.
Title: Re: malware submitting from chest
Post by: .: L' arc :. on June 03, 2009, 05:02:46 AM
-= I checked the logs but my file [zip.zip] wasn't on the log.. Though I clicked Email to ALWIL [no dialog box]..
Title: Re: malware submitting from chest
Post by: treker96mk2 on June 03, 2009, 05:13:04 AM
is this it?
14:06:39 nrm/pkg  Submit: files 0, bytes 0, time 0 ms
14:06:39 nrm/pkg  Submit success: files 0, bytes 0, time 0 ms
Title: Re: malware submitting from chest
Post by: .: L' arc :. on June 03, 2009, 05:36:24 AM
-= Sorry about the previous post.. Found mine too.. Thanks.. ;)
Title: Re: malware submitting from chest
Post by: calcu007 on June 03, 2009, 05:47:50 AM
Quote
I entered my email in the optional email field,
and I did not see the upload info during the update, but it probably went by too fast to catch.

So I will assume it got there, but it would be nice to at least have a log entry stating that the upload occurred.
Thanks for the help.

If you want to send the file immediately, then make a manual update and you will see the dialog sending the file.
Title: Re: malware submitting from chest
Post by: DavidR on June 03, 2009, 03:19:59 PM
Quote
is this it?
14:06:39 nrm/pkg  Submit: files 0, bytes 0, time 0 ms
14:06:39 nrm/pkg  Submit success: files 0, bytes 0, time 0 ms

Yes that is the part of the log that shows it, you would have to look back in the log to a time after your submission as this part doesn't show any files to submit (files 0)...

Title: Re: malware submitting from chest
Post by: treker96mk2 on June 03, 2009, 07:26:08 PM
None of those have a number other than 0.
Searched the entire log.
Title: Re: malware submitting from chest
Post by: treker96mk2 on June 03, 2009, 07:46:03 PM
I just submitted the PDF file again and it had the sending dialog,
but the setup.log has not been modified since June 2?
Title: Re: malware submitting from chest
Post by: treker96mk2 on June 03, 2009, 08:15:01 PM
This is new: an access denied on manual update, Home Edition.
Here is the log.
03.06.2009 11:12:58 general: Started: 03.06.2009, 11:12:58
03.06.2009 11:12:58 general: Running setup_av_pro-537 (1335)
03.06.2009 11:12:58 system: Operating system: WindowsXP ver 5.1, build 2600, sp 3.0 [Service Pack 3]
03.06.2009 11:12:58 system: Memory: 72% load. Phys:292852/1047216K free, Page:1637736/2518356K free, Virt:2069088/2097024K free
03.06.2009 11:12:58 system: Computer WinName: HOME-PC
03.06.2009 11:12:58 system: Windows Net User: HOME-PC\ed-admin
03.06.2009 11:12:58 general: Cmdline: /downloadpkgs /noreboot /updatevps /silent /progress 
03.06.2009 11:12:58 general: DldSrc set to inet
03.06.2009 11:12:58 general: Operation set to INST_OP_UPDATE_GET_PACKAGES
03.06.2009 11:12:58 general: Old version: 537 (1335)
03.06.2009 11:12:58 registry: Error deleting registry: Software\Alwil Software\Avast\4.0\UpdateReady (0x00000005)
03.06.2009 11:12:58 system: Using temp: C:\DOCUME~1\ed-admin\LOCALS~1\Temp\_av_proI.tm~a02108 (43194M free)
03.06.2009 11:12:58 general: SGW32P::CheckIfInstalled set m_bAlreadyInstalled to 1
03.06.2009 11:12:58 internet: SYNCER: Agent=Syncer/4.80 (av_pro-1335;p)
03.06.2009 11:12:58 system: Computer DnsName: home-pc
03.06.2009 11:12:58 system: Computer Ip Addr: 192.168.0.2
03.06.2009 11:12:58 system: Installed in: C:\Program Files\Alwil Software\Avast4 (43194M free)
03.06.2009 11:12:58 internet: SYNCER: Type: use IE settings
03.06.2009 11:12:58 internet: SYNCER: Auth: another authentication, use WinInet
03.06.2009 11:12:58 package: Part prg_av_pro-537 is installed
03.06.2009 11:12:58 package: Part vps-9060200 is installed
03.06.2009 11:12:58 package: Part news-50 is installed
03.06.2009 11:12:58 package: Part setup_av_pro-537 is installed
03.06.2009 11:12:58 package: Part jrog-128 is installed
03.06.2009 11:12:58 general: Old version: 537 (1335)
03.06.2009 11:12:58 general: GUID: 6c8af49f-7615-4be2-be04-0e3811168543
03.06.2009 11:12:59 general: Server definition(s) loaded for 'main': 255 (maintenance:0)
03.06.2009 11:12:59 general: SelectCurrent: selected server 'Download908 AVAST Server' from 'main'
03.06.2009 11:12:59 internet: SYNCER: Type: use IE settings
03.06.2009 11:12:59 internet: SYNCER: Auth: another authentication, use WinInet
03.06.2009 11:12:59 general: Entered SetupProcessPro::Do( INST_OP_UPDATE_GET_PACKAGES )
03.06.2009 11:12:59 general: Entered SetupProcessWin32Avast::Do( INST_OP_UPDATE_GET_PACKAGES )
03.06.2009 11:12:59 general: Entered SetupProcessWin32::Do( INST_OP_UPDATE_GET_PACKAGES )
03.06.2009 11:12:59 general: Entered SetupProcess::Do( INST_OP_UPDATE_GET_PACKAGES )
03.06.2009 11:12:59 general: progress thread start
03.06.2009 11:12:59 internet: SYNCER: Agent=Syncer/4.80 (av_pro-1335;f)
03.06.2009 11:13:00 internet: Used server: http://download908.avast.com/iavs4x
03.06.2009 11:13:00 package: Download servers.def, servers.def.vpu failed with error 0x00000005.
03.06.2009 11:13:00 internet: Used server: http://download908.avast.com/iavs4x
03.06.2009 11:13:01 general: Server definition(s) loaded for 'main': 255 (maintenance:0)
03.06.2009 11:13:01 general: SelectCurrent: selected server 'Download661 AVAST Server' from 'main'
03.06.2009 11:13:01 internet: SYNCER: Type: use IE settings
03.06.2009 11:13:01 internet: SYNCER: Auth: another authentication, use WinInet
03.06.2009 11:13:01 internet: Used server: http://69.93.227.242/iavs4x
03.06.2009 11:13:01 internet: Used server: http://69.93.227.242/iavs4x
03.06.2009 11:13:01 file: GetFileWithRetry: prod-av_pro.vpu downloaded .
03.06.2009 11:13:01 file: GetNewerStampedFile:compatCopyFile failed: C:\DOCUME~1\ed-admin\LOCALS~1\Temp\_av_proI.tm~a02108\onefile, C:\Program Files\Alwil Software\Avast4\Setup\prod-av_pro.vpu, error: 0x00000005
03.06.2009 11:13:01 package: Tried to download prod-av_pro.vpu but failed with error 0x00000005
03.06.2009 11:13:01 package: LoadAllDefs failed 0x00000005
03.06.2009 11:13:01 general: Err:Access is denied.
Title: Re: malware submitting from chest
Post by: Lisandro on June 03, 2009, 08:30:29 PM
Quote
03.06.2009 11:12:58 system: Windows Net User: HOME-PC\ed-admin
03.06.2009 11:13:01 package: LoadAllDefs failed 0x00000005
03.06.2009 11:13:01 general: Err:Access is denied.

You seem to be the admin and even though, the access error 5 is listed there... strange uh? I'm empty on guessing what is happening...
Title: Re: malware submitting from chest
Post by: DavidR on June 03, 2009, 08:40:12 PM
Quote
I just submitted the PDF file again and it had the sending dialog,
but the setup.log has not been modified since June 2?

Confusingly there is another setup.log file and I never know which is used for what (they look the same) check out the other one, C:\Program Files\Alwil Software\Avast4\DATA\log\Setup.log.

Are there any files in the C:\Program Files\Alwil Software\Avast4\DATA\spool\suspic folder?
That is where they are stored before upload.
Title: Re: malware submitting from chest
Post by: treker96mk2 on June 04, 2009, 06:31:13 AM
The other log still says 0
and the folder you mentioned is empty.
Title: Re: malware submitting from chest
Post by: treker96mk2 on June 04, 2009, 06:40:07 AM
Okay, I have set the PDF exploit to send again and there is now a file in the folder you mentioned.
Title: Re: malware submitting from chest
Post by: DavidR on June 04, 2009, 03:07:48 PM
When the folder is empty there are no files awaiting upload, either they haven't been submitted or they have been sent.

So now that it is in the folder, the submission is ready to be uploaded during either the next auto update or on a manual iAVS update. I suggest doing a manual update and watching its progress: first it will download any update, then it will upload the file from the suspic folder (you should see that part of the process and clear the folder) and finally it will complete the update process and display the update details.
Title: Re: malware submitting from chest
Post by: treker96mk2 on June 04, 2009, 06:18:50 PM
When I woke up and read your reply, an update check had already occurred; the folder is empty and the PDF exploit is now detected.
The log still has 0.
Can others please see if this is a bug or is it just me?
Title: Re: malware submitting from chest
Post by: DavidR on June 04, 2009, 06:31:35 PM
This is what the log should look like from a previous submission, see image extract.

Check both log files, and check back further, you can even search for the package submit: string.
Title: Re: malware submitting from chest
Post by: DavidR on June 04, 2009, 06:41:51 PM
Update:

OK, I have resubmitted a file previously submitted; see image1, the file being uploaded, and image2, an extract of the C:\Program Files\Alwil Software\Avast4\Setup\setup.log showing successful upload.

So it is working as expected on my system.
Title: Re: malware submitting from chest
Post by: treker96mk2 on June 04, 2009, 10:40:22 PM
The only suspic in both setup logs were .wav.
Title: Re: malware submitting from chest
Post by: DavidR on June 05, 2009, 12:16:25 AM
The only files in there should be those with weird looking names contained in the {wriggly brackets}.suspic, as in my images as it doesn't retain its original file name as it is also encrypted I believe.

You aren't looking for suspicious files in the log but the specific line entries for the upload:
Quote
17:34:17 min/int  file C:\Program Files\Alwil Software\Avast4\DATA\spool\suspic\{44A437B5-6482-456B-B2E5-CB49EBE1F233}.suspic submitted (6F48D34BDA1E1D52173818F6061C23AE411408B91EA07AB7660112B7741BE093)
17:34:17 nrm/pkg  Submit: files 1, bytes 91502, time 35844 ms
17:34:17 nrm/pkg  Submit success: files 1, bytes 91502, time 35844 ms
Title: Re: malware submitting from chest
Post by: treker96mk2 on June 05, 2009, 09:11:02 PM
Okay, I do not remember seeing that; a search for suspic only showed entries for .wav, probably for the sounds avast uses.

29.05.2009   14:03:07.000   1243630987   file   Direct move of file: C:\Program Files\Alwil Software\Avast4\ENGLISH\suspic.wav
29.05.2009   14:03:07.000   1243630987   file   Installed file:C:\Program Files\Alwil Software\Avast4\ENGLISH\suspic.wav
Title: Re: malware submitting from chest
Post by: DavidR on June 05, 2009, 09:22:39 PM
That is just the audio file for notifying you of a suspicious email, etc.

You should be searching within the setup.log (for the Submit: files string) using notepad.
Title: Re: malware submitting from chest
Post by: treker96mk2 on June 06, 2009, 12:15:13 AM
data log setup.log
Submit:

29.05.2009   14:06:39.000   1243631199   package   Submit: files 0, bytes 0, time 0 ms
29.05.2009   14:06:39.000   1243631199   package   Submit success: files 0, bytes 0, time 0 ms

There are more, but they're the same zeros, just different times.
Title: Re: malware submitting from chest
Post by: DavidR on June 06, 2009, 01:43:11 AM
That is from 29/5/2009 8 days ago so doesn't correspond to your submissions as topic only started on the 2nd and first submissions after that. The log is in chronological order with new lines added at the bottom (appended) so any submit: files entry would be near the bottom of the file.
Title: Re: malware submitting from chest
Post by: treker96mk2 on June 06, 2009, 04:57:06 PM
All submit are like that, just 0 for the entire log.
Title: Re: malware submitting from chest
Post by: DavidR on June 06, 2009, 05:27:26 PM
So there is either something weird going on with your system as it isn't getting submitted, are you actually getting the pop-up form (image posted earlier) when you click the email to Alwil Software option ?

If you aren't then as explained earlier it won't be submitted as you have to complete the form and click the Submit button.
Title: Re: malware submitting from chest
Post by: treker96mk2 on June 08, 2009, 02:14:35 PM
When I click email, the form does show up. I then entered my email, checked the "I know what I am doing" box and clicked send. I have noticed the sending dialog, but it's not recorded in the log?
Title: Re: malware submitting from chest
Post by: treker96mk2 on June 09, 2009, 02:25:28 PM
Sent an adware installer toolbar from one of those send-an-ecard emails, 2mb; the dialog showed and it was logged.
Sorry about my previous response, I originally meant to say I checked the little box in the sending dialog that says "I know what I'm doing" or something like that. I have since edited my previous response to correct that.
Thank you.
09.06.2009   05:18:08.000   1244549888   internet   file C:\Program Files\Alwil Software\Avast4\DATA\spool\suspic\{00BA3AE1-9E46-4084-9B74-539CBF02AEA5}.suspic submitted (7BDD537BFB47E3377F335DFD72CA729B960BB18129E7A67C51D28897ABBFFA38)
09.06.2009   05:18:08.000   1244549888   package   Submit: files 1, bytes 2763862, time 33031 ms
09.06.2009   05:18:08.000   1244549888   package   Submit success: files 1, bytes 2763862, time 33031 ms
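
Added example (not part of the original thread and not Avast code): a small Python check that does what the posts above do by hand, scanning setup.log text in either layout quoted in this thread for "Submit success" entries with files greater than 0, and listing what is still queued in the spool\suspic folder. The function names find_uploads and awaiting_upload are made up for this sketch, and the sample text is built from log lines quoted in the thread.

```python
import re
from pathlib import Path

# Timestamp prefix: "17:34:17" or "09.06.2009   05:18:08.000" (both layouts appear in the thread).
TS = r"(?P<ts>(?:\d{2}\.\d{2}\.\d{4}\s+)?\d{2}:\d{2}:\d{2}(?:\.\d+)?)"
# "ref" is the hex value the log prints in parentheses after "submitted".
FILE_RE = re.compile(TS + r".*?\bfile (?P<path>.+\.suspic) submitted \((?P<ref>[0-9A-Fa-f]+)\)")
DONE_RE = re.compile(TS + r".*?\bSubmit success: files (?P<files>\d+), bytes (?P<bytes>\d+), time \d+ ms")

# Sample input: log lines quoted in the thread, joined into one text for this demo.
SAMPLE = r"""
29.05.2009   14:06:39.000   1243631199   package   Submit: files 0, bytes 0, time 0 ms
29.05.2009   14:06:39.000   1243631199   package   Submit success: files 0, bytes 0, time 0 ms
17:34:17 min/int  file C:\Program Files\Alwil Software\Avast4\DATA\spool\suspic\{44A437B5-6482-456B-B2E5-CB49EBE1F233}.suspic submitted (6F48D34BDA1E1D52173818F6061C23AE411408B91EA07AB7660112B7741BE093)
17:34:17 nrm/pkg  Submit: files 1, bytes 91502, time 35844 ms
17:34:17 nrm/pkg  Submit success: files 1, bytes 91502, time 35844 ms
09.06.2009   05:18:08.000   1244549888   internet   file C:\Program Files\Alwil Software\Avast4\DATA\spool\suspic\{00BA3AE1-9E46-4084-9B74-539CBF02AEA5}.suspic submitted (7BDD537BFB47E3377F335DFD72CA729B960BB18129E7A67C51D28897ABBFFA38)
09.06.2009   05:18:08.000   1244549888   package   Submit: files 1, bytes 2763862, time 33031 ms
09.06.2009   05:18:08.000   1244549888   package   Submit success: files 1, bytes 2763862, time 33031 ms
"""


def find_uploads(log_text):
    """Return one record per 'Submit success' line that reports files > 0."""
    uploads, pending = [], []
    for line in log_text.splitlines():
        sent = FILE_RE.search(line)
        done = DONE_RE.search(line)
        if sent:
            pending.append((sent["path"], sent["ref"]))
        elif done:
            if int(done["files"]) > 0:  # "files 0" runs mean nothing was queued for that update
                uploads.append({"time": done["ts"], "files": int(done["files"]),
                                "bytes": int(done["bytes"]), "items": pending})
            pending = []
    return uploads


def awaiting_upload(spool_dir):
    """Names of *.suspic files still queued; an empty list means nothing is pending."""
    return sorted(p.name for p in Path(spool_dir).glob("*.suspic"))


if __name__ == "__main__":
    for up in find_uploads(SAMPLE):
        print(up["time"], up["files"], "file(s),", up["bytes"], "bytes")
        for path, ref in up["items"]:
            print("   ", path, ref)
```

Run find_uploads over the text of both setup.log files named in the thread; an empty result together with an empty awaiting_upload list matches the "all zeros, folder empty" state described in the earlier posts.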
Title: Re: malware submitting from chest
Post by: DavidR on June 09, 2009, 03:38:18 PM
Well it looks to be working as expected now, hopefully it was a computer glitch before.
Title: Re: malware submitting from chest
Post by: treker96mk2 on June 09, 2009, 06:23:01 PM
Yep,
thanks for the help and I'll keep an eye on it.
Title: Re: malware submitting from chest
Post by: DavidR on June 09, 2009, 06:26:48 PM
You're welcome.