Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Mele20 on April 10, 2010, 08:28:46 AM
-
Yesterday, I installed Avast 5 on my XP Pro SP2 virtual machine running on VMWare Workstation 7. I used the computer all evening, rebooted it once I think I recall. Then I shut it down. I booted it just now and DURING BOOT AS THE DESKTOP WAS LOADING Avast popped up and said it had detected a trojan. The file in question is an antivirus performance test file that almost all AV vendors alert on each test in the file. That is fine as it is a test of your antivirus program. What I don't understand though is why Avast alerted on it during boot. Nor do I understand why it says the PROCESS connected to the file is Procguard.exe. Procguard.exe is the GUI for ProcessGuard. The file in question is located in my downloaded programs folder and has zero to do with ProcessGuard’s GUI.
This is the first time I have ever seen an antivirus program alert to a file and a process at the same time. Here is an instance of why Avast should NOT have removed IGNORE! The way I read the popup Avast wanted to move the file and THE PROCESS both to Quarantine! If I had allowed Avast to try to do that at best what would have happened would have been that I would have ended up with pgaccount.exe (ProcessGuard driver) running and no GUI which potentially could cause a major problem if PG alerted on something and I had no way to instruct it as to how to handle the alert!
I had to close the Avast alert window via the upper right X to avoid a mess. Then Avast alerted again immediately before I could turn off the real time scanner. It took four tries before I was fast enough to be able to turn off the real time scanner before another Avast alert.
An IGNORE option is ESSENTIAL. I CANNOT USE THIS OTHERWISE EXCELLENT PROGRAM WITHOUT AN IGNORE OPTION. I also need a setting to IGNORE infections inside archives. Default there should be, like any detection, NOTIFY ME and temporarily block access until I make a choice regarding what I want Avast to do and ignore should be one of the options. I certainly don't want Avast trying to clean what it thinks is a virus in an archive when it really is an FP as trying to clean in an archive will usually fail and destroy the archive.
-
There is an Ignore command, and it is called "Block" (in the dropdown list).
All the Block command does is prevent the file from executing. No action is (physically) performed on the on-disk file.
BTW the "Process" field tells you which process accessed the file, triggering the scan (remember we're talking about an "on-access" scanner). If it was the GUI part of ProcessGuard, most likely ProcessGuard was just trying to prefetch some icons from a list of applications or something like that, opening and reading the file and thus triggering the scan.
Thanks
Vlk
-
Ah...come on! There has been a lot of discussion on this board about removing Ignore option in ver 5. You know as well as I do that Ignore is NOT the same as Block.
I need an Ignore choice. Simple as that. I uninstalled Avast and when asked for feedback I said it was because you removed Ignore from version 5. I said I was going back to Avira 9 if I can find a download for it because (warts and all) Avira has an ignore choice. I still have Avira 8 on my host XP Pro machine and I have used ignore a lot over the 3 plus years I have had Avira.
I cannot fathom why procguard.exe would be looking at that file. Avira, and all but one Vendor at VT, detect that file (38 vendors detect it). I have had Avira, McAfee Enterprise (I used to beta test for them) and several other AV on that machine (it is a test machine) and procguard.exe has never before accessed that file during boot. This is the first time I have had Avast on a machine that runs ProcessGuard and I was wondering if they would get along.
You ignored my other question (about actions when a virus is found in an archive) which relates to the same subject: can Avast users actually configure Avast as they want it? The answer for ver 5 is NO. It is a sad situation today in that most AV vendors now ignore the needs of "power" users. Maybe the solution would be two versions - one for average users and one for power users.
-
Avira 10 is out. And it is Sh*t! I watched a Review. The guy got infected and got Blue Screen at third Link.. Not Nice Avira.
-
I didn't say I was going to install Avira 10. Heck, I just UNinstalled Avira 10 beta Suite to install Avast. I was a beta tester for Avira for three years. I know 10 has a lot of problems. I really like Avast 5 except for this configuration problem which is a big thing to me.
-
Ah...come on! There has been a lot of discussion on this board about removing Ignore option in ver 5. You know as well as I do that Ignore is NOT the same as Block.
I need an Ignore choice. Simple as that. I uninstalled Avast and when asked for feedback I said it was because you removed Ignore from version 5.
This is simply not true.
No functionality was removed from avast 5 with respect to this.
The only change that took place was that the option IGNORE in v4.8 was RENAMED to BLOCK.
There was no real "Ignore" option in v4.x (meaning that avast would allow you to execute a file that it thinks is infected), and there is none in v5.
I said I was going back to Avira 9 if I can find a download for it because (warts and all) Avira has an ignore choice. I still have Avira 8 on my host XP Pro machine and I have used ignore a lot over the 3 plus years I have had Avira.
In case avast, real Ignore is accomplished by adding to the exclusion list (of course, with the possibility of infecting your system unless used with caution).
You ignored my other question (about actions when a virus is found in an archive) which relates to the same subject:
There's no difference between ordinary and archived files. If you have avast set to Ask, you can choose any action you want (or no action by means of the BLOCK button).
can Avast users actually configure Avast as they want it? The answer for ver 5 is NO. It is a sad situation today in that most AV vendors now ignore the needs of "power" users. Maybe the solution would be two versions - one for average users and one for power users.
I'm still confused - what exactly is the feature you need, and is missing from avast?
Vlk
-
It appears that I misunderstood ignore in 4.8. I only used 4.8 briefly a year or so ago. Briefly because I couldn't get used to the GUI. So, I was going on the discussions here about ignore in 4.8 vs block in 5. Maybe I misunderstood posts I read here about the issue.
In Avira ignore means ignore. You can execute the file. That is how it should be. It is my computer not Avast's. If I want to execute a file Avast has no business stopping me if I choose ignore. If I choose block then Avast blocks me from accessing that file. I know I could disable Avast real time protection while I access the file and Avast does have a quite superior (compared to Avira) method of disabling a shield as you have several choices. With Avira you have to remember that you disabled Guard as there is no reminder...no disabling for x number of minutes only. I like how Avast has disabling shields set up. Still though, I want an ignore option. But if ignore was never there in the first place in any version of Avast well it is unrealistic to think it would be in this version.
As for archives, there are those choices at the bottom of the Actions screen. I must be confused by how those are presented because it seemed to me that archives were a special case and handled differently from other detections. What you are saying is that those options at the bottom, regarding whether to try cleaning the virus in the archive and leaving the rest of the archive intact, or deleting the entire archive if malware is detected, etc. doesn't occur unless you first choose an action such as "clean" correct? I misread that entirely I think.
-
Ignore versus block. Huge difference for me. Ignore means let it go and block just blocks it. :)
-
Ignore versus block. Huge difference for me. Ignore means let it go and block just blocks it. :)
It bothers me considerably that apparently Avast does NOT know the difference between "ignore" and "block" since in 4.8 the word "ignore" was used but it actually was not ignore but block. There are problems, of course, in translation but it seems to me that at some point in 4.8 labeling "block" incorrectly as "ignore" would have been addressed and properly fixed by Avast. Sloppy to not fix it until ver 5.
There is a huge difference between "block" and "ignore". Ignore means that Avast should act as though it never noticed the file and never thought it was malware. Block means Avast blocks access to the file. I can't fathom how Avast could have thought the two words meant the same thing and only realized they didn't in version 5? This just makes me wonder what else in Avast is sloppy and incorrect?
Ignore in the AV world generally means ignore until reboot of the computer but some AV have an option to "ignore always". Avira 10 has this option (before version 10 the option was simply "ignore"). Avira is almost as bad as Avast in that "ignore always" in ver 10 does NOT mean ignore always. Rather, it means what it has meant in past versions (ignore until reboot), but someone didn't proofread the English version very well and added "always" to the standard ignore option. This is causing lots of confusion in the Avira forum.
-
This just makes me wonder... why you waste so much of your time writing here ;)
It's interesting that I don't remember anybody (of that 100 millions of users) ever having complained about version 4 blocking access to the file for the "Ignore" action. Now, when it's renamed - but behaves the same, it's suddenly a problem.
-
I "waste" my time because an antivirus program is arguably the most important piece of software I will ever install on my computer. It damn well better be what it claims to be. Time was when I was a trusting person when it came to AV vendors and their products. Funny thing was though, that was not smart of me. One of the worst offenders was Kaspersky with the chkdsk fiasco and their blatant lying. We users at my home security forum taught them a bitter lesson in how important TRUST and ethics are in the AV vendor world (or any business for that matter but particularly true in the AV business where trust is everything). They have never recovered from what we exposed in our famous thread. I am currently wondering if I have some weird penchant for attaching myself to dishonest AV vendors...not speaking of Avast here...but thinking of Avira and what I just learned and had confirmed about them. Their house is burning and they are asleep.
It is sort of a red herring to go on about how no one complained about the wrong wording in Avast 4.8...but it is interesting. I would have complained but as I said I couldn't stand the GUI (although Winamp is my SOLE media player) so I didn't have Avast 4.8 long enough to notice that either you used the wrong word when describing Avast's action and were actually describing a different action or that, if I took the word at face value, then obviously there was a bug. Maybe other AV vendors have problems with English also and also misname block as ignore and maybe users who came from those AV expected the same bad use of English with Avast.
I'll let you in on a little "secret". ;) I won't be "wasting" much time here this coming week as I have something majo this upcoming week that will take most of my time. :D
-
Ignore versus block. Huge difference for me. Ignore means let it go and block just blocks it. :)
There is a huge difference between "block" and "ignore". Ignore means that Avast should act as though it never noticed the file and never thought it was malware. Block means Avast blocks access to the file.
Exactly! Words mean things... now that they have correctly named the Block function they need to add an "ignore" function to the choices.
-
And than you can wait for infected users who were used to 4.8 and will blame Alwil for it :-\
Greetz, Red.
-
And than you can wait for infected users who were used to 4.8 and will blame Alwil for it :-\
Greetz, Red.
Well call it something else then... like "Allow", or "Allow to run".
-
Alwil software long ago took the decision they wouldn't have a single click option that allowed a user to run what it considered an infected file and if the user wanted to allow a file to run then they manually added it to the exclusions to achieve that.
This way there is no likelihood of someone accidentally selecting an option/button that would allow a virus to run. They are looking after the many users that aren't as competent and confident in what they are doing and why the default actions air on the side of safety.
In 4.8 there were many people who when the alert required a user input, many choose delete and that had some consequences if this were a false positive.
So there really had to be a way to protect some users by having an automated option that chose the least damaging option move to the chest. Many of us who didn't like that either because there was no way to recover a file from the chest (in safe mode) if you couldn't boot into normal windows mode. That omission has been corrected in a program update to be released soon.
There are far more inexperienced users than experts in the 100 million plus avast users, so they have to cater for the majority, experts are more than capable of looking after themselves and adding a file to the exclusions if required.
More importantly if they know something is a false positive they are also capable of confirming that (virustotal), submitting the file to avast for analysis and correction of the detection, which helps all avast users than simply excluding a file that helps only one person.
-
OK. That makes sense. Thanks for the explanation. :-)
-
You're welcome.
-
Well in fact I'm not really against adding an Ignore feature (if it's backed by a strong confirmation, e.g. similar to the Stop shields confirmation box), it just isn't there yet as there were obviously more important things on the list.
I just find it a bit amusing how much emotions this (in my opinion, very minor) topic has raised.
-
Well then, I hope I can look forward to seeing this option added one of these days. :) I don't mind strong confirmation as I wouldn't want inexperienced users getting confused and choosing that option for the wrong reason. Hopefully, a strong confirmation would get them to think carefully about it and to not click that option unless they were absolutely sure of what they were doing.
Having said that though, I find this trend in so many software, and websites, now of blackening the screen dramatically and flashing lights, etc when trying to get the users attention to be silly and most annoying. That uncalled for drama was the main reason I couldn't disable UAC in Vista fast enough. It has the opposite effect on me. Instead of producing caution on my part, the excess drama, and the black screen which I HATE, makes me just want to click anything so I can get my screen back to a normal look. I figure it cannot be at all important if the vendor or website has to use a lot of unnecessary drama.
If something is important then the importance will speak for itself. If it has to be "enhanced" then it can't be very important. That was my initial reaction to UAC and later to all websites and vendors, including Avast, who insist now on hyping everything up. Hype up things, then nothing is important. UAC is a joke most can't wait to turn off and and blackening screens and flashing stuff in my face, I hate it from any source. If it gets much worse I may not get a new computer as it really interferes with enjoying surfing the net as so many websites do it now for minor little things and why I can't fathom. Vendors like Avast, I understand, are trying to convey seriousness and get the user's attention by doing it but it has the opposite effect on me. It just makes me really irritated.
-
Having said that though, I find this trend in so many software, and websites, now of blackening the screen dramatically and flashing lights, etc when trying to get the users attention to be silly and most annoying. That uncalled for drama was the main reason I couldn't disable UAC in Vista fast enough. It has the opposite effect on me. Instead of producing caution on my part, the excess drama, and the black screen which I HATE, makes me just want to click anything so I can get my screen back to a normal look. I figure it cannot be at all important if the vendor or website has to use a lot of unnecessary drama.
If something is important then the importance will speak for itself. If it has to be "enhanced" then it can't be very important. That was my initial reaction to UAC and later to all websites and vendors, including Avast, who insist now on hyping everything up. Hype up things, then nothing is important. UAC is a joke most can't wait to turn off and and blackening screens and flashing stuff in my face, I hate it from any source. If it gets much worse I may not get a new computer as it really interferes with enjoying surfing the net as so many websites do it now for minor little things and why I can't fathom. Vendors like Avast, I understand, are trying to convey seriousness and get the user's attention by doing it but it has the opposite effect on me. It just makes me really irritated.
I think you misunderstood the concept here. The primary purpose of the "dramatic" blackening of the screen, flashing (etc) is not really to get the user's attention and/or look more impressive, but to disallow any malware or scripting tools from actually hooking into the UI and/or injecting fake keystrokes to the dialog ("automating" it).
Switching to a separate desktop is a very powerful concept that really helps fighting these types of problems. So, yes, I agree it can be annoying at times, but it actually has a deeper purpose, and if used modestly, it is a feature that really makes good sense.
Thanks
Vlk
-
Thank you! :) You are the first person to actually explain the purpose. I've commented on this elsewhere in the past and got ignored. I suppose I should have thought about how switching to another desktop could fight some malware. I have programs such as ProcessGuard on XP and Online Armor ++ to defeat much, if not all, of that with their classic HIPS, and the web is filtered through the Proxomitron with Sidki's latest configs, but most users don't have such software. But some sites do this when you go to look at photos!
BTW, I don't think Avast uses it excessively...I am just super sensitive to it I think. ;)