Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: colorado_bob on February 27, 2011, 10:37:56 PM

Title: 6.0 Behavior Shield Problem
Post by: colorado_bob on February 27, 2011, 10:37:56 PM
I am running Windows XP SP3 Home Edition.  When I updated to Avast! Free antivirus 6.0.1000, an old program stopped working.  (The program is MKS Toolkit 5.2, which I have had running on XP for over 9 years).

When I start the program, it crashes, and offers to report the problem to Microsoft (Exception code 0xc0000005, flags 0x00000000).  I have found that if I disable Avast's Behavior Shield, the program starts up fine.  I only need to disable "Monitor the system for unauthorized modifications".  Nothing I have tried configuring, other than disabling the shield, helps.  I have tried:
- adding the program (as well as every program it might invoke) as a trusted process for Behavior Shields
- changing the action to take for the Behavior Shield to "Allow" or "Ask"

Note that as many times as the Behavior Shield crashes this program, nothing is logged in the statistics for Behavior Shield (neither suspicious events, nor events analyze).

My conclusions:
  - The Behavior shield is somehow affecting this program, even when the program is marked as trusted
  - Avast! does not even consider this action to be analyzing a Behavior Shield event

Any help would be appreciated.
Title: Re: 6.0 Behavior Shield Problem
Post by: pk on March 01, 2011, 03:18:40 AM
Could you please compress MKS Toolkit and upload it to our FTP? (instructions are here: https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=18&nav=0,61). It's hard to download MKS Toolkit from the web, so this way would be much faster, thx.
Title: Re: 6.0 Behavior Shield Problem
Post by: colorado_bob on March 08, 2011, 02:09:10 AM
I have uploaded the file MKS-MIN.ZIP.  I have previously sent this file by email.  I would appreciate acknowledgement that you have received this file and have been able to reproduce the problem.
Title: Re: 6.0 Behavior Shield Problem
Post by: SafeSurf on March 08, 2011, 10:23:52 AM
@ colorado_bob,

I have sent a message to pk to respond to you in this thread.

If you are still having difficulty with your current version of Avast, there is now a Pre-Release v. 6.0.1021 available Free:    http://files.avast.com/files/beta/6.0.1021/setup_av_free.exe that you can either upgrade or do a clean install.  Given the problems you had, I would suggest a clean install (uninstall using the Avast Uninstaller tool: http://files.avast.com/files/eng/aswclear6.exe).  Thank you.



Title: Re: 6.0 Behavior Shield Problem
Post by: giselle on June 03, 2011, 01:29:56 AM
I'm having the same problem, with MKS Toolkit 5.1a, which was working until I
switched to Avast 6.0.1125 earlier today.  MKS Toolkit now only works if I turn
Avast OFF.  The failure occurs whenever I am using any MKS command (e.g., vi, ls, pwd,
which, cp, rm, mv, rmdir, make), with the message:

MKS Toolkit for Win32 has encountered a problem and needs to close.  We are sorry for the inconvenience.
It then sends information to Microsoft, listing modules such as:
vi.exe (the MKS command I was trying to execute)
ntdll.dll
kernel32.dll
snxhk.dll (this appears to be an AVAST module)
ADVAPI32.dll
RPCRT4.dll
etc., etc.

So, apparently, the problem has not been fixed yet.
Title: Re: 6.0 Behavior Shield Problem
Post by: SafeSurf on June 03, 2011, 09:55:01 AM
@ giselle,

Could you please compress MKS Toolkit and upload it onto the Avast FTP?  Here is additional information on how to invoke a memory dump file:  http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=71.  It is a read-only file.

Please, zip and upload the C:\Windows\Memory.dmp file to this anonymous ftp server and name it uniquely giving us the name of the file in this thread: ftp.avast.com/incoming (http://ftp.avast.com/incoming).  Avast will analyze it and respond back to you in this thread.

Edit: To please all those concerned w/my post.
Title: Re: 6.0 Behavior Shield Problem
Post by: giselle on June 03, 2011, 11:31:59 AM
I won't be at that machine again until Monday, but will try to do that then.  What do you mean by sending you the MKS Toolkit, though?  Do you want the installation disk?  Or what's installed?  It's many files in several directories, and requires a number of registry settings (including PATH settings) to work.
Title: Re: 6.0 Behavior Shield Problem
Post by: SafeSurf on June 03, 2011, 11:37:50 AM
You posted in the same thread as the other OP with the same problem and if you look at the previous post, that was the reply from the Avast Team member.

Why don't you submit a mini-dump file when you get the BSOD problem, and this way Avast can actually see what is causing the issue.  You will still do the mini-dump the way I provided the directions in my last post.  Waiting until Monday is not a problem.
Title: Re: 6.0 Behavior Shield Problem
Post by: ady4um on June 04, 2011, 12:42:24 AM
Or
-   Upload it using the Run command-line in Windows: Windows Key + R (to get the run box), copy and paste this:
Code:
explorer ftp://ftp.avast.com/incoming

     and drag the file into the window, from another explorer window.

I think that command-line code is not correct. I think the code should be
Code: [Select]
explorer ftp://ftp.avast.com/incoming
but please correct me if I'm wrong.
Title: Re: 6.0 Behavior Shield Problem
Post by: DavidR on June 04, 2011, 01:47:19 AM
It is the forum software, if you don't wrap ftp paths in the ftp tag it adds the http element.

e.g.
Code: [Select]
[ftp]wrap the ftp path in these tags[/ftp]
like this:
Code: [Select]
[ftp]ftp://ftp.avast.com/incoming[/ftp]
Turns out like this in the post:
ftp://ftp.avast.com/incoming (ftp://ftp.avast.com/incoming)
Title: Re: 6.0 Behavior Shield Problem
Post by: ady4um on June 04, 2011, 02:41:30 AM
It is the forum software, if you don't wrap ftp paths in the ftp tag it adds the http element.

e.g.
Code: [Select]
[ftp]wrap the ftp path in these tags[/ftp]
like this:
Code: [Select]
[ftp]ftp://ftp.avast.com/incoming[/ftp]
Turns out like this in the post:
ftp://ftp.avast.com/incoming (ftp://ftp.avast.com/incoming)

Yes, I know that, but the bottom line is that a user copying that code might not see the mistake (according to their experience/knowledge), if it is indeed a mistake.

Since SafeSurf is not new to this forum (so he knows the tags), I wanted to confirm if that code he posted was correct, for the OP and/or other users following those instructions.

Specifically, to be technically correct, SafeSurf suggested using the command-line in Windows ("explorer..."), so posting the code as a link (using tags; whether the "http" tag as he used or the "ftp" tag as DavidR posted) gives the user a wrong result anyway.

Experienced users might have caught the mistake, but the point of the command-line code was to help less experienced users.

So, again, if I'm not mistaken, that code should be:

Code: [Select]
explorer ftp://ftp.avast.com/incoming
which the user could copy + paste in the Windows command-line (or in <Win>+<R>).
Title: Re: 6.0 Behavior Shield Problem
Post by: DavidR on June 04, 2011, 03:18:09 AM
Copying and pasting what is in the 'Turns out like this in the post:' example won't fail as it doesn't have the http tacked on to the front of it, because I have wrapped that in the ftp tags.

What you showed in your post is what I have in my general information on uploading minidumps to the avast.com incoming folder, so I'm perfectly aware of it. The purpose of my explanation and examples is so that those posting ftp links do it correctly, then the user doesn't have to figure out anything.
Title: Re: 6.0 Behavior Shield Problem
Post by: ady4um on June 04, 2011, 05:58:24 AM
@DavidR, I wasn't talking about "copy + paste" your code. I was talking about the code SafeSurf posted:
Quote
explorer http://ftp://ftp.avast.com/incoming

which, if I am not mistaken, will fail either when clicking on it or when "copy + paste" -ing it.

@SafeSurf, whichever the correct code is, please correct it (for users following the instructions).
You might want to use the "strikethrough" tag over the previous (wrong) code and write (add) the correct one using the "code" tag for the command-line code (not a link).

TIA.
Title: Re: 6.0 Behavior Shield Problem
Post by: SafeSurf on June 04, 2011, 12:08:36 PM
@ ady4um,

I attempted to edit my link, but it is the way the forum is responding to posting the link that is adding the http.  Since you have made your statement about the issue, I'm sure by now the OP is well aware of things and David has clarified it.  I did not make a mistake in posting it...this is how the forum changed the link at the time of my posting and I am unable to change it now.  Let's leave the discussion at that and not get long winded about it so the OP can get back on-topic.  Thank you.  :)

See edited changes above.
Title: Re: 6.0 Behavior Shield Problem
Post by: DavidR on June 04, 2011, 01:32:03 PM
You at some point have done a copy and paste of my little script, unless you use the Quote button and then copy the relevant section, you lose any important formatting tags that prevents the forum software making any modifications.

So you need the stuff (ftp URL, etc.) that you don't want modified or any formatting applied by the forum software wrapped in code tags.
e.g. [code]ftp://ftp.avast.com/incoming[/code]

You can only see them in this post because I have used another tag nobbc (No Bulletin Board Code) to wrap them, this also prevents some forums modifying what is inside.

There is an FTP icon, 2nd row 4th from the left in the reply window that will insert these FTP tags which makes the code tag redundant. But you can use the Code icon, 2nd row third from the right in the reply window that will insert these code tags and you just paste the FTP URL in between them. The Code tag is handy for other things which you don't want any formatting applied to, etc.
Title: Re: 6.0 Behavior Shield Problem
Post by: giselle on June 07, 2011, 11:09:48 PM
This is not a BSOD problem.  The window comes up saying there's been a problem,
offers to send it to Microsoft, then whatever MKS Toolkit program I'm using just quits. 

I'm not sure where you want a dump taken in that process.  I don't know what, other
than the dump, you want me to send.  There are many programs in that toolkit, and every
one I've tried has the same problem.

For now, I'm just turning Avast off.  I'll turn it back on when Avast fixes the problem, or just go to another program altogether.
Title: Re: 6.0 Behavior Shield Problem
Post by: giselle on June 08, 2011, 03:28:13 AM
Well, this is getting more interesting.  I have Avast on my laptop, (the report
above was for a desktop).  Both machines run XP Pro SP3.  On the laptop, also
running Avast 110607-1 and 6.0.1125. 

The desktop Avast won't let MKS Toolkit programs run. The laptop has no problem
running the programs in MKS Toolkit.
Title: Re: 6.0 Behavior Shield Problem
Post by: giselle on June 08, 2011, 05:09:47 AM
Avast 6.0.1125, 110607-1 on a desktop running Windows 7 Pro, SP1, also has no problems with MKS Toolkit.
Title: Re: 6.0 Behavior Shield Problem
Post by: giselle on July 20, 2011, 09:55:19 PM
OK, no solution, apparently.  I will dump Avast and find another virus program.  Too bad, I liked Avast.
Title: Re: 6.0 Behavior Shield Problem
Post by: Asyn on July 20, 2011, 09:58:21 PM
OK, no solution, apparently.  I will dump Avast and find another virus program.  Too bad, I liked Avast.

Did you update to 6.0.1203 yet..??