This might be a weird question but does Avast still use sf.bin.

[EmoHobo]

The capitalization may not be right on that name, I remember seeing it on an older version when I do full scans, but I don't see it coming up anymore, I thought it was some kind of code emulation or something, but I don't see it anymore when running scans, perhaps I'm just missing it.

Not finding any kind of nasties on my machine, looking it over now and running MalwareBytes, no signs of alteration to Avast Antivirus and it's not finding anything.  So I'm just curious if it's supposed to run.

Version Number: 7.0.1466 and 120917-0 on Windows XP Service Pack 3

[DavidR]

As far as I'm aware nothing has changed and sf.bin (and emulation) is still used it is in each instance of a VPS sub-folders in the avast\defs folder.

[cooby]

I saw it run yesterday because firewall's behavior watch alerted that it wanted to run. Last update of sf.bin was 9-12-12 I think as I see from C:\Program Files\AVAST Software\Avast\defs\12091700 directory. There's also sf1.bin with the same date.

[EmoHobo]

Ah, I just probably haven't been paying enough attention, the only time I ever saw it running was when I ran a full scan with Avast or Malware Bytes and I'm rarely paying close attention during those times.

Well, I'm sure nothing is wrong, but I appreciate you guys taking the time to answer.  Although is there a way to test if it's working properly?  Better safe then sorry.

[EmoHobo]

I saw it run yesterday because firewall's behavior watch alerted that it wanted to run. Last update of sf.bin was 9-12-12 I think as I see from C:\Program Files\AVAST Software\Avast\defs\12091700 directory. There's also sf1.bin with the same date.

Both of them are there for me, so I suppose it's nothing to worry about.  Although mine called it Alwil Software because I've had Avast for far too long without a clean install but I've had no issues, so I haven't been concerned.

[cooby]

I used to have Alwil software. But did a clean install when v7 came out

I don't think it has to be anything nefarious when emulation kicks in - just suspicious enough for Avast to take another look at perhaps unknown to it process at this time.
I don't log everything, but yesterday I was doing some new activity I hadn't done before in Snagit. Another thing that triggers it sometimes is Opera plugin wrapper, rundll and java update. It's hard to tell, but the .exe file just preceeding the use of sf.bin were these few in the firewall log I do have.

The pest of this thing is that avast changes the path because of the date, so my firewall sees emulation as a new application each time avast triggers it to run. The good side of this I suppose is that I actually see when it is used

[EmoHobo]

Well the thing is I haven't seen it kick in a long while but maybe it's because I never really download or run any new software, I've been running the same few programs for like the last few years, the only time things change is when they update, which is rarely for those programs.