Topic: No "exclude" choice in scan window, and no unique sig on an excluded file


Vanguard

  • Guest
When scanning, it halts when it hits a false positive.  There are lots of choices except the one needed when hitting a false positive: adding THAT file to the exclusion list.  Yes, there is an exclusion configuration within the program but it certainly isn't available in the scan window.  The user has to record the false positive (because drilling through a log of a hundred thousand files means you'll miss the entry) so they can later update the exclusion list. 

So what if a folder or file is in the exclusion list?  It does NOT specify the file that is to be excluded.  It merely specifies a path or filename.  There is no hash that gets stored on the file so THAT file gets excluded.  Any user or malware could overwrite that file which would then be excluded from future scans.  Anyone with 2 brain cells knows that a filename does not identify a specific file by its contents.  Other anti-virus programs that I've used have a PUP (Probably Unwanted Program) or similar function to not just whitelist a file by its path but also keep a signature (hash) of that file so THAT file is the one excluded, not a different file by the same filename and in the same path because the old one got overwritten.  If you excluded every John Smith merely by his name from some type of scrutiny, you are obviously NOT eliminating a particular John Smith from scrutiny.

The scan provides no option for the user to identify that a PUP should be excluded in future scans.  Avast provides no means of identifying THAT file and merely uses its path and name which is worthless since the file could be replaced with another in the same path and by the same filename.  I was surprised that Avast was so deficient in identifying a particular file to exclude.

Without the ability to exclude a file to prevent the same false positive in future scans and without a means of uniquely identifying the file (not by name or path) that is to be excluded, scanning is unreliable and remains always interrupted with false positives.

Why the obvious blunder on not storing a hash on the file to ensure THAT is the file being excluded?  Hell, with Kaspersky (when tested a year ago), they even used alternate data streams (ADS) available in the NTFS file system to record that they had already scanned a file so they didn't have to waste time to scan it again - but that worked only because a hash or signature was also stored in the ADS to uniquely identify the file that had already been scanned.  If the hash was wrong because the file got modified or overwritten then the hash mismatch would get the file scanned again and the ADS updated.  If the ADS were severed from the file, there was no datestamp, scan mark, or hash and the file would get scanned.  That helped in speeding up their scanning.  However, it also makes sense even without using ADS to keep a list of PUPs not only by their path and filename but also with a hash to ensure you really are excluding the file that you chose to exclude.



Vlk (Avast CEO, ALWIL Software)
Quote
When scanning, it halts


That's one of the limitations of the Home Edition. In the Professional Edition, you can preconfigure how to behave when something's found.

Quote
So what if a folder or file is in the exclusion list?  It does NOT specify the file that is to be excluded.  It merely specifies a path or filename.


Right. But, if there's a false positive, the correct procedure is not to add it to the exception list, but to submit it to our lab and have it resolved by ourselves. If you sent us the files in question, we'd analyze them and if they indeed prove to be false positives, we'll remove their detection immediately.

Quote
Hell, with Kaspersky (when tested a year ago), they even used alternate data streams (ADS) available in the NTFS file system to record that they had already scanned a file so they didn't have to waste time to scan it again - but that worked only because a hash or signature was also stored in the ADS to uniquely identify the file that had already been scanned.  If the hash was wrong because the file got modified or overwritten then the hash mismatch would get the file scanned again and the ADS updated.  If the ADS were severed from the file, there was no datestamp, scan mark, or hash and the file would get scanned.  That helped in speeding up their scanning.

Sure, but the principal problem with this approach is that you'd generally need to rescan after each virus definition update (to make sure the detection for this particular file hasn't been added in the interim). So (especially in the case of Kaspersky, which issues updates many times a day) it proved to be almost useless.

Quote
However, it also makes sense even without using ADS to keep a list of PUPs not only by their path and filename but also with a hash to ensure you really are excluding the file that you chose to exclude.

Avast currently doesn't detect PUPs, simply because there's no way to exclude them from scanning. This should change in the next version.

Cheers
Vlk
If at first you don't succeed, then skydiving's not for you.
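As an added example (not Avast's or Kaspersky's code) covering both Vanguard's request that an exclusion be pinned to the file's hash rather than its path, and Vlk's objection that an "already scanned" mark goes stale after every definitions update: a minimal exclusion list and scan cache keyed on the file's SHA-256. The file name, its contents and the "defs-1"/"defs-2" version strings are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Content hash: the identity that a path and filename alone cannot give."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

class ExclusionList:
    """Exclusions keyed on path AND content hash, not on path alone."""
    def __init__(self):
        self._entries = {}  # path -> sha256 recorded when the user excluded it
    def exclude(self, path: Path) -> None:
        self._entries[str(path)] = sha256_file(path)
    def is_excluded(self, path: Path) -> bool:
        # A file replaced under the same name has a different hash, so it
        # falls back into the scan instead of inheriting the exclusion.
        expected = self._entries.get(str(path))
        return expected is not None and sha256_file(path) == expected

class ScanCache:
    """'Already scanned clean' marks, valid only for one definitions version."""
    def __init__(self, defs_version: str):
        self.defs_version = defs_version
        self._clean = {}  # sha256 -> definitions version that cleared it
    def mark_clean(self, path: Path) -> None:
        self._clean[sha256_file(path)] = self.defs_version
    def needs_scan(self, path: Path) -> bool:
        # Modified file -> new hash -> cache miss.  New definitions -> version
        # mismatch -> rescan, the cost that made the ADS trick nearly useless.
        return self._clean.get(sha256_file(path)) != self.defs_version

def demo() -> dict:
    # Constructed scenario: exclude and clear a file, overwrite it, update defs.
    tool = Path(tempfile.mkdtemp()) / "tool.exe"  # constructed sample, not a real binary
    tool.write_bytes(b"constructed benign tool contents")
    ex, cache = ExclusionList(), ScanCache("defs-1")  # "defs-1" is a made-up version
    ex.exclude(tool)
    cache.mark_clean(tool)
    out = {"excluded": ex.is_excluded(tool), "rescan": cache.needs_scan(tool)}
    tool.write_bytes(b"constructed replacement dropped under the same name")
    out["excluded_after_overwrite"] = ex.is_excluded(tool)
    out["rescan_after_overwrite"] = cache.needs_scan(tool)
    cache.mark_clean(tool)            # cleared again under defs-1 ...
    cache.defs_version = "defs-2"     # ... then a definitions update lands
    out["rescan_after_update"] = cache.needs_scan(tool)
    return out
```

Running `demo()` shows the overwritten file losing its exclusion and its clean mark, and the definitions bump forcing a rescan even though the file itself did not change.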

Vanguard

  • Guest
Thanks for the quick reply.

When scanning, is there a way to put a *copy* of the file into the chest and then submit that?  I don't want to lose access to the PUP until whenever the sig database gets updated and I get a copy.  There is a "Move to Chest" option in the scan window but there is no "Copy to Chest" option.  Once I move the PUP into the Chest then *I* can't use it anymore.  My guess is that I have to move the PUP into the Chest and then extract a copy out of the Chest.  

By the way, getting to the Chest is rather convoluted.  There's no context [sub]menu item when right-clicking on the tray icon to get at the Chest.  I have to start the AV program and then click the Chest icon (or use File -> Chest menu if the option to use skins for the Simple UI is enabled).  Do I really need to run the AV program when I merely want to investigate and manage the Chest?

One of the PUPs is a Nirsoft utility.  This has been a false positive in many AV programs for a very long time, which evidences the resistance of AV vendors to skip some Nirsoft tools.  I realize the history of Nirsoft (as hackers who wrote some tools) but those tools are handy to us users, too.  They don't install unless the user chooses, they don't load on startup unless the user chooses, and they behave as expected by the user.  While this file could be submitted for analysis and then whitelisted in the database, the same process repeats if the tool gets updated, so there are long delays before PUPs get included in the database, which is why an exclude option is often provided.  Based on past posts in these forums, I'm pretty sure you've had the Nirsoft utilities for analysis for quite some time.

The other false positives were for .vmdk files for VMs in VMware Server.  These contain base OS installs with OS updates but no other software is installed (Windows XP SP-2, Solaris 10, Fedora 7).  There would be no point in submitting these files because no one else would have the same files.  When they build their VM, they may select different install options, like to include games.  When they create their own accounts using their own names and configure their desktop shortcuts then their user profile is unique to them.  That means the VM files will not be the same from user to user.  These files are huge at 1GB to 16GB so they are too large to submit, plus if I tweak anything, like installing something like 7-Zip or reorganizing the Start menu, then the VM files change.  Obviously I'd like to exclude these huge files because I know they don't have viruses (and even if they did then they are isolated inside the VM) plus it would reduce scan time - but, as pointed out, a path and filename does not uniquely identify a specific file.

For now, I will have to exclude these false positives based merely on their paths and filenames.  Unfortunately, any malware that slides in under the same path and filename also gets excluded from the scan.

oldman (Avast Evangelist)
To access the chest easier, create a shortcut on your desktop to program files\alwil software\avast4\ashchest.exe