What's causing so many emergency updates?

[DavidR]

Check the VLC file associations as clearly .bin files are associated with it. Why that is required I don't know.

Why would avast see it as a problem, if avast uses the pkg...........00000001.bin file it is still able to action it as it knows what to do with it, it certainly isn't going to call VLC to run it.

[cooby]

@SugarD-x, in Reply#1
I'm one version behind, see my sig, not many. Will update soon. I doubt this is the cause of all this strangeness.

@Charyb, (post above this one)
I know. Many config files are associated with not what they're supposed to be
I didn't design windows. No, really, it usually works just fine for firewall config (MS Outlook association), some other config files in in XML format (windows sees is as associated with XML editor, which it's not), and various others.
So most unlikely avast would have an issue with .BIN file here. If avast does, then indeed we have a problem.

@DavidR and RejZoR,
- Normal Avast updates normally come come in. Avastsvc.exe launches avast.setup, communication is over TCP, outbound to one of several avast servers. Directly to avast IPs, no proxy. All allowed, not logged.
- Emergency updates are by TCP through the avast proxy port. Don't ask why. I have no clue. I don't care. Having read, long ago, what it's about, when my Firewall alerted, I made a rule to permit and log since emergency updates are infrequent, except what's in this thread.
- Inbound connections are not needed, unless I run a server of some sort. If they were for Avast, I'd ditch avast. Once you establish outbound to avast server (direct or through the proxy port), replies (updates) come in. True for outlook mail, gmail, web pages, really any internet stuff. Avast NEVER asked for any incoming connection to my box. It doesn't want it. It doesn't need it.

- Bit more review of what I have:
When my firewall watches behavior it reports it in the text file in addition to the behavior log. The log rolls over, so all I have is since Oct27. It's easier to extract the events from the text file, so here it goes:

This is how it used to be, 14 emergency jobs in 10 days more or less - see attached FW-systemlog1

Then the flood began with something downloaded to the \temp directory, sure looks weird, I hope it's not some trojan I'm happily allowing.
The .exe files aren't there any more, so I can't even upload to virustotal.
Since it came in, I have that flood I reported. Perhaps Avast changed the meaning of emergency updates and uses the application for streaming as well?
Several, not all, are followed by the normal update event like this
[13/Nov/2012 13:15:28] DriverEventHandlersImpl.cpp: "System" action = 'permitted', operation = 'creating_proc', proc = 'c:\Program Files\AVAST Software\Avast\AvastSvc.exe', subj = 'c:\Program Files\AVAST Software\Avast\Setup\avast.setup'
see attached FW-systemlog2

[RejZoR]

Well, i'd use some tool to monitor what Emergency Update component is writing to the disk (and to what files) and how many bytes it is transfering inbound. Only way to really find out if it's actually downloading anything or not...

[user_1000]

Personally I don't believe that there have been 104 emergency updates, they are designed to overcome a problem whereby you can't actually use the regular update process. The emergency update has been said to be a very rare/unusual occurrence and one no doubt we would see topics about in the forums.
<snip>

There has been a 4 emergency updates, not 104! As far as I know default value was 100, so there has been 4 emergency updates.

[Tetsuo]

There has been a 4 emergency updates, not 104! As far as I know default value was 100, so there has been 4 emergency updates.

Yesterday Avast downloaded an executable (a signed file with a long name of numbers and letters) in my windows/temp directory.
That file was automatically removed soon after, without any further actions. I know this, because of my HIPS.
I believe the file was downloaded by the Emergency Updater and  probably for some other OS (W8?)  it may have installed some emergency update: http://forum.avast.com/index.php?topic=107886.msg860588#msg860588 - but maybe I'm totally wrong...

This is the third time I (my HIPS) saw Avast downloading an executable like that. Ah, my OS is Win XP and I'm running the latest Avast Free, by the way.

[user_1000]

Yesterday Avast downloaded an executable (a signed file with a long name of numbers and letters) in my windows/temp directory.
That file was automatically removed soon after, without any further actions. I know this, because of my HIPS.
I believe the file was downloaded by the Emergency Updater and  probably for some other OS (W8?)  it may have installed some emergency update: http://forum.avast.com/index.php?topic=107886.msg860588#msg860588 - but maybe I'm totally wrong...

This is the third time I (my HIPS) saw Avast downloading an executable like that. Ah, my OS is Win XP and I'm running the latest Avast Free, by the way.

Yes. I can also see that Avast Emergency Updater applied something on November 13, 2012. And that how many times Emergency Updater has been applied something depends on a few things (clean install, etc).

But as far as I know there has been about 3-4 emergency updates.

[cooby]

There has been a 4 emergency updates, not 104! As far as I know default value was 100, so there has been 4 emergency updates.

Yesterday Avast downloaded an executable (a signed file with a long name of numbers and letters) in my windows/temp directory.
That file was automatically removed soon after, without any further actions. I know this, because of my HIPS.
I believe the file was downloaded by the Emergency Updater and  probably for some other OS (W8?)  it may have installed some emergency update: http://forum.avast.com/index.php?topic=107886.msg860588#msg860588 - but maybe I'm totally wrong...

This is the third time I (my HIPS) saw Avast downloading an executable like that. Ah, my OS is Win XP and I'm running the latest Avast Free, by the way.

@Tetsuo,
Did your file look anything like the tail end of the first and last lines in the FW-systemlog2.txt I posted earlier?
That log is from the Behavior log of my firewall.
Unlike you, I'm one version behind. Also on XP.

Update:
Today, so far, 36 files have been streamed in. Files are visible in the data-stream directory, and firewall log says that it was by the emergency application again.
But it's been quiet since then, over 6 hours since I turned it on.

[cooby]

Well, i'd use some tool to monitor what Emergency Update component is writing to the disk (and to what files) and how many bytes it is transfering inbound. Only way to really find out if it's actually downloading anything or not...

Actually, one of the Avast logs clearly shows connections to avast servers, count of downloaded files. And I think proof is in the 36 streamed new files for today downloaded. In addition to the usual .map and .dat and others. Don't you think?

C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\AvastEmUpdate.ini , dated yesterday, also speaks of 104.

[Dch48]

My .ini file , which is located at C:\ProgramData\AVAST Software\Avast, says this;

LastAppliedPatchId=104

That's just a patch ID number and not the number of patches.  Therefore, I'm only seeing one.

I can't get to C:\Documents and Settings. Access is denied and I always run as an Admin.

[DavidR]

<snip>
I can't get to C:\Documents and Settings. Access is denied and I always run as an Admin.

Even as admin this is a hidden folder, you need to change your windows explorer, Tools, Folder Options, View and shoe hidden files and folders.

[Dch48]

<snip>
I can't get to C:\Documents and Settings. Access is denied and I always run as an Admin.

Even as admin this is a hidden folder, you need to change your windows explorer, Tools, Folder Options, View and shoe hidden files and folders.

I did that a long time ago. The folder shows but it has a lock icon on it and I can not view it's contents.



Searching Google for the issue I found that it really isn't an issue at all. In Win 7, the Documents and Settings folder isn't really a folder at all. It's what is called a junction point and is only there to enhance compatibility with software written for earlier versions of Windows. When something tries to store data there, it is redirected to C:\Users and puts the data in the appropriate place within that folder.

[user_1000]

My .ini file , which is located at C:\ProgramData\AVAST Software\Avast, says this;

LastAppliedPatchId=104

That's just a patch ID number and not the number of patches.  Therefore, I'm only seeing one.
<snip>

Yes, of course it's just a ID number, but I have monitored that AvastEmUpdate.ini file... and I can tell that wasn't a first applied patch. As far as I remember there has been a 3-4 emergency updates.

I'm just saying. I don't care, if you don't believe me.

[DavidR]

<snip>
I can't get to C:\Documents and Settings. Access is denied and I always run as an Admin.

Even as admin this is a hidden folder, you need to change your windows explorer, Tools, Folder Options, View and shoe hidden files and folders.

I did that a long time ago. The folder shows but it has a lock icon on it and I can not view it's contents.

<snip image>

Searching Google for the issue I found that it really isn't an issue at all. In Win 7, the Documents and Settings folder isn't really a folder at all. It's what is called a junction point and is only there to enhance compatibility with software written for earlier versions of Windows. When something tries to store data there, it is redirected to C:\Users and puts the data in the appropriate place within that folder.

OK, I can't get in there either, not that I had tried before on my win7 netbook.

Confusion reigned for a bit as I though you were talking about XP.

[Tetsuo]

@Tetsuo,
Did your file look anything like the tail end of the first and last lines in the FW-systemlog2.txt I posted earlier?

Yes it did (that was a digitally signed executable):

[09/Nov/2012 12:55:26] DriverEventHandlersImpl.cpp: "System" action = 'permitted', operation = 'creating_proc', proc = 'c:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe', subj = 'c:\WINDOWS\Temp\05a302db-aa6a-4543-8834-b5b4cfbada6a.exe'

(...)

[13/Nov/2012 13:15:10] DriverEventHandlersImpl.cpp: "System" action = 'permitted', operation = 'creating_proc', proc = 'c:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe', subj = 'c:\WINDOWS\Temp\6abefe7c-bb9f-4d4a-9035-6c3e7df3718d.exe'

[from Cooby's log]

[cooby]

@Tetsuo,
Thanks for your reply.
The sudden frequency of those emergency updates is baffling, as is that .exe in \temp folder - scary to say the least. I wish someone who writes Avast could tell us if Avast really issued those .exe files.

I'm beginning to think that the streaming updates and emergency updates are being used together (twice today in about 7 hours), since for the most part, yesterday and today all I see are the streaming updates, and as someone here mentioned, they do vanish when a regular update takes place. No new .exe in \temp folder since Nov.13.