Topic: Behaviour shield/Windows Defender Update question


Paradoxian
Behaviour shield/Windows Defender Update question
« on: November 13, 2012, 06:05:06 PM »
So, being the nervous type, I tend to look at Avast shield activity from time to time. With the Behaviour Shield, there is usually no or very little activity unless something new is activated/executed. When Windows Defender is updated, there are a couple of hits relating to that. The times I've looked at the shield, this update has often been downloaded and installed long before, and I only see the last entry, which seems benign (unfortunately I can't remember the path). Checking a little over an hour ago, I was slightly concerned when I saw this in the shield (wrote it down):

C:\Windows\Temp\7f420305-bb43-459c-b9e9-aaededacff.exe

Now, it wasn't blocked or anything, just analyzed. I went to the Temp folder, and this being Vista, received a UAC-related pop-up asking me to confirm by clicking "Continue", and there was a tmp file of 500 KB or so dated 13/11. It was auto-deleted before I got to see the exact file name, but I presume it was identical or related to the analyzed file.

This worried me somewhat. According to the Windows Update panel there hadn't been a search for updates today. A minute or two later, new entries appeared in the behaviour shield interface, similar to the ones I'm used to seeing when there has been a Windows Defender update. When I checked the Windows Update panel again, this time it showed that there had been a search and installation, although dated a few minutes later than when I checked the Temp folder.

So, if anyone can tell at a quick glance whether or not this is something to worry about, I would appreciate it. I've since checked the Windows Defender and Update logs, and according to them, Windows\SoftwareDistribution is used, and there is mention of temporary file paths:

Deleted c:\9a5d0b7b1591f090e4d505\1.139.1681.0_to_1.139.1946.0_mpasdlta.vdm._p
Deleted c:\9a5d0b7b1591f090e4d505\mpasdlta.vdm

But nothing about the Temp folder. Is this strange or not? Is it likely that the Temp folder has also been used, even though the Update panel dated the update search differently? Maybe it always uses the Temp folder, and I just didn't notice because I have always only seen the latest behaviour shield entry, after the entire update process is finished.

And finally, even if this is completely ordinary and nothing to worry about, have I compromised the security of the Temp folder by removing the "lock" when accessing it?

I'm going to run a boot-time scan now and probably a full file system scan later. I'd very much appreciate it if some of you can spare the time to comment in the meantime. Hopefully this is nothing.

Pondus
Re: Behaviour shield/Windows Defender Update question
« Reply #1 on: November 13, 2012, 06:17:24 PM »
Quote
I'm going to run a boot-time scan now and probably a full file system scan later.
A quick scan covers all areas where actively running malware hides.
I only run a full scan if the quick scan finds something, and a boot scan only if Avast tells me to ;)

Paradoxian
Re: Behaviour shield/Windows Defender Update question
« Reply #2 on: November 13, 2012, 06:55:21 PM »
All right, thanks. Just finished a boot-time scan, though, which didn't find anything. Any thoughts on the temp folder activity in relation to Windows Update/Defender and the behaviour shield? I guess I could also ask on the Microsoft Support forums, but I find there are a lot of very knowledgeable people here, and it was Avast after all which made me aware of the activity (though it didn't register it as harmful).
« Last Edit: November 13, 2012, 06:57:21 PM by Paradoxian »

Pondus
Re: Behaviour shield/Windows Defender Update question
« Reply #3 on: November 13, 2012, 06:59:20 PM »
Nope, but I sent the removal expert a PM.

Paradoxian
Re: Behaviour shield/Windows Defender Update question
« Reply #4 on: November 13, 2012, 07:10:43 PM »
Quote
Nope, but I sent the removal expert a PM.
You did? Thanks. By the way, in my eventlog in the Avast log directory, there is usually this entry whenever I shut down the computer:

13-11-2012   16:52:00   HttpDaemon accept: A blocking operation was interrupted by a call to WSACancelBlockingCall.

Now, for the first time, there is this:

13-11-2012   17:16:39   HttpDaemon recv: An existing connection was forcibly interrupted by an external host

Translated from Danish, so there might be some errors.

Pondus
Re: Behaviour shield/Windows Defender Update question
« Reply #5 on: November 13, 2012, 07:16:15 PM »
Quote
Translated from Danish, so there might be some errors.
What the hell are you doing, man. ;D
Copy and paste what you want translated into Google Translate if it's difficult.
« Last Edit: November 13, 2012, 07:17:59 PM by Pondus »

essexboy (Malware removal instructor)
Re: Behaviour shield/Windows Defender Update question
« Reply #6 on: November 13, 2012, 07:19:53 PM »
Quote
mpasdlta.vdm = most recent delta signature set of AntiSpyware definitions
This is a file containing updates of the spyware definitions.


Quote
When testing scalability with a large number of client connection attempts to an instance of the SQL Server Database Engine running on Windows Server 2003 Service Pack 1 and later, Windows may drop connections if the requests arrive faster than SQL Server can service them. This is a security feature of Windows Server 2003 Service Pack 1 and later, which implements a finite queue for incoming TCP connection requests.

Basically this was a Defender update and the shutdown occurred whilst it was auto-updating.

Nesivos
Re: Behaviour shield/Windows Defender Update question
« Reply #7 on: November 13, 2012, 07:43:41 PM »
Quote
All right, thanks. Just finished a boot-time scan, though, which didn't find anything. Any thoughts on the temp folder activity in relation to Windows Update/Defender and the behaviour shield? I guess I could also ask on the Microsoft Support forums, but I find there are a lot of very knowledgeable people here, and it was Avast after all which made me aware of the activity (though it didn't register it as harmful).

Windows temp folders are notorious hives for backdoor Trojans. Temp files should be cleaned at least once a day. Other known hiding places for backdoor Trojans are in user directory trees, including the Desktop, Download folders and the Application Data directory.

Paradoxian
Re: Behaviour shield/Windows Defender Update question
« Reply #8 on: November 13, 2012, 09:53:51 PM »
Quote
Basically this was a Defender update and the shutdown occurred whilst it was auto-updating.
I'm not so worried about mpasdlta.vdm since it was mentioned in the Windows Defender update log (MpSigStub.txt in Windows\Temp). I'm wondering if the temp .exe file the behaviour shield analyzed has something to do with Windows Defender. I'll try to describe the timeline of events (GMT+1):

~16:34  I casually check the Avast behaviour shield interface and notice it has analyzed this file:
C:\Windows\Temp\7f420305-bb43-459c-b9e9-aaededacff.exe
   16:36  Most recent search for updates according to the Windows Update panel
   16:37  Most recent installation of updates according to the Windows Update panel
~16:36-37  Entries in Avast behaviour shield interface clearly related to Windows Defender (seemingly legitimate, I've seen them before)

Now, a couple of reboots later and this is what the Avast event log looks like:

13-11-2012   16:46:47   HttpDaemon accept: A blocking operation was interrupted by a call to WSACancelBlockingCall.
13-11-2012   16:52:00   HttpDaemon accept: A blocking operation was interrupted by a call to WSACancelBlockingCall.
13-11-2012   17:16:39   HttpDaemon recv: An existing connection was forcibly interrupted by a remote host.
13-11-2012   17:27:52   HttpDaemon accept: A blocking operation was interrupted by a call to WSACancelBlockingCall.
13-11-2012   18:11:19   HttpDaemon accept: A blocking operation was interrupted by a call to WSACancelBlockingCall.
13-11-2012   19:13:26   HttpDaemon accept: A blocking operation was interrupted by a call to WSACancelBlockingCall.
13-11-2012   21:26:18   The virus definitions have been automatically updated to version 121113-1.

Now the "call to WSACancelBlockingCall" entry occurs at every reboot as far as the log goes back, so it's fairly standard and probably benign. But I've never seen the entry I've bolded (the 17:16:39 "HttpDaemon recv" line) before, and the term "remote host" in combination with the temp folder activity makes me worry a bit. I haven't actually noticed anything odd, such as slowdowns or weird glitches, and normally I might not even check these logs and shield interfaces, but well, I did and now I'm a bit worried.

Paradoxian
Re: Behaviour shield/Windows Defender Update question
« Reply #9 on: November 13, 2012, 09:56:41 PM »
Quote
Translated from Danish, so there might be some errors.
What the hell are you doing, man. ;D
Copy and paste what you want translated into Google Translate if it's difficult.
Norwegian? ;-)

I don't have much trust in Google Translate when it comes to technical terms.

Paradoxian
Re: Behaviour shield/Windows Defender Update question
« Reply #10 on: November 14, 2012, 03:58:16 PM »
Just found what appears to be the correct translation:

http://msdn.microsoft.com/en-us/library/windows/desktop/ms740668(v=vs.85).aspx

Quote
Connection reset by peer.
An existing connection was forcibly closed by the remote host. This normally results if the peer application on the remote host is suddenly stopped, the host is rebooted, the host or remote network interface is disabled, or the remote host uses a hard close (see setsockopt for more information on the SO_LINGER option on the remote socket). This error may also result if a connection was broken due to keep-alive activity detecting a failure while one or more operations are in progress. Operations that were in progress fail with WSAENETRESET. Subsequent operations fail with WSAECONNRESET.

The bolded part is what was mentioned in the Avast event log (appropriately named EventLog). To reiterate:

Quote
13-11-2012   16:52:00   HttpDaemon accept: A blocking operation was interrupted by a call to WSACancelBlockingCall.
13-11-2012   17:16:39   HttpDaemon recv: An existing connection was forcibly closed by the remote host
13-11-2012   17:27:52   HttpDaemon accept: A blocking operation was interrupted by a call to WSACancelBlockingCall.

On my Vista machine, the log is in this path: C:\ProgramData\AVAST Software\Avast\log
Perhaps some of you could check your logs to see if this is normal, and even better, explain what it means?
« Last Edit: November 14, 2012, 05:19:01 PM by Paradoxian »

Paradoxian
Re: Behaviour shield/Windows Defender Update question
« Reply #11 on: November 15, 2012, 02:39:55 PM »
I hope it's all right to bump a thread. I only have two questions, which I hope are rather simple to answer for the knowledgeable users on this board.

1) Do Windows Update, and specifically Windows Defender definition updates, involve the use of C:\Windows\Temp?

2) What do the following entries in C:\ProgramData\AVAST Software\Avast\log\EventLog.txt mean:

Quote
13-11-2012   16:52:00   HttpDaemon accept: A blocking operation was interrupted by a call to WSACancelBlockingCall.
13-11-2012   17:16:39   HttpDaemon recv: An existing connection was forcibly closed by the remote host
13-11-2012   17:27:52   HttpDaemon accept: A blocking operation was interrupted by a call to WSACancelBlockingCall.

cooby
Re: Behaviour shield/Windows Defender Update question
« Reply #12 on: November 15, 2012, 09:18:24 PM »
Windows Defender is some behaviour or HIPS application, right?
Your file is similar to what two of us saw recently on XP as reported by behaviour or HIPS applications, not Avast. But your filename is 2 characters shorter.
I wonder if it might be related to what appears to me to be a slightly different Avast update or Avast emergency update scheme.
The thread is here
http://forum.avast.com/index.php?topic=109340.0
and in post#16 the second log looks similar to what you're discussing. And it's about a file on Nov.13 as well.
Sorry if I'm on the wrong path, but seeing an executable in the \Temp folder does give me cold shivers, so I'm just trying to compare notes and guesses as to what's going on :)
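
The following is an added example, not code from Avast, Microsoft or anyone in this thread. It works through question 2 of reply #11 and cooby's observation in reply #12: it parses the EventLog.txt lines quoted in reply #8, maps the two message texts to the Winsock error codes whose documented descriptions they are (WSAEINTR 10004 for the WSACancelBlockingCall text, WSAECONNRESET 10054 for the "forcibly closed by the remote host" text on the MSDN page linked in reply #10, matching the back-translated wording too), treats each "HttpDaemon accept" entry as the shutdown marker the poster says it is, measures how far the 17:16:39 "HttpDaemon recv" entry sits from the nearest known event, and compares the Temp file's name against the 8-4-4-4-12 shape of a real GUID. The timeline of known events is constructed from the poster's own timestamps (GMT+1), and the five-minute window is an arbitrary assumption; a distance in minutes says nothing by itself about whether the entry is harmful.

```python
"""Triage helper for replies #11 and #12: which EventLog.txt lines are the
routine shutdown-time Winsock entries, how far the odd "recv" entry sits
from the nearest known event, and whether the Temp file's name is a GUID.

Added example, not code from Avast, Microsoft or anyone in the thread.
The log lines are copied from reply #8; the known-event timeline is built
from the poster's own timestamps (GMT+1) and is an assumption.
"""
import re
from datetime import datetime

# Winsock error codes whose documented descriptions these message texts are.
# The second pattern also matches the poster's back-translation from Danish.
WSAEINTR = ("WSAEINTR", 10004)
WSAECONNRESET = ("WSAECONNRESET", 10054)
WINSOCK_PATTERNS = [
    (re.compile(r"WSACancelBlockingCall"), WSAEINTR),
    (re.compile(r"forcibly (closed|interrupted) by (a|an|the) (remote|external) host"),
     WSAECONNRESET),
]

# dd-mm-yyyy   hh:mm:ss   message   (a trailing full stop is dropped)
LINE_RE = re.compile(r"^(\d{2}-\d{2}-\d{4})\s+(\d{2}:\d{2}:\d{2})\s+(.+?)\.?\s*$")


def parse_line(line):
    """Parse one EventLog.txt line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1) + " " + m.group(2), "%d-%m-%Y %H:%M:%S")
    component, sep, detail = m.group(3).partition(": ")
    if not sep:                      # informational line with no "component:" prefix
        component, detail = "", m.group(3)
    winsock = next((code for pat, code in WINSOCK_PATTERNS if pat.search(detail)), None)
    return {"ts": ts, "component": component, "detail": detail, "winsock": winsock}


def triage(lines, known_events, window_minutes=5):
    """Classify each log line; a peer reset is tied to the nearest known event."""
    recs = [r for r in (parse_line(l) for l in lines) if r is not None]
    events = list(known_events)
    # The poster sees an accept/WSAEINTR line at every reboot: the listener's
    # blocking accept() is cancelled when the service stops. Treat each one as
    # routine and also as a shutdown marker for the correlation below.
    for r in recs:
        if r["component"] == "HttpDaemon accept" and r["winsock"] == WSAEINTR:
            r["verdict"] = "routine-shutdown"
            events.append(("shutdown", r["ts"]))
    for r in recs:
        if "verdict" in r:
            continue
        if r["component"] == "HttpDaemon recv" and r["winsock"] == WSAECONNRESET and events:
            label, ets = min(events, key=lambda e: abs(e[1] - r["ts"]))
            delta = (r["ts"] - ets).total_seconds() / 60.0   # signed minutes
            r["nearest_event"], r["delta_minutes"] = label, round(delta, 1)
            r["verdict"] = ("peer-reset-near-" + label if abs(delta) <= window_minutes
                            else "peer-reset-outside-window")
        elif r["winsock"] is None:
            r["verdict"] = "info"
        else:
            r["verdict"] = "other-winsock"
    return recs


GUID_GROUPS = (8, 4, 4, 4, 12)      # hex digits per dash-separated group of a GUID


def guid_shape(filename):
    """Compare the stem of a GUID-looking file name with the shape of a real GUID."""
    stem = filename.rsplit("\\", 1)[-1]
    stem = stem[:-4] if stem.lower().endswith(".exe") else stem
    groups = stem.split("-")
    lengths = [len(g) for g in groups]
    is_hex = all(re.fullmatch(r"[0-9a-fA-F]+", g) for g in groups)
    return {"stem": stem, "group_lengths": lengths,
            "is_full_guid": is_hex and tuple(lengths) == GUID_GROUPS,
            "missing_chars": sum(GUID_GROUPS) - sum(lengths)}


# Copied from reply #8 (Avast EventLog.txt, 13 Nov 2012, GMT+1).
SAMPLE_LOG = """\
13-11-2012   16:46:47   HttpDaemon accept: A blocking operation was interrupted by a call to WSACancelBlockingCall.
13-11-2012   16:52:00   HttpDaemon accept: A blocking operation was interrupted by a call to WSACancelBlockingCall.
13-11-2012   17:16:39   HttpDaemon recv: An existing connection was forcibly interrupted by a remote host.
13-11-2012   17:27:52   HttpDaemon accept: A blocking operation was interrupted by a call to WSACancelBlockingCall.
13-11-2012   18:11:19   HttpDaemon accept: A blocking operation was interrupted by a call to WSACancelBlockingCall.
13-11-2012   19:13:26   HttpDaemon accept: A blocking operation was interrupted by a call to WSACancelBlockingCall.
13-11-2012   21:26:18   The virus definitions have been automatically updated to version 121113-1.
""".splitlines()

# Known events from the poster's timeline in reply #8 (assumption: same day, GMT+1).
KNOWN_EVENTS = [
    ("behaviour-shield-temp-exe", datetime(2012, 11, 13, 16, 34)),
    ("windows-update-search", datetime(2012, 11, 13, 16, 36)),
    ("windows-update-install", datetime(2012, 11, 13, 16, 37)),
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG, KNOWN_EVENTS):
        extra = ""
        if "nearest_event" in rec:
            extra = " (nearest: %s, %+.1f min)" % (rec["nearest_event"], rec["delta_minutes"])
        print(rec["ts"].strftime("%H:%M:%S"), rec["verdict"] + extra)
    print(guid_shape(r"C:\Windows\Temp\7f420305-bb43-459c-b9e9-aaededacff.exe"))
```

Run against the quoted lines, the five "accept" entries come out as routine shutdown markers, the 17:16:39 "recv" reset lands about 11 minutes before the 17:27:52 shutdown and 39 minutes after the update install, so outside the five-minute window of every known event, and the file name reports group lengths 8-4-4-4-10, i.e. two hex characters short of a GUID, which is the difference cooby noticed. To use it on your own machine, read C:\ProgramData\AVAST Software\Avast\log\EventLog.txt into `SAMPLE_LOG` and put the times from the Windows Update panel and MpSigStub.txt into `KNOWN_EVENTS`.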

Paradoxian
Re: Behaviour shield/Windows Defender Update question
« Reply #13 on: November 19, 2012, 11:32:03 AM »
That's interesting. My file was detected by Avast itself though, and I didn't think the Behaviour Shield would monitor Avast's own activities?

Do you know if there are any logs I could check to confirm whether or not this is Avast-related? The logs in your thread seem to be specific to your firewall (I just use the default Windows Firewall).
« Last Edit: November 19, 2012, 11:33:35 AM by Paradoxian »