Author Topic: Suspicious program - how do I exclude?  (Read 3967 times)

0 Members and 1 Guest are viewing this topic.

TomMelly

  • Guest
Suspicious program - how do I exclude?
« on: February 08, 2013, 05:04:45 PM »
I have a program that Avast keeps flagging as suspicious due to low prevalence (not surprising - it's a program that only our company uses). The program is now listed several times in the exclusions list, but I keep getting prompted each time it runs (which creates another exclusion entry). The only extra detail I can think of is that I'm calling the program multiple times via a batch file rather than directly.

How do I make sure this program doesn't trigger an alert?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Suspicious program - how do I exclude?
« Reply #1 on: February 08, 2013, 05:16:45 PM »
Well, can you write down what is in the exclusion list?
The best things in life are free.

TomMelly

  • Guest
Re: Suspicious program - how do I exclude?
« Reply #2 on: February 08, 2013, 05:37:28 PM »
About 10 of these:

X:\updt_to_sql\cmdUPDT_to_SQL.exe

For the moment, I've disabled "The file prevalence/reputation is low" in the REASONS FOR AUTOSANDBOXING dialogue, and that's stopped it constantly flagging the program.

Offline Gopher John

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2098
Re: Suspicious program - how do I exclude?
« Reply #3 on: February 08, 2013, 06:44:48 PM »
If the file is run from removable media, then I don't think it can be excluded from autosandboxing.
AMD A6-5350M APU with Radeon HD Graphics, 8.0GB RAM, Win7 Pro SP1 64bit, IE11
i7-3610QM 2.3GHZ, 8.0GB Ram,  Nvidia GeForce GT 630M 2GB, Win7 Pro SP1 64bit, IE 11
Common to both: Avast Premium Security 19.7.2388, WinPatrol Plus, SpywareBlaster 5.5, Opera 12.18, Firefox 68.0.2, MBam Free, CCleaner

TomMelly

  • Guest
Re: Suspicious program - how do I exclude?
« Reply #4 on: February 08, 2013, 07:38:07 PM »
Ah! It's not removable, but it is a mounted encrypted disk - would that do it?

Incidentally, whatever the case, there is something odd about the multiple entries in the whitelist (which is then ignored) - should I document it and file a bug report?

Offline Gopher John

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2098
Re: Suspicious program - how do I exclude?
« Reply #5 on: February 09, 2013, 12:53:25 AM »
Ah! It's not removable, but it is a mounted encrypted disk - would that do it?

Incidentally, whatever the case, there is something odd about the multiple entries in the whitelist (which is then ignored) - should I document it and file a bug report?

I'm not sure.  Is the disk mounted on boot-up and do you have access to it's contents immediately after logging into Windows?  If you have to enter a separate password to access the encrypted disk, that's possibly the cause.  Hopefully, Avast staff will see this thread and provide some insight.
AMD A6-5350M APU with Radeon HD Graphics, 8.0GB RAM, Win7 Pro SP1 64bit, IE11
i7-3610QM 2.3GHZ, 8.0GB Ram,  Nvidia GeForce GT 630M 2GB, Win7 Pro SP1 64bit, IE 11
Common to both: Avast Premium Security 19.7.2388, WinPatrol Plus, SpywareBlaster 5.5, Opera 12.18, Firefox 68.0.2, MBam Free, CCleaner

TomMelly

  • Guest
Re: Suspicious program - how do I exclude?
« Reply #6 on: February 09, 2013, 08:34:58 AM »
It's mounted after I log in to windows XP - a standard TrueCrypt drive.

I can see the logic of excluding it from the exclusions - after all, several CDs could contain different autorun.exes. The bits that don't make sense or could be improved are:

  • To keep adding the same file to the exclusions and then ignoring it
  • No obvious way to prevent the prompting during a session without turning off that particular criteria

I'd suggest that the file should not be added to the exclusions (since it's going to be ignored), and that a file on removable media should only trigger one warning until the media is changed.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Suspicious program - how do I exclude?
« Reply #7 on: February 09, 2013, 08:43:18 AM »
Set the AutoSandbox to "Ask", that should help.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

TomMelly

  • Guest
Re: Suspicious program - how do I exclude?
« Reply #8 on: February 09, 2013, 10:15:52 AM »
I have, but the problem is that my batch file calls the program several times, and each time I need to give permission, and each time it adds a new instance of the program to the exclusions list.

That said, I've now resolved the issue by moving the exe to my C drive (where it should probably live anyway - it's only the confidential data I need on the encrypted drive).

Offline Gopher John

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2098
Re: Suspicious program - how do I exclude?
« Reply #9 on: February 09, 2013, 03:57:52 PM »
It sounds like Avast considers the program a new program every time that it is decrypted to run when it is called by your batch file.
AMD A6-5350M APU with Radeon HD Graphics, 8.0GB RAM, Win7 Pro SP1 64bit, IE11
i7-3610QM 2.3GHZ, 8.0GB Ram,  Nvidia GeForce GT 630M 2GB, Win7 Pro SP1 64bit, IE 11
Common to both: Avast Premium Security 19.7.2388, WinPatrol Plus, SpywareBlaster 5.5, Opera 12.18, Firefox 68.0.2, MBam Free, CCleaner