Author Topic: Avast marked most startup apps as FileRepMalware and moved them to chest...  (Read 19378 times)

dark_skeleton

  • Guest
I am really disappointed. I don't care if you messed something up. I've been using your software for years without any problems, until yesterday when I powered off my PC in good shape.
I powered it on today and noticed no startup apps launched apart from the Bluetooth driver and an O&O Defrag window which said it had to repair itself (first bad sign). I just reset the PC hoping it was a temporary memory problem or something, but the issue persisted after the reboot.
I was looking at system logs and trying to find the issue, when an Avast popup appeared telling me that a file has just been quarantined because it's a virus! FileRepMalware, that's a virus's name. Wait what? That file couldn't be a virus or malware, because it was O&O Defrag's updater that just repaired itself a few minutes ago...

I am attaching the opened quarantine (and actions' log a few posts below) window that I saw after I restored all the files and SCANNED them manually... It says --no-virus-- now, but earlier EVERY one of those files said FileRepMalware.
I disabled reputation services in options, no more popups about files being infected/FileRepMalwared (and there were a few more added before I disabled it).
And that would be OK if I could just disable it, restore quarantined files and carry on. The thing is, I can't because your stupid app REMOVED all startup entries connected to those startup apps it quarantined!

I am furious and really disappointed in avast right now. One boot, Internet connection, and because of your app, I have to restore every single app by hand. It didn't even ask me or show any notifications if I wanted those files quarantined, it just did it. I am awaiting your response on this subject.

System: Windows 7 Pro x64
Avast version: 8.0.1497
Virus database: 130911-1

If you need any more data, please feel free to ask.

UPDATE: It also seems that your antivirus happily deleted (not just moved to chest) other apps' executables such as Truecrypt's. Thanks avast! Now I have even more apps to reinstall.
« Last Edit: September 12, 2013, 04:31:31 PM by dark_skeleton »

Pondus
Quote
I am furious and really disappointed in avast right now. One boot, Internet connection, and because of your app, I will have to restore every single app by hand. It didn't even ask me if I wanted those files quarantined, it just did it. I am awaiting your response on this subject.
Have you selected Ask under action settings?

Some info: http://forum.avast.com/index.php?topic=124265.0




dark_skeleton

  • Guest
No, I have it on default quarantine move to chest-remove. Why would I change default options if they never failed me before? I haven't changed that action since I never imagined avast would do such tricks to me.

I finally found avast actions' log and I am attaching it to this post. It messed up my PC pretty hard. Every action is from today's first boot (around 1 hour 7 minutes from posting this post).

The best part is now I really have to reinstall these apps, because removed files were deleted for good.

Avast should think before publishing such stupid settings. If file's rep is FileRepMalware, why does it count as a virus? Of course the default action for a VIRUS is to QUARANTINE and DELETE it. But what if your stupid reputation service goes crazy like now? I am sure I'm not the only one affected because that would be too ironic.

The post/topic you linked above is a similar case, but mine is a global one since it affected my whole system. The topic also doesn't provide any solution.

I am actually very relieved my second drive is encrypted and I have to mount it manually. I can't imagine what would happen if it started scanning it...
« Last Edit: September 12, 2013, 06:04:06 PM by dark_skeleton »

mchain
hi dark_skeleton,

Really sorry you've gone through this. 

Although it is late on this, reviewing your file shield setting seems to be in order, so as to prevent a repeat of this issue in the future.

Please note the settings in File System Shield below for all three categories:  To get to these settings, do the following:

Avast! Program GUI>Security>Summary>Current Status>double-click File System Shield.

THEN:  >Click Settings upper right>navigate to Actions area and change as appropriate and report back.

I've read your new reply just made now, and agree with you here.  Seems the default is to quarantine first, so...   Ask first would seem to be the safest option, then move to quarantine would be second, so I've taken the trouble to outline where these settings are.

[EDIT:]   Setting to ask would not be a setting for the average user, which is why the default is likely set to quarantine first.
« Last Edit: September 12, 2013, 01:38:06 PM by mchain »
Windows 10 Home 64-bit 20H2 Avast Premier Security version 21.3.2459 (build 21.3.6164.652) UI version 1.0.612.

dark_skeleton

  • Guest
Thanks for answering, it's actually pretty unsafe that defaults for Virus are chest-remove and for pup/suspicious are ask-remove. It's a pretty invasive setting, but I guess it's ok for normal users (assuming all your services are working properly). I never cared much because I rarely had any viruses and actually didn't mind them being quarantined quickly.

What I'm asking is please verify if your reputation service is working properly. I am afraid to turn it back on because of what just happened and I'm actually thinking I might never turn it on again.

Because of it I will have to slowly restore my PC to its previous state (I have the Windows system restore feature disabled since I'm running on an SSD)
« Last Edit: September 12, 2013, 01:47:20 PM by dark_skeleton »

True Indian

FilerepMalware is a cloud avast backend technology. It works in run time and not while on demand scanning.

Send the file quarantined by avast to virus@avast.com with subject false positive.

FilerepMalware is the similarity search engine. Interesting that it's detecting those files as similar to some family of malware  :o
« Last Edit: September 12, 2013, 02:10:26 PM by true indian »

mchain

True.  While the system is booting up, the files run would be scanned by File System Shield, so it is possible that changing the settings in File System Shield from automatically quarantining to Ask would, in this case, allow some control over an erroneous vps in place or file rep issue that somehow manifested itself here.  That is all we are after here.  These changes in settings are not for the average user, as most would not know how to answer and choose the right choice in action.

To summarise, normal actions are as follows:  Quarantine, then delete.  Deletion is to be avoided if at all possible, as once that is done, the file is gone forever.  Repair only works on normal files that are infected with a virus.

Repair cannot work on trojans or worms as the entire file is an infectious agent, so there is nothing to repair.  A virus infection is the result of a normal file having a part of its code overwritten or changed to suit the intended actions of the virus code, so removing the virus code will, in most cases, clean the infected file.  A Windows system file can be controlled/renamed by a trojan, and deleting a needed system file will wreak havoc on a system to the point where it may not boot again.  So, deleting is the very last resort, and is best reserved to remove known trojans or worms.  An infected system file can always be replaced by a known clean copy.

dark_skeleton

  • Guest
Well, I have finally restored my PC to the previous state (mostly). I don't really care about background tasks like Java updates or Adobe stuff so I haven't reinstalled them. The rest required me to repair using installers, reinstall over existing installations or uninstall and reinstall apps. Some required me to manually re-add startup entries, especially "scheduled tasks" and some to enter their settings, disable autostart, accept, re-enable autostart, accept. I also had to download over 1GB of installers. On the bright side, thanks to logging I knew exactly which apps were damaged. 3 hours of work that could've been avoided...

Quote
FilerepMalware is a cloud avast backend technology. It works in run time and not while on demand scanning.

Send the file quarantined by avast to virus@avast.com with subject false positive.

FilerepMalware is the similarity search engine. Interesting that it's detecting those files as similar to some family of malware  :o
Especially that those files have absolutely nothing in common. Really, do you want me to send all these files to that address?
Files got removed without my approval, as you said, in run time. That wasn't on-demand scanning.

There has been a VPS update today not long ago, so I hope I won't have such surprises anymore, ever. I have changed settings to Ask and re-enabled reputation services for now. I also have to do the same on my second PC.

Thank you for your time and explanations, it seems like software is alive and making its own decisions, huh
« Last Edit: September 12, 2013, 05:23:09 PM by dark_skeleton »

abruptum
« Reply #8 on: September 12, 2013, 04:11:18 PM »
Because of this horror story, I've changed Action's settings in File System Shield.

mchain
Glad to help.  As for the files lacking commonality, they are all common driver/system files, albeit from different programs. 

Sorry this happened to you.  You might want to consider installing a disk imaging program for situations such as this to be able to recover in minutes instead of hours.  A restored image will revert all settings, and include the last known good vps version taken at the time of the image, back to a running system exactly the way it was at the time that snapshot was taken.  You then can skip the known bad vps, if indeed that was the cause and move on.
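
Added example (not part of the thread, and not Avast's or any poster's code): a lighter complement to the disk image suggested above, this script records the Run-key and scheduled-task autostart entries and later lists the ones that have disappeared, so entries removed alongside quarantined files can be re-created from the saved command lines. The baseline path, the `-Mode` parameter and the English `schtasks` column names are assumptions; startup folders are not covered.

```powershell
# Added example, not from the thread. Baseline path and English schtasks
# column names are assumptions. Compatible with PowerShell 2.0 (Windows 7).
param(
    [ValidateSet('Save', 'Compare')] [string]$Mode = 'Save',
    [string]$Baseline = "$env:USERPROFILE\autostart-baseline.xml"
)

function Get-AutostartSnapshot {
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $entries = foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            New-Object PSObject -Property @{
                Source = $key; Name = $name; Command = [string]$item.GetValue($name)
            }
        }
    }
    # /v adds the "Task To Run" column; header rows repeated in the CSV are dropped.
    $tasks = schtasks.exe /query /fo csv /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Source = 'ScheduledTask'; Name = $_.TaskName; Command = $_.'Task To Run'
            }
        }
    # Verbose output has one row per trigger, so collapse duplicates.
    @($entries) + @($tasks) | Sort-Object Source, Name, Command -Unique
}

if ($Mode -eq 'Save') {
    # Run this while the system is in a known-good state.
    Get-AutostartSnapshot | Export-Clixml -Path $Baseline
    "Baseline written to $Baseline"
} else {
    $before = @(Import-Clixml -Path $Baseline)
    $after  = @(Get-AutostartSnapshot)
    # '<=' marks entries present in the baseline but missing now.
    Compare-Object $before $after -Property Source, Name, Command |
        Where-Object { $_.SideIndicator -eq '<=' } |
        Select-Object Source, Name, Command
}
```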

dark_skeleton

  • Guest
« Reply #10 on: September 14, 2013, 11:16:02 AM »
I've had enough of this. I have just booted my PC today and this again.
I had everything set on Ask as suggested, but it only asked one question and there wasn't even an option to take no action. It still quarantined all my files... WTF?!
I did a full scan yesterday, Avast found nothing, just a few wannabe-PUPs which weren't PUPs (I manually enabled searching for PUPs).
Of course, all chested files' startup entries have been removed, too.

From what I've noticed, it only happens on first boot of the day (?)

I DEMAND EXPLANATION and uninstalled your antivirus. This went too far.

EDIT: removed caps and cursing because I felt bad about it and I know it's not your fault... I'm still enraged though
« Last Edit: September 14, 2013, 12:39:32 PM by dark_skeleton »

czardas
« Reply #11 on: September 14, 2013, 01:46:18 PM »
This is indeed a horror story. I also disagree that average users should be considered that stupid that they can't answer the question 'Do you want Avast to automatically block this potential threat?' YES, NO or DON'T KNOW

Erebus
« Reply #12 on: September 14, 2013, 04:31:55 PM »
Removed due to incorrect location for feedback. Sincere apologies.
« Last Edit: September 15, 2013, 05:11:23 PM by Erebus »

ram1220
« Reply #13 on: September 14, 2013, 11:44:14 PM »
 I went into my Avast settings yesterday and changed all of them to Ask First. The first time Avast deletes anything on my system without asking me it is gone. No looking back. I do know what I am doing. Avast needs to change the default back to Ask.

czardas
« Reply #14 on: September 15, 2013, 01:18:51 AM »
Well I just added these rules and I still can not download my own program from my own website. I have no choice other than to disable Avast. The program seems to be broken. This is a potentially dangerous action I'm about to take. Running an unprotected machine is not only dangerous for the person who uses it. I always had a fondness for Avast but I can no longer recommend it as I have often done in the past. I still would like Avast to be great again, like it used to be. The program is now too complicated for advanced users to use.
« Last Edit: September 15, 2013, 03:16:15 AM by czardas »