Author Topic: Avast deleted half my main projects  (Read 20739 times)


czardas

  • Guest
Re: Avast deleted half my main projects
« Reply #15 on: September 14, 2013, 12:14:04 PM »
Pondus, this isn't about USB protection. I am unable to copy and paste my files into another folder on the same drive, even though they are in the exclusions list. What use is that?

iroc9555

  • Guest
Re: Avast deleted half my main projects
« Reply #16 on: September 14, 2013, 05:25:36 PM »
You have an infected USB drive and the files too. You need to follow argus instructions and apply MCShield. Do not believe any of us? See this topic which is very similar to your case:

http://forum.avast.com/index.php?topic=134661.msg988250#msg988250
« Last Edit: September 14, 2013, 05:28:14 PM by iroc9555 »

czardas

  • Guest
Re: Avast deleted half my main projects
« Reply #17 on: September 14, 2013, 09:57:46 PM »
I understand how much you love and want to protect the reputation of your favourite antivirus program, but what you are suggesting simply doesn't add up.

Firstly: If you were to make a virus yourself, would you really be inclined to only infect portable executables, not yet added to an antivirus exclusions list, and which are packed in UPX? These files would be considered suspicious anyway, so your program would be a totally stupid and amateur virus, right?

Secondly, I decided to test your hypothesis by downloading a clean file which I uploaded in March (the memory stick had not even been purchased at this point in time). The download was blocked by Avast even though the file is zipped. After disabling Avast and downloading the file I checked that the hash of the zip file had not changed since the file's creation. The program is as yet unfinished. Link below.

http://www.czardas.co.uk/downloads/AutoMathEdit.zip

The SHA-1 of the file is 961D82B3A6A13868731DEF1018C7507CA454C9B2

More information about the file can be found here: http://www.autoitscript.com/forum/topic/142184-automathedit/#entry1062579

So while I appreciate your efforts, I'm pretty certain this is a problem with Avast and not with the memory stick, although this does not preclude the small possibility that the stick may contain infected files.
« Last Edit: September 14, 2013, 11:41:48 PM by czardas »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Avast deleted half my main projects
« Reply #18 on: September 14, 2013, 10:26:22 PM »
Quote
So while I appreciate your efforts, I'm pretty certain this is a problem with Avast and not with the memory stick, although this does not preclude the small possibility that the stick may contain infected files.
so why not rule out that small possibility .... it can't hurt ... or ?

and then you can say .... what did i tell ya   ;D



« Last Edit: September 14, 2013, 10:27:56 PM by Pondus »

czardas

  • Guest
Re: Avast deleted half my main projects
« Reply #19 on: September 14, 2013, 10:48:46 PM »
Oh don't worry, I intend to scan the drive when my computer starts to behave properly. It does so when I disable Avast, but that leaves me vulnerable. I'm still uncertain what to do about this. I was going to sort through and archive many documents sitting in my main projects folder. This is a job which will take several days. I may simply have to disable Avast for that period. I could then try the latest program update once I can guarantee the safety of my data.

I do not consider myself an inexperienced PC user and I'm somewhat disappointed that I cannot control my antivirus program. I do not agree with suggestions in other threads that people are too stupid to make their own choices about what to allow and what to block. Taking control over the operation of someone else's machine is something I would class as a virus. I believe the problems to be partly bug related, however the default automatic quarantine policy without asking is turning Avast into something as unpleasant to use as Norton.

Is anyone using Avast able to download the file linked to above? Of course I took the effort to scan this file using Virus Total shortly after it had been uploaded. For anyone who doesn't trust the link. See below, or test it for yourself:

https://www.virustotal.com/en-gb/url/e62adffee352ea0ab66cd7b317a52c0ca51f2b8fa1755a15011597700e04f8ea/analysis/
« Last Edit: September 14, 2013, 11:28:15 PM by czardas »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

czardas

  • Guest
Re: Avast deleted half my main projects
« Reply #21 on: September 14, 2013, 11:25:05 PM »
Thanks polonus for testing it. Avast does not detect any threat yet it blocks the download for me. This is worrying because I imagine others will also not be able to download the file. If this is going to be the trend for the future, it will become problematic.
« Last Edit: September 14, 2013, 11:38:42 PM by czardas »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Avast deleted half my main projects
« Reply #22 on: September 14, 2013, 11:43:56 PM »
Well I think the problem is not with avast and the script but what happened at where you uploaded,
for that see the IDS alert given in the http://urlquery.net/report.php?id=5319157 scan
See the content returned here: http://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fwww.czardas.co.uk%2Fdownloads%2FAutoMathEdit.zip&ref_sel=Google&ua_sel=ff
and I mean these lines
3677:G
3678:B AutoMathEdit/PKQ
3679:Bø3Ž«=øa- ÿAutoMathEdit/AutoMathEdit.exePKV
3680:B» rl‚!$xøAutoMathEdit/SHA-1.txtPKI%BeÜ‹jVƒ| ÿùAutoMathEdit/win-1252.exePK
3681:G
3682:B ÿA¹OAutoMathEdit/PKäO

The detection is because of the strange syntax of the script language used, and maybe avast has problems with that.
Anyone with some other options? The Windows-encoded (windows-1252) files need to be converted to UTF-8.
One av option would be to detect whether it's actually a completely valid UTF-8 file, and there it might have gone wrong
as you may have used a recode utility that was flagged!

polonus

P.S.
FP and avast developers should delve into this detection...

D
« Last Edit: September 14, 2013, 11:49:52 PM by polonus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Avast deleted half my main projects
« Reply #23 on: September 15, 2013, 12:06:02 AM »
Hi czardas,

Just reported to me that there is also heuristic detection with this Japanese scanner: http://check.gred.jp/?url=http%3A%2F%2Fwww.czardas.co.uk%2Fdownloads%2FAutoMathEdit.zip
See: http://jsunpack.jeek.org/?report=abf27a0521f0c0fbda5a8ad6de99c5e6ae05b39f
And the scan of the zipfile content I copied from the jsunpack scan content: https://www.virustotal.com/nl/file/e9460fbd4b465b236b728df836c4adb2cf8fd8ba59cd39435907051429d68132/analysis/1379196217/
no detections whatsoever...so it is the heuristics for the filetype that is to blame!

polonus
« Last Edit: September 15, 2013, 12:08:03 AM by polonus »

czardas

  • Guest
Re: Avast deleted half my main projects
« Reply #24 on: September 15, 2013, 12:11:39 AM »
Quote
Well I think the problem is not with avast and the script but what happened at where you uploaded,
for that see the IDS alert given in the http://urlquery.net/report.php?id=5319157 scan

I uploaded simply to my own website using FTP.

Quote
See the content returned here: http://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fwww.czardas.co.uk%2Fdownloads%2FAutoMathEdit.zip&ref_sel=Google&ua_sel=ff
and I mean these lines
3677:G
3678:B AutoMathEdit/PKQ
3679:Bø3Ž«=øa- ÿAutoMathEdit/AutoMathEdit.exePKV
3680:B» rl‚!$xøAutoMathEdit/SHA-1.txtPKI%BeÜ‹jVƒ| ÿùAutoMathEdit/win-1252.exePK
3681:G
3682:B ÿA¹OAutoMathEdit/PKäO

The detection is because of the strange syntax of the script language used, and maybe avast has problems with that.
Anyone with some other options? The Windows-encoded (windows-1252) files need to be converted to UTF-8.
One av option would be to detect whether it's actually a completely valid UTF-8 file, and there it might have gone wrong
as you may have used a recode utility that was flagged!

polonus

This is more likely to be causing the problem. I am not responsible for the AutoIt compiler, nor the interpreter which is also included during compile time. The lines you point to may be something to do with winzip, but I don't know that yet. I know some form of compression is used during the AutoIt compile process. I also can inform you that a new version of AutoIt is likely to be released in the near future.

Quote
P.S.
FP and avast developers should delve into this detection...

D

Well if something can be done about the automatic quarantine issue I would be happy for Avast to flag my files as false positives. If an advanced user mode existed which allowed more control over the program, I would consider that a great improvement.

Regards.

czardas

  • Guest
Re: Avast deleted half my main projects
« Reply #25 on: September 15, 2013, 12:16:01 AM »
Quote
Hi czardas,

Just reported to me that there is also heuristic detection with this Japanese scanner: http://check.gred.jp/?url=http%3A%2F%2Fwww.czardas.co.uk%2Fdownloads%2FAutoMathEdit.zip
See: http://jsunpack.jeek.org/?report=abf27a0521f0c0fbda5a8ad6de99c5e6ae05b39f
And the scan of the zipfile content I copied from the jsunpack scan content: https://www.virustotal.com/nl/file/e9460fbd4b465b236b728df836c4adb2cf8fd8ba59cd39435907051429d68132/analysis/1379196217/
no detections whatsoever...so it is the heuristics for the filetype that is to blame!

polonus

Okay thanks. Perhaps the next release of AutoIt and Avast will resolve the issue. Fingers crossed. I do understand the need for caution.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Avast deleted half my main projects
« Reply #26 on: September 15, 2013, 12:24:58 AM »
Well, Czardas, as you saw from that Japanese file scan it was a Section Header Heuristical detection - AMW10-100
About these heuristical flags:

Possible Header Infection

If the entry point of a PE program does not point into any of the sections but points to the area after the PE header and before the first section's raw data, then the PE file is probably infected with a header infector. This is an extremely useful heuristic to detect W95/CIH-style virus infections and virus-corrupted executables.

That was the cause of the FP if it was one, but on the other hand IDS detection also found that on the header response from the uri we uploaded at netquery.
So interesting how the reactions will be...

polonus
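The header-infection heuristic quoted in the reply above can be checked directly against a file's PE headers. The following is an added example, not code from this thread or from any scanner mentioned in it; `entry_point_location` and `build_sample` are hypothetical names, and the sample header bytes are constructed for illustration.

```python
import struct

def entry_point_location(pe: bytes) -> str:
    """Return the section holding AddressOfEntryPoint, 'header-gap', 'outside' or 'none'."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # 20-byte COFF file header
    (n_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                      # optional header
    (entry_rva,) = struct.unpack_from("<I", pe, opt + 16)
    if entry_rva == 0:
        return "none"                                    # e.g. a DLL without an entry point
    table = opt + opt_size                               # section table, 40 bytes per entry
    end_of_headers = table + 40 * n_sections
    raw_starts = []
    for i in range(n_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            return name                                  # normal case: inside a section
        if rptr:
            raw_starts.append(rptr)
    # The headers are mapped at the image base, so in this region RVA == file offset.
    if raw_starts and end_of_headers <= entry_rva < min(raw_starts):
        return "header-gap"                              # the case the heuristic flags
    return "outside"

def build_sample(entry_rva: int) -> bytes:
    """Constructed minimal PE32 header image with one .text section (not a runnable program)."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)              # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xHH", buf, 0x84, 0x14C, 1, 0xE0, 0x102)
    struct.pack_into("<H14xI", buf, 0x98, 0x10B, entry_rva)
    struct.pack_into("<8sIIII", buf, 0x178, b".text", 0x200, 0x1000, 0x200, 0x200)
    return bytes(buf)

if __name__ == "__main__":
    for rva in (0x1000, 0x1C0, 0x5000):
        print(hex(rva), entry_point_location(build_sample(rva)))
```

A "header-gap" result only says the entry point sits where the heuristic looks; packed or unusually linked executables can trip it as well, which is the false-positive risk discussed in this thread.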

czardas

  • Guest
Re: Avast deleted half my main projects
« Reply #27 on: September 15, 2013, 12:44:57 AM »
Well I'm waiting for the Japanese heuristics to analyse the file and send a full report to the owner of the website they do not trust.  :'(

They have so far sent me a link to see the status of the analysis. There is a message saying 'The system is unable to analyze the file.'.

https://check.gred.jp/sub/result_file.html?exe_id=18aef580-dcd6-4a2b-8faf-c5eaf13cc6bf

I sent them this message anyway
Quote
My website does not contain any threats

Thank you

Translated by Google
(My website does not contain any threats - thank you):

Do you recommend I post a link to this thread in the FP forum? Well I did anyway.

Topic Link: http://forum.avast.com/index.php?topic=134854.0

« Last Edit: September 15, 2013, 01:28:57 AM by czardas »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Avast deleted half my main projects
« Reply #28 on: September 15, 2013, 11:37:07 AM »
Let us wait for some answers first.
Quote
Heuristic analysis has proved to be a successful way to detect new viruses. The biggest disadvantage of heuristic analyzer based scanners is that they often find false positives, which is not cost-effective for users. In some ways, however, the heuristic analyzer is a real benefit.
quote taken from http://computervirus.uw.hu/ch11lev1sec6.html
As I said before the Suricata IDS alert is a file identity rule alert. The find could also be because of an old zip back-up file. In that case a JojoDiff utility scan could be worthwhile. Let us see what it brings.

polonus

true indian

  • Guest
Re: Avast deleted half my main projects
« Reply #29 on: September 15, 2013, 12:00:31 PM »
czardas, your USB stick is infected, get it cleansed first and then complain about the false positives without even reporting the flagged files to avast virus lab via email to virus@avast.com  ::)

You can stop behaving like a blind person and try to make efforts. Go back and read, get the facts right, live in reality and cooperate and stop the ranting it makes you look more like a troll.  :(

You come here for help and then don't do as suggested and then keep complaining on and on. Stop it now. Better be civil and read before someone calls the forum police.  >:(
« Last Edit: September 15, 2013, 12:08:48 PM by True Indian »