Author Topic: Avast deleted half my main projects  (Read 20732 times)


Offline polonus

Re: Avast deleted half my main projects
« Reply #30 on: September 15, 2013, 12:15:22 PM »
Hi czardas,

Do not go against the advice given. Establish these possibilities of a residing infection of the USB stick. If that is ruled out consider the other options.
I know you are a great coder but try to avert your own assumptions and blind angles until proven to be right. Openness from both sides will bring the desired evaluation results!
Furthermore there is something wrong with the site (http://urlquery.net/report.php?id=5319157), Suricata is not showing that IDS alert just for the fun of it; loads of Emerging Threats rule developers work every day to sieve the FPs out of there. So if all these possibilities are being ruled out - and our malware removers will be too glad to help in that respect - you can come back and rightfully question avast's detection and how they treat heuristics. Something is not right from the header response data between that uri on that Internet AG server and the client. We have to rule that possibility out first.
I agree your project code is OK, but not how it lands here with that zip file...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

true indian

Re: Avast deleted half my main projects
« Reply #31 on: September 15, 2013, 12:26:23 PM »
You said that right, right, right, Pol. Well done! Now if he turns a positive approach towards us it will be better.  ;D

czardas

Re: Avast deleted half my main projects
« Reply #32 on: September 15, 2013, 01:56:52 PM »
Quote from: polonus
Hi czardas,

Do not go against the advice given. Establish these possibilities of a residing infection of the USB stick. If that is ruled out consider the other options.
I know you are a great coder but try to avert your own assumptions and blind angles until proven to be right. Openness from both sides will bring the desired evaluation results!

This is a very fair comment. I'm not a great coder though, I'm still learning.

Quote from: polonus
Furthermore there is something wrong with the site (http://urlquery.net/report.php?id=5319157), Suricata is not showing that IDS alert just for the fun of it; loads of Emerging Threats rule developers work every day to sieve the FPs out of there. So if all these possibilities are being ruled out - and our malware removers will be too glad to help in that respect - you can come back and rightfully question avast's detection and how they treat heuristics. Something is not right from the header response data between that uri on that Internet AG server and the client. We have to rule that possibility out first.
I agree your project code is OK, but not how it lands here with that zip file...

polonus

If I am reading you right, are you saying the problem may have something to do with my host 1&1 Internet? I had no problems downloading this file previously.

Edit: The file was created with an older version of winzip. I was looking at JojoDiff. I'm not sure which two files you want me to test. Test the one downloaded with the original? I can test if the binaries are identical.
« Last Edit: September 15, 2013, 02:55:19 PM by czardas »

Offline polonus

Re: Avast deleted half my main projects
« Reply #33 on: September 15, 2013, 03:48:46 PM »
Hi czardas,
Let us go both the extra mile together to delve somewhat deeper to see what is really going on here.
I opened the link you gave at jsunpack and then I ran the copied contents of the zipfile code through Bintxt
and later saved that txt as zip file, see this attached file below and see that it is clean according to my scan here:
https://www.virustotal.com/en/file/b84719bfec48d38f8ce12064863270570ef503fb83d26d4486de5587d0a4500a/analysis/

Now alternately I scanned the live link you gave with Anubis and then we see this in the Device Control Communication:
unnamed file      0x00120028      2  This could perform File Modification and Destruction,
and is therefore considered possibly malware related,

This all could still stay in the false positive realm, but then also consider the insecurities I found on that uri with Asafaweb.
Excessive headers warning, clickjacking warning - all low hanging fruit data ready for "hacker/attacker Ltd" :D.
So see scan results here for that uri at Kundenserver with above insecurity flags:
https://asafaweb.com/Scan?Url=www.czardas.co.uk

Now I think we are near a conclusion, aren't we? Yes, test the binaries against each other, please.

polonus

« Last Edit: September 15, 2013, 03:50:54 PM by polonus »

czardas

Re: Avast deleted half my main projects
« Reply #34 on: September 15, 2013, 05:31:19 PM »
The following AutoIt test confirms the binaries of both the files to be identical.

```autoit
; Compare the locally created archive with the downloaded copy byte for byte.
; FileOpen mode 16 ($FO_BINARY) makes FileRead return the whole file as a Binary variant.
Local $sFileName_1 = @ScriptDir & "/AutoMathEdit.zip"
Local $sFileName_2 = @ScriptDir & "/DETECTION TEST/AutoMathEdit.zip"

Local $hFile_1 = FileOpen($sFileName_1, 16)
If $hFile_1 = -1 Then
    ConsoleWrite("Failed to open $hFile_1" & @LF)
    Exit
EndIf

Local $dBinary_1 = FileRead($hFile_1)
If @error Then
    FileClose($hFile_1)
    ConsoleWrite("Failed to read $hFile_1" & @LF)
    Exit
EndIf
FileClose($hFile_1)

Local $hFile_2 = FileOpen($sFileName_2, 16)
If $hFile_2 = -1 Then
    ConsoleWrite("Failed to open $hFile_2" & @LF)
    Exit
EndIf

Local $dBinary_2 = FileRead($hFile_2)
If @error Then
    FileClose($hFile_2)
    ConsoleWrite("Failed to read $hFile_2" & @LF)
    Exit
EndIf
FileClose($hFile_2)

; == is the exact (case-sensitive) comparison; the box shows True only when every byte matches.
MsgBox(0, "Binary comparison", "Identical: " & ($dBinary_1 == $dBinary_2))
```

I installed Malwarebytes and nothing was detected on the memory stick. Regarding the download problems, I'm wondering if I might be better off using 7zip.
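
The same check as the AutoIt script above, written here as an added Python example (not code from the thread): it hashes both copies in chunks, and when they differ it also reports the sizes and the offset of the first differing byte, which is what you want when a download is suspected of having been altered in transit. The file names and the sample bytes in demo() are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read size; keeps memory flat for large archives

def sha256_of(path):
    """Stream the file through SHA-256; the digest can be published next to a release."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def first_difference(path_a, path_b):
    """Byte offset at which the files first differ, or None when they are identical."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        offset = 0
        while True:
            a, b = fa.read(CHUNK), fb.read(CHUNK)
            if a != b:
                n = min(len(a), len(b))
                # n itself when one file is a prefix of the other (size mismatch)
                return offset + next((i for i in range(n) if a[i] != b[i]), n)
            if not a:
                return None
            offset += len(a)

def compare_files(path_a, path_b):
    """Compare a local archive with the downloaded copy: sizes, digests, first differing byte."""
    digest_a, digest_b = sha256_of(path_a), sha256_of(path_b)
    identical = digest_a == digest_b
    return {
        "identical": identical,
        "sizes": (os.path.getsize(path_a), os.path.getsize(path_b)),
        "sha256": (digest_a, digest_b),
        "first_difference": None if identical else first_difference(path_a, path_b),
    }

def demo():
    """Constructed sample: a pseudo-archive and a 'downloaded' copy with one flipped byte."""
    original = b"PK\x03\x04" + bytes(range(256)) * 3  # constructed bytes, not a real zip
    damaged = bytearray(original)
    damaged[300] ^= 0x01                                # simulate a corrupted download
    with tempfile.TemporaryDirectory() as d:
        a, b = Path(d, "AutoMathEdit.zip"), Path(d, "AutoMathEdit_downloaded.zip")
        a.write_bytes(original)
        b.write_bytes(bytes(damaged))
        same, diff = compare_files(a, a), compare_files(a, b)
    return same["identical"], diff["identical"], diff["first_difference"]
```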

Offline polonus

Re: Avast deleted half my main projects
« Reply #35 on: September 15, 2013, 08:19:53 PM »
See: http://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fwww.czardas.co.uk%2Fdownloads%2FAutoMathEdit.zip&ref_sel=Google&ua_sel=ff
7Zip is what I use by default myself, a very good choice, as I am allowed to say so.
I have no direct explanation for the anomalies we have found.
They were found in the post header response protocol of that particular website link you provided the zip file on.
Of course the site should be hardened against giving off too much excessive header info, etc.
Here for instance you learn how to do that: http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html
It is just a question of the right configuration.

There are still an awful lot of websites that give away too much info to attackers
about server software version, installed 3rd party software, plug-ins etc.
The attacker(s) just have to look up the right vulnerabilities and
attack procedures and hoopla with even some php weaknesses,
they are granted an easy way in to do their mischief.
Pass this info on, because not too many webmasters are aware of these basics,
and too many sites become infested that way to infest unaware users.
Furthermore often lax and sloppy IT maintenance by hosters is responsible for this,
especially where money comes before security.

Stay safe and secure in the future is the wish of,

polonus
« Last Edit: September 15, 2013, 09:24:29 PM by polonus »
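
An added example (not from the post, and not Asafaweb's code) of the kind of check behind the "excessive headers" and clickjacking warnings polonus mentions: it takes a mapping of response headers, flags version disclosure and a missing framing restriction, and produces the corrected set. The header values are constructed; the Apache directives named in the fixes are ServerTokens Prod and a mod_headers Header line.

```python
import re

VERSION = re.compile(r"\d+\.\d+")                      # e.g. "2.2.22" inside a Server banner
PLATFORM_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Constructed response headers, modelled on the "excessive headers" and
# clickjacking warnings the post describes (not the real czardas.co.uk response)
WEAK_HEADERS = {
    "Server": "Apache/2.2.22 (Unix) PHP/5.3.10",
    "X-Powered-By": "PHP/5.3.10",
    "Content-Type": "application/zip",
}

def check_headers(headers):
    """Return (header, problem, fix) findings for a response-header mapping."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    server = h.get("server", "")
    if VERSION.search(server):
        findings.append(("Server", "reveals software versions: " + server,
                         "Apache: ServerTokens Prod (banner becomes just 'Apache')"))
    for name in PLATFORM_HEADERS:
        if name in h:
            findings.append((name, "discloses platform: " + h[name], "unset the header"))
    csp = h.get("content-security-policy", "")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append(("X-Frame-Options", "missing: the page can be framed (clickjacking)",
                         "Apache (mod_headers): Header always set X-Frame-Options SAMEORIGIN"))
    return findings

def harden(headers):
    """Copy of the headers with versions stripped and framing restricted (the corrected set)."""
    out = {k: v for k, v in headers.items() if k.lower() not in PLATFORM_HEADERS}
    if "Server" in out:
        out["Server"] = out["Server"].split("/")[0]    # "Apache/2.2.22 (...)" -> "Apache"
    out.setdefault("X-Frame-Options", "SAMEORIGIN")
    return out
```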

czardas

Re: Avast deleted half my main projects
« Reply #36 on: September 16, 2013, 07:29:27 AM »
Hi polonus,

Thanks for all the time and effort you have invested in this. There appear to be some host related issues - in part responsible maybe. The information you provided was very insightful and needs looking into. Thanks for that.

Now I'm still unsure of how to proceed with Avast. I would like to keep my computer protected while I continue my work. I have often had issues with compiled AutoIt scripts throwing false positives, but I've never been prevented from relocating files and creating backups of my work until now.

I think it would be counter-productive of me to submit a FP report every time I compile a script. Most of my PE files are tests on my local machine and never get uploaded to the internet. Also I can't wait for a detection update every time I wish to run a test.

If something can be done to give me back control over my computer without having to turn off my AV, I would be most grateful. If in some way I can provide information to help make this easier, I would be happy to do so. I used to get advised to run unknown programs in Sandbox. I always ticked remember the setting and ran programs I trusted normally. Now I don't seem to be able to do any of these things for some reason.

I still have version 8.0.1489 of Avast running and have received no detection updates for two days. I am worried what might happen if I now update the program.
« Last Edit: September 16, 2013, 07:47:25 AM by czardas »

Offline Anacunga

Re: Avast deleted half my main projects
« Reply #37 on: September 16, 2013, 09:40:25 AM »
To be honest: that behaviour (default action set to "delete if quarantine is not possible") is something I have been complaining about for years!

The first thing I have to do when having finished installing Avast! entirely (before doing anything else) is disabling Avast! and spoiling lots of time to control and set about 20 settings to "1st. action (anything but NOT delete), 2nd action (anything but NOT delete), 3rd action (anything but NOT delete)"

I really cannot understand why Avast! insists on having "delete" by default – and adapting that always takes much, much time you have to be prepared for. So for installing Avast you'll mandatorily have to count 10 to 15 minutes for ONE PC – just because all these settings take time.

There are so many possibilities to NOT need to set "delete by default" without "decreasing security-level for dummies".

– There should be AT LEAST an option while installing to select "fail safe for dummies" (may be selected by default), ev. "for advanced users", and mandatorily "for specialists and developers" actions schemes (don't know how you'll name them).

It is obvious that only in "for specialists and developers", NO action can be set to "delete". I would propose following action schemes:

– "fail save for dummies": 1st action: repair – 2nd action: move to chest – 3rd action: delete
– "for advanced users": 1st action: repair – 2nd action: move to chest – 3rd action: ask
– "for specialists and developers": 1st action: ask – 2nd action: move to chest – 3rd action: no action

This selection has to be done WHILE INSTALLING (between the doubleclick on the installer and the begin of install process)!

Next thing is to have a "general setting" (when all is installed) so that you can – at any time when the software is installed – set ALL THE ACTIONS (where applicable – three step action settings) to the same you want; instead of having to change about 20 settings to "1st action/2nd action/3rd action" each separately, you can set a "general" setting that takes that pattern for all!

SO PLEASE AVAST! INTRODUCE AN EASIER WAY TO NOT BEING FORCED TO ACCEPT DELETE AS PART OF THE DEFAULT ACTIONS!!!

Same thing is with reports: WHY is it necessary to set 8 report patterns separately if I want to have ALL in the same way (I want the soft errors and skipped files). Why is there no "general setting" for all – that these general settings can override all the individual settings (that still remain configurable as individual settings).

Btw: YOU ARE DOING THAT PATTERN (GENERAL SETTING) with the packers: you have to select ONLY ONCE to select ALL Packers, and this option is taken also for all other sub-options. So why aren't you doing that (general setting for all) also for reports – and (very important) for the action settings?

true indian

Re: Avast deleted half my main projects
« Reply #38 on: September 16, 2013, 11:24:32 AM »
czardas, updating the program version is not going to hurt the virus database. If there is a false positive, just report it to virus@avast.com and in a few minutes to 1 day the detection is removed.  :)

Offline jefferson sant

Re: Avast deleted half my main projects
« Reply #39 on: September 16, 2013, 04:23:07 PM »

Do you recommend I post a link to this thread in the FP forum? Well I did anyway.

Topic Link: http://forum.avast.com/index.php?topic=134854.0

avast! does not block "czardas.co.uk"
in relation to the file.
It will be fixed in the next VPS update.

Thank Milos.
« Last Edit: September 16, 2013, 09:52:39 PM by jefferson santiag »

czardas

Re: Avast deleted half my main projects
« Reply #40 on: September 16, 2013, 10:02:40 PM »
I have updated the program and Sandbox is back again. That's a relief. From reading other posts I was beginning to think the feature had been removed. I also seem to be able to move my PE files around again without them getting flagged. Of course I took precautions making sure I had made all important backups first (not knowing if my settings would remain the same). Now I also can download the file, which will be updated in due course - it is an unfinished program released for assessment purposes. I use it all the time in its unfinished state - hmm.

I apologize if I said some negative things about Avast. I was alarmed at what happened on Friday. In a way I have learned some interesting things, but it was also a bit like having hiccups. Making my own file integrity verification utility is now on my ToDo list.

Thank you!

Offline jefferson sant

Re: Avast deleted half my main projects
« Reply #41 on: September 16, 2013, 10:06:59 PM »
Do not worry
do not thank me
I thank the staff avast team
for the great work to help out
sometimes when it is not resolved until run after.
I'm here to try to resolve anyway. :)
« Last Edit: September 16, 2013, 10:08:48 PM by jefferson santiag »

Offline polonus

Re: Avast deleted half my main projects
« Reply #42 on: September 16, 2013, 10:23:02 PM »
Hi czardas,

Good we could help you get to where you wanted to go.
Always code with security in mind
and use these known regular expressions to detect and check what needs checking.
Like /((\%3C)|<)((\%2F)|\)* to find tags to check on!
I wish you many a secure string.
Good you found your way here to our avast! support forums,
and I hope you will come here more often to join our ranks.

polonus aka Damian

czardas

Re: Avast deleted half my main projects
« Reply #43 on: September 16, 2013, 10:43:28 PM »
I meant to also thank the Avast Dev team, and polonus, you've been a great help. I'm not a regexp guru by any stretch of the imagination, but I think they're really cool to learn. Is that regular expression PCRE?

Offline polonus

Re: Avast deleted half my main projects
« Reply #44 on: September 16, 2013, 11:01:15 PM »
Hi czardas,

They are HTML-URL and come all nicely lined up here from the SANS reading room, http://www.sans.org/reading-room/whitepapers/logging/detecting-attacks-web-applications-log-files-2074?show=detecting-attacks-web-applications-log-files-2074&cat=logging  (author Roger Meyer).
Just look up the Perl compatibility.

pol

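
An added Python example, not from the post or from the SANS paper, that runs the tag-detecting expression polonus quoted over constructed access-log lines; the full pattern is assumed to be the SANS one (the post shows only its opening), and Python's re handles it with re.IGNORECASE in place of Perl's /i.

```python
import re
from urllib.parse import unquote

# Tag-detection pattern cited in the post; the post shows only its opening, so the full
# form is taken from the SANS paper (Roger Meyer) as I know it and is an assumption here.
# Perl's /i becomes re.IGNORECASE; it matches a literal or URL-encoded "<", an optional
# "/" or "%2F", a tag name, then a literal or URL-encoded ">".
HTML_TAG = re.compile(r"((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)", re.IGNORECASE)

# Constructed access-log lines for the demonstration (not real traffic)
SAMPLE_LOG = """\
203.0.113.7 - - [16/Sep/2013:22:00:01 +0100] "GET /downloads/AutoMathEdit.zip HTTP/1.1" 200 48213
203.0.113.9 - - [16/Sep/2013:22:00:05 +0100] "GET /search.php?q=%3Cscript%3Ehello%3C%2Fscript%3E HTTP/1.1" 200 1204
203.0.113.9 - - [16/Sep/2013:22:00:09 +0100] "GET /index.php?page=<b>test</b> HTTP/1.1" 200 1188
203.0.113.12 - - [16/Sep/2013:22:01:00 +0100] "GET /about.html HTTP/1.1" 304 -
203.0.113.9 - - [16/Sep/2013:22:01:30 +0100] "GET /search.php?q=%253Cscript%253E HTTP/1.1" 200 1204
"""

def scan_log(text):
    """Return (line_number, fragment) for every line in which the pattern fires.

    Each line is tested raw and again after one round of URL-decoding, so a
    double-encoded tag (%253C -> %3C) does not slip past the raw pattern.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for candidate in (line, unquote(line)):
            m = HTML_TAG.search(candidate)
            if m:
                hits.append((n, m.group(0)))
                break
    return hits
```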