Author Topic: File shield false alarm where normal scan does not

wraymogg

  • Guest
File shield false alarm where normal scan does not
« on: November 18, 2013, 12:55:51 PM »
Hello,

I wonder what is different in the File shield from the normal scan. I set all the parameters to the most aggressive scan in normal mode and nothing... The File shield will not let me copy a file after the last update. It triggers a Win32:Evo-gen [Susp]. I think [Susp] comes from suspicion.

Well, I configured the File shield for 0 heuristics and it still triggers. The software is my own production in C++, compiled with Borland 5.0 and packed with Winlicense.

The issue is that the most aggressive file scan is OK, where the file shield gives a false positive...

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88851
  • No support PMs thanks
Re: File shield false alarm where normal scan does not
« Reply #1 on: November 18, 2013, 02:50:18 PM »
What is the file name and location given for that detection?

There are differences between an on-access scan, which may access the avast cloud for any details about this file. This wouldn't happen in an on-demand scan due to the volume of files being scanned. It also depends on what on-demand scan you are doing Quick, Full System Scan or Custom as it may not be checking those areas depending on the file type and location (hence my question).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

wraymogg

  • Guest
Re: File shield false alarm where normal scan does not
« Reply #2 on: November 21, 2013, 10:21:09 AM »
Hello,

OK here we go in more detail.

I compiled the .exe again in a clean directory with all shields up. Size was the intended one. I packed it with Winlicense. Size was unchanged from the previous one.

I took both .exe files and put them in a 'Tmp' directory.

I selected 'Select folder to scan'. On Settings I set 'Scan all files'; on Sensitivity, 'Test whole files'; I put Heuristics High, Use code emulation, Scan for PUP.

I hit Start - NO THREAT FOUND, so both my files, protected .exe and unprotected .exe, are OK. We just established they are not infected.

Then, with all shields up, I try to copy both files from directory Tmp to Tmp2. SUCCESS. No shield trigger.

Then I try to copy them onto the network, on the server where the auto-update files reside. SUCCESS. No shield trigger.

When I try to copy from the network directory back to Tmp2, the unprotected file copies just fine, the Winlicense protected one triggers the Win32:Evo-gen [Susp].

Active Protection settings are all unchecked or off (Heuristics, Sensitivity, etc.), so I guess it is from the cloud. Sadly I cannot find an option to turn the cloud off.

So, the final verdict: the shield will trigger as a false positive ONLY when you want to copy that specific file from network to drive. It will not trigger for drive to drive or drive to network. Only for network to drive. I MD5'd them, before and after the network copy; they are unaltered on the network as they are on the drive.

My temporary workaround is to exclude that directory from the scan. Please fix this, I really like AVAST, but I cannot stay forever with my software excluded from the scan. What if a real infection appears?

Best regards
Vlad Popovici
« Last Edit: November 21, 2013, 10:40:44 AM by wraymogg »

Offline Milos

  • Avast team
  • Super Poster
  • Posts: 2293
Re: File shield false alarm where normal scan does not
« Reply #3 on: November 21, 2013, 10:35:04 AM »
Hello,
Evo-gens are detected only OnAccess not during OnDemand scan. Send the files to virus@avast.com and put "False positive" to email subject.

Milos

wraymogg

  • Guest
Re: File shield false alarm where normal scan does not
« Reply #4 on: November 21, 2013, 11:09:26 AM »
Hello,

I make updates twice per week. If I just send you one file, it may trigger on the next one also.

This 'cloud' access is dumb, please tell me how to disable it. Let me tell you why:

After a suspicious infection, I guess it uploads into the cloud based on THE SUSPICION ONLY!!!! My 'infected' file gets the shield trigger only based on name. If I take 'Biosol.exe' from network to drive and it gets flagged as 'suspicion', after a while it will trigger for drive to drive too. If I just change the file name to Biosol_xxx.exe it will NOT TRIGGER ANYMORE !!!! for drive to drive. So it gets triggered by file name only, please excuse me, but this is just dumb.

Good people, please give me the option to disable this half working 'cloud' access...

Regards,
Vlad Popovici

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11849
    • AVAST Software
Re: File shield false alarm where normal scan does not
« Reply #5 on: November 21, 2013, 12:07:25 PM »
Sorry, but that's nonsense - the name is irrelevant for the detection.
If the rename changes anything, then it would be a bug in the filesystem shield (related to the rename operation itself somehow - definitely unrelated to any cloud access), as the renamed file should be detected as well, of course.
« Last Edit: November 21, 2013, 12:22:42 PM by igor »

wraymogg

  • Guest
Re: File shield false alarm where normal scan does not
« Reply #6 on: November 21, 2013, 02:54:07 PM »
Hello,

It may be as well, but again a simple reproducible test: one file triggers the shield on copy from one directory to another. I change its name, and it will not trigger anymore. I did record a short video to prove that.

http://www.youtube.com/watch?v=-F8humaRwNU

After you have watched the video, please notify me so I can delete it from YouTube, since I don't want to anti-advertise or something like that. I just want you, the support staff, to see exactly how it happens.

Besides this file name change nonsense, my problem still persists. This Winlicense protected file triggers the shield. Other files protected the same way with the same Winlicense version will not trigger it. I recompiled the file with a lot of structural changes and also I changed the way Winlicense protects the file (different virtual machine). It still triggers the shield.

EDIT:
It is not cloud related. I disabled the network connection and it does the same. I went to File System Shield Settings and cleared all the check boxes on Advanced, so no transient or persistent caching. I cleared all exclusions and I cleared the Virus Chest. Same result. It is like Avast! hates the name Biosol.exe :)...

Regards,
Vlad
« Last Edit: November 21, 2013, 03:12:13 PM by wraymogg »
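Added example, not code from the thread or from Avast: a small Python harness that runs the copy matrix wraymogg describes in Reply #2 (drive to drive, drive to network, network to drive) and the rename check from Replies #4 and #6, recording per hop whether the copy went through and whether the bytes arrived unaltered, so a shield verdict can be reported reproducibly and separated from corruption in transit. The hop labels, the `CopyResult` type and the renamed file name default are assumptions; the directories are whatever the tester points it at.

```python
import hashlib
import os
import shutil
from dataclasses import dataclass

def sha256_file(path):
    # Hash the bytes (the poster used MD5) to rule out corruption in transit.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

@dataclass
class CopyResult:
    hop: str        # assumed label such as "network->drive"
    name: str       # file name used for this attempt
    copied: bool    # the copy call returned without error
    intact: bool    # destination exists and hashes equal to the source
    error: str = ""

def try_copy(hop, src, dst):
    # A shield that blocks the copy usually surfaces here as PermissionError,
    # or as a destination that is missing or altered after the call returns.
    try:
        shutil.copy2(src, dst)
    except OSError as exc:
        return CopyResult(hop, os.path.basename(dst), False, False, f"{type(exc).__name__}: {exc}")
    intact = os.path.isfile(dst) and sha256_file(dst) == sha256_file(src)
    return CopyResult(hop, os.path.basename(dst), True, intact)

def run_matrix(sample, hops, renamed="Biosol_xxx.exe"):
    """Chain the sample through each (label, directory) hop under its own name,
    then repeat under `renamed` (the thread's Biosol_xxx.exe) to check the rename observation."""
    results = []
    for name in (os.path.basename(sample), renamed):
        src = sample
        for label, directory in hops:
            dst = os.path.join(directory, name)
            res = try_copy(label, src, dst)
            results.append(res)
            if not res.copied:
                break  # later hops have no source to copy from
            src = dst
    return results

def blocked(results):
    """Return (hop, name) pairs whose copy failed or arrived altered."""
    return [(r.hop, r.name) for r in results if not (r.copied and r.intact)]
```

On a machine without a file shield every hop comes back copied and intact; on the affected machine the `blocked()` list is the exact set of hop and name combinations to put in the false-positive report.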

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11849
    • AVAST Software
Re: File shield false alarm where normal scan does not
« Reply #7 on: November 21, 2013, 08:56:35 PM »
Weird... I've sent the link to a couple of other developers, as I really don't have any explanation for this.
So when you cleared all the checkboxes on the Advanced page of File System Shield, you also unchecked the option "Optimize scanning during file copy operation", right?

wraymogg

  • Guest
Re: File shield false alarm where normal scan does not
« Reply #8 on: November 22, 2013, 07:54:03 PM »
Yes