Author Topic: question about deepscreen  (Read 3307 times)

Offline frankey999

  • Jr. Member
  • **
  • Posts: 56
question about deepscreen
« on: February 21, 2014, 02:46:14 AM »
Just a quick question:

When avast sees a .exe running, the deepscreen pops up, and there is an abort button at the bottom.

What does the abort button do?  If you click it, does it abort the deepscan, and let the .exe keep running, or does it abort the .exe itself?

Thanks.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: question about deepscreen
« Reply #1 on: February 21, 2014, 11:28:04 AM »
Only an avast user, but my take on this, based only on logic/good practice and what avast has done in the past in related things.

I think that the abort would relate to the deepscreen scan and not the file. I would also expect deepscreen to be activated again if you try to run the file again.

In the past and now, if during a scan avast alerts or in the results of a scan you select do nothing/no action, then avast does nothing. The file remains in place, but avast won't let you run the suspect file. So my thoughts would be the same for the abort deepscreen.

However, these are only my thoughts and not avast! software's.

Something that you might consider, enable the Hardened Mode and set it to Aggressive, this checks suspect files against an avast cloud database (if on that database, allowed to run) and it also gives you the option in the notification window to add this file to the exclusions. You have to be 100% sure it is clean before hitting this or you could be risking infection.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline frankey999

Re: question about deepscreen
« Reply #2 on: February 21, 2014, 01:12:36 PM »
Quote
I think that the abort would relate to the deepscreen scan and not the file. I would also expect deepscreen to be activated again if you try to run the file again.

Thanks for the response.  That worries me.

I actually didn't initiate the file, I went to a website and the .exe immediately started running, and the deepscan popped up.  I wasn't sure what to do, I wanted avast to terminate the file so I hit abort.  avast came back and said the file was ok, but I doubt that.  What kind of website runs an .exe when you get there?

I checked the site with virustotal and online scan, and that came back as a malware site.  I was suspicious as soon as I got to the website, because the screen was full of garbage characters, so I suspected some kind of binary code hidden in the stream.  That's why I wanted to terminate the file as soon as deepscan popped.

I took your suggestion and enabled Hardening.

Is there a way for you to terminate a file while it's in deepscan?

Offline DavidR

Re: question about deepscreen
« Reply #3 on: February 21, 2014, 02:19:11 PM »
Well the web shield (and inbuilt Network Shield) would have alerted if A) it was on the malicious sites list or B) if the web shield found the landing page to be infected.

So it is somewhat strange, if that .exe was downloaded from another site (driveby download) then that site too would have come in for scrutiny (as outlined above).

There may well be links on a page to .exe files and unless you select save as (rather than just click the link) you could be actually running it rather than specifically downloading it. I think that the deepscreen would almost certainly pop up when running an executable directly. Now that would be regardless of if the file was infected or not.

The file should also have been scanned by the file system shield.

Offline frankey999

Re: question about deepscreen
« Reply #4 on: February 21, 2014, 03:07:33 PM »
I didn't click anything on the site, like I said it was just a bunch of garbage characters, and the .exe started as soon as I got there.  Actually, I got there through a re-direct from some other ad popup.

And when I checked through Virustotal and online scan, each of them only came back with 5 or 6 out of 30 saying it was a malware site, so I guess it's not 100% conclusive amongst the scanners.

But the fact that the page was only garbage characters tells me something.  The site name itself is also suspicious.

Anyway, I'm still wondering, is there any way to stop any .exe or script from running, once you get the deepscan popup?  Is there a way to shut down everything?

Thanks.

Offline DavidR

Re: question about deepscreen
« Reply #5 on: February 21, 2014, 05:26:55 PM »
Essentially you can't stop an executable from running; that said, Windows should also provide a security check dialogue window asking if you allow this .exe to run. This has come from a Windows update some time ago which changed this setting to seek confirmation from the user.

Presumably you haven't got that update and it allows .exe files to be run - see this page that relates to disabling this feature and hopefully you should be able to reinstate it, http://www.tomshardware.co.uk/forum/244142-45-disabling-windows-security-warnings.

That is what I mean by a driveby download, sites (can be hacked) and sometimes advertising banners (ads poisoning), etc. can redirect and load elements without any user interaction other than having visited a web site.

The web shield and network shield do provide an element of protection against this, the fact that they didn't alert is generally a good thing, as is the fact that the file system shield and deepscreen didn't find anything (but you did abort that).
Offline frankey999

Re: question about deepscreen
« Reply #6 on: February 22, 2014, 10:46:11 PM »
DavidR, thanks for all the info and help ...

I do have the popup that asks if I want to allow the .exe to run, and it does pop from time to time.  It did not this time, so perhaps it was a script.  Since I aborted deepscreen, I suppose whatever it was examining was then able to run, which doesn't sound good.  I did run MBAM but it found nothing.

Actually, the gist of my question, which was probably not worded correctly,  is there any way, after the deepscan has started, which is presumably before the .exe or script has started, to stop the .exe from running?  In other words, stop everything cold?  I don't see any buttons for that, so I assume there is no way, short of turning off the pc quickly enough.

I understand now what you mean by driveby - I clicked the original site, which popped an ad, which may have been hacked to send me to the other site.... interesting.

Thanks again.

Offline DavidR

Re: question about deepscreen
« Reply #7 on: February 22, 2014, 11:07:30 PM »
Quote
<snip>
Actually, the gist of my question, which was probably not worded correctly,  is there any way, after the deepscan has started, which is presumably before the .exe or script has started, to stop the .exe from running?  In other words, stop everything cold?  I don't see any buttons for that, so I assume there is no way, short of turning off the pc quickly enough.

I understand now what you mean by driveby - I clicked the original site, which popped an ad, which may have been hacked to send me to the other site.... interesting.

Thanks again.

As far as I'm aware there isn't a way to stop an .exe file that has already started, it is likely to be too quick. Task manager would be an option, but A) you have to launch task manager (not really fast enough), B) you would have to know the executable's name and C) it may not even be listed.

Really the only good thing about this is that even though you aborted the DeepScreen, the file system shield should still be there as a last line of defence. Plus you would have had the Web Shield (including the integrated network shield and script shield) as primary lines of defence.

You're welcome.
« Last Edit: February 22, 2014, 11:11:50 PM by DavidR »