Topic: Shield Events in SOA Scan Log?

Offline KDibble

  • Sr. Member
  • ****
  • Posts: 229
Shield Events in SOA Scan Log?
« on: July 01, 2014, 05:23:54 PM »
Using SOA 1.3.3.35 on Windows 7 Ultimate 32-bit.

I asked about this in Viruses and Worms originally because Avast apparently detected a Windows Update session on a Windows 7 workstation as a false-positive "rootkit". I accept that this was a false positive. But there is a related problem.

The SOA reported this event in the Scan Log, not in the Shield Log. However, I did not run any "scheduled" or "manual" scans on the workstation. Boot scans are not turned on in the SOA. I simply ran Windows Update, and Avast reported a "rootkit"--and did so, by the way, without popping up any warning window on the workstation, even though such pop-ups are turned on in the SOA.

The File System Shield is turned on, and I know it "scans" files when they are opened, etc. But I would expect anything the File System Shield detects to appear in the Shield Log, not in the Scan Log.

My question is: Is it appropriate for File System malware detection events to appear in the Scan Log? If not, then is Avast performing "scheduled" or "manual" scans on the workstation even though no such scans are turned on in the SOA?

I've attached a png image of the Scan Log for your information.

Thanks for any help.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76017
    • >>>  Avast Forum - German-Language Section  <<<
Re: Shield Events in SOA Scan Log?
« Reply #1 on: July 01, 2014, 05:41:30 PM »
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Essentials (Downloads, Guides & Info): https://forum.avast.com/index.php?topic=60523.0

Offline KDibble

Re: Shield Events in SOA Scan Log?
« Reply #2 on: July 01, 2014, 05:47:39 PM »
Thank you.

But... will upgrading fix my specific problem? I don't see anything in the information provided that indicates this.


Offline Asyn

Re: Shield Events in SOA Scan Log?
« Reply #3 on: July 01, 2014, 05:50:31 PM »
> 1. Thank you.
> 2. But... will upgrading fix my specific problem?
1. You're welcome.
2. IDK, but for further help you should be at the latest version.

Offline KDibble

Re: Shield Events in SOA Scan Log?
« Reply #4 on: July 01, 2014, 06:07:41 PM »
Thank you again.

However, I don't upgrade software unless I am sure the upgrade won't break something I depend on.

I will wait for someone who is knowledgeable about this to answer the question: Should events detected by the File System Shield appear in the SOA Scan Log, or not? It seems like a simple enough question.

Offline Asyn

Re: Shield Events in SOA Scan Log?
« Reply #5 on: July 01, 2014, 06:23:19 PM »
> I will wait for someone who is knowledgeable about this to answer the question: Should events detected by the File System Shield appear in the SOA Scan Log, or not? It seems like a simple enough question.
OK, no problem.

Offline Avosec-UK

  • Avosec Technical Support
  • Avast Reseller
  • Sr. Member
  • *
  • Posts: 296
    • Avosec
Re: Shield Events in SOA Scan Log?
« Reply #6 on: July 02, 2014, 10:28:43 AM »
> Thank you again.
>
> However, I don't upgrade software unless I am sure the upgrade won't break something I depend on.
>
> I will wait for someone who is knowledgeable about this to answer the question: Should events detected by the File System Shield appear in the SOA Scan Log, or not? It seems like a simple enough question.

No, it shouldn't.

What's the client version?

Offline KDibble

Re: Shield Events in SOA Scan Log?
« Reply #7 on: July 02, 2014, 04:19:32 PM »
On the machine where I first reported this, Program version 8.0.1603. Definition version on that machine was 140630-0 when this happened last week. (Automatic program updates are turned off in the SOA, because I had a serious issue with the move from 7.x to 8.x and I no longer allow program updates until they are tested.)

However, this morning I saw another instance of this. SOA Scan log reported three instances of:

\AppData\Roaming\DigitalSites\UpdateProc\UpdateTask.exe

on a workstation (same Program version 8.0.1603; newer definition version, 140702-0, as expected). Again, there are no "scans" scheduled in the SOA, and no manual scan was run on that machine at the time of the report. I assume the File Shield was responsible for this report, but, again, I expect File Shield reports to appear in the SOA Shield Report, not in the Scan Report.

Thanks.

Offline Avosec-UK

Re: Shield Events in SOA Scan Log?
« Reply #8 on: July 02, 2014, 04:30:44 PM »
I was thinking that it could be an older version of the client.

Could you try with the EICAR test-virus? Try with both HTTP and HTTPS links.

Offline KDibble

Re: Shield Events in SOA Scan Log?
« Reply #9 on: July 02, 2014, 04:55:02 PM »
Eicar events show up in the Shield Log (for Web Shield) as I would expect. Does that mean anything?

However, I was only able to get an http: version. I can't find an https: version. The only reference to https I was able to find was at:

https://www.fortiguard.com/antivirus/eicartest.html

However, downloading the test file from there redirects to an http: address.

Thanks.

Offline Avosec-UK

Re: Shield Events in SOA Scan Log?
« Reply #10 on: July 03, 2014, 10:36:05 AM »
Here is the link: hXXps://secure.eicar.org/eicar.com

Or disable the WebShield temporarily and download from the http URL.

Offline KDibble

Re: Shield Events in SOA Scan Log?
« Reply #11 on: July 03, 2014, 03:50:15 PM »
Thank you. That one worked. The attempt to save the file triggered the File Shield, the save was blocked, and the event was noted in the SOA Shield Log. It did not appear in the SOA Scan Log.

So the system performs properly some of the time.

It is still not performing properly all of the time.

I will be on vacation for a week and will come back to look at this when I return. Thanks for your help.