An application is requesting access to a protected item

[REDACTED]

I've recently been seeing a Windows dialog window appear with the message "An application is requesting access to a protected item". The dialog window also contains an entry box to fill in a password, and a "Details" button. Clicking on the Details button displays:
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
This typically occurs once a day in the afternoon. Surprisingly this does *not* occur during the nightly scheduled full system scans.

Any ideas about how to address this or to find out what is the protected item that avastsvc is attempting to access would be most appreciated. This is really driving me nuts!

FYI I'm running Avast! Free 11.1.2241 with virus def 151127-0


               -jeff

[Eddy]

Please attach a screenshot of it to your next post.

[REDACTED]

This occurred again today at 3:33:00 PM EST. Applications that were running at the time were Chrome, Outlook Express and Windows Explorer. There is nothing in any of the event logs at or around 3:33pm. I was not at my computer at that time. Scheduled Tasks show nothing was scheduled to run during that timeframe.

The attached screenshots show:
av1: initial windows dialog
av2: after clicking on the "Details" button
av3: right-dragging the filepath to see the full filename
av4: after entering a bogus password in the initial window and clicking ok

Thanks for the help. Let me know if I can provide anything else.

                  -jeff

[REDACTED]

A bit more info: I noticed that at exactly 3:33:00pm Outlook Express was checking for new messages. I know this because today I set up Debut to do a screen capture video taking snapshots at 1 fps. I could see OE start the "authorizing" process when the dialog popped up at 3:33:00pm.

[Eddy]

It seems to me that something on your system is accessing a file/application that avast wants to scan, but safeguard is blocking avast from doing its job.

I was not at my computer at that time

It could be a screensaver wanted to run, the system wanted to go into sleep-mode or something like that.

[REDACTED]

It seems to me that something on your system is accessing a file/application that avast wants to scan, but safeguard is blocking avast from doing its job.

Agreed

It could be a screensaver wanted to run, the system wanted to go into sleep-mode or something like that.

I have no screensavers running and sleep-mode disabled. The computer is always on.

Obviously I need to find out what "protected item" avast is trying to access. Is there an avast log I can enable that records all it's real-time Active Protection file accesses? That might help. I could match up the time the popup occurs with the timestamp in the log. 

[Eddy]

Look at the file shield log file.
Looks to me that if there is anything, it could be found there.

[REDACTED]

Hi Eddy - There were no errors reported in the FileSystemShield log. The daily entries are all similar to this:

* Avast Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Monday, November 30, 2015 10:33:38 AM

Infected items, Hard Errors, Soft Errors and Skipped Items are all enabled in the File System Shield reports settings. But it's strange that avast is not reporting this. 

I appreciate your help.

[DavidR]

I rather doubt that anything will show in the log - given what the OP said - as essentially the file shield didn't scan anything as it was blocked
Now confirmed

It would also depend on what the log settings are for the file shield as it only reports/records Infected items, Hard errors by default. I just wonder is this would be considered a hard error.

The only way I would suggest would be to include Soft errors, Skipped items and possibly OK items (but this last item would swamp the log). The log file could get quite large considering you may have to wait some time for a replication to occur.

[REDACTED]

It's strange. I do have  Infected items, Hard Errors, Soft Errors and Skipped Items enabled but the log entries only contain a start time (as below):

* Avast Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Monday, November 30, 2015 10:33:38 AM

So this particular issue is not logged for some reason. Tomorrow I will add OK Items and see what happens. I also have Debug enabled. I'm not sure but am assuming those logs are located under the /log folder. But there are a lot of logs to go through and the info is really meant for developers, so end users like me are pretty lost trying to parse what's going on in there.

Thanks for the suggestions.

[Eddy]

A simple way is to tell safeguard to allow avast to scan and then see what it is scanning/has scanned.

[REDACTED]

Hi Eddy
What is the "safeguard" you refer to? I'm not familiar with that.
thanks

[DavidR]

Hi Eddy
What is the "safeguard" you refer to? I'm not familiar with that.
thanks

Its in your images, your system has a program or function (presumably called Protected Storage - safeguard) to protect certain areas that is stopping avast scanning those areas. You need to find its settings and add avastSvc.exe to its exclusions.

[REDACTED]

Hi David, Eddy

Thanks for the suggestion and clarifications. Try as I might, I cannot find any configuration UI for the Protected Storage service on my WindowsXp machine. I did find this description of the Protected Storage Service here: https://msdn.microsoft.com/en-us/library/aa939852(v=winembedded.5).aspx  which says that "There are no configurable settings for this component". So I'm at a loss on this angle.

However I found some other interesting info: today the "Protected Item" error dialog popped up at 11:29:02 am EST. I was looking through the Avast debug logs searching for any entries timestamped 11:29:02 or 16:29:02 GMT and found 4 files. I included excerpts from 2 of the files below (if you want to see more of a particular file, let me know):

Hns.log:
   2015.12.01 16:29:02 | SystemScore IQueryRecentWinSATAssessment creating failed: 0x80040154
   2015.12.01 16:29:02 | Start Scan: mode=record, type=2, depth=2, 0x00000230
   2015.12.01 16:29:02 | LoadEngine: using engine build
   2015.12.01 16:29:02 | LoadEngine: module=C:\Program Files\AVAST Software\Avast\defs\15113000\aswHds.dll version=10.0.0.42
   2015.12.01 16:29:02 | LoadEngine: successfully loaded engine of version 15113000
   2015.12.01 16:29:02 | RealConnectivityScanner: local connect
   2015.12.01 16:29:02 | RealConnectivityScanner: internet connect to 'http://www.msftncsi.com/ncsi.txt' status:200 result:2
   2015.12.01 16:29:02 | Start scanRouter()
   2015.12.01 16:29:02 | RealConnectivityScanner: local connect
   2015.12.01 16:29:02 | RealConnectivityScanner: internet connect to 'http://www.msftncsi.com/ncsi.txt' status:200 result:2
   2015.12.01 16:29:02 | Network adapter: 'Intel(R) 82567LF Gigabit Network Connection - Packet Scheduler Miniport', 1, 00247e6dc431

HnsFromUi_asw.hns.devices_1448996304.json:
   "device_status" : "vuln_scan_completed",
   "time" : "01/12/2015 11:29:02"
   "gateway_base_url" : "http://192.168.1.1:8080/",
   "ADAPTER_NAME" : "Intel(R) 82567LF Gigabit Network Connection - Packet Scheduler Miniport",
   "HTML_LOGIN_FORM_ACTION_0" : "http://192.168.1.1/cache/697866478/index.cgi",
   "HTML_LOGIN_FORM_INPUT_PASSWORD_NAME_0" : "passwd1",
   "HTML_LOGIN_FORM_INPUT_TEXT_NAME_0" : "user_name",
   
http://192.168.1.1 is my router's URL address. At the exact time the dialog popped up, these entries get logged.  Do you guys think this is anything?

ps, there was nothing logged in the /report/FileSystemShield.txt log.

Thanks again for the help.
      

[Eddy]

http://www.blackviper.com/windows-services/protected-storage/

I would disable the service and see what happens.
It is using a really old protection method anyway and MS is advising to use something else.