Author Topic: Avast and WPS Office Conflict(SOLVED)  (Read 16635 times)

0 Members and 1 Guest are viewing this topic.

Offline Spiritual2016

  • Sr. Member
  • ****
  • Posts: 348
Avast and WPS Office Conflict(SOLVED)
« on: March 16, 2017, 06:29:27 AM »
I opened my Word Processing Software (that I created and saved) and the following pop-up appeared:

Object: Http:\\cdn/adinall.com\js\ssp.\jsl (gZip) (Embedded)
Infection: HTMLScript-inf
Process: C:\Users\User\AppData\Local\Kingsoft\WPSOffice\10.2.0.5820\Office6\wps.exe


What is this HTMLScript-inf Infection?
« Last Edit: March 18, 2017, 10:23:22 PM by Spiritual2016 »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: False Positive Detected
« Reply #1 on: March 16, 2017, 06:32:38 AM »
You can report a suspected FP here: https://www.avast.com/false-positive-file-form.php
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Spiritual2016

  • Sr. Member
  • ****
  • Posts: 348
Re: False Positive Detected
« Reply #2 on: March 16, 2017, 06:36:26 AM »
Asyn:

The false positive threat was listed under 'Notifications' but not in the Virus Vault.

I ran a Smart Scan and Malware Scan but no threats were detected.

I checked for Avast Updates but the latest ones were already installed.

I rebooted and opened the software again but it was not detected as a threat.

a) What is this Object threat and why wasn't anything placed in the Virus Vault?

b) Why did rebooting resolve the issue?


« Last Edit: March 16, 2017, 08:21:02 AM by Spiritual2016 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: False Positive Detected
« Reply #3 on: March 16, 2017, 08:11:40 AM »
Quote
Wps.exe is my Kingsoft Writer (Word Processing Program) so why did Avast recognize it as a threat?
It did not

this is detected:  Object: Http:\\cdn/adinall.com\js\ssp.\jsl (gZip) (Embedded)



Offline Spiritual2016

  • Sr. Member
  • ****
  • Posts: 348
Re: False Positive Detected
« Reply #4 on: March 16, 2017, 08:17:25 AM »
It seems to be a false positive.

What is this specific Object threat and why wasn't anything placed in the Virus Vault?

« Last Edit: March 16, 2017, 08:58:19 AM by Spiritual2016 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: False Positive Detected
« Reply #5 on: March 16, 2017, 08:28:21 AM »
What is that Object Path?
You tell me
Did you open a doc, does it containe that url

anyway the url is none working

Quote
a) What is this Object threat and why wasn't anything placed in the Virus Vault?
Did avast say blocked?





Offline Spiritual2016

  • Sr. Member
  • ****
  • Posts: 348
Re: False Positive Detected
« Reply #6 on: March 16, 2017, 08:37:19 AM »
Like I already stated, I opened my word processing software (WPS Writer), it was detected as a 'Threat Blocked,' and listed in notifications but not in the virus vault.

A Smart Scan and Malware scan did not detect anything and the latest versions of Avast and WPS Writer are installed.

I opened and closed WPS 10 times and Avast blocked as a threat once.
« Last Edit: March 16, 2017, 08:50:10 AM by Spiritual2016 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: False Positive Detected
« Reply #7 on: March 16, 2017, 08:53:24 AM »
HTML:Script-inf is a website infection, if avast say blocked then there will not be anything in the chest


Offline Spiritual2016

  • Sr. Member
  • ****
  • Posts: 348
Re: False Positive Detected
« Reply #8 on: March 16, 2017, 08:56:22 AM »
Pondus:

The pop-up appeared when I opened my word processing software so I do not know about it being a website infection. I only have my Hotmail page and the Avast Forum pages open.

Does the fact that it was 'Blocked' mean that there is no infection on my system and nothing to be concerned about?

If so, why is WPS still being detected as a threat periodically?
« Last Edit: March 16, 2017, 09:00:52 AM by Spiritual2016 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: False Positive Detected
« Reply #9 on: March 16, 2017, 08:59:47 AM »
Quote
Does the fact that it was 'Blocked' mean that there is no infection on my system and nothing to be concerned about?
Blocked means you slam the door in its face before it can enter


Quote
If so, why is WPS still being detected as a threat periodically?
With the same message?



Offline Spiritual2016

  • Sr. Member
  • ****
  • Posts: 348
Re: False Positive Detected
« Reply #10 on: March 16, 2017, 09:02:26 AM »
Basically then, 'threat blocked' means that Avast did its job and there is no infection on my system-Correct?

The only webpages that are open are Hotmail and the Avast Forum but the threat blocked pop-up message did not appear on my browser-It was only appearing each time WPS was opened but it is not being displayed anymore

'If' the 'threat blocked' pop-up does keep appearing when opening WPS, what should I do?
« Last Edit: March 16, 2017, 09:11:19 AM by Spiritual2016 »

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: False Positive Detected
« Reply #11 on: March 16, 2017, 09:20:55 AM »
Hi,
First of all, the correct URL is cdn.adinall[.]com/js/ssp.js. I cannot resolve the host, so I cannot check the file itself, but it seems strange that it loads resources from these two (blocked) URLs:

chushoushijian[.]cn
dsp.jiaju933[.]com

Are you sure this is correct behaviour?

Offline Spiritual2016

  • Sr. Member
  • ****
  • Posts: 348
Re: False Positive Detected
« Reply #12 on: March 16, 2017, 09:40:26 AM »
HonzaZ-

To summarize: I opened my Word Processing Software (WPS) and the following pop-up appeared even before selecting a file that I created:

Object: Http:\\cdn/adinall.com\js\ssp.\jsl (gZip) (Embedded)
Infection: HTMLScript-inf
Process: C:\Users\User\AppData\Local\Kingsoft\WPSOffice\10.2.0.5820\Office6\wps.exe

A Smart Scan and Malware Scan did not detect anything, Avast and Avast and WPS are updated.

Follow-Up Questions:

a) 'If' a detected threat ever got into my system, what would the pop-up message state instead of 'Threat Blocked?'

b) Why did the VBS.Malware-gen infection in mid Feb (that affected all Avast users) and the IDP Generic infection (that I had in late Feb regarding the Gravis Dialer) get placed into the Virus Vault even though they were 'Blocked Threats' but this HTMLScript-inf infection, also a 'Blocked Threat,' was not placed in the Virus Vault?
« Last Edit: March 16, 2017, 09:52:04 AM by Spiritual2016 »

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: False Positive Detected
« Reply #13 on: March 16, 2017, 10:02:25 AM »
A Smart Scan and Malware Scan did not detect anything...
That is because the malicious file was blocked while being downloaded to your PC. There is no malicious file in your PC.

a) 'If' a detected threat ever got into my system, what would the pop-up message state instead of 'Threat Blocked?'
I am not the master of GUITM, but the message would be similar. Only the object wouldn't start with "http" but with "C:/" or something similar.

b) Why did the VBS.Malware-gen infection in mid Feb (that affected all Avast users) and the IDP Generic infection (that I had in late Feb regarding the Gravis Dialer) get placed into the Virus Vault even though they were 'Blocked Threats' but this HTMLScript-inf infection, also a 'Blocked Threat,' was not placed in the Virus Vault?
Once again, these are different files:
- If you have a file on your PC, and we detect it (by any detection), it goes to vault so you do not lose it.
- If you try to download a file to your PC, and we detect it (by any detection), the download is interrupted and the "part of the file that was already downloaded" is deleted. We are assuming here that if it was downloaded, there is no reason to fear about "losing" the file, as it can be easily downloaded again.

Offline Spiritual2016

  • Sr. Member
  • ****
  • Posts: 348
Re: False Positive Detected
« Reply #14 on: March 16, 2017, 08:06:58 PM »
HonZaz:

To Clarify:

a) What is HTMLScript-inf and why was it detected as a webpage threat when the pop-up appeared when opening my installed word processing program (the pop-up was not displayed on my browser?)

b) Since wps.exe 'is' a file on my computer and it was detected as a threat, why wasn't it placed in my Virus Vault?

c) Each time I open WPS, the 'Threat Block' message appears; Should I add it as an Exclusion? If so, how? If not, what step should I take?

d) In general, 'if' a detected threat ever got into my system, I understand that it would start with C:\ (not http') but what would the warning wording be instead of 'Threat Blocked?'