Author Topic: This is just too much!  (Read 12820 times)


Offline jvidal

  • Sr. Member
  • ****
  • Posts: 325
Re: This is just too much!
« Reply #15 on: June 10, 2017, 11:09:06 PM »
I'm gonna try to explain this in a clearer way.
Avast "finds" a virus in file X (which is not actually a virus, it's a FP). A window pops up saying that file X is infected with something (usually it just has a "bad rep", according to someone; FileRep: malware is the detection). Another bogus detection might also appear (IDP.Generic or that damn "evo-gen" crap). Then, and this is the real problem, avast goes crazy and starts deleting other files. The first one, Winzip.exe, because the file X was inside a zip file when the bogus detection happened. Then, after that, avast just starts deleting other files A, B, C, D... etc. that are located in other folders and have ABSOLUTELY NOTHING TO DO WITH FILE X. Also, these files are all 100% clean files, that have been used millions of times before, without avast detecting anything in them.
« Last Edit: June 11, 2017, 12:01:43 AM by jvidal »

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48568
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: This is just too much!
« Reply #16 on: June 10, 2017, 11:28:42 PM »
Reported to Avast on another channel. Remember, this is the weekend.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline jvidal

  • Sr. Member
  • ****
  • Posts: 325
Re: This is just too much!
« Reply #17 on: June 10, 2017, 11:59:00 PM »
The critical issue here is WHY is avast doing this???? Why? What triggers this erratic behavior?

Avast should just deal with the (alleged) infection and stop there (like it has always done!). Why does it go on to delete a lot of other, completely unrelated AND CLEAN FILES??? Files that have been used a million times in the past without any issues! And even if those files were some sort of malware or even false positives, why isn't there a notification to the user? They're just moved to the vault, but they DO NOT show up in the vault in the AVAST UI; they cannot be recovered, except from a backup (and strangely enough, avast doesn't say ANYTHING when copying the files back from the backup).
This issue is absolutely critical and needs fixing ASAP!!!!!!

Offline ApoC

  • Avast team
  • Jr. Member
  • *
  • Posts: 29
Re: This is just too much!
« Reply #18 on: June 11, 2017, 12:04:51 AM »
Hello,

I checked the logs and the detected file is setup.exe, and the detection comes from Avast's cloud; this is the reason why there is no detection dialog and removal is triggered without prompting. Removal then removes all files installed by setup.exe. I passed this information to our viruslab for further setup.exe analysis. If it is confirmed as an FP, it will be reclassified in the cloud.

As a workaround, you can add this file manually to the exception list until the classification is changed.

Offline ApoC

  • Avast team
  • Jr. Member
  • *
  • Posts: 29
Re: This is just too much!
« Reply #19 on: June 11, 2017, 12:17:48 AM »
About the missing record in the vault: from the logs it looks like you turned the behavioral component down or restarted during the removal. Detection was triggered at 20:16:55,976 and the behavioral engine received the command to stop at 20:17:12,628. It is possible that in this case the result of the removal is not written into the database => not visible from the UI. If so, this is definitely a bug.

We will test this scenario ASAP.

Thank you for the logs file and your cooperation.

Offline jvidal

  • Sr. Member
  • ****
  • Posts: 325
Re: This is just too much!
« Reply #20 on: June 11, 2017, 12:36:06 AM »
Thanks, but like I said, why does avast start deleting other files THAT HAVE ABSOLUTELY NOTHING TO DO with the initial "infection"?
The files avast deleted were there BEFORE the alleged infection, they're completely unrelated.
And yes, I restarted the PC to avoid further damage!!!

That is the crucial issue here!

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: This is just too much!
« Reply #21 on: June 11, 2017, 12:40:03 AM »
Seems to me that all files related to setup.exe are removed, meaning also everything that setup is using, including zip etc.
I can be wrong of course, but have patience as avast is looking into it.

Offline jvidal

  • Sr. Member
  • ****
  • Posts: 325
Re: This is just too much!
« Reply #22 on: June 11, 2017, 12:42:49 AM »
I can't, for the life of me, think what programs like Gzdoom or MAME or other games/utilities/emulators I have on my drive might have to do with some program's installation. There's something VERY WRONG here.

Plus, if I open an (allegedly) infected file inside a zip file using winzip, avast should be smart enough to deal with the real infection and NOT DELETE winzip.exe!!!!!
It's like "killing the messenger".
« Last Edit: June 11, 2017, 12:44:44 AM by jvidal »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: This is just too much!
« Reply #23 on: June 11, 2017, 12:44:18 AM »
Guess you never programmed.
I have and still do and real strange things can happen if you make a real tiny mistake.

Offline jvidal

  • Sr. Member
  • ****
  • Posts: 325
Re: This is just too much!
« Reply #24 on: June 11, 2017, 12:53:44 AM »
Programmer or not, just explain this to me:
Avast finds an (alleged) virus in a temp folder (opened from within a zip file).
Avast deleted the alleged infection and THEN it proceeds to delete winzip.exe and some other completely unrelated files in other folders (like MAME, GzDoom and others). Then, it goes to yet another folder and starts deleting other utilities. Those same files have NEVER EVER been detected as malware by avast before.
Huh?

Oh and BTW, I have programmed in BASIC, Pascal, FORTRAN, C/C++, Visual Basic, even Scheme, for god's sake!
Oh, almost forgot: Assembler (Assembly) too.
« Last Edit: June 11, 2017, 01:02:51 AM by jvidal »

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48568
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: This is just too much!
« Reply #25 on: June 11, 2017, 12:59:32 AM »
> Programmer or not, just explain this to me:
> Avast finds an (alleged) virus in a temp folder (opened from within a zip file).
> Avast deleted the alleged infection and THEN it proceeds to delete winzip.exe and some other completely unrelated files in other folders (like MAME, GzDoom and others). Then, it goes to yet another folder and starts deleting other utilities. Those same files have NEVER EVER been detected as malware by avast before.
> Huh?
>
> Oh and BTW, I have programmed in BASIC, Pascal, FORTRAN, C/C++, Visual Basic, even Scheme, for god's sake!

You've already received a reply from Avast. As stated, they will be looking into this.
Eddy can't speak for Avast. At this point, you'll need to wait till Avast has had a chance to get to the bottom of this.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: This is just too much!
« Reply #26 on: June 11, 2017, 01:00:18 AM »
As I don't have the source code that avast is using, I only told what could be happening.

And as I said, avast is looking into it so have patience.

Offline jvidal

  • Sr. Member
  • ****
  • Posts: 325
Re: This is just too much!
« Reply #27 on: June 11, 2017, 01:04:38 AM »
I just hope you guys @avast can fix this nightmare once and for all. This started happening with version 17.2. It didn't happen before and I've been using avast for several years!

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: This is just too much!
« Reply #28 on: June 11, 2017, 01:10:14 AM »
ApoC is from avast.

Bob and I are not.

Offline ApoC

  • Avast team
  • Jr. Member
  • *
  • Posts: 29
Re: This is just too much!
« Reply #29 on: June 12, 2017, 04:30:51 PM »
Hello jvidal,

Today we marked setup.exe in the cloud as clean. I also noticed that your removed winzip is a very old one with an already expired digital certificate, and I highly suggest an upgrade. The certificate is also marked as mixed on our side (there is some PUP signed with it), so it is not trusted. This is most probably the reason why it was removed together with setup.exe, and this is also the reason why all other not digitally signed software unpacked by winzip was removed.