Author Topic: Why is Avast SNOOPING through my files???  (Read 1135 times)


Offline Rekrul

  • Jr. Member
  • **
  • Posts: 42
Why is Avast SNOOPING through my files???
« on: February 08, 2020, 01:59:29 AM »
I do NOT have any automatic scans set. Avast is not set to take any automatic or scheduled actions other than updating the virus definitions. So why the hell does it SNOOP through all the files on my C: drive at least once a day???

Over the course of 2-3 minutes, Process Monitor caught Avast making over a million accesses to my C: drive. A small sampling of the files that it accessed:

C:\Program Files\URUSoft\Subtitle Workshop\Langs\Galego.lng
C:\Program Files\SumatraPDF\SumatraPDF.exe
C:\Program Files\Total Uninstall\Zeckensack's Glidewrapper 084c.tun
C:\Program Files\GIMP 2\share\gimp\2.0\help\en\images\filters\examples\color-taj-vinvert.jpg
C:\Program Files\Haali\MatroskaSplitter\uninstall.exe
C:\Program Files\Games\DarkXL\DarkXL\CoreWeapons_Mortar.as
C:\Program Files\Games\Eidos\Core\TOMBRAID\LEV0_3.3DF
C:\Program Files\Games\LucasArts\MotS\Resource\VIDEO\S5L3ECS.SAN
C:\Program Files\Games\Microsoft Games\Halo\CONTROLS\controls.dll
C:\Program Files\Handbrake\Caliburn.Micro.dll
C:\Program Files\Icon Snatcher\help\search.html
C:\Program Files\Ahead\Nero\NeEm2a.dll
C:\Program Files\IZArc\Skins\Kde-linux.bmp
C:\Documents and Settings\All Users\Start Menu\Programs\HECI
C:\Documents and Settings\All Users\Application Data\Adobe Systems, Inc Shared
C:\Documents and Settings\NetworkService\Application Data\Adobe Shockwave Player 12.0 Software

If there are no automatic or scheduled scans set, why is it looking at these files? Is it snooping through my drive for information it can sell to advertisers?

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9336
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Why is Avast SNOOPING through my files???
« Reply #1 on: February 08, 2020, 08:33:52 AM »
You do realize it's an antivirus that scans things on-access? It doesn't have to be you executing or accessing the files. It can be Windows search, prefetch, Steam client doing updates, numerous things. avast! just intercepts access events and scans said files. There is nothing evil behind it and every antivirus will behave the same minus certain differences because they don't scan the same scope of files and in the exact same way.
Visit my webpage Angry Sheep Blog

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2775
  • Volunteer
Re: Why is Avast SNOOPING through my files???
« Reply #2 on: February 08, 2020, 04:22:32 PM »
Rej hit the nail on the head here.

I work in the (security) industry, and this is exactly what Avast! is doing, on-access scans. There is nothing abnormal about this activity. You'd be hard-pressed to find any reputable anti-virus that doesn't implement OAS. This activity is prevalent in the Enterprise space as well. Applications like McAfee (ePO) will have OAS for emails, file access, downloads etc.

McAfee OAS: https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orchestrator-windows/page/GUID-5A870D4E-FFBB-4F32-866E-A0F26F327501.html
BitDefender OAS Troubleshoot: https://www.bitdefender.com/support/troubleshoot-on-access-scanning-in-bitdefender-endpoint-security-tools-for-linux-2329.html
Trendmicro: https://docs.trendmicro.com/all/ent/tms/v2.5/en-us/tmtm_2.5_olh/on-demand_scan.htm
Kaspersky: https://help.kaspersky.com/KS4Sharepoint/9.2/en-EN/72194.htm
*Volunteer*.
Tier I SOC Analyst; Threat Hunter; Digital Forensics (no cert); HTB Competitor; Pentester (no cert).

4th Year BCS Student.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 43710
  • 60 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Why is Avast SNOOPING through my files???
« Reply #3 on: February 08, 2020, 10:31:53 PM »
The Coronavirus isn't the only new virus out there.
New security breaches happen constantly. The only way to stay protected,
is for your AV to scan and have access to every part of your system.
« Last Edit: February 08, 2020, 11:25:46 PM by bob3160 »
Free avast! Security Seminar: http://bit.ly/2N1eaR2  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 10 Pro v1909 64bit, 24 Gig Ram, 1TB SSD, AvastOmni 20.3.xxx, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2775
  • Volunteer
Re: Why is Avast SNOOPING through my files???
« Reply #4 on: February 08, 2020, 11:20:14 PM »
Bob, are you talking about the newest Coronavirus? Because 2019-nCoV is NOT SARS. The SARS infection happened back in '03, the newest one is yet to be officially named to my knowledge.

They're related, but not the same.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 43710
  • 60 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Why is Avast SNOOPING through my files???
« Reply #5 on: February 08, 2020, 11:26:23 PM »
> Bob, are you talking about the newest Coronavirus? Because 2019-nCoV is NOT SARS. The SARS infection happened back in '03, the newest one is yet to be officially named to my knowledge.
>
> They're related, but not the same.

Thanks, I've corrected my post. :)

Offline Rekrul

  • Jr. Member
  • **
  • Posts: 42
Re: Why is Avast SNOOPING through my files???
« Reply #6 on: February 09, 2020, 05:04:16 AM »
> You do realize it's an antivirus that scans things on-access? It doesn't have to be you executing or accessing the files. It can be Windows search, prefetch, Steam client doing updates, numerous things.

I don't have Steam or anything else installed that should be scanning my drive. Windows search shouldn't be doing anything on its own.

> avast! just intercepts access events and scans said files. There is nothing evil behind it and every antivirus will behave the same minus certain differences because they don't scan the same scope of files and in the exact same way.

If Avast is just intercepting some other process scanning my drive, why doesn't that process show up in Process Monitor alongside Avast?

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2775
  • Volunteer
Re: Why is Avast SNOOPING through my files???
« Reply #7 on: February 09, 2020, 06:01:20 AM »
> > You do realize it's an antivirus that scans things on-access? It doesn't have to be you executing or accessing the files. It can be Windows search, prefetch, Steam client doing updates, numerous things.
>
> I don't have Steam or anything else installed that should be scanning my drive. Windows search shouldn't be doing anything on its own.
>
> > avast! just intercepts access events and scans said files. There is nothing evil behind it and every antivirus will behave the same minus certain differences because they don't scan the same scope of files and in the exact same way.
>
> If Avast is just intercepting some other process scanning my drive, why doesn't that process show up in Process Monitor alongside Avast?

You missed the point of Rej's clarification. Any time you open a file (images, exes, doc(x), ppt(x), etc.) Avast! will scan it to make sure it's not doing anything malicious. Evidently, you don't know why Avast! would choose to scan documents... so let me point you in the right direction. Emotet, quite possibly the most prevalent piece of malware, is spread using an exploitation in Word documents. It's highly effective, extremely dangerous, and unfortunately for most users, they'd never think "Oh, that PNG or DOCX file could contain malware!".

https://blog.malwarebytes.com/detections/trojan-emotet/

The United Nations (yes, the UN) was recently hit with a cyber attack using none other than Emotet. Last confirmed report I had indicated 40+ core servers compromised in the attack.

https://www.forbes.com/sites/daveywinder/2020/01/30/united-nations-confirms-serious-cyberattack-with-42-core-servers-compromised/#ad03cb3633da

That is why Avast! is scanning documents/exe/images/dlls that are opened. This is perfectly normal behaviour for any antivirus. In fact, I'd say if it WASN'T doing it, I'd be suspicious.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9336
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Why is Avast SNOOPING through my files???
« Reply #8 on: February 09, 2020, 05:16:42 PM »
> > You do realize it's an antivirus that scans things on-access? It doesn't have to be you executing or accessing the files. It can be Windows search, prefetch, Steam client doing updates, numerous things.
>
> I don't have Steam or anything else installed that should be scanning my drive. Windows search shouldn't be doing anything on its own.
>
> > avast! just intercepts access events and scans said files. There is nothing evil behind it and every antivirus will behave the same minus certain differences because they don't scan the same scope of files and in the exact same way.
>
> If Avast is just intercepting some other process scanning my drive, why doesn't that process show up in Process Monitor alongside Avast?

I just gave those as an example. Also, Windows Search DOES things on its own. It's called Search Indexing. Processes are also often nested where you need to expand them to see what's really running. It can be a bunch of things that trigger scanning. It can be Search Indexing, thumbnail generation or preview generation, updates, god knows what; it's hard to tell as there is always a lot going on inside the OS. It could even be an OS-triggered event that invokes scanning. I can just say for certain it's nothing bad. All antiviruses do this. It's literally their job to keep an eye on files. The old days of daily scrubbing of drives with manually started scans are long gone; real-time scanning gets that job done in, well, real time as changes happen.
Visit my webpage Angry Sheep Blog
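
Added example (not part of the thread, and not Avast or Sysinternals code): one way to check, from a Process Monitor CSV export, which other process touched a file just before the scanner did, i.e. the kind of trigger described in the replies above. The process names AvastSvc.exe, SearchIndexer.exe and explorer.exe, the PIDs, the one-second window and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in Process Monitor's default CSV export layout.
# Process names and PIDs are assumptions, not taken from the thread.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:59:29.1000000 AM","SearchIndexer.exe","1420","CreateFile","C:\Program Files\SumatraPDF\SumatraPDF.exe","SUCCESS",""
"1:59:29.1004000 AM","AvastSvc.exe","1088","CreateFile","C:\Program Files\SumatraPDF\SumatraPDF.exe","SUCCESS",""
"1:59:29.1009000 AM","AvastSvc.exe","1088","ReadFile","C:\Program Files\SumatraPDF\SumatraPDF.exe","SUCCESS",""
"1:59:29.2000000 AM","explorer.exe","2300","CreateFile","C:\Program Files\IZArc\Skins\Kde-linux.bmp","SUCCESS",""
"1:59:29.2003000 AM","AvastSvc.exe","1088","ReadFile","C:\Program Files\IZArc\Skins\Kde-linux.bmp","SUCCESS",""
"1:59:31.0000000 AM","AvastSvc.exe","1088","CreateFile","C:\Program Files\Handbrake\Caliburn.Micro.dll","SUCCESS",""
'''


def parse_time(text):
    """Parse Procmon's 'Time of Day' (7 fractional digits; %f takes at most 6)."""
    clock, ampm = text.split(" ")
    hms, frac = clock.split(".")
    return datetime.strptime(f"{hms}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")


def attribute_scans(csv_text, scanner="AvastSvc.exe", window=timedelta(seconds=1)):
    """Return Counter: triggering process -> number of distinct scanned paths.

    A scanned path is attributed to the last other process that touched the
    same path at most `window` earlier; paths with no such access go under None.
    Rows are assumed chronological and not spanning midnight.
    """
    last_touch = {}   # path -> (time, process) of the latest non-scanner access
    attributed = {}   # path -> triggering process, or None if unexplained
    for row in csv.DictReader(io.StringIO(csv_text)):
        when, path = parse_time(row["Time of Day"]), row["Path"].lower()
        if row["Process Name"].lower() != scanner.lower():
            last_touch[path] = (when, row["Process Name"])
            continue
        seen = last_touch.get(path)
        if seen and timedelta(0) <= when - seen[0] <= window:
            attributed[path] = seen[1]
        else:
            attributed.setdefault(path, None)
    return Counter(attributed.values())


if __name__ == "__main__":
    for process, paths in attribute_scans(SAMPLE_CSV).most_common():
        print(f"{process or 'no other process seen'}: {paths} path(s)")
```

Paths counted under None are the ones worth a closer look in the capture, since no other process in the export explains them within the window.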