Author Topic: repeated reports after exception made  (Read 3633 times)

Offline v+willow

  • Newbie
  • *
  • Posts: 8
repeated reports after exception made
« on: August 24, 2020, 12:19:53 AM »
So I have been harassed by Avast reporting IDP.GENERIC for a couple AHK (autohotkey) scripts that I have been using for years... although this started on a new computer, having a somewhat different configuration than former ones.

Observation 1: During the harassments, I note that the mouse motion is extremely slow on-screen, making it easy to overshoot the target location (the Avast popup) and thus hard to quickly deal with the problem.

Observation 2: While telling Avast to make an exception for one of the scripts, it reports the other one. I don't think the scripts are interconnected, they do different things, but there is always this one, two sequence.

Observation 3: Although I make an exception, and Avast records the exception, the next time I restart, the reports will happen again.  Once per restart seems to be guaranteed, although it may be some hours between restart and first report.

Observation 4: The location of the script is on a network share that actually points to a folder on my local hard drive: net use d: \\computername\d  where d is a sharename pointing to a folder on one of my local hard drives (which is drive b:, but is an SSD, not a floppy drive).

Observation 5: I noticed the exceptions were intact upon restart, and before Avast reports them again.  Just now I noticed that the exceptions are recorded both as d:\path-to-script  and  \\computername\d\path-to-script.  I'm not sure I noticed the 2nd entry before, but I can't guarantee it wasn't there, either. I was looking for one (actually two, one for each script) of the first form and found them.

Observation 6: When the report happened a few minutes ago, the Avast dialog popped up but only very tiny, with the word Avast. I waited a while, but the dialog never expanded size. I decided to restart, but the restart process runs a batch file which stalled because the script that is always first to be reported didn't exist in its usual place. What's more, it is not in the virus chest either. So we have data loss. (I do have a backup copy, but data loss is not a good feature). Maybe there is some secret place such files are placed in until the user chooses move to chest or create exception????

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: repeated reports after exception made
« Reply #1 on: August 24, 2020, 08:30:20 AM »
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline v+willow

  • Newbie
  • *
  • Posts: 8
Re: repeated reports after exception made
« Reply #2 on: August 27, 2020, 10:51:30 PM »
Observation 6 just recurred. Keyboard and mouse response now very slow, perhaps because (I just had this idea) the program being quarantined has a keyboard hook and a mouse hook (AutoHotKey).

But the tiny window that appears, barely large enough to say "avast", doesn't allow me to respond to the false positive report to mark it (again) as an exception.

Past experience tells me that if I reboot, I'll have to restore the file from backup, which is extremely annoying. But if I don't, it seems my keyboard and mouse will be slow, which is extremely annoying.

Is this not a bug? How to report it, other than here, as a user of free avast?

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: repeated reports after exception made
« Reply #3 on: August 28, 2020, 12:49:28 PM »
- Which Avast..? (Free/Pro/IS/Premium)
- Which version/build of Avast..?
- OS..? (32/64 Bit..? - which SP/Build..?)
- Other security related software installed..?
- Which AV(s) did you use before Avast..?

Offline v+willow

  • Newbie
  • *
  • Posts: 8
Re: repeated reports after exception made
« Reply #4 on: August 28, 2020, 11:39:30 PM »
Both Avast and Windows autoupdate.

Free Avast, as mentioned just above.  20.6.2420 build 20.6.5495.588
virus defs: 200827-2

64-bit Windows 10 Pro.  version 2004 build 19041.450

Windows Defender seems to be part of Windows these days, and I haven't tried to disable it.

I've been using Avast for years, and never installed other AntiVirus on this new machine.

Offline v+willow

  • Newbie
  • *
  • Posts: 8
Re: repeated reports after exception made
« Reply #5 on: August 28, 2020, 11:46:22 PM »
Observation 7: in gathering the version info, I clicked to open the Avast window, and it came up, but didn't respond. So I right clicked the system tray icon, and chose About, and the window changed to choose about info, which I dutifully copied into my last reply. Then I couldn't close the about info window, so I tried update from the system tray, and got new virus definitions, but then still can't close the Avast / General / Update panel, or the main window behind it.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: repeated reports after exception made
« Reply #6 on: August 29, 2020, 05:36:06 AM »
Repair Avast:
1. Avast GUI -> Settings -> Troubleshooting
2. Click on 'REPAIR APP'.
3. Follow instructions.
4. Reboot.

Offline rocksteady

  • Super Poster
  • ***
  • Posts: 1533
Re: repeated reports after exception made
« Reply #7 on: August 29, 2020, 10:18:39 AM »
@Asyn
If the OP cannot open the UI properly then he will have little chance of doing a REPAIR APP via that route.

@v+willow
Instead:
Right click Windows icon>Apps and Features>select Avast Antivirus>Uninstall
From there you should see Repair App as an option.
Try that.

Offline v+willow

  • Newbie
  • *
  • Posts: 8
Re: repeated reports after exception made
« Reply #8 on: October 01, 2020, 12:39:04 AM »
I was traveling a while, so didn't get back to this right away, but Avast updated, which I hoped would help, and I got a message back saying AHK was reset in their system, and  I finally restored my program that was deleted by Avast at the time it put its tiny window on the screen. And then the alerts start again, I add the exception, but after a reboot, the alert happens again, and so I tell it to do the exception, etc.

Earlier, I'd get two in a row with different AHK scripts, but the recent ones are just for the one AHK script.  But why don't the exceptions stick past the reboot?

Offline v+willow

  • Newbie
  • *
  • Posts: 8
Re: repeated reports after exception made
« Reply #9 on: October 06, 2020, 03:08:18 AM »
Here's the dialog I get every day, claiming "It won't be scanned again", but every day I get an alert and have to re-create the already existing exception.

Offline PDI

  • Avast team
  • Full Member
  • *
  • Posts: 159
Re: repeated reports after exception made
« Reply #10 on: October 06, 2020, 12:26:19 PM »
Hi v+willow,

the detection should not occur again.

Could you please use our SupportTool.exe utility to collect all the important data for us? The tool should be present in this folder on your machine: c:\Program Files\Avast Software\Avast\SupportTool.exe. Here you can find some information on how to use it: https://support.avast.com/en-eu/article/33/

Please share the File Id so we can check your logs.

Thanks,
PDI


Offline v+willow

  • Newbie
  • *
  • Posts: 8
Re: repeated reports after exception made
« Reply #11 on: October 06, 2020, 11:38:17 PM »
Today I thought to capture the "Threat blocked" dialog before clicking More Options and then Create Exception... just in case it has some useful information.

And then I saw your reply.  I don't have a ticket number.  The Support Tool is running, generating support file...

I guess this is the File ID:  E 1E 1F
Will attach screenshot of Support Tool in case the file name, which is longer, is also needed.

Offline PDI

  • Avast team
  • Full Member
  • *
  • Posts: 159
Re: repeated reports after exception made
« Reply #12 on: October 07, 2020, 03:23:29 PM »
Hi,

I found the package and I'll look into it.

Regards,
PDI

Offline PDI

  • Avast team
  • Full Member
  • *
  • Posts: 159
Re: repeated reports after exception made
« Reply #13 on: October 13, 2020, 12:23:42 PM »
Hi v+willow,

we found a problem when the script is executed via a mounted disk. The exclusion is created for the UNC path and the behavioral shield isn't able to verify the exclusion correctly. We are going to fix it in one of the next releases. Thanks for the report.

If it's possible for you to use the UNC path directly, please use it as a workaround.

Regards,
PDI
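
The mismatch described in the reply above, as an added illustration that is not part of the original thread and is not Avast's code: an exclusion stored in UNC form does not match a launch through the mapped drive letter unless both sides are first reduced to one canonical path. The alias table, the folder behind the share (`b:\share-folder`) and the script name are constructed placeholders.

```python
import ntpath

# Constructed sample data modelled on the thread. The folder behind the share
# and the script name are hypothetical placeholders, not taken from the page.
ALIASES = {
    "d:": r"\\computername\d",                # net use d: \\computername\d
    r"\\computername\d": r"b:\share-folder",  # share -> local folder (assumed)
}
EXCLUSIONS = [r"\\computername\d\scripts\hotkeys.ahk"]  # stored in UNC form


def canonical(path, aliases=ALIASES):
    """Reduce any alias of a file to one lower-cased local path."""
    drive, rest = ntpath.splitdrive(ntpath.normpath(path))
    if rest and not rest.startswith("\\"):
        # Drive-relative ("d:file") depends on the current directory; leave it.
        return (drive + rest).lower()
    seen = set()
    while drive.lower() in aliases and drive.lower() not in seen:
        seen.add(drive.lower())               # guard against alias loops
        prefix = aliases[drive.lower()]
        drive, extra = ntpath.splitdrive(prefix)
        rest = extra.rstrip("\\") + rest
    return (drive + rest).lower()


def is_excluded_literal(path, exclusions=EXCLUSIONS):
    """Naive check: compare the launch path exactly as it was typed."""
    return path.lower() in {e.lower() for e in exclusions}


def is_excluded_canonical(path, exclusions=EXCLUSIONS, aliases=ALIASES):
    """Compare only after both sides are reduced to the same form."""
    return canonical(path, aliases) in {canonical(e, aliases) for e in exclusions}


if __name__ == "__main__":
    for launch in (r"d:\scripts\hotkeys.ahk",
                   r"\\computername\d\scripts\hotkeys.ahk",
                   r"b:\share-folder\scripts\hotkeys.ahk"):
        print(f"{launch:42} literal={is_excluded_literal(launch)!s:5} "
              f"canonical={is_excluded_canonical(launch)}")
```

On a real machine the alias table would come from the output of `net use` and `net share` rather than being typed in by hand.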

Offline v+willow

  • Newbie
  • *
  • Posts: 8
Re: repeated reports after exception made
« Reply #14 on: April 24, 2021, 12:56:09 AM »
So this problem did, indeed, go away for quite a while after a new version, but about 3 weeks ago (probably an even newer version) it came back.

I'm not exactly sure what changed to fix the problem, or what changed to unfix the problem.

I'm also not sure what you mean I should do when you say "If it's possible for you to use the UNC path directly".

Do you mean to launch the program by using the UNC path instead of the drive letter when the program is started?  And while that may make the exclusion stick better, why is my script, that I wrote (or modified, but which is stored in plain text on my computer, and has no devious effects), triggering a claim of being infected in the first place?  In other words, why do I need an exclusion in the first place?