Author Topic: Quarantine and Exclusions not working  (Read 3391 times)


OutbackMatt
Quarantine and Exclusions not working
« on: April 11, 2022, 01:21:23 PM »
I have, multiple times and on many machines, set a quarantine exception, and every time the file updates (most days) the file is detected again and I have to rescue it from Quarantine.

The file has the same name and is in the same location each time - how can I get a quarantine exception to work on this file?

I've also excluded that same file, and the holding folder using exclusions, but again every time the file updates it is caught again.
I've excluded my website where the file is upgraded from...

 

OutbackMatt
Re: Quarantine and Exclusions not working
« Reply #1 on: April 22, 2022, 01:09:40 AM »
And now I've had cmd.exe be blocked for "IDP.Generic - Command line detection"

DavidR
Re: Quarantine and Exclusions not working
« Reply #2 on: April 22, 2022, 01:40:30 AM »
Screenshots of these alerts could help us to help you.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

OutbackMatt
Re: Quarantine and Exclusions not working
« Reply #3 on: April 25, 2022, 02:57:10 AM »
Sure,

One example. This is entirely repeatable.

Here is a screenshot showing how many times this file (same name in two separate locations) is caught by the Quarantine system
And secondly is a screenshot showing the exclusions

OutbackMatt
Re: Quarantine and Exclusions not working
« Reply #4 on: April 25, 2022, 10:54:51 AM »
And this again

(Removed the exceptions for meshagent 4 times today)

DavidR
Re: Quarantine and Exclusions not working
« Reply #5 on: April 25, 2022, 04:22:11 PM »
If you have MeshAgent.exe in quarantine I suggest you submit it for analysis - see attached images.

Give brief details of the problem in the remarks section of the submission and I would suggest giving a link to this topic so they can also see the problem in detail.

That said, the detection is on cmd.exe, presumably because it is being run by meshagent.exe; I certainly wouldn't recommend excluding cmd.exe.

I also did a search on meshagent.exe - https://www.google.co.uk/search?q=meshagent.exe - and there are a lot of hits, some relating to malware.  This being just one - https://www.hybrid-analysis.com/sample/47cfbeb98ee6a141d4550c19be928625ef633d02d863f727ad08415408f2933c/6163ea9891e09e09784aade3

I have zero experience of meshagent or how it works.
But the detection is IDP (Intrusion Protection Detection) Generic (a generic signature rather than a specific signature), so it could be that what it is doing looks like an intrusion.

OutbackMatt
Re: Quarantine and Exclusions not working
« Reply #6 on: April 26, 2022, 02:07:35 PM »
> If you have MeshAgent.exe in quarantine I suggest you submit it for analysis - see attached images.

I have a number of times

> I also did a search on meshagent.exe - https://www.google.co.uk/search?q=meshagent.exe - and there are a lot of hits, some relating to malware.  This being just one - https://www.hybrid-analysis.com/sample/47cfbeb98ee6a141d4550c19be928625ef633d02d863f727ad08415408f2933c/6163ea9891e09e09784aade3
>
> I have zero experience of meshagent or how it works  ?
> But the IDP (Intrusion Protection Detection) Generic (generic signature rather than a specific signature), so it could be what it is doing could look like an Intrusion.

I completely agree with your assessment; however, I am trying to bypass the automatic deletion of this software. I can't force Avast to NOT delete this file. Each time I ask for the quarantined exe to be excluded, it is, only for the software to be quarantined again, sometimes only hours later.

This is a case of the tail wagging the dog - and Avast should stop doing that.

DavidR
Re: Quarantine and Exclusions not working
« Reply #7 on: April 26, 2022, 06:04:45 PM »
I'm surprised that you haven't had a reply as yet.

As I suggested, did you ever give a link back to this topic? That probably has more information than a remarks window caters for and may help.

Unfortunately it is always going to be a fine balance with tools like this and I don't know why the exclusion doesn't work. 

That said, in a way I do have an idea as I don't think it is just the file name that is the problem, but its actions that are getting hit and an exclusion doesn't stop its actions being checked.  Which would appear to be why your image shows cmd.exe being alerted on, presumably because meshagent.exe calls it to perform actions.

I will try to draw some attention to this topic.

kyle.w (Avast team)
Re: Quarantine and Exclusions not working
« Reply #8 on: April 26, 2022, 07:09:01 PM »
False positive detections can usually be resolved via exclusions. Since cmd.exe is being detected, the exclusions need to be configured for the file that is triggering cmd to be run. It may also be necessary to create a script exclusion for the commands being run in cmd by the detected file. The file/s can also be sent to the Avast Virus Labs for whitelisting within the virus definitions.

I recommend reaching out to the Avast technical support team for assistance in creating the proper exclusions. https://www.avast.com/en-us/business-support-contact

The technical support team can also be contacted via the "contact support" button in your management console.
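
Added example (not part of the thread and not Avast tooling): before excluding anything, an administrator can list exactly which command lines MeshAgent.exe has launched through cmd.exe, using Windows Security event 4688. It assumes "Audit Process Creation" and "Include command line in process creation events" are enabled and that it is run from an elevated prompt; the parameter names and the 7-day window are arbitrary choices for this example.

```powershell
# Added example: inventory the cmd.exe command lines started by one parent binary.
# Source: Security log, event 4688 (process creation). Assumes command-line
# auditing is enabled; without it the CommandLine field is empty.
param(
    [string]$ParentName = 'MeshAgent.exe',  # file name taken from the thread
    [int]$Days = 7                          # look-back window (arbitrary)
)

$filter = @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddDays(-$Days)
}

$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Convert the event's EventData name/value pairs into a hashtable
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Parent      = $data['ParentProcessName']
            Child       = $data['NewProcessName']
            CommandLine = $data['CommandLine']
        }
    } |
    Where-Object {
        # Keep only cmd.exe processes whose parent is the binary of interest
        $_.Parent -and $_.Child -and
        (Split-Path $_.Parent -Leaf) -ieq $ParentName -and
        (Split-Path $_.Child  -Leaf) -ieq 'cmd.exe'
    }

# One row per distinct command line, most frequent first
$rows | Group-Object CommandLine |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap
```

Each distinct command line in the output is something to review for legitimacy and to hand to support when requesting an exclusion; an empty result with auditing enabled means the parent did not start cmd.exe in the window.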