Topic: Avast alerting behavior

Firebytes

  • Guest
Avast alerting behavior
« on: October 02, 2008, 05:15:27 PM »
Is the following behavior normal for Avast when alerting on a file -

I turned on Returnil's system protection and then I downloaded a keylogger to test if Avast would detect it. The webshield caught it right away and offered me the chance to abort the connection to the website. Since I was testing, I ignored the alert for a few moments and then answered the alert to stop the connection. I assumed that Avast would stop the file from downloading until I answered the alert one way or the other but the file had downloaded to my desktop by the time I answered the alert. Is that normal or should Avast have stopped the file download until the alert was answered?

Also, after the file was downloaded, Avast would alert on it if I either attempted to run it or if I right clicked the file and scanned it. That is to be expected, but Avast would also then alert on the file again when I either clicked send to chest or delete. Avast did delete the file or send the file to the chest, whichever I had specified, but it was alerting again while performing these actions like I was accessing the file anew. So, I would get the initial alert after scanning the file and then I would click send to chest. Avast would then immediately alert on the file again. It made it kind of confusing as to what the answer should be for the alert that followed the first one I had already answered. Is that normal behavior?

Offline Vladimyr

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1639
  • Super(massive black hole) Poster
Re: Avast alerting behavior
« Reply #1 on: October 03, 2008, 03:21:29 AM »
Quick thought.
I'm no Returnil expert but my understanding is that it creates a virtual Windows session in a file in RAM and/or on the hard disk. avast! doesn't comprehend this so when it writes a suspect file to the chest, it is redetected as it is written into the virtual session file.
“There is a way that seems right to a man, but in the end it leads to death.” - Proverbs 16:25

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: Avast alerting behavior
« Reply #2 on: October 03, 2008, 01:51:15 PM »
I ignored the alert for a few moments and then answered the alert to stop the connection. I assumed that Avast would stop the file from downloading until I answered the alert one way or the other but the file had downloaded to my desktop by the time I answered the alert. Is that normal or should Avast have stopped the file download until the alert was answered?
The file starts to download until the specific string of a malware is detected. It could be at the end of the downloaded file. Anyway, the file is not saved to disk due to WebShield blocking, which requires user interaction.

Avast would also then alert on the file again when I either clicked send to chest or delete.
To click where? In Windows Explorer?

Avast did delete the file or send the file to the chest, whichever I had specified, but it was alerting again while performing these actions like I was accessing the file anew. So, I would get the initial alert after scanning the file and then I would click send to chest. Avast would then immediately alert on the file again. It made it kind of confusing as to what the answer should be for the alert that followed the first one I had already answered. Is that normal behavior?
I'm not able to figure out exactly the order of the events... but avast home does not have automated actions unless you've set Silent Mode in the Advanced tab of the provider's settings.
Windows Explorer reads the file properties to display it, to right click it... so even if you do nothing, the file is being accessed.
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: Avast alerting behavior
« Reply #3 on: October 03, 2008, 02:00:25 PM »
I've tested the behavior with a false positive detection:
http://forum.avast.com/index.php?topic=39098.0

Indeed, the message from WebShield is there...
Doing nothing, the file is saved and caught by ashQuick.exe after the download finishes (Free Download Manager).
Windows Explorer caught the file when I opened the folder to view it...

Now... I agree... something is cheesy here...
Isn't WebShield working on Vista?

Firebytes

  • Guest
Re: Avast alerting behavior
« Reply #4 on: October 03, 2008, 04:31:39 PM »
@ Vladimyr

Returnil virtualizes the whole C drive, so as far as Avast knows it is writing to the real chest. Not saying it couldn't happen but I have never had any software not work right with Returnil.

@ Tech

The file was detected as soon as I started the download but it finished downloading anyway if I didn't interact with webshield's warning and abort the connection. I just figured Avast would pause the download until I answered the alert.

After the file was downloaded and then picked up by Avast, when I said that Avast would alert again when I clicked "Send to chest" or "delete", I meant when I clicked to answer, in the alert window from Avast, what to do with the file, not in Windows Explorer.

Sorry if I am not explaining myself as well as I possibly could. Thanks for the responses.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: Avast alerting behavior
« Reply #5 on: October 03, 2008, 04:39:06 PM »
I just figured Avast would pause the download until I answered the alert.
Me too. Something is wrong...
I could not only download the file, but it was saved to the hard disk... seems that WebShield is not working on Vista at all...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89426
  • No support PMs thanks
Re: Avast alerting behavior
« Reply #6 on: October 03, 2008, 06:23:26 PM »
<snip>
@ Tech

The file was detected as soon as I started the download but it finished downloading anyway if I didn't interact with webshield's warning and abort the connection. I just figured Avast would pause the download until I answered the alert.

After the file was downloaded and then picked up by Avast and I said that Avast would alert again when I clicked "Send to chest" or "delete" I meant when I clicked to answer with what to do with the file in the alert window from Avast, not Windows Explorer.

Whilst the web shield technically stops the download, it stops it going to the temporary internet files (or browser cache), but it actually creates an unpNNNNNN.tmp (N being a sequence of numbers) file in the _avast4_ temp folder (the actual location is dependent on system variables).

Now under normal circumstances the standard shield on Normal sensitivity wouldn't alert on the creation of this .tmp file. I don't know if, were you to bump the standard shield up to High, it would scan this and alert.

Now comes the bit which may cause the file-doesn't-exist problem: when the web shield alert window is closed, the unpNNNNNNNN.tmp file is automatically removed from the _avast4_ folder. So if you subsequently try to delete it or move it to the chest, that would fall over as the file is no longer there.

The key to this theory is whether, on a higher sensitivity, the standard shield would scan these newly created .tmp files. However, I would have thought that avast wouldn't scan the _avast4_ folder, as there are likely to be unpacked suspect/infected files temporarily in that location.

So what sensitivity do you have the Standard Shield set to?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Firebytes

  • Guest
Re: Avast alerting behavior
« Reply #7 on: October 03, 2008, 10:47:26 PM »
I have XP Home with Avast's standard shield set to normal.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: Avast alerting behavior
« Reply #8 on: October 04, 2008, 12:19:25 AM »
So what sensitivity do you have the Standard Shield set to?
Custom... only scanning files on open.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89426
  • No support PMs thanks
Re: Avast alerting behavior
« Reply #9 on: October 04, 2008, 01:15:16 AM »
I have XP Home with Avast's standard shield set to normal.

Then my theory shouldn't happen. Where was the infected file found on your system?
e.g. (C:\windows\system32\infected-file-name.xxx)
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section; this contains information on all avast detections.

I also don't use virtualisation; are any of the settings, browser bookmarks/cache transferred to the real system?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: Avast alerting behavior
« Reply #10 on: October 04, 2008, 01:22:57 AM »
Then my theory shouldn't happen
Not even for me... it's weird... seems that Webshield alerts but does not block the download... can't you test?

Firebytes

  • Guest
Re: Avast alerting behavior
« Reply #11 on: October 04, 2008, 01:58:28 AM »
Then my theory shouldn't happen. Where was the infected file found on your system?
e.g. (C:\windows\system32\infected-file-name.xxx)
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section; this contains information on all avast detections.

I also don't use virtualisation; are any of the settings, browser bookmarks/cache transferred to the real system?

I downloaded the file to my desktop "C:\Documents and Settings\*\Desktop" then ran a quick scan via right click. Sorry, I won't have any logs of the activity unfortunately, since I had enabled Returnil's protection before downloading the file and have rebooted since then, which takes my computer back to the state it was in when I enabled the protection.

Nothing is saved on my real "C" drive while under Returnil's protection. I can manually save things to either my "F" drive (USB stick) or Returnil's virtual partition "Z" drive if I wish though, but I didn't.

If you wish I can download the file again and try to get more information if you think it will help.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89426
  • No support PMs thanks
Re: Avast alerting behavior
« Reply #12 on: October 04, 2008, 02:07:54 AM »
Then my theory shouldn't happen
Not even for me... it's weird... seems that Webshield alerts but does not block the download... can't you test?

I've never had it happen; how do you think I capture web pages to upload to VT with the web shield enabled? I visit the suspect link with the web shield enabled and the alert pops up; I take no action, visit the _avast4_ folder and copy the unp9999999.tmp file to my suspect folder.

At that point I abort the connection and I get no duplicate/second error and no file downloaded into the firefox browser cache, so I can't test what doesn't happen on my system.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89426
  • No support PMs thanks
Re: Avast alerting behavior
« Reply #13 on: October 04, 2008, 02:22:48 AM »
<snip>
I downloaded the file to my desktop "C:\Documents and Settings\*\Desktop" then ran a quick scan via right click. Sorry, I won't have any logs of the activity unfortunately, since I had enabled Returnil's protection before downloading the file and have rebooted since then, which takes my computer back to the state it was in when I enabled the protection.

Nothing is saved on my real "C" drive while under Returnil's protection. I can manually save things to either my "F" drive (USB stick) or Returnil's virtual partition "Z" drive if I wish though, but I didn't.

If you wish I can download the file again and try to get more information if you think it will help.

OK, that might put a slightly different light on things. Now when I right click on a file and select save as (or save file as) my default location is downloads (original, I know). Now if you use either a download manager or, in my case, firefox, you get something like a placeholder file, filename.part, as in this is the part of the file that has been downloaded so far.

The web shield, I would imagine, is also creating the unp999999.tmp file and that is what is alerted on, the unp file. Now what is in the download buffer, etc. may complete the filename.part (which now becomes filename.exe) in the location you chose to download the file, so it may be at that point that the newly created file is detected by the standard shield.

This is once again supposition on my part but logically possible if the file is one that the standard shield would scan on creation, e.g. executable/dangerous file types.

You could try the download again and monitor what is going on:
a) c:\windows\temp\_avast4_ (if that is your temp folder location),
b) whether there is a placeholder style file created in the download location (your desktop; you would only see this in explorer),
c) the avast log viewer Infected Files section, or
d) the C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log file.

The last bit (c, d) should show both alerts, the web URL and the HDD location and file name.
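An added example, not from this thread or from Avast, of how to watch for the two things DavidR suggests checking in a) and b): a small Python poller that reports when an unp*.tmp file appears or disappears in the _avast4_ temp folder, and when a placeholder .part file in the download folder is replaced by the final file. The folder paths, the .part name and the poll interval are assumptions; adjust them to your system.

```python
import fnmatch
import os
import time

# Assumed locations and name patterns (from DavidR's description of the
# unpNNNNNN.tmp file and the browser's filename.part placeholder); edit to match your PC.
WATCH = {
    r"C:\Windows\Temp\_avast4_": ["unp*.tmp"],
    r"C:\Documents and Settings\user\Desktop": ["*.part", "*.exe"],
}


def snapshot(folder):
    """Names currently in folder; empty set if the folder is missing or unreadable."""
    try:
        return set(os.listdir(folder))
    except OSError:
        return set()


def matching(names, patterns):
    """Subset of names that match any of the (lowercase) glob patterns, case-insensitively."""
    return {n for n in names if any(fnmatch.fnmatch(n.lower(), p) for p in patterns)}


def diff_snapshots(before, after, patterns):
    """Return (created, removed): watched names that appeared or vanished between two listings."""
    old, new = matching(before, patterns), matching(after, patterns)
    return sorted(new - old), sorted(old - new)


def watch(folders=WATCH, interval=0.5, duration=60.0):
    """Poll each folder for `duration` seconds and print every watched create/remove with a timestamp.

    A .part disappearing and an .exe appearing in the same tick is the placeholder
    being completed; an unp*.tmp vanishing is the web shield cleaning up after the alert.
    """
    state = {f: snapshot(f) for f in folders}
    end = time.time() + duration
    while time.time() < end:
        time.sleep(interval)
        for folder, patterns in folders.items():
            now = snapshot(folder)
            created, removed = diff_snapshots(state[folder], now, patterns)
            stamp = time.strftime("%H:%M:%S")
            for name in created:
                print(f"{stamp} created {os.path.join(folder, name)}")
            for name in removed:
                print(f"{stamp} removed {os.path.join(folder, name)}")
            state[folder] = now


if __name__ == "__main__":
    watch()
```

Start it before clicking the download so the first snapshot is taken while the folders are still clean; the printed timestamps can then be lined up against the Warning.log entries.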

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Avast alerting behavior
« Reply #14 on: October 04, 2008, 03:24:56 AM »
This is nothing new ...

I have reported in this forum in the past my experience that if a download alert from the Webshield is simply ignored then the download completes.

It seems to me that avast cannot "suspend" the activity of the browser - it is simply scanning that activity and alerting the user.  The only step it seems that avast is designed to take is either to abort the connection (if the user so chooses and the connection is still active) or to allow the download to continue. If the download completes before you take action then you are relying on:

a download completion scan (if your browser supports it)

-or-

the Standard Shield on accessing the downloaded file.