Avast for Mac - wanna beta-test the new engine?

[keithhmh]

(iMac 2.4GHz Intel core duo
OS 10.5.6 with Time Machine and Parallels)

It ran all night so I guess it got into recursion.

When I stopped it, it showed

"Scanned 7352681 items in 5857085 files, found 1 virus and 1385 warnings"

yet the detail window said

"1468 items,1411 unprocessed, 1468 shown, 0 selected "

The virus is reported as

Win32:Small-HUF [trj] on win2000.hdd.0. (my Parallels windows 2000 hard drive) yet nothing finds it when I do PC virus checks in the Parallels virtual system

The rest were

1 err 16 and several 42110, 42125, 42128 and then the rest 13

I hope this helps

[zilog]

(iMac 2.4GHz Intel core duo
OS 10.5.6 with Time Machine and Parallels)

It ran all night so I guess it got into recursion.

When I stopped it, it showed

"Scanned 7352681 items in 5857085 files, found 1 virus and 1385 warnings"

yet the detail window said

"1468 items,1411 unprocessed, 1468 shown, 0 selected "

The virus is reported as

Win32:Small-HUF [trj] on win2000.hdd.0. (my Parallels windows 2000 hard drive) yet nothing finds it when I do PC virus checks in the Parallels virtual system

The rest were

1 err 16 and several 42110, 42125, 42128 and then the rest 13

I hope this helps

Hallo, could you please specify, where the recursion occurs (you can look at the warnings pattern, what files repeated, and where they are located).
the recursion problem is strange, because we don't enter symlink-loops, and thus, this can't normally occur (and doesn't occur on our testing machines).

this, in the fact, still blocks the release, because it's a reported bud which can't be reproduced. detailed logile could be very helpful here
(http://public.avast.com/~cimbal/beta.html hints are still valid for this beta, thus, could you please try to get, at least, the simplest of all logs - that daemon-log, enabled using -m 0xffffffff -s somefile switches to the daemon?)

thanks in advance,
pc

[keithhmh]

Forgive me for asking what might seem to you what are stupid questions but here goes.

Where can i find the scan report files? I have run a single file scan since I ran the long overnight one. Does this mean I have overwritten the previous scan report or are they named by date/tiime/incremental no's

What is the daemon?

(the simplest of all logs - that daemon-log, enabled using -m 0xffffffff -s somefile switches to the daemon?)

I don't know what this means - tell  me what to type and where and I will do it

I will help in any way I can but you will have to accept I am not a knowledgable MAC user

Regards

Keith

[zilog]

Forgive me for asking what might seem to you what are stupid questions but here goes.

Where can i find the scan report files? I have run a single file scan since I ran the long overnight one. Does this mean I have overwritten the previous scan report or are they named by date/tiime/incremental no's

What is the daemon?

(the simplest of all logs - that daemon-log, enabled using -m 0xffffffff -s somefile switches to the daemon?)

I don't know what this means - tell  me what to type and where and I will do it

I will help in any way I can but you will have to accept I am not a knowledgable MAC user

Regards

Keith

Hallo,
avast for mac = gui stuff + scanning daemon. the daemon is responsible for all the virus recognition, unpacking (and in the forthcomming version also for incremental updates), while the gui does the visualisation for the user (the daemon itself is driven using custom socket-level protocol).

that com.avast.MacAvast.MAD (which was changed in this beta-test), is the mentioned daemon itself. what you see in the gui after scan, is a scan report (usually a veeery narrow subset of the whole information flow, produced by the daemon). what we need, is a detailed logfile. usable logfiles can be produced by both daemon and gui. but, because such files tend to contain plenty of detailed low-level informations and because they tend to grow to hundreds of megabytes, their generation is disabled, by default. some tweaking is necessary here:

1) - have avast! active (VPS 09xxxx-x should be written in the left upper corner)
2) - run terminal (applications, utilities, terminal utility), and type here (one looong line with enter at the end):
ps -laxwww|grep MAD|grep -v grep|tail -n 1|cut -d/ -f2-|(read a b c d e f g i j k l;echo DoQuit;read </dev/tty;/$a -v -m0xffffffff -s ~/avastlog $b "$c $d" $e "$f $g" $h $i $j $k $l)

3) if you enter the line correctly (each space is important), "DoQuit" will be printed. now, focus on avast!'s window, quit from menubar both avast and agent, then return to the terminal, and press enter. something like this should appear, otherwise go back to 1) and type the line again, correctly

Version of daemon: 0.0.80-beta
Datapath to 400.vps: '/Users/pavelcimbal/Library/Application Support/com.avast.MacAvast'
Workspace directory: '/private/var/tmp/folders.501/TemporaryItems/com.avast.MacAvast.DAEMONWD'
License file: ''
Packers set: 0x1FFFFFFF
Scan flags: 0x01800000
Recurse depth: 32
Connection timeout: 300s
VPS version: 081217-0 17.12.2008
VPS reload: on request
Scanlog file: '/Users/pavelcimbal/avastlog', mask 0xFFFFFFFF
Running mode: foreground
Listening interfaces: unix:/Users/pavelcimbal/Library/Application Support/com.avast.MacAvast/socket
Engine ready, listening on sockets

4) run avast! again, and launch the scan. in the fact, you have spawned your own replacement of the daemon, and gui should adopt it without trying to run its own daemon instance. just have a look to your home directory - file avastlog should be there, and should grow. this is the file we want (compress it using zip or similar tool, to get reasonable size of the log, at least under ~100MB).

You will get rid of this logging later, simply by quitting both avast and daemon (your tweaked instance will be killed, and next time, gui will start its own normal version as usually).

regards,
pc

... i hope, it's simplified enough to be understandable and reproducible

[keithhmh]

Hi,

I ran the test and the log is 800mB (I ran it for about 4 hours before I stoped it). I compressed it and it  is still 21mB. Your attach file facility doesn't allow zip files  nor files  > 200kB. Can you email me with an email address that I can send it to (or is there another way?)

When I stopped it, it reported "Scanned 3578686 items in 2870578 files, found 2 viruses and 988 warnings"
The detail lines below said " 1021 items, 1002 unprocessed, 1021 shown"
Why does one say 988 and the other say 1021 ?

Note, the viruses are the 2 you asked me to create in my other thread - how do I get rid of them now?

[igor]

There's an anonymous FTP (with write-only access) at ftp://ftp.avast.com/incoming
- it's possible to upload the log there.
Thanks.

[zilog]

Hi,

I ran the test and the log is 800mB (I ran it for about 4 hours before I stoped it). I compressed it and it  is still 21mB. Your attach file facility doesn't allow zip files  nor files  > 200kB. Can you email me with an email address that I can send it to (or is there another way?)

When I stopped it, it reported "Scanned 3578686 items in 2870578 files, found 2 viruses and 988 warnings"
The detail lines below said " 1021 items, 1002 unprocessed, 1021 shown"
Why does one say 988 and the other say 1021 ?

Note, the viruses are the 2 you asked me to create in my other thread - how do I get rid of them now?

thanks for the log, let me know when it would be available at the ftp.
those two "echo-made-viruses" are harmless, just delete them, or ignore them .
what's an "item" for the gui isn't item for engine, and vice-versa, that's the reason. item for gui is (roughly said) "what has an icon in finder", for the scanner it's "what's a particular, maybe embedded, file".

regards,
pc

[keithhmh]

Sorry guys but as I said you have to spell it out exactly (I have never uploaded anything on a Mac before).

What do I have to do/type to upload the file

[keithhmh]

Hi

I spent some time on Google and came to realise that I had to download an ftp package (I assume that is true and there is nothing that comes with my imac). I downloaded "onebutton ftp" and although I think I did all the right things, I couldn't see the file in /incoming. Is that because I don't have privilages to do so or did it not get transmitted. Is there a better ftp package?

[igor]

Yes, as I wrote, there's write-only access there - so you can't see any file there, not even the one you've just uploaded.
The avastlog.zip file is there - but it has only 5426335 bytes, i.e. it doesn't seem to be complete.
Can you try to reupload, please?
Thanks.

[keithhmh]

Did it work that time and does it help

[zilog]

Did it work that time and does it help

Hallo Keith,
thanks a lot for the full-log, received, analysed, did help, and now we know an answer:

it's NOT futile cycling in a loop, just, you have so much TimeMachine snapshots in the /Volumes directory, that their scanning would take a lot of time to complete (each snapshot is available here as full filesystem-snapshot, and thus, was scanned, as requested).

With the presence of TimeMachine volumes, doing full scan (= really full scan through all mounted volumes, and thus, also through all "exported" time-snapshots) is probably not what users would want to - so, we'll bypass this step, by default, and it would remain accessible only per-request (in other words, path "/Volumes/Time Machine Backups" would be never searched into, unless one of its subdirectories is specified). This should work for most users.

Also, one minor flaw was found in the logging format, and will be corrected too. Thanks for your effort.

Best regards,
pc