Hundreds of warnings and alerts in the last 5 hours

[mfeodoroff]

We've been getting these warnings and errors generated by Avast for the last 5 hours (I have just come to work this morning and come across this). They appear on average one every minute! This seems to have started after the last virus definition update. I have paused the Standard Provider in the mean time to stop the message (we get warned via email

[SPHINX]: AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\Temp\gthrsvc\26a8_80c_2_G02_Tivoli_Storage_Manager_New_Release_TTUC2007%20.pdf failed, 00000005.

[SPHINX]: AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\Temp\gthrsvc\26a8_80c_2_G02_Tivoli_Storage_Manager_New_Release_TTUC2007%20.pdf (C:\WINDOWS\Temp\gthrsvc\26a8_80c_2_G02_Tivoli_Storage_Manager_New_Release_TTUC2007%20.pdf) returning error, 00000005.

[SPHINX]: AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\Temp\gthrsvc\flt9896_2060.eml failed, 00000005.


We also got this:

Warning: The number of notifications exceeded the defined threshold.
Current settings are: max. 100 messages in 60 minutes.

No notifications will be sent during the next 51 minutes.


Has anyone else seen a similar issue?

[DavidR]

Firstly I don't use the server version of avast , so hopefully someone that does can help with any avast server edition issues.

Well windows file system error 5 (00000005) is Access is denied.

So unless your Tivoli_Storage_Manager is protecting its files, etc. (which would appear strange in a temp folder), then I don't know why it is happening. I only know that when access is denied that isn't an issue that avast creates or can rectify.

As far as the notifications go I don't know if you can adjust the reporting sensitivity so this type of error doesn't trigger an email or if you would even want to do that as an AAVM error might be for a different reason than access denied.

I don't know if there is a setting in the server edition where you can increase the max number of notifications in the time period.

Or if all the emails are related to this temporary location and .pdf and .eml file types if you might want to exclude the scanning of .pdf and .eml files in that folder.

e.g. C:\WINDOWS\Temp\gthrsvc\*.pdf and C:\WINDOWS\Temp\gthrsvc\*.eml

But, you would have to ask why this scanning activity is kicked of, what is creating files in this temp folder ?

[mfeodoroff]

Thanks David.

I don't know why it started (the product has been installed for nearly two years) all of a sudden, but this server is our Exchange server and runs appropriate providers for that.  Excluding the c:\windows\temp\gathsvc folder in avast standard provider is probably a reasonable thing to do.  I'll take a look and see how it goes.

Cheers,
Mark

[DavidR]

You're welcome, happy hunting.

I would advise care when using the * wildcard and only exclude what you absolutely have to, if this just effects some file types in the c:\windows\temp\gathsvc folder then just use the examples I used previously as that wildcard will exclude all .pdf files and the second all .eml files rather than excluding the whole folder, though that may be what is needed as I doubt access denied would limit itself to just a couple of file types.

[mfeodoroff]

gathsvc directory emails have ceased (wildcarded the whole folder as I don't want avast interfering with the indexing service).  Now the emails have slowed, I can see these:

[SPHINX]: AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.dll (C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.dll) returning error, 00000005.

[SPHINX]: AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.dll failed, 00000005.

There have been pattern updates in the past that didn't handle PDFs very well.  I'll exlcude the C:\Program Files\Adobe\Acrobat 7.0\Reader\ folder as well until Awil tech support get back to me (at best tomorrow my local time in Oz).

Thanks for the tip David, at least I know most of the server is still protected.

Cheers,
Mark

[DavidR]

You're welcome.

I don't know if acrobat would protect its folder or that particular file and if not it may be some sort of general permissions problem, what that might be I don't really know I don't use any server as such.

However I notice the version of acrobat reader is very old (unless this is some server version which, I doubt) and as such has a number of vulnerabilities so now might be a time to consider updating to the latest version. You never know that might have an impact on permissions on acrobat files.

[mfeodoroff]

Yep...upgrading to v9 of reader at our scheduled outage next week.  Nothing's changed on this box (at all) for nearly a month (change control window), so it's strange to see permission problems start occuring.  I noticed another update was just released...I'll see if that makes any difference.

Cheers,
Mark

[Lisandro]

Wrong post. Sorry.

[DavidR]

Yep...upgrading to v9 of reader at our scheduled outage next week.  Nothing's changed on this box (at all) for nearly a month (change control window), so it's strange to see permission problems start occuring.  I noticed another update was just released...I'll see if that makes any difference.

Cheers,
Mark

I would check the sensitivity of the standard shield as ordinarily I wouldn't have though it would have scanned .pdf files on creation with it set to the default 'Normal' sensitivity, but 'High' would effectively scan 'all' created modified files.