Author Topic: Avast! Pro 4.8.1335 - how to log deletions of suspicious files?  (Read 4355 times)

0 Members and 1 Guest are viewing this topic.

leighwardle

  • Guest
Hi all,

I am using Avast! Pro 4.8.1335 and Online Armor 3.5.0.20.

I believe Avast! sometimes deletes 5 of Online Armor's files immediately after I reboot.
Online Armor will not start - see: http://support.tallemu.com/vbforum/showthread.php?t=8751.
Each time this has happened I have reinstalled both Avast! Pro and Online Armor.

In some (but not all) of these episodes Avast! Pro has reported the 5 Online Armor files as suspicious, see:

I have always selected the "Ignore" button on this dialog.

I have used Avast! Pro's exclusion lists to exclude the 5 files explicitly and also the Online Armor program folder (using C:\Program Files\Tall Emu\Online Armor\*).

How can I log Avast! Pro's suspicious files incidents and deletions?

Regards,
Leigh


Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Avast! Pro 4.8.1335 - how to log deletions of suspicious files?
« Reply #1 on: June 21, 2009, 10:36:41 PM »
So, this window pops up only sometimes, or every time you reboot your machine?
It sort of looks like they Online Armor guys are doing some tricks to cloak (or protect) their services and drivers, and the avast rootkit scanner considers this as a sign of rootkit.

Have you tried the "Do not tell me about these files in the future" box?

Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

leighwardle

  • Guest
Re: Avast! Pro 4.8.1335 - how to log deletions of suspicious files?
« Reply #2 on: June 22, 2009, 01:37:25 AM »
So, this window pops up only sometimes, or every time you reboot your machine?
It sort of looks like they Online Armor guys are doing some tricks to cloak (or protect) their services and drivers, and the avast rootkit scanner considers this as a sign of rootkit.

Have you tried the "Do not tell me about these files in the future" box?


Hi Vlk,

Thanks for your comments.

This window pops up only sometimes, not every time I reboot my machine.

What is bad is that the Online Armor files get deleted without any message from Avast!.

That is why I would like access to a log of Avast! Pro's suspicious files incidents and deletions?

Regards,
Leigh

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Avast! Pro 4.8.1335 - how to log deletions of suspicious files?
« Reply #3 on: June 22, 2009, 03:17:43 AM »
Well avast doesn't delete anything autonomously, avast scan and alerts to infection and you choose what action avast takes.

With the pro version of avast you can set up actions on how to deal with detections, so if you put delete as an option it could delete as you had given that as the option. However, I don't know if the anti-rootkit scan (which this was) conforms to those pre-set option in the pro version.

If you don't select delete than avast doesn't delete.

If avast detects something as infected then it will be in the avast log viewer, if it is in the anti-rootkit scan it is in the C:\Program Files\Alwil Software\Avast4\DATA\log\aswAr.log log file, view it using notepad. At the bottom of that there is a summary of the scan, files scanned, infected, etc. This is only there until the next anti-rootkit scan (8 minutes after the next boot) when the new log overwrites it.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

leighwardle

  • Guest
Re: Avast! Pro 4.8.1335 - how to log deletions of suspicious files?
« Reply #4 on: June 22, 2009, 09:46:16 AM »
Well avast doesn't delete anything autonomously, avast scan and alerts to infection and you choose what action avast takes.

With the pro version of avast you can set up actions on how to deal with detections, so if you put delete as an option it could delete as you had given that as the option. However, I don't know if the anti-rootkit scan (which this was) conforms to those pre-set option in the pro version.

If you don't select delete than avast doesn't delete.

If avast detects something as infected then it will be in the avast log viewer, if it is in the anti-rootkit scan it is in the C:\Program Files\Alwil Software\Avast4\DATA\log\aswAr.log log file, view it using notepad. At the bottom of that there is a summary of the scan, files scanned, infected, etc. This is only there until the next anti-rootkit scan (8 minutes after the next boot) when the new log overwrites it.

Hi David,

Thanks for the feedback.

Regarding the aswAr.log log file, what is the significance of Hidden Services?, e.g. entries like

Code: [Select]
Service OAcat [C:\Program Files\Tall Emu\Online Armor\oacat.exe]  **HIDDEN**
Regards,
Leigh

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Avast! Pro 4.8.1335 - how to log deletions of suspicious files?
« Reply #5 on: June 22, 2009, 04:06:11 PM »
I think Vlk covers that in his post, Reply #1

There really shouldn't be any need to try and hide a service and many malware elements (rootkits) try to do this, which depending on eht service being hidden if it is from an unknown application then it is more suspicious.

Since this appear to be a part of the OA application, I would continue to send samples to avast in the hope that they analyse it and accept that it is good or you can as Vlk said select the "Do not tell me about these files in the future" box.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

spg SCOTT

  • Guest
Re: Avast! Pro 4.8.1335 - how to log deletions of suspicious files?
« Reply #6 on: June 22, 2009, 04:30:09 PM »
Hi Leighwardle,

From your other posts I understand you are using the BETA version of OA.

I use the released version and this service is not hidden, so I imagine it is only the BETA.

Perhaps you could contact those at OA and report this as a bug, alerting them to the fact that by hiding their services, they are being mistaken for rootkits and ask them to change this back to how it is now.

You could point them in the direction of the threads and see how they respond.

-Scott-

leighwardle

  • Guest
Re: Avast! Pro 4.8.1335 - how to log deletions of suspicious files?
« Reply #7 on: June 23, 2009, 01:33:45 AM »
I think Vlk covers that in his post, Reply #1

There really shouldn't be any need to try and hide a service and many malware elements (rootkits) try to do this, which depending on eht service being hidden if it is from an unknown application then it is more suspicious.

Since this appear to be a part of the OA application, I would continue to send samples to avast in the hope that they analyse it and accept that it is good or you can as Vlk said select the "Do not tell me about these files in the future" box.

Hi Leighwardle,

From your other posts I understand you are using the BETA version of OA.

I use the released version and this service is not hidden, so I imagine it is only the BETA.

Perhaps you could contact those at OA and report this as a bug, alerting them to the fact that by hiding their services, they are being mistaken for rootkits and ask them to change this back to how it is now.

You could point them in the direction of the threads and see how they respond.

-Scott-


Thanks David and Scott,

On your suggestion I have reported the OA 3.5.0.20 Hidden Service issue to the OA forum, see: http://support.tallemu.com/vbforum/showthread.php?t=8954.

Regards,
Leigh

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Avast! Pro 4.8.1335 - how to log deletions of suspicious files?
« Reply #8 on: June 23, 2009, 01:37:37 AM »
You're welcome.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security