Author Topic: Boot-Scan Problem  (Read 5953 times)


BRANDONN2008

  • Guest
Boot-Scan Problem
« on: September 09, 2009, 11:33:41 PM »
Every time I run a boot-scan, after it's done, I get an error message from Windows saying something like "interactive logon process has failed" or something like that. After I close it, I only have a black screen and frozen cursor, and I have to hard boot the PC. This has been happening for a while, but didn't happen for a while since I've had Avast.

ibell63

  • Guest
Re: Boot-Scan Problem
« Reply #1 on: September 10, 2009, 12:10:55 AM »
I also have a Boot-Scan related problem.  Any time I choose to "Move Infected Files to the Chest", or "Move Infected Files", (with system files set to be ignored), I get an error about some sort of memory exception on reboot right after it starts scanning.  (The error only displays for about half a second, but I suppose I could try to get the error code for you.)

If I choose "Delete Infected Files" (ignoring system files), it works perfectly fine.

Running Windows 7 32-bit RTM on an Apple Macbook Pro with bootcamp.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Boot-Scan Problem
« Reply #2 on: September 10, 2009, 10:25:08 AM »
Please post the file <avast4>\Data\Log\aswBoot.log

ibell63

  • Guest
Re: Boot-Scan Problem
« Reply #3 on: September 10, 2009, 07:49:55 PM »
Attached is aswBoot.log

Unhandled Exception only occurs when set to move files to chest.

Offline igor

Re: Boot-Scan Problem
« Reply #4 on: September 10, 2009, 08:10:11 PM »
Thanks for the log.
Unfortunately, it just says that the memory was corrupted somewhere... but not where and how. I'd really like to know more about it...

So, there were some infected files found during the scan, which you selected to Move [to Chest], right?
(I can't say from this log, it's stored elsewhere, in <avast4>\Data\Report\aswBoot.txt)

How many infected files were there? If only a few, could you send us those files (e.g. upload them to ftp://ftp.avast.com/incoming) - so that I can try to reproduce the problem?
Were they inside of an archive?

Thanks!
« Last Edit: September 10, 2009, 08:37:32 PM by igor »

ibell63

  • Guest
Re: Boot-Scan Problem
« Reply #5 on: September 11, 2009, 02:41:35 AM »
There were no infected files found during the scan, I don't think the scan even really starts before the unhandled exception occurs and it quits.

The weird thing is that it works perfectly fine when I tell it to ignore infected files.  Also, I looked into the issue more and found that my partition map is set up for GUID partition table (Mac OS X requires it), and I am speculating that Avast! is having trouble with that vs. MBR.  What leads me to believe this is that this error occurs IMMEDIATELY after the boot scanner says it is scanning the MBR, which doesn't exist since it's GUID partition table.

For some reason, when I say to ignore infected files, it doesn't even go into the routine where it scans the MBR.

To put this in perspective, this all happens quickly and the boot scanner actually only runs for like 30 seconds before it quits. 15 seconds or so are spent just where it just says Avast antivirus .......... the other 15 seconds are spent doing what appears to be just preparing the scan, and it doesn't even get to the point where it says scanning all local disks.

I am currently running a thorough scan (with archive files) from within the GUI in Windows just to make sure this isn't some malware causing problems.  I very highly doubt I have any malware as this is a very new installation (like 2 weeks old) and pretty much the first thing I did after I got Windows 7 running was install Avast  ;D , so I very highly doubt it's a malware problem.

Edit: Thorough scan is mostly complete and a few files have been reported as "Decompression bomb", namely, they are files related to the expansions for the game Fallout 3 (excellent game by the way).  The files are .bsa files.  I have another machine running Windows 7 32-bit using MBR that I can try soon.  If boot scan works from the get go, I will move a few of the .bsa files over and see if it still works, and play with the "scan archived files" switch as well.  This should isolate the issue.

On my Macbook Pro (GUID partition table), the "scan archived files" switch appears to have no effect on the situation, I have tried it in all situations.

Ian
« Last Edit: September 11, 2009, 03:25:45 AM by ibell63 »

ibell63

  • Guest
Re: Boot-Scan Problem
« Reply #6 on: September 11, 2009, 06:03:06 AM »
Ok, so when I was trying this a few times, I started to realize I was getting inconsistent results, and it wasn't working every time I picked "ignore infected files".

So...I had some free time on my hands (ok a lot of free time on my hands), and I figured this would be more constructive than playing Fallout 3, so I decided to try a lot of different combinations and see what worked.
Here's what I observed.

Try each three times.

All with Archive switch on:

Top: Ask for action, Bottom: unavailable

1. Scan Local Disks - Worked fine.
2. Scan Local Disks - Scan MBR - Unhandled exception.
3. Scan Local Disks - Scan MBR - Unhandled exception.

Top: Delete Infected File, Bottom: Ignore for system files

1. Scan Local Disks - Scan MBR - Unhandled exception.
2. Scan Local Disks - Scan MBR - Unhandled exception.
3. Scan Local Disks - Scan MBR - Unhandled exception.


Top: Delete Infected File, Bottom: Ask for confirmation

1. Scan Local Disks - Scan MBR - Unhandled exception.
2. Scan Local Disks - Scan MBR - Unhandled exception.
3. Scan Local Disks - Scan MBR - Quit before unhandled exception.

Top: Delete Infected File, Bottom: Allow delete or move

1. Scan Local Disks - Scan MBR - Unhandled exception.
2. Scan Local Disks - Scan MBR - Unhandled exception.
3. Scan Local Disks - Scan MBR - Unhandled exception.

Top: Ignore Infected File, Bottom: Unavailable

1. Scan Local Disks - Scan MBR - Unhandled exception.
2. Scan Local Disks - Scan MBR - Unhandled exception.
3. Scan Local Disks - Scan MBR - Unhandled exception.

Top: Move Infected File to chest, Bottom: Ignore for System files

1. Scan Local Disks - Scan MBR - Unhandled exception.
2. Scan Local Disks - Scan MBR - Unhandled exception.
3. Scan Local Disks - Scan MBR - Unhandled exception.

OK... Let's try this with Advanced Options disabled altogether.

1. Scan Local Disks - Scan MBR - Unhandled exception.
2. Scan Local Disks - Scan MBR - Unhandled exception.
3. Scan Local Disks - Scan MBR - Unhandled exception.

Top: Repair Infected File, Bottom: Unavailable

1. Scan Local Disks - Scan MBR - Unhandled exception.

Ok... Just for good measure, let's just try a completely cold start with advanced options disabled.

1. Scan Local Disks - Worked fine!!
2. Scan Local Disks - Scan MBR - Unhandled exception.
3. Scan Local Disks - Scan MBR - "Finished Scanning - Continue with boot" (25 seconds in) - Frozen (Waited 5 Minutes) - Hit Esc, no response - Had to hard boot.


----------------------------------------


Ok, so I guess the logical conclusion to be drawn here is that settings really don't matter, and the only thing that can be substantiated is that this boot scanner only works with GUID partition table when for some reason or another it decides not to try to scan the non-existent MBR.

Offline igor

Re: Boot-Scan Problem
« Reply #7 on: September 11, 2009, 07:42:17 PM »
You seem to have spent quite a while on it... thanks for that.
However, I'm afraid this doesn't say much more than the memory is corrupted somewhere during the scan... (which is too little to fix the problem).

I'd ask:
- does it help if you don't select all the disks to be scanned, but use C:\ instead? (or C:\;E:\ for both the disks)? Or even a single folder on C: drive?
- does it help if you check the option "Disable raw disk access in avast! boot-time scan" in avast! settings / Troubleshooting?

Thanks!

ibell63

  • Guest
Re: Boot-Scan Problem
« Reply #8 on: September 11, 2009, 08:58:12 PM »
Selecting Only C:// to be scanned worked perfectly, tried it 4 times in a row and it worked every time!

Now that I think about it, this may have been caused by Apple's latest Bootcamp 3.0 drivers that came out with Snow Leopard. They added support for reading HFS+ (Mac OS X Extended) formatted disks.

Just for kicks, I decided to try to get the boot scanner to scan my E:// drive (HFS+), it took about 5 seconds and claimed it only had 93 files! This is certainly not correct as I have over 250 GB of data on that disk, and there have got to be over 100,000 files.  Also, when it scanned the E:// drive only, there was no unhandled exception and subsequent quit.

So I guess the issue is that the boot scanner doesn't have support for HFS+ formatted disks (which I wouldn't expect it to anyway).

Just to point out; my Mac OS X boot drive was not visible in Windows explorer or avast before the Bootcamp 3.0 update, but now it is visible in both.  Also, the boot scanner worked perfectly fine using the check all local disks option before Bootcamp 3.0.

Thanks! Maybe you could consider adding something to the code to detect and ignore HFS+ formatted disks? Or somehow incorporate HFS+ support (sounds like a very complex and difficult thing to do)?

I will be more than glad to help test any fix that might be implemented.
« Last Edit: September 11, 2009, 09:06:56 PM by ibell63 »

Offline igor

Re: Boot-Scan Problem
« Reply #9 on: September 11, 2009, 10:18:32 PM »
If you select all local disks to be scanned, it's "expanded" into three areas:
1. MBR
2. C: partition
3. E: partition
So, if you select C:\ only, there's also the difference in MBR (not being scanned). While I find it rather strange that the problem could be there, it's also possible - especially on your kinda special configuration.

As for the E: partition - avast! scans whatever the operating system can see (or at least reports it can see). The NTFS (C:) partition is scanned in raw mode, i.e. with avast!'s own filesystem parsing; for the HFS+ partition it uses the operating system functions. So, whatever the system can see, it's scanned.
I cannot rule out the possibility that the boot-time scan is performed "too soon" - sooner than the full HFS+ support is loaded by the OS. On the other hand, I'd expect it either to work fully, or not be loaded yet at all; something in between (seeing only a few files) seems rather strange.


Btw, if you schedule a boot-time scan, it adds a line to the (multi-string) value BootExecute in the registry key
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
The "All local disks" area puts the argument /A:"*" into the command line.
You can put the "expanded" version of the areas there manually (by modifying the value in regedit); in your case it would be
/A:"*MBR0;C:\;E:\"
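
The BootExecute layout described in the post above, as an added example that is not part of the original thread and is not avast! code: it separates Windows' stock `autocheck autochk *` line from any other BootExecute entries and expands the `/A:"..."` area list. The function names and the sample program name `bootscan.example` are assumptions made for illustration; the thread does not show the real command line.

```python
import re

# Windows' stock BootExecute entry (runs autochk before logon).
DEFAULT_ENTRY = "autocheck autochk *"

# /A:"..." is the scan-area argument described in the post above.
AREA_ARG = re.compile(r'/A:"([^"]*)"', re.IGNORECASE)


def scan_areas(entry):
    """Return the areas listed in an entry's /A:"..." argument, or None."""
    m = AREA_ARG.search(entry)
    if m is None:
        return None
    return [a for a in m.group(1).split(";") if a]


def audit_boot_execute(entries):
    """Split BootExecute lines into the stock entry and everything else.

    Returns (extra, areas): extra holds every non-default line, areas maps
    each line that carries /A:"..." to its parsed area list.
    """
    extra = [e for e in entries if e.strip().lower() != DEFAULT_ENTRY]
    areas = {e: scan_areas(e) for e in extra if scan_areas(e) is not None}
    return extra, areas


def read_boot_execute():
    """Read the live multi-string value (Windows only, read access to HKLM)."""
    import winreg
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _type = winreg.QueryValueEx(key, "BootExecute")
    return list(value)


# Constructed sample: "bootscan.example" is a placeholder program name,
# not the real avast! command line, which the thread does not show.
SAMPLE = [
    "autocheck autochk *",
    'bootscan.example /A:"*MBR0;C:\\;E:\\"',
]

if __name__ == "__main__":
    extra, areas = audit_boot_execute(SAMPLE)
    for line in extra:
        print(line, "->", areas.get(line))
```

On a Windows machine, `audit_boot_execute(read_boot_execute())` applies the same check to the live registry value.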