Author Topic: Removing AVAST! and Moving on!  (Read 37630 times)


Online polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32617
  • malware fighter
Re: Removing AVAST! and Moving on!
« Reply #90 on: December 05, 2009, 12:49:03 AM »
Hi chachazero-tan,

And also these users forget that they have a treasure house of knowledge here in the avast forums waiting for them to keep them secure and a lot of expertise from the volunteers that give a lot of free time to help them whenever in a security predicament, but there are always those that will turn a blind eye to these facts, they do not realize how privileged they are, my friend,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Bellzemos

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 621
Re: Removing AVAST! and Moving on!
« Reply #91 on: December 05, 2009, 12:50:12 AM »
Like Bellzemos, I would like to know where that setting is? I run version 4.8 and always left the settings at default. Anyone have a better suggestion for an "average" user?

BTW, I lucked out also with no warnings or damage.

Thanks...
John in STL

I think that they meant it for the boot scan, because normal scan always asks you what to do with the infected file(s) if I'm correct. Can anyone verify that?

You can set "auto" to "ask" for the boot-scan if you follow this procedure:
http://www.digitalred.com/avast-boot-time.php

At point 5 you see that you can set it any way you prefer.
Intel Core i7 Q 740 @ 1.73 GHz, 6 GB RAM, Windows 7 Ultimate x64 SP1, Avast! Free Antivirus, Malwarebytes Anti-Malware (free version) and Sandboxie (paid version).

Offline thingie

  • Jr. Member
  • **
  • Posts: 30
  • Some guy
Re: Removing AVAST! and Moving on!
« Reply #92 on: December 05, 2009, 03:40:53 AM »
I must have really lucked out, or, maybe it's because I don't have my resident protection detection settings set to "anal", but it only tagged one file in spyware doctor, which I always assume is a false pos, since avast doesn't like SD too much.

I think my main complaint is the options it leaves you when it finds a positive.. namely, the "rename" option. I like having this option, actually, because it still allows me physical access to the file, without having to muck about in quarantine. The protocol is that it will simply add a .vir extension to the file, making it inaccessible. What it doesn't mention is that if the suspect file is regarded in DOS abbreviated syntax (i.e. SDCONT~1.DLL, as opposed to SDContextExt.dll) it will re-name the *entire file*. This can cause problems if you need to name it *back* to the original file name, especially since it never gave you the full name of the file to begin with, so you don't know what to change the filename back to.

Of course, when I got the false positive, avast froze my explorer, so I couldn't actually get into the file system or a command prompt to find out what the full filename is. I actually had to go to the pctools forum and ask people what this file might be called.


Fortunately, the pctools user forum is as responsive as the avast forum, so I got an answer within minutes.


I'm still sticking around for now. I have some pretty strict guidelines about where I throw my money, and some of those guidelines have to do with how strong the user forums are. Especially when it comes to response time, as well as communication with development. (i.e. do any of the mods talk to them, for instance.) Avast, pctools and zonelabs are all super good at this, which is why I stay with their products. (plus the fact that they are good products overall)


I think I speak for a lot of avast users out here that we like to know pretty much everything that is going on, and we have been around long enough to know better than to take any alert message from *any* security software for granted, because heuristics can cause false positives. As such, please... let us have better access to the file information.... please.. pretty please.. (especially since for users like myself, I always like to submit the suspect file to virustotal for a second opinion, so I need access.) Especially since, if the full path + filename was given in the alert box, (instead of C:\SPYWA~1\SDCONT~1.DLL) we might be more informed about whether or not it's a good idea to quarantine the file, rename it, or leave it alone.

So, key word here being transparency.


Also, as much of a nightmare as this false pos was, thank god for the forums. As previously stated, one of the reasons I stick around.
« Last Edit: December 05, 2009, 04:06:53 AM by thingie »
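An added illustration of the short-name problem described in the post above (not part of the original thread and not Avast's code): given a renamed 8.3 alias such as `SDCONT~1.DLL`, list which long file names from a known-good listing could have produced it. The listing is constructed, the function names are hypothetical, and it is assumed that the `.vir` suffix is appended to the alias.

```python
import re

# Characters that 8.3 alias generation replaces with "_"; spaces and extra dots are dropped.
_REPLACED = set("+,;=[]")
# Tilde alias such as SDCONT~1.DLL: up to 6 base characters, "~", a number, optional extension.
# The hash-based alias form used after several name collisions is not handled here.
_ALIAS_RE = re.compile(r"^([^~.]{1,6})~(\d+)(?:\.([^.]{0,3}))?$")


def alias_basis(long_name):
    """Normalise a long name the way alias generation does: (BASE, EXT), untruncated."""
    name = long_name.lstrip(". ")
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""

    def norm(part):
        kept = (c for c in part.upper() if c not in " .")
        return "".join("_" if c in _REPLACED else c for c in kept)

    return norm(stem), norm(ext)


def fits_8_3(long_name):
    """True when the name is already a valid 8.3 name and so gets no tilde alias."""
    base, ext = alias_basis(long_name)
    rebuilt = base + ("." + ext if ext else "")
    return rebuilt == long_name.upper() and len(base) <= 8 and len(ext) <= 3


def strip_rename_suffix(name, suffix=".vir"):
    """Drop the scanner's rename suffix (assumption: it is appended to the alias)."""
    return name[: -len(suffix)] if name.lower().endswith(suffix) else name


def candidates_for_alias(alias, long_names):
    """Return the long names whose tilde alias could be `alias`, in listing order."""
    m = _ALIAS_RE.match(strip_rename_suffix(alias).upper())
    if not m:
        raise ValueError(f"not a tilde-style 8.3 alias: {alias!r}")
    prefix, ext = m.group(1), m.group(3) or ""
    hits = []
    for name in long_names:
        if fits_8_3(name):
            continue  # short enough to be its own 8.3 name
        base, full_ext = alias_basis(name)
        if base.startswith(prefix) and full_ext[:3] == ext:
            hits.append(name)
    return hits


# Constructed listing, e.g. taken from a clean install of the same product.
CONSTRUCTED_LISTING = [
    "SDContextExt.dll", "SDCore.dll", "SDContacts.exe",
    "sd context helper.dll", "readme.txt",
]

if __name__ == "__main__":
    for hit in candidates_for_alias("SDCONT~1.DLL.vir", CONSTRUCTED_LISTING):
        print(hit)
```

More than one candidate can come back because the `~N` number depends on the order in which the files were created, so the result narrows the search rather than naming the file outright.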

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1620
Re: Removing AVAST! and Moving on!
« Reply #93 on: December 05, 2009, 04:28:10 AM »
OOps I deleted some OA files

I caught the FPs virus on a computer and deleted some OA files

http://forum.avast.com/index.php?topic=51647.0

So I was in same position as users who got caught with the FP alerts. Being a tech I should know better, but I do these things. There's a lesson to be learnt. As davidR says 'you have none left' (say no more).

In this case I think it was hard on the average users. And I feel put out that I didn't post earlier, with my mind elsewhere, not knowing the extent of the threat. Afraid I'm in with the newbies on this one.

First computer I speculated supposed OA files and was wrong. I deleted the files that my OA needed. I have since disabled OA. I have added WinPatrol to fill the gap.

http://forum.avast.com/index.php?topic=51664.msg437254#msg437254

Virus hit in Programs - FPs thrown up amongst various programs, mine started with OA. Virus chest refuses to take file at same time Avast prompted me to Restart with scan. I took this option. I scan OA on Restart and got alert, so went to update with alert still showing on screen. Avast updated and I restarted then went to OA and scanned it and it came up clean.

My OA is premium so its paid.  Bit more to the reinstall than with the freeware, but done it before with OA.

I watched the boot time scan through so have good look at sequence. There seemed to be no FPs amongst the Windows files. I'm going to base a report on the threat and the first computer and post it on a thread.  http://forum.avast.com/index.php?topic=51664.msg437900#msg437900

I've returned the computer to best performance. still to run a full checkup. But no malware.
« Last Edit: December 05, 2009, 10:04:45 AM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline normishmael

  • Sr. Member
  • ****
  • Posts: 232
  • That is Not Dead, which can Eternal Lie.
Re: Removing AVAST! and Moving on!
« Reply #94 on: December 05, 2009, 05:58:44 AM »
@normishmael, As my comment wasn't directed at you it's really NOYFB.
 

Yeah,well I made it some of my FB.

We are not at the book burning stage yet.
comp1:Shadow Defender,sandboxie free,router,Kerio 2.1.5 .
comp2:Shadow Defender,Sandboxie free,Router/Kerio 2.1.5

Both XP Sp3

Offline Mele20

  • Full Member
  • ***
  • Posts: 104
  • I'm a llama!
Re: Removing AVAST! and Moving on!
« Reply #95 on: December 05, 2009, 09:25:37 AM »
Someone is confused here...

"Ignore" is there, it's just called "No action" or "Block".
Why couldn't you configure on-demand scanner differently than on-access one? Sure you can...


first, there's no confusion on my side, you're confused about my interpretation: although the interface itself would be somewhat confusing due to an  improper wording, it's not anymore once you've tested it with an Eicar file and seen what it does. To put it simply, the "ignore" command doesn't exist at all. Don't tell me how it was in V4, I have no idea anymore, I tested it once or twice ages ago with Eicar had one FP two years ago so...and no infection in the meantime.

 This said, you cannot assimilate "no action" to "ignore" or "block" to "no action" because this wording doesn't make any sense...not in "real" languages anyway  ;)
 Also, "no action" for manual scans gives you the option in the result panel to "do nothing" if you want, when "no action" when set in file system shield will block files automatically, so there's a major behavior difference. Give it a try  ;)

 Again, what's needed is a "real" ignore option, that as VLK suggested yesterday, could be called an "add to exclusion list" and avoid the pain of having to restore hundreds of FPs (from Chest, when it works...) in the case of an incident like yesterday. You seem to be very unwilling to add this "real ignore option" from the beginning of the beta testing, referring to dangerous fast clicks for noobs, sorry but we're running our own computers and I do not accept to be left with the choice between, sending to chest, block or delete. In the end the data is mine, and I wanna do what I want with it, especially when it can instantly save my system from being crippled with 10000 FPs... once numerous FPs are in Chest, restoring (again, when it works...) won't necessarily work, especially with systems files...>>> system lockups...reboot... system lockups again etc...etc...I'd rather avoid my system to break than having to attempt a repair through avast Chest sorry...
 It's been suggested to many yesterday to wait...no panic...wait and wait...attempt to restore from Chest...you must be kidding  ;D My system wasn't affected I got luck, but if it had happened, you seriously think I would have trusted a system composed with thousands of files restored from the Chest ??? I would have attempted a sys restore, and if not good enough or fail, reinstalled Windows + programs in no time and waited for the update correction before reinstalling avast. I would have lost two hours, not a minute more. Better than wasting the whole day looking for solutions on the forum.
 You know, unfortunately, a majority of the users who logged in to complain yesterday were people who don't have a freaking clue about how to run a computer. For many of them Windows was just broken (really broken) and they will have to pay someone to reinstall their OS. You'll be surprised: I won't blame Avast for this. These guys must understand that buying a PC is not buying a TV...I guess they'll never make...this difference. Many of them just didn't catch that an FP slaughter was going on, and instead of dealing accordingly, they launched a full scan with Avast, or worse, a bootscan  ::) So maybe you can help them, maybe you can't, but in all cases leave to those who know what a computer is the option to decide what to do when something's detected >>>> IGNORE OPTION... again, thanks.
 
 adding: a useless alternative to "send to chest" is this non-sense called "no action" blocking files for real time shields. How the hell do you unblock files then...again, the option doesn't exist...other then adding the whole system in the exclusion list may be...??? also, did you notice that once a file is sent to Chest, after a manual scan, it's just sent to Chest, but when it is by a real time shield, it leaves a zero byte file in the original location? why is that?

THANK YOU! I agree with every word in your post. You have explained it much better than I did.

I have an old, harmless file detected by both Avast and Avira (about 30% of scanners at VirusTotal detect it) as VBS.malware.gen. I use it like I would Eicar for testing purposes with the scanners that do detect it.  With Avast 5, if I right click scan it with the on demand scanner, I get options with "do nothing" as one of them. So, that is acceptable.

The real time scanner is the problem. If I try to open this same file, the real time scanner pops up and states that "Avast has blocked a file. No further action is necessary". I have the File System Shield configured as Actions/Virus/No Action. Please explain to me how "BLOCK" is "No Action". "Block" is an action! I don't want the file blocked. I want, in this case, for the scanner to IGNORE it. To make matters worse, after BLOCKING access to this file (even though I have No Action chosen), Avast tells me "No further action is necessary". Well, heck, OF COURSE further action is necessary since I want the Shield to ignore the file so I can access it! I don't want to put it in exclusions. I want an IGNORE button! Ignore button could be temporary. With Avira ignore is just for while you are right there. If you leave the area and do something else and then come back to where the file is located Avira will alert again (this confuses newbies and average users and I must have answered dozens and dozens of posts about it in their forum over the years). So, ignore doesn't have to be forever. I don't care if it is, or is only for a short while, but I want the OPTION of IGNORE ...at least for the time being.

When this current mess occurred, I had File Shield configured on Actions to First "Ask" and if that failed then Second "Take No Action". So, Avast rebooted with the bad definitions and beta 3 and immediately flagged HostsMan as a virus. OBVIOUSLY, ANYONE would know that was a False Positive. I had just started that computer after 4 days of no use. Avast did not object to HostsMan when I started the computer. I immediately did an update of Avast which got me a program update to beta 3 and the bad definitions and Avast asked to reboot the computer. I allowed that and bam! HostsMan is now a trojan?! Well, of course, not! It had to be a FP. Yes, there was the slight possibility that Avast had not had a definition or heuristics to determine until now that HostsMan had a trojan but that was a very slight possibility and it was EXTREMELY likely that there was false detection of HostsMan.

So, I get a popup Asking what to do and I am given three options: move to chest, delete, or block! NONE of those, in this circumstance, was acceptable. Block is NOT ignore! Block would have kept HostsMan from running! That was UNACCEPTABLE. So, my choices were: Lose my hosts file or disable Avast both of which were unacceptable! Do you finally understand? Block is NOT ignore! I need IGNORE.

Avast has the same shortcoming that I and many others have complained about for years with Avira. I might be persuaded to use Exclusions in lieu of a missing Ignore button but Avast, like Avira, doesn't make that easy. Why is there no box on the "Ask" popup for me to check to have that file AUTOMATICALLY excluded? Avira's excuse is that the naive users might be harmed by such an option. Ugh. Make it slightly hidden then with a further click and a warning before one can check the box to automatically exclude the file.

As an aside, I NEVER put anything in quarantine. Why? Because many times antivirus applications screw up when restoring files. I had Avira recently put the files in MyPrivate Folder in quarantine. I had been helping someone in the forum and had changed my settings while helping them troubleshoot and I ran a rootkit scan with the altered settings forgetting I hadn't changed them back as I usually have them. So, all those files ended up in quarantine as an automatic action (which is what the user needing help had the setting at). When I went to restore them they restored as corrupted. Avira is not the first antivirus I have had that has messed up at sometime with restore from quarantine so I don't use it. I want BOTH IGNORE AND BLOCK OPTIONS.  I will choose block for anything I am unsure about and then will submit to VirusTotal/Jotti/etc and to the vendor. For something I know is not a virus/malware (like the VBS file or HostsMan) I will choose ignore so that I can USE the program!

Please give us an ignore button in ver 5. I would like to continue using Avast on at least one computer. I was impressed today when I read the blog and the lengthy explanation in the forum about the details of how this huge mess happened and why. I very much appreciate any vendor who is open and honest about mistakes and who pledges to keep the customers fully informed as to what actions are taken to prevent such problems in the future.  But I still have to have an ignore button!





« Last Edit: December 05, 2009, 09:34:18 AM by Mele20 »

Offline NAMOR

  • Jr. Member
  • **
  • Posts: 72
  • NAMOR
    • sLoWkIdSpLaYiNg.CoM
Re: Removing AVAST! and Moving on!
« Reply #96 on: December 05, 2009, 03:26:26 PM »
It is very unfortunate that this happened. Avast flagged our Point of Sale System as infected, we reinstalled the program and have dealt with it. Mistakes happen, no matter what software you use. This is not a reason to leave avast if you have been satisfied with it up until now. We still support avast and will continue to in the future.

hehe, Sophos deleted the exe files for our POS software last week. Luckily it was only related to one site. Why their IT guy set it to delete is beyond me.
Windows 7 64bit + LUA + Full DEP + Avast Internet Security.

Offline xblade

  • Newbie
  • *
  • Posts: 12
Re: Removing AVAST! and Moving on!
« Reply #97 on: December 06, 2009, 04:57:34 PM »
Greetings I am new to the forum and like many here I was affected by the avast error, but not going to uninstall with more reason I stay with him, is that people Alwil not to let this happen again:)

It makes me laugh people who say they uninstalled avast and never use it again, but recently there is a problem with a Windows update that of a black screen and not see them writing that they will stop using windows, or the generic error host process for win32 services of xp

Excuse my English do not write very fluid, so I use the google translator xD

Offline cod head

  • Sr. Member
  • ****
  • Posts: 254
Re: Removing AVAST! and Moving on!
« Reply #98 on: December 06, 2009, 05:02:38 PM »
Nothing wrong with your English. A lot better than my Venezuelan. And I agree with what you say.
Win 7 Home Premium 64 bit,Avast Free,Superantspyware Free,Malwarebytes Pro Winpatrol Pro,Spywareblaster Free.

Offline Shiw Liang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1436
Re: Removing AVAST! and Moving on!
« Reply #99 on: December 07, 2009, 05:10:07 PM »
lol...lol actually I find it funny!
When I found so much viruses in my computer,my common sense told that it is impossible that there is so much virus!
I was totally sure about my pc's security with my avast,firewall and malwarebytes.
Well I was thinking yesterday not virus and now lots of viruses that was not normal and so I just ignore it!
Then after an update at my surprised things were fixed and when I went to the forum at my surprise it was an error made by one of awil software^^!

But whatever happen as soon as it can be forgiven I'll stay with avast!

By the way I suggest you not to use AVG!!!
It completely damaged my whole pc don't talk about software with its reboot removal arggghhh I can't even log in my computer it took me a lot a money to fix that thing!
« Last Edit: December 07, 2009, 05:45:37 PM by shiw liang »

Offline xblade

  • Newbie
  • *
  • Posts: 12
Re: Removing AVAST! and Moving on!
« Reply #100 on: December 07, 2009, 09:24:42 PM »
The same thought shiwa liang, should not be an expert to realize that it was a false positive , the problem was that as I have the beta version 5 is automatically sent to the Virus Chest, something which I do not like, hopefully corrected that in the final version

cod head thanks, at least the google translator does a good job xD

Saludos desde Venezuela :)

Offline grefra

  • Newbie
  • *
  • Posts: 1
Re: Removing AVAST! and Moving on!
« Reply #101 on: December 08, 2009, 10:09:21 PM »
I have been using Avast for years. I understand mistakes and this was a BIG one happen. I spent days fixing my computer. Uninstalled Spybot, Malwarebytes and several others. System restore was also corrupted. I finally took my computer back to when received with Dell Ghost.
Right now I am mad as hell at Avast, will give it a rest for a while, may try again later, but inexcusable and the hours it cost me will never be forgotten.

FF, IE8, xpsp2, duo, 2 gig.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83545
  • No support PMs thanks
Re: Removing AVAST! and Moving on!
« Reply #102 on: December 08, 2009, 11:31:03 PM »
The same thought shiwa liang, should not be an expert to realize that it was a false positive , the problem was that as I have the beta version 5 is automatically sent to the Virus Chest, something which I do not like, hopefully corrected that in the final version
<snip>

Well why not change the default settings on detection to Ask as the first option, that ability already exists in the 5.0 beta doesn't it.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.6.2420 (build 20.6.5495.561) UI-1.0.544/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro