Author Topic: How does user files in virus chest work?  (Read 5233 times)

AnnieMS

  • Guest
How does user files in virus chest work?
« on: January 08, 2010, 02:07:16 AM »
I had a file in my download folder that I didn't remember downloading. I thought I could move it to the virus chest while I checked thru my notes for a memory jog. I followed the info in the help file and the file is listed in user files in virus chest, but it's still also in the download folder.

So, what did I do wrong? Also, can you get to the virus chest thru the enhanced user interface or only thru the simple user face?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: How does user files in virus chest work?
« Reply #1 on: January 08, 2010, 02:49:13 AM »
The User Files section, manual move to the chest doesn't work in the same way as for an avast detection and move to the chest.

e.g. add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 

From here it can be submitted for analysis to avast.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

You should be able to access the chest through both the SUI and EUI or directly using <avast4>ashChest.exe.
« Last Edit: January 08, 2010, 02:50:48 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

AnnieMS

  • Guest
Re: How does user files in virus chest work?
« Reply #2 on: January 10, 2010, 04:58:44 AM »
Thanks DavidR
I had thought the user's file part of chest was like a quarantine where I could move a file that avast hadn't IDed as infected. Is the "infected files" part a quarantine where avast actually moves the files?

I'm not sure how to use chest if it doesn't actually move the file. I don't see what one can do to a file in chest other than send it to avast. I can "extract" - I guess that is for zipped-type files? - and I can get "properties" which aren't the same properties as rclicking the file in place. I guess it's mostly for pros.

I put RootRepeal.exe in chest thinking I was moving the file to a quarantine folder so I wouldn't unintentionally doubleclick it while I tried to figure out where it came from. I discovered it when I downloaded RootRepeal.zip last week when, as far as I remember, I first read about the program. I couldn't find it in my download notes and when I googled "rootrepeal.exe" the only legit places I found downloaded rootrepeal in zip or rar - no exe. There was a bad file listed [a trojan, I think] in my "rootrepeal.exe" hits. 

The rclick properties of the exe file give the correct file version number for legit rootrepeal and the file size didn't match any given for the bad rootrepeal. A scan by VirusTotal had 4 suspicious ratings out of 40 scanners. F-secure rated it as "Suspicious:W32/Riskware!Online" and McAfee GW as "Heuristic. LooksLike. Win32.Suspicious.C!86". Rclick Avast and malwarebytes scans of the file were neg. Spybot won't scan it from the context menu - it activates the "do you want to run" box.

So I still don't know if it is a legit or a bad rootrepeal, but I'm just going to delete it before I accidentally doubleclick it. If I delete the file from chest will it shift delete it from its current folder?

With simple user view you can highlight the user files icon on the left and File > add.  I could view files in chest in the EUI but when I clicked on the user files icon on the left the chest menu was greyed out. When I clicked on the right side the menu was also apparently greyed out but today I clicked harder on the right side and the chest menu had the add option.

Online DavidR

Re: How does user files in virus chest work?
« Reply #3 on: January 10, 2010, 05:09:53 PM »
It is a form of quarantine as it is within the avast chest, where files are encrypted and the name changed. Those files can't be accessed from the outside so they are in effect quarantined, but because it isn't moved there by a detection the original file has to be dealt with manually by the user.

The Move on a detection is quite correct: avast moves the infected file from its original location into the chest. When you manually 'add' a suspicious file to the user files section you are just copying the original to the chest, so the actions are different and the original still exists.

Why would you put RootRepeal.exe in the chest (it is a genuine anti-rootkit tool)? If it is because you don't want to run it then remove it. How do you think that you run rootrepeal? You have to extract the executable file from within the zip or rar file; that is why you only see download sites indicating the download file is a zip/rar.

Generic/Suspicious/Heuristic detections are more prone to false positive and in this case I would say the detections are nothing short of paranoid heuristics.

Deletion from the chest does what it says on the tin, it deletes the file in the chest nothing else. Remember if this were a detection by avast and was moved to the chest this is the only location it would exist. Because you manually copied it to the user files section, a copy exists in the original location even if you delete the 'copy' in the chest.

I can't say about the EUI as I don't use it as I use the Home version which uses the SUI, but you have to first open the chest before you can access the different sections/files in the chest, you can't access them directly from the SUI (as I said I can't comment on the EUI).
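
The copy-versus-move behaviour discussed in this thread, as an added toy model in Python (not part of any post and not avast code). The `ToyChest` class, the `.chest` file extension, the file names and the single-byte XOR standing in for the chest's encryption are all assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

KEY = 0x5A  # constructed XOR key; a stand-in for the chest's real encryption

class ToyChest:
    """Toy model of the two chest paths described in the thread."""
    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)

    def _store(self, src):
        # Store an obfuscated copy under a new name so it cannot be run in place.
        data = Path(src).read_bytes()
        chest_id = hashlib.sha256(data).hexdigest()[:16]
        (self.root / (chest_id + ".chest")).write_bytes(bytes(b ^ KEY for b in data))
        return chest_id

    def add_user_file(self, src):
        """Manual 'File > Add': copy only, the original stays where it was."""
        return self._store(src)

    def move_on_detection(self, src):
        """Detection path: store a copy, then remove the original."""
        chest_id = self._store(src)
        Path(src).unlink()
        return chest_id

    def delete(self, chest_id):
        """Deletes the chest entry only; the original location is untouched."""
        (self.root / (chest_id + ".chest")).unlink()

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        chest = ToyChest(tmp / "chest")
        manual = tmp / "unknown_download.exe"    # constructed sample files
        detected = tmp / "flagged_download.exe"
        manual.write_bytes(b"MZ constructed sample A")
        detected.write_bytes(b"MZ constructed sample B")
        cid = chest.add_user_file(manual)
        chest.move_on_detection(detected)
        after_add = manual.exists()      # original survives a manual add
        after_move = detected.exists()   # original is gone after a detection move
        chest.delete(cid)
        after_delete = manual.exists()   # deleting the chest copy changes nothing here
        return after_add, after_move, after_delete
```
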