Author Topic: "File System Shield" Ignoring Main Exclusions  (Read 7333 times)


snarky

  • Guest
"File System Shield" Ignoring Main Exclusions
« on: April 12, 2010, 04:28:12 AM »
I'm using avast! Internet Security 5.0.462 on WinXP Pro SP3.

Problem 1:

The help file, under "Program Settings" > Exclusions, says this:

Quote
To exclude a location or file, first click the box where it says <enter path> and then either type the location or file to be excluded, or alternatively, click the "Browse" button, check the box next to the location or file to be excluded, then click "ok".

However, when I try browsing to a file, I find it impossible, as only folders are shown (no files).  I assume that the documentation is simply inaccurate.

Problem 2:

By manually adding the full path to individual EXE files, I have several programs included in the main list of exclusions.  According to the GUI and the help file, this should exclude these programs in the real-time components.  However, I found that adding these programs to the main exclusions has done nothing to prevent the programs from being caught by the "File System Shield".

It was only after adding the exact same paths to the "File System Shield" exclusion list that I was able to run these programs.  And since I used copy/paste, I know there is no typo.

Some example paths that are included in the main exclusions, which the "File System Shield" ignores and detects anyway:

C:\Program Files\NirSoft\LSASecretsView\LSASecretsView.exe
C:\Program Files\NirSoft\AsterWin IE\asterie.exe
C:\Program Files\Desktop Scout\dtsproc.dll

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: "File System Shield" Ignoring Main Exclusions
« Reply #1 on: April 12, 2010, 04:49:53 AM »
Quote from: snarky
However, I found that adding these programs to the main exclusions has done nothing to prevent the programs from being caught by the "File System Shield".

What do you mean, being caught?
If you mean avast is alerting on these files, you obviously believe the detection isn't good. If so then it is best to report the files to avast so that the detection can be checked and corrected as required.

Have you tried confirming the detection:
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

- avast5 - Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\* That will stop the File System Shield scanning any file you put in that folder. Now enter the chest again and Extract the file to the Suspect folder and upload it to VT.

- GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP if only those two detect it.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.

~~~
Just how many exclusions have you got in the Settings, Exclusions and the File System Shield, Expert settings, Exclusions?
The reason I ask is this has been seen where someone has had a high number of exclusions and appears to come up against some sort of limit.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

snarky

  • Guest
Re: "File System Shield" Ignoring Main Exclusions
« Reply #2 on: April 12, 2010, 04:53:37 AM »
I use a few programs that avast (correctly) categorizes as PUPs.  The EXE files I have added to the main exclusions are among these PUPs I have installed.  I've added them to the main list because I want avast to detect other PUPs (that is, PUPs I do not already have installed).

What I am saying is that even with the EXEs included in the main exclusions, the "File System Shield" is detecting these files when I try running the program.  I get alerts, and of course the program is not allowed to run.  That's what I would expect if these EXE paths were not in the main exclusion list.  But since the GUI and help file both say that the main list excludes the paths from the real-time components, it seems these alerts should not appear.

From the help file, under "Program Settings" > Exclusions:

Quote
It is possible to exclude certain locations, or even single files, from scanning, which means they will not be checked for viruses during any scan.

...

Keep in mind that any exclusions specified here apply to all scans (manual and scheduled) and also to the real-time shields.

So again, by way of just one example, I have the following path added to the main exclusion list, yet the real-time "File System Shield" will not let me run this program unless I also add the exact same path to the "File System Shield" exclusions:

C:\Program Files\NirSoft\AsterWin IE\asterie.exe
« Last Edit: April 12, 2010, 04:58:37 AM by snarky »

Offline DavidR

Re: "File System Shield" Ignoring Main Exclusions
« Reply #3 on: April 12, 2010, 05:16:21 AM »
Well I think that there is a subtle (undocumented) difference between the two exclusions, the main one in the avast settings to me seems more geared to on-demand scans as there are no R/W/E (read/write/execute) options like the file system shield (FSS) exclusions.

So when these file areas are scanned during routine on-demand scans they are inert, but having executed the file I honestly don't know if that subtle R/W/E difference means avast is going to scan it.

These are my personal thoughts on this which aren't supported by any documentation, so I don't know if this assumption is correct. So I believe the reference to real-time scan to be incorrect as I have had this happen when I was submitting a file to virustotal and I have my Suspect folder (where I place samples to be uploaded) excluded.

I also don't know if you have changed your FSS settings (Sensitivity) to scan for PUPs or not, the default is not to scan for PUPs.

That's me for the night, after 4am here.

snarky

  • Guest
Re: "File System Shield" Ignoring Main Exclusions
« Reply #4 on: April 12, 2010, 05:24:28 AM »
But it's not just the documentation that says that the main exclusions also apply to the real-time components.  Under the main settings, in the Exclusions section, it says:

Quote
Note: exclusions specified here will apply to both on-demand scans (manual and scheduled scans) and to the real-time shields.

Sorry, but I don't see how this could mean anything but that the paths I add will be ignored by the "File System Shield" (and all the others).

snarky

  • Guest
Re: "File System Shield" Ignoring Main Exclusions
« Reply #5 on: April 12, 2010, 06:19:03 AM »
Perhaps the GUI and the docs should specify that the main exclusions apply to the reading/writing aspects of the real-time shields, but not to the execution aspect of the "File System Shield".

This is far from the only problem I've found with the docs, and I find it irritating and time-wasting to have to sort it all out through trial, error, and experimentation.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: "File System Shield" Ignoring Main Exclusions
« Reply #6 on: April 12, 2010, 07:26:33 AM »
The help file (and the in-product description) is wrong in this case.
We'll see what we can do to fix the problem.
If at first you don't succeed, then skydiving's not for you.
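Given the confirmation above that the main exclusion list does not cover the File System Shield, the check below lists which main-list entries have no matching shield exclusion. It is an added example, not avast code or part of any post: both lists are typed in by hand, the shield entries are constructed sample data, and the wildcard semantics (`*` for any run of characters, `?` for one character) are an assumption.

```python
import re
from pathlib import PureWindowsPath

def norm(entry):
    """Normalise separators and case: Windows paths compare case-insensitively."""
    return str(PureWindowsPath(entry.strip().strip('"'))).lower()

def to_regex(pattern):
    """Assumed wildcard semantics: * = any run of characters, ? = one character."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c)
             for c in norm(pattern))
    return re.compile("".join(parts))

def covered_by(path, patterns):
    """True if the path matches at least one exclusion pattern."""
    target = norm(path)
    return any(to_regex(p).fullmatch(target) for p in patterns)

def uncovered(main_list, shield_list):
    """Main-list entries that no shield exclusion covers."""
    shield_norm = {norm(p) for p in shield_list}
    missing = []
    for entry in main_list:
        if "*" in entry or "?" in entry:
            # Conservative: a wildcard entry counts only if the same
            # pattern is present in the shield list.
            ok = norm(entry) in shield_norm
        else:
            ok = covered_by(entry, shield_list)
        if not ok:
            missing.append(entry)
    return missing

# Main exclusions: the three paths quoted in the first post.
MAIN = [
    r"C:\Program Files\NirSoft\LSASecretsView\LSASecretsView.exe",
    r"C:\Program Files\NirSoft\AsterWin IE\asterie.exe",
    r"C:\Program Files\Desktop Scout\dtsproc.dll",
]
# Shield exclusions: constructed sample (different case and separators on purpose).
SHIELD = [
    "c:/program files/nirsoft/asterwin ie/ASTERIE.EXE",
    r"C:\Suspect\*",
]

if __name__ == "__main__":
    for path in uncovered(MAIN, SHIELD):
        print("not excluded in File System Shield:", path)
```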

Offline DavidR

Re: "File System Shield" Ignoring Main Exclusions
« Reply #7 on: April 12, 2010, 04:09:55 PM »
Quote from: snarky
But it's not just the documentation that says that the main exclusions also apply to the real-time components.  Under the main settings, in the Exclusions section, it says:

Quote
Note: exclusions specified here will apply to both on-demand scans (manual and scheduled scans) and to the real-time shields.

Sorry, but I don't see how this could mean anything but that the paths I add will be ignored by the "File System Shield" (and all the others).

This is what I meant by undocumented as it goes against personal experience. Now that Vlk has confirmed the docs and in-product description are wrong in this case, it/they will hopefully be corrected soon.

I don't know if you previously used avast 4.8, but the exclusions actions pretty much mirror what they did in 4.8. The main avast settings, exclusions were for the on-demand scanners and the real-time exclusions were within the standard shield settings.

Offline rdsu

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 534
  • ...
Re: "File System Shield" Ignoring Main Exclusions
« Reply #8 on: April 25, 2010, 06:10:08 PM »
Any news about this?

I want avast! not to scan specific files by any shield.
Avast Free Antivirus: Web Shield & Home Network Security.