Scanning results incorrect

[Tweakerz]

Ok, used Avast many years ago and recently decided to give it another go, one thing at the moment I dislike and am puzzled over and I am hopeful someone might shed some light on the subject. I have a spare drive seperate from the OS on which files are downloaded and stored, I excluded that area from being scanned... Ok, thing is when I attempt to scan an individual file via the right-click context menu Avast pops up and shows no time taken, no files scanned, no threat detected, everything shows as 0s in all areas. If I move that same file to the desktop or any non-excluded area and initiate a scan then it works as one would expect. In over 10 yrs and with a large number of different antivirus programs I have never seen one that you cannot exclude an area from being scanned in real-time via File System Shield as Avast names it and not still be capable of manually starting a scan. I was using Avira before and could exclude any location and still go there and scan individuals files as needed, this seems an oversight or a bug, either way it is not an ideal situation and really shouldn't occur. I am very hopeful this is not intentional or that makes it even worse, by any means thanks for reading and hopefully someone has some idea why Avast behaves in such a silly manner.

[XonXoff]

Hej Tweakerz !

I just gave a try on Avast! 5.0.594 / Windows XP: first excluding an entire folder, launched a scan in the parent folder that seemed to work as expected, went manually in the excluded folder using explorer, right-clicked on a random file, got the contextual menu, and scanned individually one of the files there using the contextual menu.
All worked perfectly (I must admit I did not wait for the first scan to complete, but it seemed to do his job well, and this was not your symptom).

Could you please tell more about your environment ? (proc / OS / Avast version)

[Tweakerz]

Hej Tweakerz !

I just gave a try on Avast! 5.0.594 / Windows XP: first excluding an entire folder, launched a scan in the parent folder that seemed to work as expected, went manually in the excluded folder using explorer, right-clicked on a random file, got the contextual menu, and scanned individually one of the files there using the contextual menu.
All worked perfectly (I must admit I did not wait for the first scan to complete, but it seemed to do his job well, and this was not your symptom).

Could you please tell more about your environment ? (proc / OS / Avast version)

Ok, I scanned and snagged screenies to better illustrate the problem. I am running Windows 7 Ultimate x64 on an Intel Core i7 with 6GB mem and other assorted go fast goodies and the latest version of Avast 5 which is 5.0.594. I've worked in IT for over 10 yrs and never had an antivirus behave in such a manner, honestly since Avast seems to include a Behavior Shield that doesn't do much if anything from what I've read and seems to detect less than Avira I am considering going back to Avira already. I am curious what MS will offer since in a few days they are releasing a major upgrade to their engine though. Anyways, ask what you'd like and I'll provide the answers and perhaps we can figure out why such a situation might occur.

Excluded folder scanned file via right-click and then scanned from desktop...

[DavidR]

The images you are displaying aren't on-access scans, which the file system shield exclusion handles. This is an on-demand scan which you initiated using ashQuick right click (or download manager call to ashQuick). The on-demand exclusions are handled by the avast Settings, Exclusions.

There are two different locations in the images shown - So the one that has been scanned isn't in the avast settings exclusions.

[Tweakerz]

I appreciate your reply David but I never said anything about On-Access scans, I said On Demand meaning when I start the scan or Demand them via Right-Clicking the said file. If you look in settings under Exclusions though you see a note that states: "Note: exclusions specified here will apply only to on-demand scans (manual and scheduled scans)." So you see my mistake was not realizing that the method of exclusion differs slightly. In settings you have to not place the desired locations in exclusions there but instead go into another location or sub-settings area if you will for File System Shield and from there exclude the desired locations...so I have worked out the problem but still find it a bit odd how the design is, it does make sense though to some degree to have such an option, it could have been setup in a few different ways but this one works, it just isn't what I'd normally expect. I've been dealing with little sleep and some medical problems as of late so I haven't been at my best admittedly and I simply overlooked the exact phrasing which had me setting things a bit backwards, now things are as they should be and I again thank you and XonXoff for your assistance. Now I guess it's just a matter of hoping that they make the Behavior Shield functional as it seems it never does anything, maybe it will, but reading and testing and watching reviews it seems to not do much currently...that and improved detections as KAV, GData, and Avira have much higher detection (especially important is 0 day threats to me to be specific about my meaning here). Anyways, thanks guys, it is much appreciated! 

[DavidR]

You're welcome.

It was my reading between the lines when you mentioned the file system shield (which deals with on-access scans), so perhaps that was an error on my part.

I have never seen one that you cannot exclude an area from being scanned in real-time via File System Shield as Avast names it and not still be capable of manually starting a scan.

The problem as I see it (as an avast user, I don't work for avast), in having an exclusion that encompass on-access and on-demand scans. There may well be a case that you want to exclude a folder from on-demand scans (I have my samples folder excluded and by back-up images folder excluded, etc.). But in excluding a folder you are effectively putting a hole in your security if anything malicious was placed there you wouldn't want it to be run either intentionally or accidentally.

What I do know is that avast are very wary in regard to user security on exclusions, a point in case many advanced users wanted a button to click on the alert window so they could a) exclude a file from scans and b) allow it to run if considered an FP.

Avast felt that is too dangerous to have a single click option to ignore/exclude/run a malicious file by accident and that exclusion had to be a deliberate act; so it looks like this is further extended into the on-demand and on-access exclusion settings. If it was done in that single exclusions way the right click scan would be unable to scan any folder you had excluded and return the 0 files and 0 time window which is possibly more misleading.

I have been using avast for almost six and a half years now and have got used to this 'quirky' exclusion setup, it just took a little time at first

I might have missed it, but if you have a 64bit OS the behaviour shield although running doesn't have any rules at this point, but they will be developed as required.

A belated welcome to the forums.

[XonXoff]

Hi David and Tweakerz...

I had been too quick in my first try : I did not correctly set the exclusion in Avast.
As I don't like to not understand things, I have made one more try this morning, with a high level of cofeine in a cup just besides me.
I now have set properly and reproduced the behaviour Tweakerz is talking about (pfew !)

To disable or enable the right-click scan on a file in an excluded area is for me somehow a matter of choice, and I have no philosophical preference on this. The most important is that one knows how the soft behaves (but I understand Tweakerz : if you are used to something else, it might feel strange to encounter unusual ways of considering things)
However, I see two important things :
- behaviour have to be congruent (seems to follow a logic, not change behaviour from one version to the next except if explanations are given)
- behaviour have to be explained or self explanatory : I personnaly would prefer a clear sign saying "This right click scan is not allowed since YOU have excluded this area from scan" (with maybe a shortcut button to the settings)  instead of this somehow misleading 0 file / 0 byte table looking exactly the same as the table produced when a scan is effectively carried out and completed.

Tweakerz, I am interested in some explanations or reviews you mentioned about the behaviour shield.

[DavidR]

The avast Behaviour Shield is somewhat different to what others might associate with behaviour if you are comparing it to something like Threatfire. The major problem is one of interpretation as many things would fall into the general description of a behaviour blocker/shield, heuristics is another such general description which encompasses many such similar but different tools.

- avast! Behaviour Shield, general information from an interview Softpedia - Ondrej Vlcek

Ondrej Vlcek: The Behavior Shield that we shipped in version 5.0 is a new component that is going to be further developed moving forward. For example, in version 5.1, we will be adding more sensors that will allow for even finer-grain filtering.

For now, the Behaviour Shield is focused on exploits coming via typical mechanisms (browser, PDF reader, and flash vulnerabilities, for example). It also closely monitors all kernel-mode code (drivers) loaded into the operating system, and is able to detect zero-day rootkits.

[Tweakerz]

Thanks again guys...

I do in fact run x64 for many reasons and have for many years now, also was a fan of XP x64 (didn't give me much comparability problems like most) and now Win 7 x64. I am glad things became clear enough that we could all understand what was happening and I now have a bit better understanding of the program. I like that x64 is more secure and from the information above it would seem the Behavior Shield does less with a 64 bit system than a 32 bit system, makes perfect sense. What I am really looking forward to is seeing Online Armor (recently aquired by Emsisoft) with a final release of there product for x64 based systems. I hope that Avast actually become more like OA or ThreatFire, in VM these two are VERY good at supplementing other security software. OA seems somewhat nicer than TF though to be honest. What I also found a nice supplement without any resource loss is a new more secure DNS service like OpenDNS or Comodo Secure DNS, it is called Sunbelt's ClearCloud and in testing it blocks several malicious web-pages (or their content) that would be considered 0 day threats. With any decent AV and something like OA and K9 combined with secure DNS you are fairly well protected, once Avast gets a little further along and improves their shields (especially for x64), their detections, and continues to add the benefits of "The Cloud" I think most anyones security needs should be well handled. Want one for the wishlist....it'd be RunSafer like OA or Sandbox like Kaspersky. ( I know of Sandboxie but if Avast could include such features (in the free version) that would be really great. I know the paid version has sandboxing but I recall that it wasn't really very effective so I can only imagine that'll improve, offering it in the free version though will probably allow it to develop faster as more will use/test and post about it.

Checkout the free DNS offering, testing it against Comodo and OpenDNS is without question is able to block many sites you might find on the Malware Domain List.
http://forums.clearclouddns.com/messageview.aspx?catid=247&threadid=5147&enterthread=y

If there was anything specific you wanted to know, ask, see, etc that I did not cover I'd be glad to discuss any of that further, just drop a line. Thank you both again, very nice to pop into a forum and get quality results.

[Lisandro]

I know the paid version has sandboxing but I recall that it wasn't really very effective

Why not?

[Tweakerz]

Why not? This is why......I'm not saying that currently it does not work properly, just that when I considered it not really that long ago it had some problems that left me a bit disappointed. Honestly I really want to find one app that can offer a really complete package, if Avast improves (mainly for x64) in all areas enough they might just come close to being top notch.

What I like/wish for is as follows:

Online Armor - RunSafer and Behavior abilities
Avira - Detection abilities
Kaspersky Internet Security - both Sandboxing and Detection (or GDATA for detections)

If Avast has or gets the sanbox working close to what Sandboxie offers, improves detections, certainly an improvement to Behavior analysis. Utilizing "the cloud" with their community based protection is great and should only improve.

Some reasons why not...(many if not all probably are now resolved actually)
http://remove-malware.com/announcements/avast-5-pro-sandbox-broken/
http://www.sandboxie.com/phpbb/viewtopic.php?t=7692

Mainly I feel it is x64 support and the sandbox for Avast is only for the pro version.

[Lisandro]

Thank Tweakerz.
Do you know if that vulnerabilities were already solved in the 5.0.594 version?

[GloobyGoob]

The avast! Sandbox had a few issues when it first came out but now it works fine.

[Tweakerz]

Since I am toying with the free version I haven't been able to test the sandboxing but I know that the Behavior Shield has some work to do yet, at least with x64. This info was provided by another member here and I haven't been able to trigger it even with Windows XP (x86 and not x64) so that will likely improve with time. I see that GG states it is now working, I'd be interested to know how it compares to Kaspersky and to Sandboxie if anyone can speak on it's abilities. Side note... I can say that Comodo has a really useless sandbox that is included with their free offering, Comodo has several nice offerings but their implementation of sandboxing fails miserably. I do want to state I am not bashing Avast in any way, I used to use it and suggest it to friends, family, and clients, right now I really want to because of the P2P and Web Shields mostly and eventually I hope the Behavior Shield too, just for now it seems to need a bit more polish before a nonpc literate person would really find it robust enough. I say this because it seems no matter what you give a client they'll always find a way to get infected! Adding K9 and ClearCloud alongside Avast and Malwarebytes and you get a pretty solid offering. Emsisoft is now offering their dual engine antimalware app which can be used with the Online Armor FireWall which is a VERY solid combo...sorry, got off on a bit of a rant I suppose, thanks again to everyone!

[GloobyGoob]

The Behavior Shield is going to be improved in version 5.1 (coming out late August/early September). I don't know how Sandboxie compares with avast's but I used both and think that avast's is easier to use. I made a video (link here) showing how avast sandbox would fare against various malware-infected sites with the shields turned off, if you want you can view that (it's rather lenghty though). Comodo takes a different approach. They sandbox only unknown files. Also, avast is going Cloud AV from what I've heard.

Edit: Fixed Typos