Author Topic: Suspicious Operation  (Read 4976 times)

rt18_uk

  • Guest
Suspicious Operation
« on: July 09, 2003, 02:37:36 PM »
Maybe I'm being silly here, but every time I boot up my AVAST 4 Home edition it inevitably pops up a window (a white one similar to old 3.1 windows) stating "Standard Shield has detected a suspicious operation" and names a dll file from the AVAST directory. I get to choose YES, NO, or IGNORE, but it doesn't say what each of these options does, so I've tried them all but nothing different happens or prevents the problem.

Occasionally I get the same message but for a different dll file, for example when I run other programs (such as Corel DRAW 9). Is this the sign of a virus? I ran a complete Thorough Virus Scan of my entire system but it found nothing.

Any ideas?

Thanks in advance,
Richard

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:Suspicious Operation
« Reply #1 on: July 09, 2003, 03:14:39 PM »
The behavior blocker can be configured (in the resident protection settings / Standard Shield / Blocker). If you have "Opening file for writing" enabled, it looks for files (the type is again configurable, I don't know your settings) being opened for write access. Unfortunately, some programs open the files for read+write access even when they don't intend to write there (yesterday, there was a similar topic; if you try to access "Properties" of a file, some Microsoft library will do exactly this thing).

So, it is possible that you get such a warning, for example when you start some programs. You are not saying what operating system you have... it's a little strange that avast detected such an operation in itself (it shouldn't) - but it's possible that some third party library gets loaded, causing such behavior...
What OS do you have? What is the name of the DLL that's announced?

If you were getting these warnings out of nothing (if the computer was idle), then it would be really suspicious. When you're getting them when starting some program... well, hard to say, but it may not mean anything serious.

As for the buttons on the popup window - Yes means "allow the operation", No means "block the operation", and Ignore means "allow the operation and similar operations of the program in the same session".

I personally would rather recommend you to disable the "Open for writing" behavior blocker setting and rely on the rest of standard shield (maybe set executable extensions to be scanned on open). That would get rid of the warnings.

rt18_uk

  • Guest
Re:Suspicious Operation
« Reply #2 on: July 09, 2003, 06:26:41 PM »
Thanks for the response.

I have changed the settings from their default to prevent the 'open file for writing' check, so I don't expect it to question the action again.

For clarification, I can answer your questions...

I run Windows 98SE. The warning message appears about 30 seconds after boot-up, just as the skin files in AVAST4\Data\Skin\ are scanned. The message says an attempt to write to AVAST4\SETUP\SETIFACE.DLL has been intercepted. I still don't know why this is necessary, but it happens without fail every time I log on (perhaps not now with the options changed).

I hope this information is useful to someone. I hope it isn't an as-yet-undiscovered virus or similar.

Thanks again,

Richard

jdong

  • Guest
Re:Suspicious Operation
« Reply #3 on: July 09, 2003, 08:49:41 PM »
No, it doesn't look like a Virus.

Perhaps Avast itself is the problem. Does Avast ask for write permissions when it doesn't need it ;)

PekkaP

  • Guest
Re:Suspicious Operation
« Reply #4 on: July 26, 2003, 09:03:01 PM »
Exactly the same thing happens to me, SETIFACE.DLL at every login.  This started this morning after I updated the Avast program.   Also, it happens when I retry program update (even though it's up to date now).

Win98 SE, Avast 4 home.

Write blocking is on, and I rather like the feature.
Something in Avast is trying to change the skin, isn't it? I've got the blue panel skin set. Changing it to teak zeppelin doesn't fix the problem and causes the "The system cannot find the file specified. Cannot start incremental update." message as well.

I'll try Ignoring it for now, since it does seem like Avast is doing this to itself.

kubecj

  • Guest
Re:Suspicious Operation
« Reply #5 on: July 27, 2003, 01:09:15 AM »
SETIFACE.DLL is a vital part of install/upgrade/uninstall. If you've blocked its overwrite, none of the named actions will probably work now.

You have to copy the latest setiXXXXXXXX.vpu file in the directory avast4\setup to setiface.dll manually.

On the other hand, it's true that Avast does this too often...