Author Topic: Avast scanning child executables every time  (Read 4926 times)


reesd

  • Guest
Avast scanning child executables every time
« on: August 26, 2011, 11:55:00 PM »
When a child executable is called from a parent executable (Process Create) Avast seems to be scanning the child executable and its DLLs every time without following any of its File System Shield rules:
  • It ignores the transient cache (scans every time)
  • It ignores the exclusion list (scans executables even if they are explicitly listed)
  • It doesn’t report the scan in the File System Shield Report

One example I have of this is git.exe being called from WebStorm.exe (an IDE written in Java). WebStorm calls git a lot (as it should), and every time Avast scans the git.exe file. I can see this in Process Monitor and I notice it in the fact that WebStorm keeps hanging when it tries to access git. But nothing is shown in the FileSystemShield report.

Attached is a CSV showing all the accessing going on in Process Monitor in just a few minutes. I can also share the Process Monitor logs with a support person if you like.

The only real-time shields I have enabled are File System Shield and Mail Shield. This is on Windows XP SP3.

d

PS,  A related thread is at http://forum.avast.com/index.php?topic=68692.
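
The check described in the post above (comparing how often an executable is launched with how often AvastSvc.exe opens it) can be run over a Process Monitor CSV export. This Python script is an added example, not part of the original thread; it assumes Process Monitor's default export columns, and the sample rows, the git.exe path, the PIDs and the function names are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample in Process Monitor's default CSV export columns.
# The git.exe path, PIDs and timestamps are made up for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:50:01.100","WebStorm.exe","3120","Process Create","Z:\git\bin\git.exe","SUCCESS","PID: 4001"
"11:50:01.105","AvastSvc.exe","1488","CreateFile","Z:\git\bin\git.exe","SUCCESS","Desired Access: Generic Read"
"11:50:01.106","AvastSvc.exe","1488","ReadFile","Z:\git\bin\git.exe","SUCCESS","Offset: 0, Length: 4,096"
"11:50:09.300","WebStorm.exe","3120","Process Create","Z:\git\bin\git.exe","SUCCESS","PID: 4002"
"11:50:09.304","AvastSvc.exe","1488","CreateFile","Z:\git\bin\git.exe","SUCCESS","Desired Access: Generic Read"
"11:50:09.305","AvastSvc.exe","1488","ReadFile","Z:\git\bin\git.exe","SUCCESS","Offset: 0, Length: 4,096"
"11:50:20.000","explorer.exe","900","Process Create","C:\Program Files\Notepad++\notepad++.exe","SUCCESS","PID: 4003"
"11:50:20.004","AvastSvc.exe","1488","CreateFile","C:\Program Files\Notepad++\notepad++.exe","SUCCESS","Desired Access: Generic Read"
"11:50:31.000","explorer.exe","900","Process Create","C:\Program Files\Notepad++\notepad++.exe","SUCCESS","PID: 4004"
'''


def scan_stats(csv_text, scanner="AvastSvc.exe"):
    """Return {path: (launches, scanner_opens)} for every launched executable."""
    launches, opens = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"].lower()  # Windows paths compare case-insensitively
        if row["Operation"] == "Process Create":
            launches[path] += 1
        elif (row["Process Name"].lower() == scanner.lower()
              and row["Operation"] == "CreateFile"
              and row["Result"] == "SUCCESS"):
            # One successful open by the scanner is counted as one scan pass;
            # the ReadFile events that follow belong to the same pass.
            opens[path] += 1
    return {p: (n, opens[p]) for p, n in launches.items()}


def rescanned_every_launch(stats):
    """Paths launched more than once that the scanner opened on every launch."""
    return sorted(p for p, (n, o) in stats.items() if n > 1 and o >= n)


if __name__ == "__main__":
    # For a real export, read the file with encoding="utf-8-sig" to drop the BOM.
    stats = scan_stats(SAMPLE_CSV)
    for path, (n, o) in sorted(stats.items()):
        print(f"{path}: launched {n}x, opened by scanner {o}x")
    print("Rescanned on every launch:", rescanned_every_launch(stats))
```

A path that is opened once and then launched repeatedly without further opens is consistent with a working scan cache; a path whose open count keeps pace with its launch count matches the behavior reported here.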


igor

  • Avast team
Re: Avast scanning child executables every time
« Reply #1 on: August 27, 2011, 12:11:53 AM »
If you enabled the "OK files" to be stored in the FileSystem Shield's report to see what's being scanned, you need to restart the FileSystem Shield for the change to take effect. If the record isn't there even after that, then it's not really a scan that's going on.

Regarding the exclusions - what exactly did you put there? Is Z:\ a real drive?

reesd

  • Guest
Re: Avast scanning child executables every time
« Reply #2 on: August 27, 2011, 12:36:09 AM »
Thanks for the quick response!

> If you enabled the "OK files" to be stored in the FileSystem Shield's report to see what's being scanned, you need to restart the FileSystem Shield for the change to take effect.

Yes, I have had "ok files" enabled for a long time so I can track what Avast spins its wheels on. It is showing lots of other OKs, so I know OK logging is working.

> If the record isn't there even after that, then it's not really a scan that's going on.
>
> Regarding the exclusions - what exactly did you put there? Is Z:\ a real drive?

Yes, Z is a real drive. It's a local FAT32 partition. Nothing special to it. I mapped it to Z so it's always at the bottom of the list.

I actually went and turned off all the shields, and I still see the AvastSvc.exe reading the git.exe every time I access it through WebStorm. So it seems to be Avast functionality that is not contained in any of the shields. Is there some type of process monitoring that isn't contained in the shields?

I don't think it's related, but I'll add I have rootkit scan disabled also.

Thanks,
d

igor

  • Avast team
Re: Avast scanning child executables every time
« Reply #3 on: August 27, 2011, 12:55:10 AM »
Strange... if you had Behavior Shield enabled, and when it's a FAT32 drive, I would guess that might be it, but if it's the FileSystem Shield only...
If you disable the AutoSandbox, does it change anything?

reesd

  • Guest
Re: Avast scanning child executables every time
« Reply #4 on: August 28, 2011, 07:45:27 PM »
> Strange... if you had Behavior Shield enabled, and when it's a FAT32 drive, I would guess that might be it, but if it's the FileSystem Shield only...
> If you disable the AutoSandbox, does it change anything?

I unchecked AutoSandbox and it didn't seem to make a difference. Then I restarted the service and I stopped seeing the scanning of git.exe.

What is weird is that, to verify it was AutoSandbox, I enabled it again and restarted the service, and I am still not seeing the git.exe scanning. So somehow restarting with autosandbox fixed it even after autosandbox was turned back on. Weird. Next time I restart my computer I will check to see if it comes back.

d

reesd

  • Guest
Re: Avast scanning child executables every time
« Reply #5 on: August 29, 2011, 11:11:59 PM »
> > Strange... if you had Behavior Shield enabled, and when it's a FAT32 drive, I would guess that might be it, but if it's the FileSystem Shield only...
> > If you disable the AutoSandbox, does it change anything?
>
> I unchecked AutoSandbox and it didn't seem to make a difference. Then I restarted the service and I stopped seeing the scanning of git.exe.
>
> What is weird is to verify it was AutoSandbox I enabled it again and restarted the service. And I am still not seeing the git.exe scanning. So somehow restarting with autosandbox fixed it even after autosandbox was turned back on.

After rebooting the problem is back even if autosandbox is turned off (before rebooting). I also continue to see the problem even if all the shields are disabled. So something is causing this problem that is not a shield and is not autosandbox.

I'll add that with all shields and autosandbox off I can see that the AvastSvc is scanning EXEs and DLLs as I launch programs. For WebStorm it seems to be the main EXE and most of its DLLs each time I launch it. For MS Word it's PDFMOFFICEADDIN.DLL and Adist.dll (maybe the rest are in the persistent cache) each time I launch it. For Notepad++ it scans its EXE just the first time.

The only way I can stop this behavior is to stop the AvastSvc service itself, which really isn't a good option. But one I may have to go with when doing active development until this is fixed or I find the time to try another AV option :/.

PS, if I restart the Avast service then this behavior seems to stop happening for a while, even if the shields are enabled. Rebooting the machine always brings back the behavior though.

Thanks,
dave
« Last Edit: August 29, 2011, 11:21:16 PM by reesd »