Author Topic: Suspicious Files Found-Recommend Send to Lab, But Only Ignore or Delete Prompt!  (Read 7362 times)

0 Members and 1 Guest are viewing this topic.

Offline Jack 1000

  • Poster
  • *
  • Posts: 619
I just booted up my computer and came from a site that I have been visiting for the last eight years with no problems until now. hxxp://forums.techguy.org/  When I went to my Google home page, Avast said that it found suspicious files, and recommended that I send them to the lab for analysis.

However, the only options that were available to me were "Ignore" or "Delete" I did not know what to do so I choose Ignore.  My guess is that it came from a banner ad at hxxp://forums.techguy.org/

I used to get a message like this from Avast maybe once a year on version 5, with only an ignore or delete prompt.  Now I have the Sandbox set to Auto, so why didn't Avast Sandbox this suspicious file?  I will now do a full scan and see what it finds. (And Malware Bytes too.)  Will Report Back.

I will attach a JPG of what I saw on the screen as well.

Shoot!  I forgot that I lost the clipboard image when I copied the URL to the site in question for this message.  Running the scans now.

Jack
Avast 2014 -Windows XP (SP-3) and Malware Bytes Anti-Malware (Free Version)
1GB RAM

Offline SafeSurf

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5202
You may also want to send the url to:
Virus Total: http://www.virustotal.com/
URL Void: http://www.urlvoid.com/
Unmask Parasites: http://www.unmaskparasites.com/security-report/?page=servepics.com
Anubishttp://anubis.iseclab.org/?action=home

You can post link results here in the thread.

You may also want to run an Avast boot scan as well based on the results of your other scans.
Mac 10.9.4 /Safari and Firefox (NoScript/AdBlockPlus/BetterPrivacy/Ghostey)/
Vista Home Prem (same add-on's)/Avast Free/Online Armor Premium Firewall/MBAM Premium)/ Mobile MBAM.

Offline Jack 1000

  • Poster
  • *
  • Posts: 619
Just did a Full Scan with PUP search on.  Nothing found.  I am going to do a Boot Scan with PUP's on too, just to see.

Jack
Avast 2014 -Windows XP (SP-3) and Malware Bytes Anti-Malware (Free Version)
1GB RAM

Offline Jack 1000

  • Poster
  • *
  • Posts: 619
Just did a Full Scan with PUP search on.  Nothing found.  I am going to do a Boot Scan with PUP's on too, just to see.

Jack

Nothing found on Boot Scan.  Full Malware Bytes Scan to follow,

Jack
Avast 2014 -Windows XP (SP-3) and Malware Bytes Anti-Malware (Free Version)
1GB RAM

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36755
Quote
However, the only options that were available to me were "Ignore" or "Delete" I did not know what to do so I choose Ignore.  My guess is that it came from a banner ad at hxxp://forums.techguy.org/
I dont think you will find anything....
This i guess came from the behavior shield, and it is not detected as malware but "suspicious"
so when you click send to avast lab and ignore, the file remain on you computer and a copy is sendt to avast lab for analysis..
IF they find it to be malicious they will add detection for it an it will be detected again, this time with a malware name

Offline Jack 1000

  • Poster
  • *
  • Posts: 619
Quote
However, the only options that were available to me were "Ignore" or "Delete" I did not know what to do so I choose Ignore.  My guess is that it came from a banner ad at hxxp://forums.techguy.org/
I dont think you will find anything....
This i guess came from the behavior shield, and it is not detected as malware but "suspicious"
so when you click send to avast lab and ignore, the file remain on you computer and a copy is sendt to avast lab for analysis..
IF they find it to be malicious they will add detection for it an it will be detected again, this time with a malware name

OK, just to close here.  Malware Bytes Full Scan found nothing.  I guess three questions from this:

1.) Why did I not get a send to virus lab as a choice in my responses?  (Only Ignore or Delete.)

2.) This has happened before, but like I said, extremely rare, (1-2 times a year) I scan and nothing is found.  What causes the Behavior Shield to behave and it seems to be "making something out of nothing."  In other words, where did this file go?  It was never found in the scans.  The message about the suspicious file said that it was determined by a heuristic analysis.  Is this a case of the Behavior Shield just being a bit too sensitive at times?

3.) How come Auto Sandbox didn't do anything here?

Jack
Avast 2014 -Windows XP (SP-3) and Malware Bytes Anti-Malware (Free Version)
1GB RAM

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2613
  • I can resist anything except temptation.
    • tex62
Quote
However, the only options that were available to me were "Ignore" or "Delete" I did not know what to do so I choose Ignore.  My guess is that it came from a banner ad at hxxp://forums.techguy.org/
I dont think you will find anything....
This i guess came from the behavior shield, and it is not detected as malware but "suspicious"
so when you click send to avast lab and ignore, the file remain on you computer and a copy is sendt to avast lab for analysis..
IF they find it to be malicious they will add detection for it an it will be detected again, this time with a malware name


OK, just to close here.  Malware Bytes Full Scan found nothing.  I guess three questions from this:

1.) Why did I not get a send to virus lab as a choice in my responses?  (Only Ignore or Delete.)

2.) This has happened before, but like I said, extremely rare, (1-2 times a year) I scan and nothing is found.  What causes the Behavior Shield to behave and it seems to be "making something out of nothing."  In other words, where did this file go?  It was never found in the scans.  The message about the suspicious file said that it was determined by a heuristic analysis.  Is this a case of the Behavior Shield just being a bit too sensitive at times?

3.) How come Auto Sandbox didn't do anything here?

Jack

Are you sure it was the behaviour shield that kicked in? The BS normally has the options "Deny and send to chest", "Deny and terminate prog", "Allow" etc...

"Ignore" is not something that sounds like BS.
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36755
Quote
1.) Why did I not get a send to virus lab as a choice in my responses?  (Only Ignore or Delete.)
was this the pop up you got ?  see screenshot from DavidR in reply #1 

http://forum.avast.com/index.php?topic=65985.0

as you can read at the top, the file will be sent to avast for analyis
i think this is from the antirootkit scan that happens 8min after boot....so it may be what you got also

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2613
  • I can resist anything except temptation.
    • tex62

i think this is from the antirootkit scan that happens 8min after boot....so it may be what you got also


I think that's much more likely. +1
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Offline Jack 1000

  • Poster
  • *
  • Posts: 619
Quote
1.) Why did I not get a send to virus lab as a choice in my responses?  (Only Ignore or Delete.)
was this the pop up you got ?  see screenshot from DavidR in reply #1  

http://forum.avast.com/index.php?topic=65985.0

as you can read at the top, the file will be sent to avast for analysis
i think this is from the antirootkit scan that happens 8min after boot....so it may be what you got also

Yup.  That's exactly what I got.  And the only options were Ignore or Delete, even though the instructions recommended sending it to the virus lab, there was no response action to do that.

Jack

PS. One of our users Non, from Japan, in the other thread referenced above the same question I had:

(Note that he had the same issue with a Suspicious File and only two options, Ignore and Delete and asks:)

Quote
BTW can't avast add "Submit this file to virus lab" option on the dialog? Since dialog requests to do so, there should be some easy way to submit...

So I guess I would ask that some question.  Certainly something to consider for future builds.  It was also interesting to learn that he got this pop-up about once a year, same as me.  That is good that it is going to the lab, but this should be a specific action in the dialog box.  When I saw Ignore or Delete I had no idea what to do.  I will request this feature in any suggestions for a future build.  It would really help everybody!

Thanks all of you for your kind and generous help!

Jack  
 
 
« Last Edit: April 08, 2011, 12:12:48 PM by Jack 1000 »
Avast 2014 -Windows XP (SP-3) and Malware Bytes Anti-Malware (Free Version)
1GB RAM

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2613
  • I can resist anything except temptation.
    • tex62

Yup.  That's exactly what I got.  And the only options were Ignore or Delete, even though the instructions recommended sending it to the virus lab, there was no response action to do that.

Jack

The pop-up asks you to allow for sending it - not for your sending it.
That refers to the general settings, it is a bit misleading. AFAIK if you checked yes to join the Community on Avast setup, this includes the permission.
So the file has been sent automatically (since I presume you have opted to join the community)
« Last Edit: April 08, 2011, 12:05:21 PM by Zyndstoff »
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Offline Jack 1000

  • Poster
  • *
  • Posts: 619

Yup.  That's exactly what I got.  And the only options were Ignore or Delete, even though the instructions recommended sending it to the virus lab, there was no response action to do that.

Jack

The pop-up asks you to allow for sending it - not for your sending it.
That refers to the general settings, it is a bit misleading. AFAIK if you checked yes to join the Community on Avast setup, this includes the permission.
So the file has been sent automatically (since I presume you have opted to join the community)

Yes, I participate in the community.  But I still think there should seriously be a "Submit to Virus Lab" as one of the choices! LOL!  OK, suppose I had clicked "Delete" instead of "Ignore", would the suspicious file have still gone to the lab?

Jack
Avast 2014 -Windows XP (SP-3) and Malware Bytes Anti-Malware (Free Version)
1GB RAM

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36755
Quote
OK, suppose I had clicked "Delete" instead of "Ignore", would the suspicious file have still gone to the lab?
as i understand it yes..and deleted from your comp
so if they dicovered that it is not malicious.......obs...to late....  :'(

Offline Jack 1000

  • Poster
  • *
  • Posts: 619
Quote
OK, suppose I had clicked "Delete" instead of "Ignore", would the suspicious file have still gone to the lab?
as i understand it yes..and deleted from your comp
so if they discovered that it is not malicious.......obs...to late....  :'(

Thanks!

Do you guys pretty much agree that not having a send to Virus Lab as a choice is confusing?  My concern is that the millions of people who don't know about this stuff will hit "Delete" and that is not always a good thing to do.  They think that "Ignore" under this Suspicious File Found format as it exists now, is going to let the file into their computer.

I think this is the option that Avast should take concerning dialog boxes for suspicious files in a program update:

Allow Avast to Send to the Virus Lab for Analysis (Choice 1)
Move to Virus Chest (Choice 2)


Check boxes for selecting one or both of them.  Suspicious files IMHO, should NOT have a delete option in a dialog box, because something good or needed might be removed from the system.

Only if there is a proven virus or threat, should Avast display a delete option in a dialog box.  But there should be a recommended action for most files of "Move to Chest." (Which is the automatic action by default now, if the auto check box is checked.)

Actually that suspicious file action screen is really the ONLY thing that I find confusing about Avast's actions and responses, which aside from that, are probably the clearest and most understandable of any security program!

Jack
« Last Edit: April 08, 2011, 01:04:36 PM by Jack 1000 »
Avast 2014 -Windows XP (SP-3) and Malware Bytes Anti-Malware (Free Version)
1GB RAM

Offline Asyn

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 66723
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Jack, if you take part in the avast! community, avast will know about it. ;)
Dont't worry,
asyn
Win 8.1 [x64] - Avast PremSec 20.8.2427.B#2 [UI.560] - CC 5.71 - EEK - FF ESR 68.12 [NS/AOS/uBO/PB] - TB 68.12 - SB/CP/SL/DU.BC
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0