Author Topic: You are Opening an App that may be Unsafe....  (Read 5046 times)

0 Members and 1 Guest are viewing this topic.

Offline jafTwo

  • Newbie
  • *
  • Posts: 11
You are Opening an App that may be Unsafe....
« on: May 01, 2011, 10:54:15 PM »
I've noticed the past couple of days that I'm getting a lot of these messages from Avast! on winXP X64 startup.  Most of the time it points to Microsoft IntelliType Pro (itype.exe) that is attempting to open a exe.  I ran a full scans with Avast!(latest program/updates, SuperAntiSpyware, and Malwarebytes, and other than a couple of tracker, which I deleted, nothing was found.

I reset to the default setting in Avast!, uninstalled Intellitype (using Revo Uninstaller Pro) and later downloaded a fresh copy of Intellitype -- still have the problem.

If I suspend itype.exe, I don't get as many warnings.

Also, if I go to properties and select the screen saver tab, I get the warning that points to one of the .exe screen savers, one I haven't opened in quite a while that I made myself.  The selected screen save is the one I use, which is "Blank."

Not sure what to try next.  Anyone ever have this type of problem?

Offline YoKenny

  • Serious Graphoman
  • **
  • Posts: 8788
Re: You are Opening an App that may be Unsafe....
« Reply #1 on: May 01, 2011, 11:16:44 PM »
Not many people are running winXP X64

Using Revo Uninstaller Pro to modify your system could be hazardous to its health.
E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V9.0 Free, IE10
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, avast! V9.0 Free, Google Chrome
with hpHosts, MVPS HOSTS files, SpeedFan, WinPatrol PLUS

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 81786
  • No support PMs thanks
Re: You are Opening an App that may be Unsafe....
« Reply #2 on: May 01, 2011, 11:44:35 PM »
I've noticed the past couple of days that I'm getting a lot of these messages from Avast! on winXP X64 startup.  Most of the time it points to Microsoft IntelliType Pro (itype.exe) that is attempting to open a exe.  I ran a full scans with Avast!(latest program/updates, SuperAntiSpyware, and Malwarebytes, and other than a couple of tracker, which I deleted, nothing was found.

I reset to the default setting in Avast!, uninstalled Intellitype (using Revo Uninstaller Pro) and later downloaded a fresh copy of Intellitype -- still have the problem.

If I suspend itype.exe, I don't get as many warnings.
<snip>

OK lets get down to the serious points.

Which avast shield is it that is reporting that "You are Opening an App that may be Unsafe...." ?

Behavior Shield or the Autosandbox ?
I suspect the autosandbox, if it isn't digitally signed and its location and or what is launching it, etc. See image of an autosandbox notification.

If it is this you can change the action to open normally and check the Remember my answer for this program.

This assumes you are happy that it is in fact clean:
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.7.2388 (build: 19.7.4674.494)/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline jafTwo

  • Newbie
  • *
  • Posts: 11
Re: You are Opening an App that may be Unsafe....
« Reply #3 on: May 02, 2011, 01:23:23 AM »
Hi David,

Yes, it's the autosandbox. But if I select "open normally" and "remember setting", the next time I reboot, same thing.

Funny thing is, I always get sam2.exe flagged as trying to be opened by itype.  Sam2 is the Serious Sam 2 game, which I've had on thei computer for a couple years.  I installed it on another computer and then brought it over on a flash drive and did a binary compare and both were the same.  If I double click it to run the program, I don't get an error.  If I boot, I get the "itype trying to open....... sam2.exe" (and other exe files.

As I mentioned, this just started a few days ago.  I haven't added any new programs -- just seems like Avast! is suddenly seeing something it doesn't like.

The Virus Total scan showed two positives out of 41 (below)
-------------------------
Sam2.exe
Submission date:
2011-05-01 23:04:46 (UTC)
Current status:
finished
Result:
2/ 41 (4.9%)
   
VT Community
.....
Norman   6.07.07      2011.05.01   W32/Obfuscated.M!genr
.....
Rising   23.55.04.03   2011.04.29   Suspicious
.....
-------------------------
Since it scanned with Avast 4 & 5, and not 6, it may be something in the latest definitions.  In fact, when I went to upload the file for scanning, Avast! threw out the message with "Firefox 4 is trying to open......"

So it looks like a false positive with Avast! 6?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 81786
  • No support PMs thanks
Re: You are Opening an App that may be Unsafe....
« Reply #4 on: May 02, 2011, 02:33:02 AM »
Well I don't use either itype or serious sam, so I wonder if there is a similar block on sam2.exe ?
Also see http://www.file.net/process/itype.exe.html for some general info on itype.exe.

Check out this file:
C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log\autosandbox.log using notepad and see if there are any other entries.

It would also be worth checking this file also:
C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\BehaviorShield.txt and see if there are any other associated entries

I also don't see the relationship between itype.exe and sam2.exe, e.g. why it needs to open it.

Quote
itype.exe is a process belonging to Microsoft Intellitype Pro keyboard software. Disabling or enabling it is down to user preference.

Non-system processes like itype.exe originate from software you installed on your system. As most applications store data in your system's registry, it is likely that your registry has suffered fragmentation and accumulated harmful errors. It is recommended that you

Do you actually have one of those keyboards ?

So as the second paragraph mentions it might be installed by another application, perhaps serious sam, so the actual location of the itype.exe file might help determine if it is the system version or one installed/used by a third party application.
« Last Edit: May 02, 2011, 02:36:31 AM by DavidR »
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.7.2388 (build: 19.7.4674.494)/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline jafTwo

  • Newbie
  • *
  • Posts: 11
Re: You are Opening an App that may be Unsafe....
« Reply #5 on: May 02, 2011, 03:05:06 AM »
Hi David,

Yes, I have a Microsoft 4000 keyboard and have used itype for a few years with no problem.  And as I mentioned in my last post, when I uploaded sam2.exe to use the online virus checker, it identified Firefox (instead of itype) as the opening program.

Here's a list of files that Avast had problems with itype trying to open (from the autosandbox.log file):
splinter_cell_v1.2b_us_ca.exe
SpringValleyPets&Animals.exe
TeraCopy.exe
TextAloudMP3.exe
UVMapPro.exe
VideoBuilder.exe
vp3.exe
wallmast.exe
WaveMax.exe
ac.exe
Desert_1.scr
Sam2.exe
CuteReminder.exe
Audiotranscoder.exe
balabolka.exe

There are several hundred files listed for the past three days.  I have been using these files for at least one year and many for several.  I'm thinking itype may scan files that can be assigned to the configurable keys on the Microsoft keyboards.  I currently do not have any of the programs in the above list assigned to to my keyboard.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 81786
  • No support PMs thanks
Re: You are Opening an App that may be Unsafe....
« Reply #6 on: May 02, 2011, 03:35:27 AM »
I think that itype.exe must be using some sort of hooking (a bit like a key logger).

You could try and exclude <full path>\itype.exe in the File System Shield (FSS), Expert settings, Exclusions, Copy and paste the full path into the window. The reason I suggest that is because the FSS is what starts the ball rolling in this.

I too think that there must have been something change in a definitions update as it is a bit strange for the activity to start like this.

I will try and draw some attention to this topic for it to be looked at by one of the avast team.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.7.2388 (build: 19.7.4674.494)/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline jafTwo

  • Newbie
  • *
  • Posts: 11
Re: You are Opening an App that may be Unsafe....
« Reply #7 on: May 02, 2011, 05:13:20 AM »
Thanks!

Yes, I suspended itype and I quit getting the Avast message, but as mentioned, if I try to upload or scan one of those files, Avast jumps in with the same message.  So I suspect it's not a problem with itype, just shows up more with it for whatever reason.

I just went back and looked at my autosandbox.log file and of the several hundred entries, there were only two or three per day, usually terracopy.exe and cutereminder.exe.  But starting April 25, 2011, I started getting many, many entries, mostly exe tried to be opened by itype.

I keep my Avast defintions on auto but program updates on "tell me when one's available." So maybe 4/25 would be significant?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 81786
  • No support PMs thanks
Re: You are Opening an App that may be Unsafe....
« Reply #8 on: May 02, 2011, 04:06:00 PM »
No problem, hopefully we will get some response (and hopefully resolution) about why it is being pinged.

Have you any idea what this itype.exe is meant to be doing, probably easier to say what functions you don't have when it is suspended ?
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.7.2388 (build: 19.7.4674.494)/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline hectic-mmv

  • Moderator
  • Sr. Member
  • *
  • Posts: 218
Re: You are Opening an App that may be Unsafe....
« Reply #9 on: May 02, 2011, 04:24:40 PM »
Hi jafTwo,

please, what avast version do you have?

There is should be nothing wrong with file itype.exe. You are using Win XP64b, autosandbox and also sandbox are not supported there. Autosnx pop up window is the avast! issue. Please, can you disable autosnx in avast ui?(open avast ui | realtime shields | file system shield | expert settings | autosnx). Now the autosnx should be disabled.

I will check if there are other problems on other OS types with file itype.exe.

thanks a lot for reporting the problem,
Michal




Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 81786
  • No support PMs thanks
Re: You are Opening an App that may be Unsafe....
« Reply #10 on: May 02, 2011, 04:56:04 PM »
Thanks for you input Michal.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.7.2388 (build: 19.7.4674.494)/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline jafTwo

  • Newbie
  • *
  • Posts: 11
Re: You are Opening an App that may be Unsafe....
« Reply #11 on: May 02, 2011, 05:50:58 PM »
No problem, hopefully we will get some response (and hopefully resolution) about why it is being pinged.

Have you any idea what this itype.exe is meant to be doing, probably easier to say what functions you don't have when it is suspended ?

My keyboard has 5 buttons that I can assign to executable applications.  There also several buttons , like "Web/Home, Search, Mail, and Calculator" that are preset but can be reassigned.

I'm not sure why it has to scan my computer as it seems to be doing (according to the Avast! messages.)  It may have done that all the time and I just wasn't aware.  I don't see any options other than the key assignments, key repeat speed, etc.  Just the standard stuff.

Michal, my Avast Version
Program version:            6.0.1091
Virus definitions versions: 110502-0

I'm going to add itype to the trusted processes via the expert settings and see what happens.

Rebooting now ........



Offline jafTwo

  • Newbie
  • *
  • Posts: 11
Re: You are Opening an App that may be Unsafe....
« Reply #12 on: May 02, 2011, 06:35:22 PM »
Okay, setting itype as trusted seems to work.  No new log entries.

Yesterday, when I uploaded sam2.exe to Virus Total, Avast popped up the "attempting to open ..... " message and identified (correctly) the Firefox was attempting the open.  Today, it did not.  I guess I should take itype out of the trusted area and see what happens.  Maybe the latest virus definitions have changed things.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 81786
  • No support PMs thanks
Re: You are Opening an App that may be Unsafe....
« Reply #13 on: May 02, 2011, 07:12:22 PM »
I suggest you do as suggested by Michal (one of the avast developers and whom I asked to look at this) and disable the autosandbox for now as he believes there is some incompatibility issue with Win XP 64bit and as such unsupported for now.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.7.2388 (build: 19.7.4674.494)/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline jafTwo

  • Newbie
  • *
  • Posts: 11
Re: You are Opening an App that may be Unsafe....
« Reply #14 on: May 02, 2011, 07:30:59 PM »
I suggest you do as suggested by Michal (one of the avast developers and whom I asked to look at this) and disable the autosandbox for now as he believes there is some incompatibility issue with Win XP 64bit and as such unsupported for now.

Okay, I disabled autosandbox and will do a few reboots.

I don't know if it's my system or what, but it seems I have to reboot twice to get everything running.  Twice now I rebooted and only had the sound and safely remove hardware icons on the taskbar.  Another reboot and it's back to normal.  I'll see on this reboot what happens.