Author Topic: Very odd warning...

Jem

  • Guest
Very odd warning...
« on: May 03, 2011, 12:03:58 AM »
Trying out Avast Free (6.0.1091). I'm getting this warning (as per screenshot). Why? The system is clean. Win 7 Pro x64.
« Last Edit: May 03, 2011, 12:05:43 AM by Jem »

Offline Pondus

  • Probably Bot
  • Posts: 37561
  • Not a avast user
Re: Very odd warning...
« Reply #1 on: May 03, 2011, 12:15:12 AM »
Quote
Why? The system is clean.
It does not say "infected", does it?

Suspicious = tending to cause or excite suspicion; questionable: suspicious behavior.

So it needs more investigation... click OK and it will be sent to the avast lab for investigation.
If it is malware, they will add detection for it and give it a malware name.

You may also run a scan with Malwarebytes for a second opinion.
« Last Edit: May 03, 2011, 12:19:52 AM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89186
  • No support PMs thanks
Re: Very odd warning...
« Reply #2 on: May 03, 2011, 12:17:23 AM »
Trying out Avast Free (6.0.1091). I'm getting this warning (as per screenshot). Why? The system is clean. Win 7 Pro x64.

Yes, very odd, as that is the anti-rootkit scan (8 minutes after boot), which would be strange for explorer.exe; you were right to submit it to the labs.

Whilst the file name and location are legit, the actual file could be modified, but then I would expect a clear alert by the file system shield.

Do you have any strange startup entries that might be trying to use explorer?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Jem

  • Guest
Re: Very odd warning...
« Reply #3 on: May 03, 2011, 12:22:49 AM »
Trying out Avast Free (6.0.1091). I'm getting this warning (as per screenshot). Why? The system is clean. Win 7 Pro x64.

Yes, very odd, as that is the anti-rootkit scan (8 minutes after boot), which would be strange for explorer.exe; you were right to submit it to the labs.

Whilst the file name and location are legit, the actual file could be modified, but then I would expect a clear alert by the file system shield.

Do you have any strange startup entries that might be trying to use explorer?

No, nothing in particular. Only thing I can think of is a small app that replaces the Win 7 start orb. Effectively that is modifying explorer I think. I'll turn that off and report back. Thanks David.

Offline George Yves

  • Avast Überevangelist
  • Massive Poster
  • Posts: 4095
  • Help you I can
Re: Very odd warning...
« Reply #4 on: May 03, 2011, 12:23:22 AM »
Please check your Windows folder. If I am not mistaken, the correct path should be C:\Windows\explorer.exe

It seems that your Avast is surprised to find explorer.exe in the wrong place.
May the FOSS be with you!

Jem

  • Guest
Re: Very odd warning...
« Reply #5 on: May 03, 2011, 12:28:41 AM »
Please check your Windows folder. If I am not mistaken, the correct path should be C:\Windows\explorer.exe

It seems that your Avast is surprised to find explorer.exe in the wrong place.

See my reply to David above. It's my 'Start Orb Replacement App' - making a copy of the original explorer.exe in the Windows folder and sticking it in System32! Sorted. I'll just exclude the copy.
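
As an added illustration of the point George Yves makes (this is not code from the thread or from Avast), here is a small Python inventory check that flags copies of explorer.exe found outside its canonical path and compares each with the genuine file, so an identical copy like the one the Start Orb tool makes can be told apart from a modified one. The sample inventory, the verdict names and the function are my own assumptions.

```python
import hashlib
from pathlib import PureWindowsPath

# Canonical location of explorer.exe, as pointed out in the thread. Other
# system binaries could be added here, but only this one comes from the thread.
CANONICAL = {"explorer.exe": r"C:\Windows\explorer.exe"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_misplaced_system_binaries(observations):
    """Flag system binaries seen outside their canonical path.

    observations: iterable of (windows_path, file_bytes) pairs, e.g. from an
    inventory of every explorer.exe on disk. Returns a sorted list of
    (path, verdict) tuples, one per non-canonical copy.
    """
    observations = list(observations)          # we iterate twice
    baseline = {}
    for path, data in observations:
        name = PureWindowsPath(path).name.lower()
        if name in CANONICAL and path.lower() == CANONICAL[name].lower():
            baseline[name] = sha256_hex(data)  # hash of the genuine file

    findings = []
    for path, data in observations:
        name = PureWindowsPath(path).name.lower()
        if name not in CANONICAL or path.lower() == CANONICAL[name].lower():
            continue                           # not a system binary, or in place
        if name not in baseline:
            verdict = "no-baseline"            # genuine copy not in inventory
        elif sha256_hex(data) == baseline[name]:
            verdict = "identical-copy"         # e.g. the Start Orb tool's copy
        else:
            verdict = "differs-from-baseline"  # modified or unrelated binary
        findings.append((path, verdict))
    return sorted(findings)


# Constructed sample inventory (not real executables): the genuine file, an
# identical copy in System32 as in the thread, and a tampered copy in Temp.
SAMPLE = [
    (r"C:\Windows\explorer.exe", b"MZ-explorer-original"),
    (r"C:\Windows\System32\explorer.exe", b"MZ-explorer-original"),
    (r"C:\Users\Public\Temp\explorer.exe", b"MZ-explorer-patched"),
]

if __name__ == "__main__":
    for path, verdict in find_misplaced_system_binaries(SAMPLE):
        print(f"{verdict:22} {path}")
```

An identical copy is still worth recording in an allow-list with its hash, since a later modification of that copy would then show up as "differs-from-baseline".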

Offline George Yves

  • Avast Überevangelist
  • Massive Poster
  • Posts: 4095
  • Help you I can
Re: Very odd warning...
« Reply #6 on: May 03, 2011, 12:30:25 AM »
See my reply to David above.
OK

Jem

  • Guest
Re: Very odd warning...
« Reply #7 on: May 03, 2011, 12:35:08 AM »
See my reply to David above.
OK

But thanks! You pointing out the obvious (wrong location) confirmed my suspicion more quickly.

Jem

  • Guest
Re: Very odd warning...
« Reply #8 on: May 03, 2011, 01:02:51 AM »
Just out of curiosity - if I choose the 'Do not tell me about these files in the future' option, where can I reverse that decision if I wanted to?

Nesivos

  • Guest
Re: Very odd warning...
« Reply #9 on: May 03, 2011, 01:24:07 AM »
Avast is doing its job :)

Files with the name of explorer.exe have been known to be bad and nasty stuff.

Jem

  • Guest
Re: Very odd warning...
« Reply #10 on: May 03, 2011, 01:26:53 AM »
Avast is doing its job :)

Files with the name of explorer.exe have been known to be bad and nasty stuff.

I agree that it's doing its job, but in this case there was nothing bad or nasty here - just a deliberate copy of explorer.exe being made and copied to a different location in order to perform a small tweak.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89186
  • No support PMs thanks
Re: Very odd warning...
« Reply #11 on: May 03, 2011, 01:30:46 AM »
<snip>
Yes, very odd, as that is the anti-rootkit scan (8 minutes after boot), which would be strange for explorer.exe; you were right to submit it to the labs.

Whilst the file name and location are legit, the actual file could be modified, but then I would expect a clear alert by the file system shield.

Do you have any strange startup entries that might be trying to use explorer?

No, nothing in particular. Only thing I can think of is a small app that replaces the Win 7 start orb. Effectively that is modifying explorer I think. I'll turn that off and report back. Thanks David.

Yes that would certainly be considered suspicious by avast in replacing/modifying explorer.exe.

Please check your Windows folder. If I am not mistaken, the correct path should be C:\Windows\explorer.exe

It seems that your Avast is surprised to find explorer.exe in the wrong place.

Thanks George, I didn't check the location fully, assuming it being in system32 was correct, and we all know what happens when you assume ;D

Just out of curiosity - if I choose the 'Do not tell me about these files in the future' option, where can I reverse that decision if I wanted to?

I always think that option is a bad one (having it available that is), as I prefer to know what is going on, plus as you say there doesn't appear to be an obvious means of reversal. But I think that it only refers to just that instance and not all different files, etc.
« Last Edit: May 03, 2011, 01:33:14 AM by DavidR »

Jack 1000

  • Guest
Re: Very odd warning...
« Reply #12 on: May 03, 2011, 06:38:51 AM »
Quote
I always think that option is a bad one (having it available that is), as I prefer to know what is going on, plus as you say there doesn't appear to be an obvious means of reversal. But I think that it only refers to just that instance and not all different files, etc.

I agree that having the option "Don't tell me about these types of files in the future" is bad. Three questions from this:

1.) If a user were to check this for whatever reason, how could they uncheck it WITHOUT using the Restore Default Settings option? Is there a way?

2.) If a user checks "Don't tell me about these files in the future," would they still be submitted to the virus lab if Avast were to find something suspicious?

3.) If for some reason a user chose not to participate in the Avast community, how would notification of suspicious files be handled? Note that participation in the Avast community should always be checked when the program is installed. This means that the instant Avast finds a threat, anonymous data is sent to Avast about it, so they can stop the threat with an update.

Jack

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89186
  • No support PMs thanks
Re: Very odd warning...
« Reply #13 on: May 03, 2011, 02:03:29 PM »
1. I have basically said I don't know as there is no obvious setting in the UI and no customisations of the anti-rootkit scan.

2. Again I don't know (I'm just an avast user like yourself), but if the sending of the sample is a default option, then logic would say that shouldn't depend on the display of the alert window.

3. The avast community isn't just about the submission of suspicious files (as in this case); without it, information on files pinged by the behavior shield or autosandbox wouldn't be reported up the chain for further investigation/analysis, improving detections, etc. for all avast users.

Likewise, information on detections made by the web shield on sites wouldn't be uploaded/collated, so once the number of web shield alerts on a site reached a tipping point it wouldn't subsequently be added to the network shield's malicious sites list.

So opting out of it is a bit like shooting yourself in the foot.