Author Topic: How to locate "suspicious" file?  (Read 7485 times)


Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
How to locate "suspicious" file?
« on: May 15, 2011, 08:53:55 PM »
This morning while booting up I got a warning from avast of a suspicious file and a recommendation to report it to the Avast labs.  I unfortunately didn't make a note of the file name or location, and wasn't yet online (I have PPPoE DSL, and usually only connect when I'm using the internet).  The only two choices were to delete or ignore, so I gambled on the latter.

Once fully booted, I opened the avast interface, but couldn't find any reference to this in any of the reports or logs.  The graphical stats for the behavior shield did show 1 suspicious incident this morning, but no way (that I could find) to get details on it.

I did run a full system scan with avast immediately afterwards, also quick scans with SAS and MBAM, but nothing turned up.

Is there a way that I'm missing to retrieve this info, other than manually making a note if I should get such a warning?  Possibly a change to report/log settings?
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0
(default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent

MAG

  • Guest
Re: How to locate "suspicious" file?
« Reply #1 on: May 15, 2011, 09:04:21 PM »
I think it may be in a file called arpot.
Possibly at C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\arpot?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: How to locate "suspicious" file?
« Reply #2 on: May 15, 2011, 09:12:11 PM »
Yes, the file name is arpot.log in that folder, assuming it was an anti-rootkit alert, see example image.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Re: How to locate "suspicious" file?
« Reply #3 on: May 15, 2011, 09:20:24 PM »
Thanks, mag.  I looked in the arpot folder and there are two files in it, one an INI and the other a DAT, both with the same file name and both modified this afternoon.

The DAT is obviously useless to me (might be useful to the avast labs?) ... I looked at the INI and nothing in it jumped out at me, other than it ended with 6 or 8 lines each beginning "Inline:_abnormal_termination".

Hopefully one of these years the behavior shield will become developed enough to include a log or report.  Till then, about all I can think of is to reboot and see if I get the warning again (and of course, write down the info it gives me).

Thanks again, and best.

MAG

  • Guest
Re: How to locate "suspicious" file?
« Reply #4 on: May 15, 2011, 09:25:17 PM »
Quote
Hopefully one of these years the behavior shield will become developed enough to include a log or report.

There is a long thread that I started in a similar vein a month or so ago - however it seems that, despite the graphical notification of a BS alert, it is actually the rootkit scan after start-up that is flagging, as DavidR points out above.

In my case the arpot log was at least capable of identifying the file:
09/04/2011 10:20:44   Suspic Driver: \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25641\RapportCerberus_25641

« Last Edit: May 15, 2011, 09:32:56 PM by mag »
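
The arpot.log line MAG quotes above is the only artifact in this thread that actually names the flagged file, and it is written as an NT object-manager path (the `\??\` prefix), not a path you can paste into Explorer. The following is an added example, not code from the thread or from Avast, showing how to pull the detections out of such a log, turn the NT path into a Win32 path, and hash the file for submission to a multi-engine scanner (Mike used Jotti). The log format is assumed from that single line (dd/mm/yyyy timestamp, a "Suspic Driver:" label, then the path); the second and third sample lines are constructed for the example, and the pctplfw.sys line only reuses a driver name mentioned later in the thread.

```python
import hashlib
import os
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed arpot.log sample (added example). Line 1 is the entry MAG posted in
# this thread; line 2 is made up in the same shape using the driver name Mike
# reported later; line 3 is deliberate junk to show non-matching lines are skipped.
# ASSUMPTION: the format is "dd/mm/yyyy hh:mm:ss   <kind>: <NT path>"; only one
# real line is available, so the regex is illustrative, not authoritative.
SAMPLE_ARPOT_LOG = (
    r"09/04/2011 10:20:44   Suspic Driver: \??\C:\Documents and Settings\All Users"
    r"\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25641\RapportCerberus_25641"
    "\n"
    r"15/05/2011 08:41:02   Suspic Driver: \??\C:\Windows\System32\drivers\pctplfw.sys"
    "\n"
    "some unrelated line\n"
)

ENTRY_RE = re.compile(
    r"^(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<kind>[A-Za-z ]+?):\s+(?P<path>\S.*?)\s*$"
)


@dataclass
class ArpotEntry:
    when: datetime
    kind: str
    nt_path: str


def nt_to_win32(path: str, system_root: str = r"C:\Windows") -> str:
    r"""Turn the NT object-manager path the log uses into one you can open.

    \??\ and \\?\ are the NT / Win32 "no parsing" prefixes and can be dropped;
    \SystemRoot\ is an NT symbolic link to the Windows directory.
    """
    for prefix in ("\\??\\", "\\\\?\\"):
        if path.startswith(prefix):
            return path[len(prefix):]
    sysroot_prefix = "\\systemroot\\"
    if path.lower().startswith(sysroot_prefix):
        return system_root.rstrip("\\") + "\\" + path[len(sysroot_prefix):]
    return path


def parse_arpot_log(text: str) -> List[ArpotEntry]:
    """Return one entry per detection line; anything else in the file is ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("stamp"), "%d/%m/%Y %H:%M:%S")
        entries.append(ArpotEntry(when, m.group("kind"), m.group("path")))
    return entries


def sha256_if_present(win32_path: str) -> Optional[str]:
    """SHA-256 of the flagged file, for looking it up at a multi-engine scanner.
    Returns None when the file is not on this machine (e.g. it was deleted)."""
    if not os.path.isfile(win32_path):
        return None
    h = hashlib.sha256()
    with open(win32_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(text: str) -> List[dict]:
    """One record per flagged driver: timestamp, usable path, hash if present."""
    out = []
    for e in parse_arpot_log(text):
        p = nt_to_win32(e.nt_path)
        out.append({"when": e.when.isoformat(sep=" "), "kind": e.kind,
                    "path": p, "sha256": sha256_if_present(p)})
    return out


if __name__ == "__main__":
    for rec in triage(SAMPLE_ARPOT_LOG):
        print(rec)
```

Two practical notes: on Vista and later the XP-style "C:\Documents and Settings\All Users\Application Data" path quoted in this thread is a junction to C:\ProgramData, so look there; and a hash is only useful for a file that still exists, which is why the hash field is None rather than an error when the flagged driver is gone.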

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Re: How to locate "suspicious" file?
« Reply #5 on: May 15, 2011, 09:32:49 PM »
Quote
Yes, the file name is arpot.log in that folder, assuming it was an anti-rootkit alert, see example image.

Thanks, David, but I've got no such log.  Your screenshot does look like what I saw, so it's very likely we're talking about the same thing.  And though I waded through all of the Settings possibilities, plus all the Shields settings, I couldn't find any provision for turning that log on/off.

Possibly means time for a Repair, or even clean re-install?  I'll give the former a shot, since it's quick and easy.

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Re: How to locate "suspicious" file?
« Reply #6 on: May 15, 2011, 09:59:30 PM »
Update:  Just did a Repair and reboot, and no error this time.  No arpot.log either, but maybe that's only first created when there's something to report.

I took a second look at the stats, and apparently the same thing happened yesterday when first booting.  Funny I don't remember a warning from avast then ... it's not (I assume) like the update popup, which closes itself.

Whoops, just got the warning again, but at least I got the file's name and location this time:  \Windows\Sys32\Drivers\pctplfw.sys.  I'll google that, although the name suggests it's related to (or is supposed to make me think so) my PCTools firewall. Interestingly, still no arpot.log file, and the other two files I'd mentioned have disappeared from the arpot folder, which is now empty (except for an empty Temp sub-folder).

Jack 1000

  • Guest
Re: How to locate "suspicious" file?
« Reply #7 on: May 15, 2011, 09:59:36 PM »
Quote
Hopefully one of these years the behavior shield will become developed enough to include a log or report.

There is a long thread that I started in similar vein a month or so ago - however it seems that, despite the graphical notification of BS alert, it is actually the rootkit scan after start-up that is flagging, as DavidR points out above.

In my case the arpot log was at least capable of identifying the file:
09/04/2011 10:20:44   Suspic Driver: \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25641\RapportCerberus_25641

Yup,

I get that message about once a year.  The wording should be better and/or the options should be more.  It's the Behavior Shield completing its surface rootkit scan, and after 8 minutes, it reports that suspicious file with an Ignore or Delete option. Nothing else, such as allowing the files to be sent to the Virus Lab for analysis.  I still say that the Delete option should NOT be there for a suspicious file.

Oh and another thing that I want to ask about this annual issue.  Why doesn't the Sandbox kick in if set to Auto or Ask for a prompt on what to do?  I thought the whole point of the Sandbox is to have a quarantined special place to isolate suspicious files?  Should that Behavior Shield notice of the suspicious file be prompted to go in the Sandbox for "Ask?"  Or a notification pop-up that the file is going into the Sandbox on auto?  The only time you should see the message you are seeing, would be if you don't have sandbox turned on.

90% of the time, the shield is good, but it just seems that there is this sensitivity that from time to time is generating what, I won't call it a BS alert, but it seems to be a false positive thing.  If this Behavior issue came up as a Sandbox situation as it should, it would be better than it is now, and I almost wouldn't care if, when that Behavior Shield thing came up, it was treated as a sandbox situation.  However, as it stands now, the verbiage on "Ignore" or "Delete" for a suspicious file is too confusing.

This issue needs to be studied by the engineers and improved in future Avast updates.

Jack


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: How to locate "suspicious" file?
« Reply #8 on: May 15, 2011, 10:37:58 PM »
Quote
Yes, the file name is arpot.log in that folder, assuming it was an anti-rootkit alert, see example image.

Thanks, David, but I've got no such log.  Your screenshot does look like what I saw, so it's very likely we're talking about the same thing.
<snip>

That file is in the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log folder.

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Re: How to locate "suspicious" file?
« Reply #9 on: May 15, 2011, 10:47:20 PM »
Just submitted the file over at Jotti and it came back 100 percent green/OK.

It wasn't clear from Jack's post whether the apparently long-term intermittent problem always involves this file, or is a more or less random glitch in the rootkit scan.  If the latter, there's probably not much point submitting this file to avast as a FP.

Wonder if the send-to-support thing for this thread would help any, if it hasn't already been done?

Oh, and David, you posted while I was typing this ... I don't have arpot.log there either.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: How to locate "suspicious" file?
« Reply #10 on: May 15, 2011, 11:54:08 PM »
I wouldn't expect it to be detected at Jotti or VirusTotal, as the rootkit scan isn't doing a standard scan. So neither they nor avast would find this during a conventional scan.

The rootkit check, in a very simplistic explanation, compares what Windows APIs say is running against what is actually running. Those that are hidden would require further checking and would be considered either suspect or a certain rootkit.
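
DavidR's "compare what the APIs say against what is actually there" is the cross-view technique anti-rootkit scanners use, and it explains why a conventional signature scan (Jotti, VirusTotal, a full avast scan) can come back clean while the rootkit check still raises an alert: the two are looking for different things. Below is an added example, not code from Avast or from anyone in this thread, that performs the comparison on two constructed snapshots of a loaded-driver list. The module names, paths and sizes are made up for the example, and a real scanner would obtain the "raw" view by walking kernel structures or disk directly, which this example does not attempt.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    path: str
    size: int


# Constructed snapshots of one machine (added example, data is made up).
# API_VIEW is what the documented enumeration API reports; RAW_VIEW is what a
# lower-level walk of the same structures found. Differences are the signal.
API_VIEW = [
    Module("ntoskrnl.exe", r"C:\Windows\System32\ntoskrnl.exe", 5_500_000),
    Module("tcpip.sys", r"C:\Windows\System32\drivers\tcpip.sys", 1_900_000),
    Module("vendorfw.sys", r"C:\Windows\System32\drivers\vendorfw.sys", 120_000),
]
RAW_VIEW = [
    Module("ntoskrnl.exe", r"C:\Windows\System32\ntoskrnl.exe", 5_500_000),
    Module("tcpip.sys", r"C:\Windows\System32\drivers\tcpip.sys", 1_950_000),   # size differs
    Module("vendorfw.sys", r"C:\Windows\System32\drivers\vendorfw.sys", 120_000),
    Module("hidden.sys", r"C:\Windows\System32\drivers\hidden.sys", 64_000),   # API view omits it
]


@dataclass
class CrossViewResult:
    hidden: List[Module]                      # in raw view only: classic rootkit indicator
    phantom: List[Module]                     # in API view only: stale entry or spoofed API output
    mismatched: List[Tuple[Module, Module]]   # same name in both views, attributes differ


def cross_view(api_view: List[Module], raw_view: List[Module]) -> CrossViewResult:
    """Diff the two views by module name; equality of Module covers path and size."""
    api = {m.name.lower(): m for m in api_view}
    raw = {m.name.lower(): m for m in raw_view}
    hidden = [raw[n] for n in sorted(raw.keys() - api.keys())]
    phantom = [api[n] for n in sorted(api.keys() - raw.keys())]
    mismatched = [(api[n], raw[n]) for n in sorted(api.keys() & raw.keys())
                  if api[n] != raw[n]]
    return CrossViewResult(hidden, phantom, mismatched)


def verdicts(result: CrossViewResult) -> Dict[str, str]:
    """Label each discrepancy the way a scanner would before any deeper check.
    Only the hidden bucket gets the "suspect" label; the rest are follow-ups."""
    v: Dict[str, str] = {}
    for m in result.hidden:
        v[m.name] = "suspect: hidden from API view"
    for m in result.phantom:
        v[m.name] = "check: reported by API but absent from raw view"
    for a, r in result.mismatched:
        v[a.name] = f"check: attributes differ (api size={a.size}, raw size={r.size})"
    return v


if __name__ == "__main__":
    for name, label in verdicts(cross_view(API_VIEW, RAW_VIEW)).items():
        print(f"{name}: {label}")
```

The point the thread keeps circling back to follows directly from this: a module that only shows up in the raw view is "suspicious" in the literal sense, hidden from the normal API, but that is also what a security product protecting its own driver from tampering looks like, which is why the scanner says suspect rather than infected and why a hash lookup at a signature-based service tells you nothing about it.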

Jack 1000

  • Guest
Re: How to locate "suspicious" file?
« Reply #11 on: May 16, 2011, 12:28:45 AM »
Quote
It wasn't clear from Jack's post whether the apparently long-term intermittent problem always involves this file, or is a more or less random glitch in the rootkit scan.  If the latter, there's probably not much point submitting this file to avast as a FP.

Oh, and for the record.  This issue goes all the way back to Avast 5, and remains in Avast 6.  The thing is it happens so rarely, but purists may find it annoying enough.  I think it's a very small bug in the rootkit/behavior shield scan aspect of the program that is generating this rare response.

Thank you for your post, Mike.  For the record, I am not sure of the cause of this rare occurrence.  I think it's a program bug that Avast just has not been able to pin down because of its rarity.  But the options for Ignore or Delete are certainly not a bug, and I think that this issue needs to be improved.

Jack

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Re: How to locate "suspicious" file?
« Reply #12 on: May 16, 2011, 01:28:58 AM »
I just clicked the "send to support" link for this, for whatever good that might do.

Jack 1000

  • Guest
Re: How to locate "suspicious" file?
« Reply #13 on: May 16, 2011, 11:44:24 PM »
Quote
I just clicked the "send to support" link for this, for whatever good that might do.

Hi Mike,

What do you mean the "Send to Support Link?"  When I get that Suspicious File message once a year, all it gives me is "Ignore" or "Delete" for options in Avast.

Jack

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: How to locate "suspicious" file?
« Reply #14 on: May 17, 2011, 12:47:27 AM »
It is a forum option, nothing to do with an avast alert. The idea being to try and draw support attention to a topic.

Personally I don't believe it is working, previously it brought up a form you had to complete and send. Now it just takes you to the forum home page.