Author Topic: Few Questions  (Read 3363 times)

naren17

  • Guest
Few Questions
« on: June 14, 2011, 02:28:33 PM »
I want to know: when Windows Update automatically downloads & installs updates, are they scanned by FileShield or WebShield?

Avast's default action is Quarantine - Delete - No Action. But I have seen users here in the forum reporting that Avast presented an alert on threat detection with only 2 options, Allow & Delete; no Quarantine was there. Do these alerts appear only when users change the default quarantine to ask, or with the defaults too? And why was there no option to quarantine the detected threat?

Thanxx
Naren
« Last Edit: June 14, 2011, 02:59:40 PM by naren17 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89112
  • No support PMs thanks
Re: Few Questions
« Reply #1 on: June 14, 2011, 03:27:33 PM »
If Windows Update uses the HTTP protocol then the web shield I guess would scan the HTTP traffic, and newly created files (even temp ones) would be scanned by the file system shield.

If there are only two options, Ignore or Delete, then I would say that this is the anti-rootkit scan 8 minutes after boot. Generally the Ignore one is only recommended if it is a Suspicious, not confirmed, rootkit detection. Delete is there for a positive detection, but personally I never consider deletion to be a good first option; you have none left. So first do no harm, and investigation, are always the first steps.

Unfortunately your question is too general to give a specific answer.

 (I don't believe any of the
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

naren17

  • Guest
Re: Few Questions
« Reply #2 on: June 14, 2011, 03:49:24 PM »
Even if it is a positive detection by Avast, there is always a chance of FP, so I think there should always be a Quarantine option with any threat detected.

Thanxx
Naren


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37544
  • Not a avast user
Re: Few Questions
« Reply #3 on: June 14, 2011, 03:53:52 PM »
Quote
And why was there no option to quarantine the detected threat?

Can you show us a specific case?

naren17

  • Guest
Re: Few Questions
« Reply #4 on: June 14, 2011, 04:12:13 PM »
Quote
And why was there no option to quarantine the detected threat?
Can you show us a specific case?

I asked this coz I had seen a few screenshots here in the forum with the users mentioning that no quarantine option was there for the detected threats. So just wanted to know. I don't remember in this huge forum where I had seen those screenshots. I will try finding...

Thanxx
Naren

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89112
  • No support PMs thanks
Re: Few Questions
« Reply #5 on: June 14, 2011, 05:11:35 PM »
We need to know exactly what it is in relation to, otherwise we can't give any detailed answer, only our best guess. So we would need a reference to the images that you saw, but again I suspect this is the anti-rootkit scan, detecting something suspicious, see image example.

Since the anti-rootkit scan is using heuristic methods it doesn't really conform to the standard virus signature scan and isn't the same as the file system shield, so doesn't have the same options.

naren17

  • Guest
Re: Few Questions
« Reply #6 on: June 15, 2011, 09:43:43 AM »
Even if it is a rootkit scan there should be a quarantine. Though avast detected suspicious in the screenshot you have posted & the default is to ignore, I have seen screenshots where the default was to delete, & I think it was related to something mbamswissarmy, which was related to malwarebytes realtime thing. So in that case instead of delete there should have been quarantine; as you know, quarantine is always better than deleting anything coz you can revert the action later after some verification.

Thanxx
Naren

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Few Questions
« Reply #7 on: June 15, 2011, 01:18:59 PM »
Quote
Even if it is a rootkit scan there should be a quarantine. Though avast detected suspicious in the screenshot you have posted & the default is to ignore, I have seen screenshots where the default was to delete, & I think it was related to something mbamswissarmy, which was related to malwarebytes realtime thing. So in that case instead of delete there should have been quarantine; as you know, quarantine is always better than deleting anything coz you can revert the action later after some verification.

If it is detected in memory blocks, for instance, there is no file, so there is no point in quarantining it... If the option is not available, it is because it's not possible or reasonable. Trust the avast team, they're not amateurs :)
The best things in life are free.

Offline Vladimyr

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1639
  • Super(massive black hole) Poster
Re: Few Questions
« Reply #8 on: June 15, 2011, 02:59:03 PM »
If I remember correctly, the recommended action of the anti-rootkit module is dependent on the surety of the detection.

If it's an uncertain heuristic detection, the user prompt is "ignore (recommended)".

If it's a definite match, it comes up "delete (recommended)". Now in this case an FP would be deleted and this could be a headache for the user.

Of course it would be great to have a "move to chest" option, but I can only conclude that it's not there because it's not viable. My guess is that it has something to do with the nature of rootkits and operational limitations within Windows itself. Let's say avast! detects a hidden rootkit driver. It's hard enough in the first place to remove/kill it without causing a freeze or BSOD. It's another thing again to be able to kill it and simultaneously take a copy of an invisible process to put in the virus chest.
« Last Edit: June 15, 2011, 03:00:55 PM by Vladimyr »
“There is a way that seems right to a man, but in the end it leads to death.” - Proverbs 16:25

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Few Questions
« Reply #9 on: June 15, 2011, 05:17:33 PM »
Some technical information from the avast virus lab guys will help here...