Author Topic: Alert on "<path>\<file>.exe | >[UPX]" - What does that mean?


VanguardLH

  • Guest
Windows XP Pro SP-3
Avast 6.0.1125

For the last week, Avast has been alerting on the following file:

C:\Programs\WallWatcher\WallWatcher.exe

The program is not being loaded.  It occurs because iType (Microsoft's keyboard software) caches executables into some program list in its registry entry or when I try to just look at its properties in Windows Explorer.  Just trying to read the file generates Avast's malware popup.  What the alert popup says is:

Object: C:\Programs\WallWatcher\WallWatcher.exe|>[UPX]
Infection: Win32:Malware-gen
Process: (whatever happens to touch the .exe file)

The Object almost looks like the executable is getting piped and then redirected into whatever is UPX.  The only thing I found likely for UPX is the installer packager at http://upx.sourceforge.net/.  When I run the WallWatcher.exe file through VirusTotal.com, only Avast and Gdata say it's infected.  The rest gave it a clean vote.

I can't figure out why Avast is saying the object (presumably what is getting loaded into memory but is actually only being read) has "|>[UPX]" at the end.  I don't see that in Windows Explorer.  Figuring it might have something to do with alternate data streams, I used Rekenwonder's Streams Explorer but it didn't show anything.  I don't understand Avast showing that string at the end of Object or what it means.

Is there something in the NTFS file system that could be defining the executable differently so that the "|>[UPX]" can't be seen but gets used on loading the program?  When trying to load the file into a hex editor, I get "access denied" although permissions are okay on the file.  I did NOT let Avast quarantine the file and yet it appears to have removed access to this file, or that invisible string appendage is causing the problem.  I tried copying the file but the "|>[UPX]" alert followed to the new file.

When I right-click on the file (and get past Avast's alert) to look at its Properties, there is no Security tab.  What tabs show up make it appear this is a DOS-mode program, like a Memory tab where HMA memory mode for XMS is enabled by default and MS-DOS protected-mode (DPMI) is set to Auto, and the Program tab under Advanced lists the autoexec.nt and config.nt files used in a DOS shell.  I'm not so much concerned that this might be a 16-bit DOS-mode program than I am with whatever the "|>[UPX]" means in Avast's malware alert.

My guess from reading the upx.sourceforge.net site is the UPX is a packer used to compress executables into the .exe file and then decompress them to run.  So maybe Avast (and GData) chose to start false alerting on any programs that use the UPX executable packer.  To test, I went into Avast's File Shield settings and disabled the Self-extracting DOS Packers under the Packers category.  Didn't help.  Deselected the Self-extracting Win32 Packers option.  Avast's malware popup changed to:

Object: C:\Programs\WallWatcher\WallWatcher.exe|>[Emul]

Disabled NTFS Streams under Packers but got the same "|>[Emul]" alert from Avast.  Looks like Avast no longer likes the open source UPX executable packer used by some programs.  Despite that I have not allowed Avast to quarantine, delete, or block the .exe file, access to it is denied until I disable Avast.

DFXBB

  • Guest
Re: Alert on "<path>\<file>.exe | >[UPX]" - What does that mean?
« Reply #1 on: June 13, 2011, 08:38:38 AM »
The executable is compressed with UPX (http://upx.sourceforge.net/)
It has nothing to do with NTFS streams

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: Alert on "<path>\<file>.exe | >[UPX]" - What does that mean?
« Reply #2 on: June 13, 2011, 08:42:46 AM »
Hello,
false positive will be fixed in next VPS update.

Milos

VanguardLH

  • Guest
Re: Alert on "<path>\<file>.exe | >[UPX]" - What does that mean?
« Reply #3 on: June 13, 2011, 08:53:05 AM »
In the meantime, and out of curiosity, how do I keep Avast from restricting access to the .exe file?  It wasn't blocked, deleted, or quarantined.  I'd click the "X" titlebar icon to close the popup malware alert because all choices were negative; i.e., none were for Ignore This Time or Ignore Always (put in exclusion list).  Do I add false alerted programs to Avast's exclusion list?

By the way, when a file is added to Avast's exclusion list, does it save a hash value for the file to know THAT file gets excluded and not a copy of it that might get modified later (by updates or malware)?  If so, and if I specify a folder instead of just a file, are hashes recorded for all the executable files in the folder (and recursively into all subfolders)?  If it's just a path rule then it seems to open a hole in security in that the excluded files could be modified and are no longer the ones you chose to exclude before.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Alert on "<path>\<file>.exe | >[UPX]" - What does that mean?
« Reply #4 on: June 13, 2011, 12:55:56 PM »
The "X" icon is equivalent to "Block" - that's why the access is restricted. So yes, if the FP hasn't been fixed already, you need to add the path to the FileSystem Shield's list of exclusions.

The list of exclusions is (intentionally, I'd say) just a path rule, no content matching is performed.

VanguardLH

  • Guest
Re: Alert on "<path>\<file>.exe | >[UPX]" - What does that mean?
« Reply #5 on: June 13, 2011, 10:00:20 PM »
The "X" icon is equivalent to "Block" - that's why the access is restricted.
So once I install Avast, I no longer have full control over my own property.  I did not grant Avast ownership of my computing platform.  Users should always retain control over their own property.  It is inappropriate for Avast to omit an option for a positive/passive action, like Ignore Once or Ignore Always (and add as an exclusion), and instead only provide negative/aggressive actions (Move to Chest, Block, Delete).

So yes, if the FP hasn't been fixed already, you need to add the path to the FileSystem Shield's list of exclusions.
However, that requires users remember or record every malware prompt issued by Avast whether bogus (false positive) or not.  I *use* my computer for real tasks.  Security is something that operates in the background but should not interfere with my use of my property or my workflow.  Security is, at best, a nuisance you elect to incorporate.  If Avast is going to block something despite my choice, it should provide a list of those actions so I can undo them.  Yes, the log does permit choices under the Action column but go look at those actions available: Repair (that changes the file, not remove the block), Move to Chest (again removes access, not restore it), Delete (not appropriate if I'm trying to get Avast to ignore what it wants to do), and Do Nothing (does that actually remove the block - only to have Avast complain again later - or does it do nothing?).  I'm not sure users instinctively know to go look at a *log* to perform other actions on what the log reports.

Also, seeing that Avast did something in the past is not the same as me preventing Avast from doing it now or again later.  If Avast chose or was told to put something in quarantine, to delete (if not a permanent delete which, if it is permanent, should be informed to the user), or block something then there should remain choices available to the user to make a different decision - other than having to disable or uninstall Avast.  It's my property, not Avast's.  Telling me about suspect files or behavior and *helping* me to thwart them *if* I choose is not the same as being so aggressive as to yank control away from my property or what is on it.

If Avast, as it is now, blocks access to a file then there should be some means of removing that block - and also of finding out that Avast is blocking access.  If I had not been present when the alert dialog had been X'ed closed or someone made the limited choice available in that dialog or I had X'ed the dialog or made a choice (but was busy with real work), the user has nothing inside of Avast to see what action it took and to make a different choice.  The log is not useful for determining on what Avast is blocking or why.  There could be dozens of entries for the same file but obviously Avast is only blocking access on the one file.  You can't go anywhere in Avast to see on what it is blocking access.  One workaround is to go look at the log, manually type out the entry (because Avast won't let you copy it from the log), and then go define exclusions.  Yeah, like I want to spend all that time on a *security* product that performs none of my real work (i.e., it is outside any workflow for why I have a computer).  You cannot right-click on a log entry to quickly and easily select an undo or alternate action but instead have to scroll rightward to the Actions column.  Another workaround is to disable or uninstall Avast when you need access to the file but obviously that removes all protection other than just the file to which you wanted access.  Defining exclusions works if you are willing to interrupt your work so that you know on what you want to exclude.  Finding out later that access is denied and to override it is a laborious, manual, and error-prone task in Avast, especially considering how poorly designed the dialog for defining exclusions is (you can't navigate to a file but only to folders and the wildcarding can be incorrect, so the browser dialog is only useful for getting an initial string that you still have to manually edit).

By the way, for when Avast alerted on the suspect .exe file and blocked it when I X'ed the dialog (which [should] not logically be equated as making a selection from the Action drop-down list), the log shows the action performed was "Moved to chest" when that is NOT what happened.  The file was never moved to the chest.  The chest is empty, so I can't even go there to restore the file (its access) from the chest.  It's blocked but not in the chest so I can't unblock it - until I separately define an exclusion which requires manually copying something from the log unless, of course, I interrupt my real work to record alerts from Avast but, again, that's me manually copying down on what it alerted.  The Action column in the log is NOT what action *was* performed for the alert.  It shows a list of actions you can perform now but none of which is to remove the block.  It is a poor substitute for a right-click context menu for log entries but doesn't let you unblock anything or even copy the File Name field so you can paste it into an exclusion.

Apparently blocking and moving to chest are separate and distinct actions.  If the file had been moved to the chest, I could've restored [access to] it.  The file wasn't there.  So Avast blocked access to the file but doesn't give me a list where I can choose to unblock it (or to even know later what has been blocked by Avast).  Blocking is blind because YOU have to remember from the popups what to unblock with an exclusion.  Since Avast shows what it moved to its quarantine chest, there's no reason why it should hide on what it is currently blocking.  Not everyone has the luxury of interrupting their work to spend the time to address an alert on what *might* be a problem.  Sorry, but in my world, security does NOT get priority over other tasks.  If I was in the process of welding together, say, the frame for a flat bed trailer, I could care less that the postman came by to drop off some letter in the mailbox.  Security doesn't get priority over real work.  If it did, you'd never get your work done.  You'd be spending all your time on securing your host and so throttling it that you couldn't use your computer for anything else.

The list of exclusions is (intentionally, I'd say) just a path rule, no content matching is performed.
Then it is a hazardous "feature".  If I choose to exclude a file, that's the only file in its current state that I want to exclude.  Obviously a process that replaces or modifies the file will result in a different file than I chose to exclude.  Similarly, if I specify a folder to exclude (something almost always needed for Nirsoft despite those being programs that I chose to install or deposit on my host), any process whether good or bad can deposit files in that folder and be excluded from inspection by Avast.  Alas, this is how exclusion works under many if not most security programs.  It's a huge gaping hole in the security program.  Any malware deposited over the file or in the folder is free to do whatever it wants.

When excluding files or folders in Avast, I'll have to find some other means of protecting the excluded files and folders since Avast isn't going to do that job.  Using hash rules in software restriction policy (SRP) rules might be doable but also laborious.

Thanks, Igor, for your help.  To clarify, the above are complaints with the product, not with you.

Nesivos

  • Guest
Re: Alert on "<path>\<file>.exe | >[UPX]" - What does that mean?
« Reply #6 on: June 13, 2011, 10:17:21 PM »
Curious

What kind of work do you do that requires Avast generating so many popups?

I am on two - three computers 10+ hours a day and get maybe one Avast Malware popup every three months.

VanguardLH

  • Guest
Re: Alert on "<path>\<file>.exe | >[UPX]" - What does that mean?
« Reply #7 on: June 14, 2011, 12:26:31 AM »
Curious
What kind of work do you do that requires Avast generating so many popups?
I am on two - three computers 10+ hours a day and get maybe one Avast Malware popup every three months.

I get few alerts from Avast.  Most have been from their Web Shield when web surfing.  But think about it: if you get few alerts, it's unlikely that you need to take care of the rare ones at the time they occur.  I don't know how you use your computer but mine are busy all the time.  Getting a security alert does NOT take priority over other real work in which I am currently engaged.  The popup won't stay around forever (and would get in my way if it did).  There is nothing in Avast to let me interrogate what it is blocking at a later time when I can elect to expend the time and effort to investigate their alert and what action they chose (which was NOT the action that I wanted).

You are using 2 computers.  What about someone that has a dozen of them in or by their desk?  They'd look pretty silly running around to check the hosts every time they heard a beep.  You think it wise to interrupt your real work to go respond to security alerts which may or may not be bogus and that may or may not be critical?  If an alarm went off on your watch or Blackberry telling you a meeting was starting now while you were sitting on the toilet, would you really hike up your pants to leave without first wiping yourself?  Just because someone or something issues an alert doesn't mean you have to react immediately.  I'm not Pavlov trained.  I also don't interrupt more important work or be impolite during discussions because my cell phone happened to ring.  If you don't prioritize then someone or something else will do it for you.

Security alerts get low priority.  I finish my current tasks or wait until I get to an interruption point of *my* choosing before getting to the lower priority tasks.  If you let the low priority tasks determine your schedule, you'll never get the important stuff done. 

When you come back later to Avast to see on what it is currently blocking, where do YOU look?  The log won't tell you.  It records events, not a blocking list.  What's in the chest isn't all of what Avast is blocking access to.  There are probably good reasons why Avast hides in the registry or in files on what it is blocking but that doesn't mean the information should be hidden in its UI.  It was after I elected to get back to Avast to see on what it was blocking that I realized the UI was incomplete or clumsy.

Nesivos

  • Guest
Re: Alert on "<path>\<file>.exe | >[UPX]" - What does that mean?
« Reply #8 on: June 14, 2011, 12:45:24 AM »
I mostly surf the net all over the world, hi tech, sports, news, politics and post a lot on certain websites.

However, I don't play any online games

I don't recall ever getting an Avast popup while surfing except for once and I have been using Avast for over a year.

The Avast popups I have gotten have either been torrent downloads or a rare popup from my nightly scan when I login the next morning.

However I don't recall getting popups from Avast while surfing the Net other than one time when my Browser's security allowed me to get to a malicious website which Avast promptly blocked.
Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Alert on "<path>\<file>.exe | >[UPX]" - What does that mean?
« Reply #9 on: June 14, 2011, 12:57:15 AM »
Well, I admit I didn't read the whole essay, so I might have skipped something, but a few points:
- you do have control over your computer - e.g. by using the exclusion list. The fact that excluding a file is a bit harder than just clicking a button is intentional.
- the block is a one time operation (possibly with a short caching, but not permanent like moving to chest) - if you restart the computer, or only stop the FileSystem Shield and then start it again, the block is gone (though it will probably be detected again, unless the FP has been fixed or the file excluded)
- if the log says that the file was moved to chest, yet a different action was chosen, then it should be fixed, of course
- FPs should be fixed quickly by the virus lab; the list of exclusions is used by many people to avoid scanning of unnecessary items (or at least they think they're unnecessary) to speed up scanning; verifying hashes wouldn't make sense in that case, as it would most likely be slower than the scanning itself.
- if we're talking about executables, you can set the FileSystem Shield exclusion so that it applies to execution only, and not to writing. This way, the modification (e.g. a replacement by a malicious file) would be detected.
« Last Edit: June 14, 2011, 01:46:31 AM by igor »

VanguardLH

  • Guest
Re: Alert on "<path>\<file>.exe | >[UPX]" - What does that mean?
« Reply #10 on: June 14, 2011, 02:20:21 AM »
- you do have control over your computer - e.g. by using the exclusion list. The fact that excluding a file is a bit harder than just clicking a button is intentional.
But you also cannot right-click or otherwise copy the object on which Avast alerted.  You have to manually copy down the path and filename which is obviously error-prone.  Nor can you use their browse dialog to point at the file since it only lets you select folders.  It isn't just that the procedure is made difficult but also rather convoluted and entirely manual.  The process is belated in that you don't get a choice at the time of the alert.  You have to expend further time and effort.

This is like, yes, you still maintain ownership of your vehicle after it has been towed but you'll have to go to the nuisance of getting another ride to go pick it up from their lot.  Possible?  Yes.  Rational or with conception towards ease-of-use?  No.  Do you really continue using something that is more difficult to use than something else equally as good?  I like Avast but nuisances can amass to a point where the user just has to go somewhere else if they don't want excessive interference with the use of their property.

- the block is a one time operation (possibly with a short caching, but not permanent like moving to chest)
That I didn't realize.  So you're saying if Avast blocks access to a file (and it's not in the quarantine chest) that I have to do a reboot to regain access to it?  Hmm, that would explain why on every reboot I was seeing Avast complain again about this same false positive.  I did find out that disabling Avast got rid of the block but running Avast continuously disabled would defeat the purpose for its installation.  So the unauthorized (or unintentional) block is a per-Windows session or per-login block and that's why it is probably not discoverable inside of Avast's UI.  Okay, but that doesn't mean that I still don't want to see on what Avast is blocking while I'm using my computer.  Guess that's a feature request: let me see what you're blocking now.

Too bad Avast doesn't give me an option in their alert dialog that lets me Ignore Once or Ignore Always (where the latter adds an exclusion).  When presented with the limited and negative options available in their popup, and with none of them what I want, I X'ed the dialog to close it but nowhere does Avast announce that this results in a default action of blocked.

- if the log says that the file was moved to chest, yet a different action was chosen, then it should be fixed, of course
Actually that was because I thought the log was really reporting what event happened and what action was performed.  That's not the case.  The Action field is a drop-down list of what action you want to perform NOW, not what got performed when the event got recorded in the log and what action was performed back then.

- FPs should be fixed quickly by the virus lab; the list of exclusions is used by many people to avoid scanning of unnecessary items (or at least they think they're unnecessary) to speed up scanning; verifying hashes wouldn't make sense in that case, as it would most likely be slower than the scanning itself.
That applies only when scanning; i.e., during an on-demand scan.  There is no continual scanning of files by the on-access scanner (due to the impact in responsiveness and usability of the host) yet this exclusion list is used by both the on-access (real-time) and on-demand scanners.  Adding an item to the exclusion list is not just about speeding up an initiated or scheduled scan (on-demand).  It's also used to keep the on-access scanner from alerting on files the user is or will be accessing or using.

- if we're talking about executables, you can set the FileSystem Shield exclusion so that it applies to execution only, and not to writing. This way, the modification (e.g. a replacement by a malicious file) would be detected.
I don't see how that would help with the exclusion list.  For now, it looks like I have to use SRPs (software restriction policies) to allow reading from a folder or file but not writing to it.  I can define hash rules for an SRP and there is no speed penalty.  Alas, hash SRPs only apply against files, not against all files currently in a folder (and its subfolders).  The problem with SRPs is that you can decide whether to block or allow on a file but not on non-existing files that show up later in a folder (that you've excluded in Avast).  Looks like I need some additional security software to let me have better control over what I exclude from Avast.

In continuing to use Avast, I'll have to get used to this hodge-podge mechanism of manually adding exclusions (by looking in different places in the UI) and of having to disable and re-enable Avast when I find it is blocking access to a file that isn't identified in a block list within Avast.

Thanks for replying.
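Igor's point that the exclusion list is a path rule with no content matching, and VanguardLH's wish for hash-based control over what he excludes, can be met outside the antivirus with a baseline-and-verify check over the excluded folder. This is an added example of mine, not Avast code; the folder contents in `demo()` are constructed for the example, and the hashing is the same idea as the SRP hash rules discussed above, applied recursively to a folder.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed choice for the example: only these suffixes are tracked.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".ocx")


def sha256_of(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(folder: str) -> dict:
    """Map each executable under folder (recursively) to its hash.

    Keys are forward-slash relative paths so a saved baseline is portable."""
    hashes = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, folder).replace(os.sep, "/")
                hashes[rel] = sha256_of(full)
    return hashes


def verify(folder: str, expected: dict) -> dict:
    """Compare the folder with a saved baseline.

    A path-only exclusion cannot tell these three cases apart; the hashes can."""
    current = baseline(folder)
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "new": sorted(p for p in current if p not in expected),
        "missing": sorted(p for p in expected if p not in current),
    }


def demo() -> dict:
    """Constructed scenario in a temp folder: baseline, tamper, verify."""
    folder = tempfile.mkdtemp(prefix="excluded-")
    try:
        os.mkdir(os.path.join(folder, "plugins"))
        for rel, body in (("WallWatcher.exe", b"MZ original"),
                          ("plugins/helper.dll", b"MZ helper"),
                          ("readme.txt", b"not tracked")):
            with open(os.path.join(folder, *rel.split("/")), "wb") as f:
                f.write(body)
        expected = baseline(folder)
        # Three changes a path rule would silently let through:
        with open(os.path.join(folder, "WallWatcher.exe"), "wb") as f:
            f.write(b"MZ replaced")                     # excluded file overwritten
        with open(os.path.join(folder, "dropped.exe"), "wb") as f:
            f.write(b"MZ dropped")                      # new file in excluded folder
        os.remove(os.path.join(folder, "plugins", "helper.dll"))  # file removed
        return verify(folder, expected)
    finally:
        shutil.rmtree(folder, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Save the `baseline()` dictionary (for example with `json.dump`) after installing or updating the excluded program, and run `verify()` on a schedule; anything listed under `modified` or `new` is content the exclusion would otherwise hide from the scanner.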