Author Topic: Avast Needs Better 'Threat Detected' Options  (Read 6399 times)


Duran

  • Guest
Avast Needs Better 'Threat Detected' Options
« on: February 28, 2012, 11:09:25 PM »
Hello,

A recent virus update has marked an app a friend wrote with a Win32:Crypt-LPE [trj]. The app is from early 2009 and has up to this point shown no deviant behavior, nor would I expect any. The app was double checked with multiple system backup archives and is byte-for-byte identical. The app was submitted to Jotti and VirusTotal, two online virus checkers. Jotti reported 2 out of 20 scanners:
  • Avast! - Win32:Crypt-LPE
  • ClamAV - PUA.Packed.Themida-1
VirusTotal reported 3 out of 43 scanners:
  • Avast - Win32:Crypt-LPE [Trj]
  • ClamAV - PUA.Packed.Themida-1
  • GData - Win32:Crypt-LPE
I'm convinced that the app is clean and that Avast is reporting a false positive. A report was sent and the app directory manually excluded. I have only one question:

Why doesn't Avast offer additional/better options in the threat detected pop-up?

I only have a choice of "Move to Chest", "Delete" or "Block". None of these are ideal. There should be a "Set Exclusion" option. There isn't even a 'Cancel' button. Heck, the pop-up window can't be re-sized to see all the information. The information can't be copied into the clipboard for further investigation to make an informed decision. All of these things combined arrogantly suggest that false positives are never possible.

enigmista63

  • Guest
Re: Avast Needs Better 'Threat Detected' Options
« Reply #1 on: February 28, 2012, 11:24:50 PM »
Or say hello first to report that it is false positive test well and wait a few daily starting and re-check of total virus, even if you have an application installed on the PC for a long time, this does not mean you cannot be attacked by a virus, if the virus finds a vulnerability within the application that can be infected. There are some applications that they have in both Java and Adobe Flash Player, component within these should always be updated to their latest version otherwise they become vulnerable to viruses, this is just my humble opinion.

Duran

  • Guest
Re: Avast Needs Better 'Threat Detected' Options
« Reply #2 on: February 29, 2012, 08:27:08 AM »
As I mentioned, this time the app is safe. What I am concerned about is the lack of controls in the threat detected pop-up to alert Avast that a false positive was found. I suspect that may become even more important once the "Cloud" becomes cumulus and starts raining on a few parades.

Duran

  • Guest
Re: Avast Needs Better 'Threat Detected' Options
« Reply #3 on: February 29, 2012, 08:07:54 PM »
Clearly the threat detected pop-up is not designed to handle false positives.

Duran

  • Guest
Re: Avast Needs Better 'Threat Detected' Options
« Reply #4 on: March 03, 2012, 09:12:20 PM »
It appears that a recent virus update has fixed the false positive and I've removed the exclusion. However, the issue remains that the threat detected pop-up is badly in need of additional functionality so that it is capable of handling these situations.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast Needs Better 'Threat Detected' Options
« Reply #5 on: March 03, 2012, 09:30:19 PM »
Quote
However, the issue remains that the threat detected pop-up is badly in need of additional functionality so that it is capable of handling these situations.
No, that will be a security backdoor where users will allow what they shouldn't... There won't be this button.
The best things in life are free.

Duran

  • Guest
Re: Avast Needs Better 'Threat Detected' Options
« Reply #6 on: March 04, 2012, 08:47:04 PM »
A cancel button is a security backdoor? That would suggest that Avast has allowed the virus to run. I'm more interested in having the ability to have an additional drop-down option to manually set an exclusion. Such options as "Move to Chest", "Delete", "Block" and "Set Manual Exclusion". The "Set Manual Exclusion" would simply bring up the exclusion list where the user would have to fill in the details themselves. There is no danger to this, otherwise other popular anti-virus software wouldn't already include this ability.

Speaking of details; another improvement would allow the user to re-size the threat detection pop-up so a user can see all of the details. Additionally, allow the user to copy the text into the clipboard for further investigation, thus allowing the user to make an informed decision. Perhaps a link in the threat detection pop-up that takes the user to the Avast website to read a description of the often vague virus name. Other anti-virus software also do similar things.

I'm not saying that false positives make up anything more than a small percentage. Nevertheless, they do exist and Avast could handle them much better.

Duran

  • Guest
Re: Avast Needs Better 'Threat Detected' Options
« Reply #7 on: March 09, 2012, 10:04:52 PM »
It's interesting to see that Avast has already implemented a similar option to handle false positives and it can be found when using the Sandbox.

For example, if you run ImgBurn, a perfectly safe disc burning program, Avast says ImgBurn "may be potentially unsafe". If you select "Open normally" from the "Action To Take" drop-down list and place a check mark next to "Remember my answer for this program", ImgBurn will automatically be added to the Sandbox exclusion list.

Automatic is nice, but for added security I was suggesting a "Set Manual Exclusion" option. The drop-down option would take the user to the appropriate exclusion list in the settings. This way the user would have to make the decision themselves to manually enter the program into the exclusion list. But, yeah, automatic would work too.
« Last Edit: March 09, 2012, 10:13:07 PM by Duran »

Gargamel360

  • Guest
Re: Avast Needs Better 'Threat Detected' Options
« Reply #8 on: March 09, 2012, 10:20:34 PM »
That's because the autosandbox is not "positive" about anything. It flags lots of stuff as suspicious, and they knew full well that it would produce a lot of "not-true-or-false" detections, so exclusions were made easier.

Whereas Avast!'s traditional shields are less prone to FPs.

You seem Web savvy enough, but making people enter manual exclusions is a bit of a PC IQ test....if you can't figure out how to manually exclude, then how can you figure out if something is a FP or not? It's to protect people from themselves, something you might not need, but many do. Methods like this will always annoy power users (sort of like UAC, but different), but try to see the good in it. How many net noobs would just click "allow" and walk right into an infected site, because they want Avast!....till it gets between them and content they want.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37561
  • Not a avast user
Re: Avast Needs Better 'Threat Detected' Options
« Reply #9 on: March 09, 2012, 10:48:47 PM »
Quote
How many net noobs would just click "allow" and walk right into an infected site, because they want Avast!....till it gets between them and content they want.
+1 
how often do we see/hear this in the virus and worms section!....

"avast is blocking this website, say it has malware....i can assure you it is totally safe, how can i enter this site without avast blocking"

and when we check it..... infected from top to bottom

Manitoban

  • Guest
Re: Avast Needs Better 'Threat Detected' Options
« Reply #10 on: March 09, 2012, 11:19:58 PM »
Have to agree with Duran. This lack of a "Take no action" option is a pet peeve of mine with avast 6 and 7.

Offline bruce_b

  • Sr. Member
  • ****
  • Posts: 333
Re: Avast Needs Better 'Threat Detected' Options
« Reply #11 on: March 10, 2012, 02:00:37 PM »
I agree, Avast is flagging stuff that should not get flagged. Today it tried to tell me some file was a potential Rootkit (I don't recall the exact file) and I can not find it in the virus chest. Avast was told to ignore it, as it was a file associated with the program Malwarebytes Antimalware (I know since that program is MBAM) and the file it thought was bad started with that.
Dell Dimension 8200 P4 1.8Ghz Windows XP PRO SP3
Avast Free Antivirus 18.8.2356
Toshiba Satellite C855-S5347 Celeron B830 1.8Ghz
Windows 10 Home 64 Bit Version 1909 Build 18363.900
Avast Free Antivirus 20.4.2410 Build 20.4.5312.578

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37561
  • Not a avast user
Re: Avast Needs Better 'Threat Detected' Options
« Reply #12 on: March 10, 2012, 02:07:14 PM »
Quote
I agree, Avast is flagging stuff that should not get flagged. Today it tried to tell me some file was a potential Rootkit (I don't recall the exact file) and I can not find it in the virus chest. Avast was told to ignore it, as it was a file associated with the program Malwarebytes Antimalware (I know since that program is MBAM) and the file it thought was bad started with that.
If you have problems, there is a guide here

Section K - Set Exclusions for Malwarebytes' Anti-Malware in Avast! Antivirus 6 (Free, Pro and Internet Security):
http://forums.malwarebytes.org/index.php?showtopic=10138&st=0&p=417798&#entry417798

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9408
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Avast Needs Better 'Threat Detected' Options
« Reply #13 on: March 10, 2012, 02:23:36 PM »
Ppl in general have a bad habit of simply excluding stuff if it's detected as malware. Because they want to run it so badly. So no, exclusions inside detection popup won't be an option.
Visit my webpage Angry Sheep Blog