Avast alerting behavior

Is the following behavior normal for Avast when alerting on a file -

I turned on Returnil’s system protection and then I downloaded a keylogger to test if Avast would detect it. The webshield caught it right away and offered me the chance to abort the connection to the website. Since I was testing, I ignored the alert for a few moments and then answered the alert to stop the connection. I assumed that Avast would stop the file from downloading until I answered the alert one way or the other but the file had downloaded to my desktop by the time I answered the alert. Is that normal or should Avast have stopped the file download until the alert was answered?

Also, after the file was downloaded, Avast would alert on it if I either attempted to run it or if I right clicked the file and scanned it. That is to be expected, but Avast would also then alert on the file again when I either clicked send to chest or delete. Avast did delete the file or send the file to the chest, whichever I had specified, but it was alerting again while performing these actions like I was accessing the file anew. So, I would get the initial alert after scanning the file and then I would click send to chest. Avast would then immediately alert on the file again. It made it kind of confusing as to what the answer should be for the alert that followed the first one I had already answered. Is that normal behavior?

Quick thought.
I’m no Returnil expert but my understanding is that it creates a virtual Windows session in a file in RAM and/or on the hard disk. avast! doesn’t comprehend this so when it writes a suspect file to the chest, it is redetected as it is written into the virtual session file.

The file starts to download until the specific string of a malware is detected. It could be at the end of the downloaded file. Anyway, the file is not saved to disk due to WebShield blocking, which requires user interaction.

To click where? Into Windows Explorer?

I’m not able to figure out exactly the order of the events… but avast home does not have automated actions unless you’ve set Silent Mode in the advanced tab of the provider’s settings.
Windows Explorer reads the file properties to display it, to right click it… so even doing nothing the file is being accessed.

I’ve tested the behavior with a false positive detection:
http://forum.avast.com/index.php?topic=39098.0

Indeed, the message from WebShield is there…
Doing nothing the file is saved and caught by the ashQuick.exe after the download finished (Free Download Manager).
Windows Explorer caught the file when I opened the folder to view it…

Now… I agree… something is cheesy here…
Isn’t WebShield working on Vista?

@ Vladimyr

Returnil virtualizes the whole C drive, so as far as Avast knows it is writing to the real chest. Not saying it couldn’t happen but I have never had any software not work right with Returnil.

@ Tech

The file was detected as soon as I started the download but it finished downloading anyway if I didn’t interact with webshield’s warning and abort the connection. I just figured Avast would pause the download until I answered the alert.

After the file was downloaded and then picked up by Avast and I said that Avast would alert again when I clicked “Send to chest” or “delete” I meant when I clicked to answer with what to do with the file in the alert window from Avast, not Windows Explorer.

Sorry if I am not explaining myself as well as I possibly could. Thanks for the responses.

Me too. Something is wrong…
I could not only download the file, that it was saved in the hard disk… seems that WebShield is not working on Vista at all…

Whilst the web shield technically stops the download, it stops it going to the temporary internet files (or browser cache), but it actually creates an unpNNNNNN.tmp (N being a sequence of numbers) file in the avast4 temp folder (actual location is dependent on system variables).

Now under normal circumstances the standard shield on Normal sensitivity wouldn’t alert on the creation of this .tmp file. I don’t know if, when you bump the standard shield up to High, it would scan this and alert.

Now comes the bit which may cause the “file doesn’t exist” problem: when the web shield alert window is closed the unpNNNNNNNN.tmp file is automatically removed from the avast4 folder. So if you subsequently try to delete or move to the chest, that would fall over as the file is no longer there.

The key to this theory is if on a higher sensitivity the standard shield would scan these newly created .tmp files. However, I would have thought that avast wouldn’t scan the avast4 folder as there are likely to be unpacked suspect/infected files temporarily in that location.

So what sensitivity do you have the Standard Shield set to?

I have XP Home with Avast’s standard shield set to normal.

Custom… only scanning files on open.

Then my theory shouldn’t happen. Where was the infected file found on your system?
e.g. (C:\windows\system32\infected-file-name.xxx)
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

I also don’t use Virtualisation, are any of the settings, browser bookmarks/cache transferred to the real system ?

Not even for me… it’s weird… seems that Webshield alerts but does not block the download… can’t you test?

I downloaded the file to my desktop “C:\Documents and Settings*\Desktop” then ran a quick scan via right click. Sorry, I won’t have any logs of the activity unfortunately since I had enabled Returnil’s protection before downloading the file and have rebooted since then, which takes my computer back to the state it was in when I enabled the protection.

Nothing is saved on my real “C” drive while under Returnil’s protection. I can manually save things to either my “F” drive (USB stick) or Returnil’s virtual partition “Z” drive if I wish though, but I didn’t.

If you wish I can download the file again and try to get more information if you think it will help.

I’ve never had it happen, how do you think I capture web pages to upload to VT with the web shield enabled. I visit the suspect link with the web shield enabled and the alert pops up, I take no action visit the avast4 folder and copy the unp9999999.tmp file to my suspect folder.

At that point I abort the connection and I get no duplicate/second error and no file downloaded into the firefox browser cache, so I can’t test what doesn’t happen on my system.

OK that might put a slightly different light on things. Now when I right click on a file and select save as (or save file as) my default location is downloads (original I know). Now if you use either a download manager or, in my case, firefox, you get something like a placeholder file, filename.part, as in this is the part of the file that has been downloaded so far.

The web shield, I would imagine, is also creating the unp999999.tmp file and that is what is alerted on, the unp file. Now what is in the download buffer, etc. may complete the filename.part (which now becomes filename.exe) in the location you chose to download the file, so it may be at that point that the newly created file is detected by the standard shield.

This is once again supposition on my part but logically possible if the file is one that the standard shield would scan on creation, e.g. executable/dangerous file types.

You could try the download again and monitor what is going on: a) c:\windows\temp\_avast4_ if that is your temp folder location, b) whether there is a placeholder style file created in the download location (your desktop; you would only see this in explorer), c) the avast log viewer Infected Files section or d) the C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log file.

The last bit (c, d) should show both alerts the web URL and the HDD location and file name.

This is nothing new …

I have reported in this forum in the past my experience that if a download alert from the Webshield is simply ignored then the download completes.

It seems to me that avast cannot “suspend” the activity of the browser - it is simply scanning that activity and alerting the user. The only step it seems that avast is designed to take is either to abort the connection (if the user so chooses and the connection is still active) or to allow the download to continue. If the download completes before you take action then you are relying on:

a download completion scan (if your browser supports it)

-or-

the Standard Shield on accessing the downloaded file.

OK, I did some more testing and this time I carefully read each pop-up, etc., that Avast generated. I found out I was in error on a few points. Please forgive a long post but I wanted to clear up my errors and provide as much detailed info as I could about why I came to my earlier conclusions and was concerned about whether Avast was behaving as it should. Here is what all I found out:

Malware sample downloaded with Webshield ON:
When I attempt to download the installer file to my desktop Webshield detects it and Avast does pause the download until I take action. However, a placeholder for the malware installer file is put on my desktop at this time. Next I click to abort the connection and the malware program then appears to finish downloading to the desktop, complete with its correct icon. This is what made me think earlier that the program was able to download correctly despite Webshield. The entire program is not downloaded though. The file size is smaller than the malware file’s size if downloaded unhindered with Webshield off. Also, if I attempt to run the malware file I am told that the file is corrupted. Avast also does not now alert on the file when “right click” scanned. So, Webshield neutralized the file after all, at least in my experience with this file. Maybe if alanrf is correct some files do manage to download correctly past the webshield. This one didn’t.

Malware sample downloaded with Webshield OFF:
When I download the malware installer file to my desktop and then “right click” scan it, Avast detects the file as Win32:Rootkit-gen [Rtk]. I click “Move to chest”. A second or two later Avast pops up and again states Win32:Rootkit-gen [Rtk] was found. I again click “Move to chest”. A second or two later Avast again pops up but this time states “Win32:Trojan-gen {Other}” was found. I again click “Move to chest”. After a second or so a smaller window pops up and states, with some text cut off that (The system cannot find the file specified Cannot process "C:\Documents and Settings[i]username[/i]\Desktop[i]malware.exe[/i]{sys}\drivers{code:HideStringFunction}…). I click OK and then another pop-up states (The system cannot find the file specified Cannot process "C:\Documents and Settings[i]username[/i]\Desktop[i]malware.exe[/i]\msk.dll"file). I click OK and the Avast scanner completes and states that 3 infected files were found. (Avast catches the file as well if I just attempt to run it as opposed to “right click” scanning it.)

Due to me not taking the time to carefully read everything the first time, all the separate alerts and then the pop-ups stating that the file could not be found made me think Avast had alerted more than once on the single installer file and then could not find it to move it to the chest because I had already sent it there on the first alert. A look in the Avast log shows however that the three alerts were for three separate files within the malware’s installer. Why I got the pop-ups about not being able to find the files though, I still do not understand. Anyway, here is what the log showed for the file descriptions of the three detections:

Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C\Documents and Settings[i]username[/i]\Desktop[i]malware.exe[/i]{win}{code:MyFileName}\msk.exe” file

Sign of “Win32:Rootkit-gen [Rtk]” has been found in "C\Documents and Settings[i]username[/i]\Desktop[i]malware.exe[/i]{sys}\drivers{code:HideStringFunction}…

Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C\Documents and Settings[i]username[/i]\Desktop[i]malware.exe[/i]\msk.dll” file

Sorry for the earlier confusion when I thought Avast Webshield was failing to stop the file from downloading and when I thought it was detecting one file several times. I wasn’t taking the time to read as carefully as I should have earlier and I wasn’t thinking about more than one file in the installer, etc. So, basically Avast is acting as I would expect with the exception of the pop-ups about not finding the file. If nothing else I learned a thing or two from all this. I hope someone else did too.

edited to add two lines I had forgotten in the post earlier and to state here that “malware.exe” in the file path is of course not the real name of the file I was using to test :wink:
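The three log entries above are the key to the whole thread: each one names a different member nested inside the same on-disk installer, so the first “Move to chest” removes the container and the later “cannot find the file specified” pop-ups follow naturally. The following script is an added example, not code from Avast or from anyone in this thread. It parses Warning.log-style lines in the format quoted above, splits each reported path into the on-disk container and the nested member, and groups detections per container so a reader can see at a glance which alerts refer to one physical file. The log lines, paths and names inside it are constructed placeholders, not real indicators; the list of extensions treated as containers is an assumption, not Avast’s own logic.

```python
import re
from collections import defaultdict

# Constructed sample in the "Sign of ... has been found in ... file" format
# quoted in the thread. Paths, user name and file names are placeholders.
SAMPLE_LOG = r'''
Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\username\Desktop\malware.exe\{win}{code:MyFileName}\msk.exe" file
Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\username\Desktop\malware.exe\{sys}\drivers\{code:HideStringFunction}" file
Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\username\Desktop\malware.exe\msk.dll" file
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\username\Downloads\other.exe" file
'''

LINE_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file')

# Assumption for this example: a path component with one of these extensions
# that is followed by further components is the physical file on disk; the
# remainder of the path names a member the scanner unpacked from it.
CONTAINER_EXTS = ('.exe', '.msi', '.zip', '.rar', '.cab', '.7z')


def split_container(path):
    """Return (on-disk container path, nested member path or '')."""
    parts = path.split('\\')
    for i, part in enumerate(parts[:-1]):
        if part.lower().endswith(CONTAINER_EXTS):
            return '\\'.join(parts[:i + 1]), '\\'.join(parts[i + 1:])
    # No archive component before the last element: the file itself was hit.
    return path, ''


def parse_log(text):
    """Parse warning lines into dicts with signature, container and member."""
    records = []
    for raw in text.splitlines():
        # Forum posts often carry typographic quotes; normalise before matching.
        line = raw.strip().replace('\u201c', '"').replace('\u201d', '"')
        m = LINE_RE.search(line)
        if not m:
            continue
        container, member = split_container(m.group('path'))
        records.append({'signature': m.group('sig'),
                        'container': container,
                        'member': member})
    return records


def group_by_container(records):
    """Map each on-disk file to the list of detections reported inside it."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec['container']].append(rec)
    return dict(groups)


def summarize(text):
    """Return {container: {'alerts': n, 'members': [...], 'signatures': [...]}}.

    A container with more than one alert is exactly the case in the thread:
    removing or chesting it on the first alert leaves nothing for the
    remaining alerts to act on.
    """
    summary = {}
    for container, recs in group_by_container(parse_log(text)).items():
        summary[container] = {
            'alerts': len(recs),
            'members': [r['member'] for r in recs],
            'signatures': sorted({r['signature'] for r in recs}),
        }
    return summary


if __name__ == '__main__':
    for container, info in summarize(SAMPLE_LOG).items():
        print(f"{container}: {info['alerts']} alert(s), signatures {info['signatures']}")
        for member in info['members']:
            print(f"    member: {member or '(the file itself)'}")
```

Running it against the constructed sample prints one line for the installer with three nested members and one for the standalone executable, which is the distinction the log viewer makes visible and the alert pop-ups on their own do not.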

Yes, where there are multiple alerts in an installer (exe archive) avast would generate multiple alerts, but it would first halt all action on the first alert; when that is dealt with the next would alert, and the next, etc.

The problem as I see it is that if in the first alert the complete file is moved to the chest or deleted, etc., any action you chose in subsequent alerts would fail as the installation file is no longer there.

I think the main thing is as you say the web shield isn’t failing and the malware isn’t getting off the hook and allowed to run.

The virus alert dialog indeed does suspend the download - otherwise, it would be almost useless.
For an explanation of the phenomenon, please see here:

Edited.
Post moved to Evangelists’ forum.