When avast! moves a file to the Chest during a scan (in the latest case, a false positive on “psexec” which I use), it changes the Modified Date on the folder. Then, when I restore it from the Chest, it changes the Modified Date on the folder AND the restored file.
How do I prevent that from happening?
Also, this ended up bringing another issue to light. When I restore a file from the chest, why is it not automatically excluded or why is there not an option to add it to the exclusions list? The same files keep getting caught for each scan. I have 40 or so files like psexec that I use for IT utilities and I don’t really feel I should have to type them all into the master exclusions list (since no other antivirus software requires that).
I’m assuming I just don’t know what I’m doing. Any help is appreciated.
No. I mean, avast! does not do that - if you do any change in a folder (such as deleting a file from there), Windows updates the timestamp of that folder - to reflect the last change.
Again - the change of the folder timestamp is done by Windows itself.
And yes, avast! does not preserve the timestamps of the files it moves to the Chest - so the timestamp of the file is changed.
You can’t. But of course, you are welcome to send the falsely identified files to virus@avast.com, preferably packed in a password-protected ZIP or RAR and with a “False alarm” subject.
The restore option is meant to be used after the false alarm is fixed - and there’s no reason to exclude the files at that moment, right?
There is nothing to stop you collating these tools in the one folder (as I do), imaginatively called avast-excludes and exclude that location and contents from scans, e.g. “c:\avast-excludes*” (without the quotes) or a location of your choice, this will exclude all files in that folder and any sub folders and their contents.
Add it to the exclusions lists: Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions (right-click the avast ‘a’ icon)
This saves you the hassle of inputting all 40 or so tools into exclusions, however, as Igor mentions you really should submit files you believe to be false detections as that will not only resolve the problem for you but also other avast users who might be using these tools.
Also I would say avast has a problem when it comes to tools like psexec as a tool can be used for good or evil.
With regard to the filestamp change, an EXE’s timestamp doesn’t change just from moving a file. I can pack and unpack with WinZip, encrypt it, etc. with other tools and the timestamp does not change (again, for EXEs). It makes no sense for avast to change the stamp.
Thanks for the reminder about the Folder stamping - I had forgotten about that.
With regard to reporting psexec - it is already known. It’s a tool from Sysinternals (now owned by Microsoft) that’s in a suite of tools hackers also use in their viruses. avast should be flagging it. It’s similar to VNC - it should be flagged, but it’s honestly a false positive in most environments (since “false positives” are relative to an environment anyway) that should be easier to exclude than avast provides means to do.
With regard to the exclusions and the chest’s operations, that’s really pathetic. This is one of the most basic functions of every other antivirus software I’ve used (Trend, Symantec, Kaspersky, etc.). I’m pretty impressed with avast overall, but there are a few things they just seemed to have completely missed the mark on.
Also, I do appreciate the potential workaround suggested with regard to placing these files in a single folder, but it isn’t realistic at all. One should not have to reorganize one’s directory and file structure to accommodate a poorly written design. So, I’ll go with another product on these workstations and use avast on the others.
It’s the other way round - avast! does not change the timestamp - it doesn’t preserve them (a special code would be needed for that). That’s why it’s changed when the file is recreated.
Yes, such a feature (preserving the timestamp) could be implemented, but I don’t think it’s very important.
I know what psexec is - what I was trying to say is that (as far as I know) avast! does not detect it on purpose. It’s possible that you have a different (older?) version of the tool… if you send us the files, I think the virus guys will remove the detection.
I’m specifically speaking about the ability to automatically have exclusions added from the Chest (via an acknowledgement during the restore of a file, via a right-click option that would apply to multiple files, etc.). This way if you have a lot of files that you want to restore, you can restore them AND be sure they are excluded at the next scan (all in the same process) without a lot of extra tedious work. If you take a look at the other antivirus systems, perhaps it will make more sense than my own poor attempt at an explanation :). It’s pretty common.
Igor:
I’m pretty confused about the file stamping and avast. Why would the timestamp change then? The date/time doesn’t change until avast does something with them. Also, as mentioned with the other issue, I haven’t had stamping issues when restoring with other antivirus systems (at least not that I ever remember). I just tested with one of my Trend Micro installs, and Trend doesn’t change the stamp on this file for me when it gets quarantined and released.
I have the latest version of psexec (actually, I have several versions - they all get caught). As long as I’ve used avast, it has caught this for me. I just happen to have 2 computers now that use quite a few more utilities than psexec (and multiple versions of each for historic compatibility) so it’s more tedious for me to exclude.
I’m happy to submit the file… However, I’m not sure that I agree it even SHOULD be excluded globally. A lot of malware authors use tools like psexec. The average home user should NOT have this tool on their system, so I feel it should be flagged as a concern. I just want an easier way to exclude it (similar to a feature other vendors already provide).
I see and share this wish with you.
The only ‘problem’ will be that an unadvertised user will mess the system restoring infected files and worse, adding it to the Exclusion List. The better will be avast correcting quickly the false positive (as they always do) and adding files with wildcards into the Exclusion lists, maybe an entire folder, for instance.
“Moving file into avast! Chest” means creating a new, encrypted file in avast! folder (with the content based on the original file) and deleting the original file.
Restoring means recreating the original file and decrypting the content from avast! folder there.
So, unless specifically stored somewhere and reset on the newly created file (which is not the case right now), the timestamp changes on restoration - because the file is “created” from scratch.
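The move-and-restore cycle described above, as an added Python example that is not part of the original thread and not avast! code. The XOR encoding, the `.q`/`.json` vault layout and all function names are assumptions made for illustration; it shows the folder timestamp changing when the original is deleted and the file timestamp surviving only when it is saved at quarantine time and reset with `os.utime` on restore.

```python
import json
import os
import tempfile
from pathlib import Path

KEY = 0x5A  # single-byte XOR stands in for the Chest's encryption (assumption, not real crypto)
OLD_NS = 1_200_000_000 * 10**9  # constructed "original" timestamp (January 2008)


def quarantine(path: Path, vault: Path) -> Path:
    """Create an encoded copy plus metadata in the vault, then delete the original."""
    st = path.stat()
    entry = vault / (path.name + ".q")
    entry.write_bytes(bytes(b ^ KEY for b in path.read_bytes()))
    meta = {"origin": str(path), "atime_ns": st.st_atime_ns, "mtime_ns": st.st_mtime_ns}
    Path(str(entry) + ".json").write_text(json.dumps(meta))
    path.unlink()  # removing a directory entry is what updates the folder's timestamp
    return entry


def restore(entry: Path, preserve_times: bool) -> Path:
    """Recreate the original file; optionally reset the timestamps saved at quarantine time."""
    meta = json.loads(Path(str(entry) + ".json").read_text())
    origin = Path(meta["origin"])
    origin.write_bytes(bytes(b ^ KEY for b in entry.read_bytes()))  # new file, new mtime
    if preserve_times:
        os.utime(origin, ns=(meta["atime_ns"], meta["mtime_ns"]))
    return origin


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        folder, vault = Path(tmp, "tools"), Path(tmp, "vault")
        folder.mkdir()
        vault.mkdir()
        tool = folder / "tool.exe"
        tool.write_bytes(b"constructed sample content")
        os.utime(tool, ns=(OLD_NS, OLD_NS))
        os.utime(folder, ns=(OLD_NS, OLD_NS))
        entry = quarantine(tool, vault)
        folder_changed = folder.stat().st_mtime_ns != OLD_NS
        naive = restore(entry, preserve_times=False).stat().st_mtime_ns
        kept = restore(entry, preserve_times=True).stat().st_mtime_ns
        return {"folder_changed": folder_changed,
                "naive_changed": naive != OLD_NS,
                "preserved_matches": kept == OLD_NS}


if __name__ == "__main__":
    print(demo())
```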
Adding to the “exclusion list” when moving items from the chest should clearly not be “automatic”. A well phrased prompt to the user (with a “warning” of some kind making it clear the ramifications involved) giving the user the option to add to the exclusion list at the time of restoring would suffice.
This would add a great deal of convenience in situations where an item may be left as a threat as far as Avast is concerned but at the same time where there may be exceptions to the rule such as this example the user is offered the option at the time to simplify the procedure of exclusions.