I have WinPatrol running on my system and am being alerted of an Avast Emergency Update, type RunOnce, at startup. Three so far in the last few days; here’s the last one:
d72679b3-ccec-4fde-9658-159e46796333.exe in the setup/emupdate folder
Is Avast doing this? Or is it being hacked?? I cannot find any info on these files!!!
emupdate is a legitimate Avast process, but whether the individual “random name” files are legitimate depends on whether they are properly signed by Avast. I have yet to be convinced that this backdoor procedure doesn’t open up a possible security hole.
Interestingly, this morning there are two “random name” files in my emupdate folder, both Avast signed. One dated 28/12/2013 and the other 31/12/2013. A WinMD5sum shows that they are identical (93f3fad76b9a38d19c4c6db46542089c).
Given that the PC is run each day for some considerable hours, it seems the emupdate process has been applied twice (since my last full reinstall), the same file (albeit with a change of name) has been downloaded twice (at my expense) and the process both times has failed to clean up. Not impressed!
There seems to be some confusion on what RunOnce actually means.
It doesn’t mean “run one time only”.
From Microsoft…
“Run and RunOnce registry keys cause programs to run each time that a user logs on. The data value for a key is a command line.”
“By default, the value of a RunOnce key is deleted before the command line is run. You can prefix a RunOnce value name with an exclamation point (!) to defer deletion of the value until after the command runs. Without the exclamation point prefix, if the RunOnce operation fails the associated program will not be asked to run the next time you start the computer.”
This example from a Windows XP SP3 box shows that the key was updated today, and by my observation, updated daily…
I think that as long as we do not have a specific example of what this legitimate process really does, we will still have many posts about it.
Why has Avast not yet spoken about it?
Pleasure?
No need to know?
Either you’ve read a lot into what people have reported here, and/or you have ultimate faith in Avast’s protection, and/or you just like living dangerously.
When the security software starts to act more like malware people really SHOULD notice.
But apparently this (relatively new) behavior is now becoming well-known and expected of Avast. I’ve had several copies of GUID-named executables show up and a RunOnce entry added since my last reboot several days ago. Seems a bit like overkill, but if you’re infected and this “emergency update” stuff saves your bacon I’m sure it will be a happy time.
Is ‘emergency update’ a delivery channel for software patches?
The use of random file names is a great nuisance. Is it a ‘subtle’ nudge in the direction of Avast Security Suite? I would say that the feature, as implemented, is a big put-off.
This description of Emergency Updater was posted in June 2012
That and the GUID-named executables are two different things. Maybe they’re related, but we haven’t had word on the latter and the linked article doesn’t cover it.
I didn’t get a definitive answer back then, and I don’t see any more clarity now… Is Vlk with Avast? One other member mentioned that he thought Vlk is the CTO, but there’s no solid indication (“Global Moderator, Serious Graphoman” doesn’t say much to me). Are only Avast team members moderators?
I first worked with Ondrej (aka vlk) during the Win Vista beta, working to get Avast running under Vista. He has been CTO for a long time, and remains so, to the best of my knowledge (and according to the web site). He definitely knows his stuff, so I have a very strong tendency to trust what he says.
Is this enough of a “solid indication”? (Oh, and jwoods’ link to the management team does show him as CTO if you need more :-))
It would probably be better if the Avast! employees would show a solid indication of who they are when they post here. With security software, especially, statements of those actually in-the-know vs. other folks’ observations can be quite important.
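
The checks discussed in this thread (whether each GUID-named file is validly signed, whether two files are the same download under different names, and what the RunOnce values point at), as an added PowerShell example that is not part of any post and not Avast's own tooling. The folder path and the signer wildcard are assumptions supplied as parameters, because the thread gives neither the full path nor the certificate subject.

```powershell
# Added example: audit an emergency-update folder and the RunOnce keys (PowerShell 4 or later).
param(
    # Assumption: full path to the setup\emupdate folder; the thread does not give it.
    [Parameter(Mandatory)] [string] $EmupdateDir,
    # Assumption: wildcard that the signer certificate's subject must match.
    [string] $SignerPattern = '*Avast*'
)

# 1. Signature status, signer and MD5 of every executable in the folder.
$files = @(Get-ChildItem -LiteralPath $EmupdateDir -Filter *.exe -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Name     = $_.Name
        Modified = $_.LastWriteTime
        MD5      = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash  # equality check only
        Status   = $sig.Status      # 'Valid' = file intact and chain ends at a trusted root
        Signer   = $subject
        Trusted  = ($sig.Status -eq 'Valid') -and ($subject -like $SignerPattern)
    }
})
$files | Format-Table -AutoSize | Out-String

# 2. Identical payloads stored under different names (same hash, several files).
$files | Group-Object MD5 | Where-Object Count -gt 1 | ForEach-Object {
    "Duplicate content {0}: {1}" -f $_.Name, ($_.Group.Name -join ', ')
}

# 3. RunOnce values, and whether each one points at a file checked above.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $keys) {
    $key = Get-Item -LiteralPath $k -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        $hit = $files | Where-Object { $cmd -like "*$($_.Name)*" } | Select-Object -First 1
        [pscustomobject]@{
            Key         = $k
            Value       = $name
            DeferDelete = $name.StartsWith('!')  # '!' prefix: value deleted only after the command runs
            Command     = $cmd
            TargetOK    = if ($hit) { $hit.Trusted } else { 'not in folder' }
        }
    }
}
```

A file whose Status is anything other than Valid, or a RunOnce command whose target shows TargetOK as False, is the case worth investigating; a subject wildcard match is a coarse check and does not replace inspecting the full certificate chain.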