Hello, I’ve been having some problems with Avast for the past 3-4 weeks.

File Shield blocks different applications at different times without any notification.
I checked all log files and can’t find any entry for that actions…

For example I can’t open “Command Prompt” because of File Shield locking cmd.exe process.
Sometimes blocks Media Player Classic (mpc-hc64.exe), SunsetScreen, Mkvcleaver…

Restarting the computer or kill and re-execute avastsvc.exe solves the problem,
but occurs later times again.

I don’t have any more details. I would appreciate it if other people who have this problem write answers.

My OS: Windows 7 Ultimate
My AV: Avast Free Latest Version

→ https://support.avast.com/en-ww/article/298/ (Blocked & Allowed apps)

What makes you think it’s specifically the File Shield? Does stopping it temporarily help?
How exactly does the blocking manifest? Can you e.g. copy the affected file somewhere else (while blocked), or even read access is prevented?
How often do you notice the problem? Is it frequent enough that you’d be able to record the session with Process Monitor, up to the point the problem appears? (if it’s really AvastSvc.exe locking the files, then a filter to “AvastSvc.exe” process name should be sufficient) The Process Monitor log could show us what piece of code actually opened the file.

Yes, it’s helps.

I captured Avastsvc.exe’s actions with Process Monitor.

https://drive.google.com/file/d/1WLIP7pOBRxfypkgoY3CzV7dXI70aZu4m/view?usp=sharing
https://www.virustotal.com/gui/file/0cd2a1b40052b2d4cd7fdae09d033a6101de50fc8897fa094f9cfface72ede5a/detection

So, during the “BeforeRestart” recording, what happened? The file mkvcleaver_x64_v0800.exe couldn’t be opened?
I’m afraid I don’t see anything suspicious in the log, there’s no file open that wouldn’t get closed (it could have happened before ProcMon was started, but if nothing touched that executable, there shouldn’t be any reason why Avast would scan it… or, theoretically, it could have been aswEngSrv.exe process, rather than AvastSvc.exe).

Maybe a better ProcMon recording would be to record everything - and once an executable starts to get locked, stop the recording, filter the log to that particular executable (in this case mkvcleaver_x64_v0800.exe?), keeping any processes that have accessed it, and then export the log.

Yes, I’ll send you more detailed log record when bug occurs.
Thanks for reply.

I uploaded non-filtered logs,
u can add filter rule with “Path” for contains “mkvcleaver”…

https://drive.google.com/file/d/1u48xBPfio46o_NZaEfWe9BJ5_CjNYlhV/view?usp=sharing
https://www.virustotal.com/gui/file/bec7bd7980ed0ff68c539055f4712a4f82c7372d066ff468779eb8f4240d2ec0/detection

I’m trying that today lets see if it works…

Thanks for the logs.
So, when you say a program cannot be opened, you mean that you start it and nothing happens… right? I’ve been assuming you get some kind of an error (access denied or so) - but such a case is not visible in the logs.

If it’s indeed the “nothing happens” case, it looks like the scan is somehow stuck and never ends.
When the problem appears again, can you please create a dump of the aswEngSrv.exe process and upload it? (you can do it from Process Explorer (rightclick / Create dump / Create Full Dump), or via ProcDump, or even via Task Manager)
Thanks.