Avast Free didn't restore file from Virus Chest (and now it's gone)

Hi there!

I’m using Avast Free v. 19.3.2369 - build 19.3.4241.439 (release date March 11, 2019 4:36 AM) on Windows 10.

Avast detects several components from “CyberLink Media Suite 10” as false positives (which I already added as exceptions and sent for analysis).

Here’s the worst issue:

  • Avast moved to the Virus Chest the .exe for “CyberLink PowerProducer 5.5” (“C:\Program Files (x86)\CyberLink\PowerProducer\Producer.exe”).
  • I opened the Virus Chest and clicked “Restore and add exception”.
  • Avast said “It’s happy to be back”, and I could see it correctly added the exception.
  • Unfortunately, Virus Chest is now empty, the .exe file was NOT restored and it is nowhere to be found.

Having your files deleted (instead of protected) by your antivirus software is unacceptable. The restore process should be a simple file copy, verification and then deletion (or rollback in case of failure). There was no error message. There’s plenty of space on the drive (67 GB). The file is not in its original location, in the Virus Chest, or in the Recycle Bin. There’s also no activity log in the Virus Chest (that I could find).

Does anyone know if the file can still be restored, and how? (I’m not so worried about restoring this specific file right now, but I’m worried Avast might delete any other random file forever, so if I could at least manually restore it I’d be more at ease to continue to use Avast).
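The copy, verify, delete (or roll back) sequence described in the post above, as an added example that is not part of the original thread and is not Avast's code. It assumes a hypothetical quarantine folder that keeps a plain copy of the file; `restore_from_quarantine` and its arguments are illustrative names.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Stream the file so large quarantined binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def restore_from_quarantine(quarantined, original_path):
    """Copy, verify, publish, and only then delete the quarantined copy.

    Returns True on success. On any failure the quarantined copy is kept
    and no partial file is left at original_path.
    """
    expected = sha256_of(quarantined)
    tmp_path = None
    try:
        # Stage next to the destination so the final rename stays on one volume.
        fd, tmp_path = tempfile.mkstemp(
            dir=os.path.dirname(original_path), suffix=".restoring")
        os.close(fd)
        shutil.copyfile(quarantined, tmp_path)
        if sha256_of(tmp_path) != expected:
            raise OSError("restored copy does not match quarantined copy")
        os.replace(tmp_path, original_path)  # atomic publish of the verified copy
        tmp_path = None
    except OSError:
        # Rollback: e.g. no write permission on the destination folder.
        if tmp_path and os.path.exists(tmp_path):
            os.remove(tmp_path)
        return False
    os.remove(quarantined)  # the only delete, and it happens last
    return True
```

The ordering is the point: the quarantined copy is the last thing removed, so a failed write can never leave the file in neither location.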

Have you rebooted your system?

Thanks for the suggestion. I just did, yet nothing has changed: the file wasn’t restored to its original place and Virus Chest is still empty.

When Avast detected it, what malware name was given … some kind of PUP?

IIRC, it was “idp.generic”.

In “C:\Users\All Users\AVAST Software\Avast\log\Chest.log”, there is just this:

4/2/2019	12:07:10 PM	Error 5 in GetFileFromChestRpc

FWIW, Windows error 5 means “Access is denied.”

In “C:\Users\All Users\AVAST Software\Avast\log\autosandbox.log”, the relevant entries are these (notice near the end that “Producer.exe” was “marked as infected”):

4/2/2019 11:52:09 AM	Autosandbox candidate: C:\Program Files (x86)\CyberLink\Media Suite\PS.exe
	[Source: ]
	[Opened by: C:\Program Files (x86)\CyberLink\Media Suite\PS.exe]
	[Reason: 0x00020000]
	 --> Result: Sandboxing (no custody)
	 --> Instrumentation: Instrumentation inside sandbox requested

4/2/2019 11:52:14 AM	Autosandbox candidate: C:\Program Files (x86)\CyberLink\Media Suite\OLRSubmission\OLRStateCheck.exe
	[Source: ]
	[Opened by: C:\Program Files (x86)\CyberLink\Media Suite\OLRSubmission\OLRStateCheck.exe]
	[Reason: 0x00020000]
	 --> Result: Sandboxing (no custody)
	 --> Instrumentation: Instrumentation inside sandbox requested

4/2/2019 11:52:19 AM	Autosandbox candidate: C:\Program Files (x86)\CyberLink\MediaShow6\MediaShow6.exe
	[Source: ]
	[Opened by: C:\Program Files (x86)\CyberLink\MediaShow6\MediaShow6.exe]
	[Reason: 0x00020000]
	 --> Result: Sandboxing (no custody)
	 --> Instrumentation: Instrumentation inside sandbox requested

4/2/2019 11:53:33 AM	Autosandbox candidate: C:\Program Files (x86)\CyberLink\Media Suite\PS.exe
	[Source: ]
	[Opened by: C:\Program Files (x86)\CyberLink\Media Suite\PS.exe]
	[Reason: 0x00020000]
	 --> Result: Not sandboxing (because the file is in the exception list).

4/2/2019 11:53:58 AM	Autosandbox candidate: C:\Program Files (x86)\CyberLink\Media Suite\CLUpdater.exe
	[Source: ]
	[Opened by: C:\Program Files (x86)\CyberLink\Media Suite\CLUpdater.exe]
	[Reason: 0x00020000]
	 --> Result: Sandboxing (no custody)
	 --> Instrumentation: Instrumentation inside sandbox requested

4/2/2019 11:57:16 AM	Autosandbox candidate: C:\Program Files (x86)\CyberLink\MediaShow6\MediaShow6.exe
	[Source: ]
	[Opened by: C:\Program Files (x86)\CyberLink\MediaShow6\MediaShow6.exe]
	[Reason: 0x00020000]
	 --> Result: Not sandboxing (because the file is in the exception list).

4/2/2019 11:57:17 AM	Autosandbox candidate: C:\Program Files (x86)\CyberLink\MediaShow6\OLRSubmission\OLRStateCheck.exe
	[Source: ]
	[Opened by: C:\Program Files (x86)\CyberLink\MediaShow6\OLRSubmission\OLRStateCheck.exe]
	[Reason: 0x00020000]
	 --> Result: Sandboxing (no custody)
	 --> Instrumentation: Instrumentation inside sandbox requested

4/2/2019 11:57:27 AM	Autosandbox candidate: C:\Program Files (x86)\CyberLink\MediaShow6\subsys\BigBang\Runtime\CLUpdater.exe
	[Source: ]
	[Opened by: C:\Program Files (x86)\CyberLink\MediaShow6\subsys\BigBang\Runtime\CLUpdater.exe]
	[Reason: 0x00020000]
	 --> Result: Sandboxing (no custody)
	 --> Instrumentation: Instrumentation inside sandbox requested

4/2/2019 11:58:32 AM	Autosandbox candidate: C:\Program Files (x86)\CyberLink\MediaShow6\subsys\BigBang\Runtime\CLUpdater.exe
	[Source: ]
	[Opened by: C:\Program Files (x86)\CyberLink\MediaShow6\subsys\BigBang\Runtime\CLUpdater.exe]
	[Reason: 0x00020000]
	 --> Result: Not sandboxing (because the file is in the exception list).

4/2/2019 11:58:46 AM	Autosandbox candidate: C:\Program Files (x86)\CyberLink\MediaEspresso\MediaEspresso.exe
	[Source: ]
	[Opened by: C:\Program Files (x86)\CyberLink\MediaEspresso\MediaEspresso.exe]
	[Reason: 0x00020000]
	 --> Result: Sandboxing (no custody)
	 --> Instrumentation: Instrumentation inside sandbox requested

4/2/2019 11:58:50 AM	Autosandbox candidate: C:\Program Files (x86)\CyberLink\MediaEspresso\OLRSubmission\OLRStateCheck.exe
	[Source: ]
	[Opened by: C:\Program Files (x86)\CyberLink\MediaEspresso\OLRSubmission\OLRStateCheck.exe]
	[Reason: 0x00020000]
	 --> Result: Sandboxing (no custody)
	 --> Instrumentation: Instrumentation inside sandbox requested

4/2/2019 11:59:01 AM	Autosandbox candidate: C:\Program Files (x86)\CyberLink\MediaEspresso\subsys\BigBang\Runtime\CLUpdater.exe
	[Source: ]
	[Opened by: C:\Program Files (x86)\CyberLink\MediaEspresso\subsys\BigBang\Runtime\CLUpdater.exe]
	[Reason: 0x00020000]
	 --> Result: Sandboxing (no custody)
	 --> Instrumentation: Instrumentation inside sandbox requested

4/2/2019 11:59:41 AM	Autosandbox candidate: C:\Program Files (x86)\CyberLink\PowerProducer\Producer.exe
	[Source: ]
	[Opened by: C:\Program Files (x86)\CyberLink\PowerProducer\Producer.exe]
	[Reason: 0x00020000]
	 --> Result: Sandboxing (file was marked as infected)
	 --> Instrumentation: Instrumentation inside sandbox requested

4/2/2019 12:07:41 PM	Autosandbox candidate: C:\Program Files (x86)\CyberLink\Media Suite\OLRSubmission\OLRStateCheck.exe
	[Source: ]
	[Opened by: C:\Program Files (x86)\CyberLink\Media Suite\OLRSubmission\OLRStateCheck.exe]
	[Reason: 0x00020000]
	 --> Result: Not sandboxing (because the file is in the exception list).

4/2/2019 12:11:18 PM	Autosandbox candidate: C:\Program Files (x86)\CyberLink\MediaShow6\OLRSubmission\OLRStateCheck.exe
	[Source: ]
	[Opened by: C:\Program Files (x86)\CyberLink\MediaShow6\OLRSubmission\OLRStateCheck.exe]
	[Reason: 0x00020000]
	 --> Result: Not sandboxing (because the file is in the exception list).


In “C:\Users\All Users\AVAST Software\Avast\log\Cleaner.log”, there is just this:

Searching references (1/22): 1
	C:\Program Files (x86)\CyberLink\PowerProducer\Producer.exe
Done: 1/2 (direct)

File: C:\Program Files (x86)\CyberLink\PowerProducer\Producer.exe
Reference: HKLM(64):Software\Microsoft\Windows\CurrentVersion\App Paths\PowerProducer
Value: C:\Program Files (x86)\CyberLink\PowerProducer\Producer.exe
Result (1/22): 7: 1 259

File: C:\Program Files (x86)\CyberLink\PowerProducer\Producer.exe
Reference: HKLM(32):Software\Microsoft\Windows\CurrentVersion\App Paths\PowerProducer
Value: C:\Program Files (x86)\CyberLink\PowerProducer\Producer.exe
Result (1/22): 7: -1 2

File: C:\Program Files (x86)\CyberLink\PowerProducer\Producer.exe
Reference: HKLM(64):Software\Microsoft\Windows\CurrentVersion\App Paths\PowerProducer
Value: C:\Program Files (x86)\CyberLink\PowerProducer\Producer.exe
Result (2/22): 7: -1 3221225524

File: C:\Program Files (x86)\CyberLink\PowerProducer\Producer.exe
Reference: HKLM(32):Software\Microsoft\Windows\CurrentVersion\App Paths\PowerProducer
Value: C:\Program Files (x86)\CyberLink\PowerProducer\Producer.exe
Result (2/22): 7: -1 3221225524

I could not search some 17 other files (among 90 files in total) in the same folder, though (got “Permission denied” when grepping them, even running as admin). I could not find any log via Avast GUI.

So it seems Avast Free users can’t get in contact with support, and this bug doesn’t qualify for the bug bounty program either.

Does anyone know if (and how) I can report this bug properly?

You can submit a bug report in “About Avast”.

Thanks, Asyn!

You’re welcome.
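An added example, not part of the original thread and not an Avast tool: a small parser for the autosandbox.log record format quoted above that lists files marked as infected and never later logged as an exception-list hit. The sample is abridged from three entries in the thread; the record layout is inferred from that excerpt only.

```python
import re
from collections import defaultdict

# Abridged from three entries of the autosandbox.log excerpt quoted in the thread.
SAMPLE = r"""
4/2/2019 11:52:09 AM    Autosandbox candidate: C:\Program Files (x86)\CyberLink\Media Suite\PS.exe
    [Reason: 0x00020000]
     --> Result: Sandboxing (no custody)
4/2/2019 11:53:33 AM    Autosandbox candidate: C:\Program Files (x86)\CyberLink\Media Suite\PS.exe
    [Reason: 0x00020000]
     --> Result: Not sandboxing (because the file is in the exception list).
4/2/2019 11:59:41 AM    Autosandbox candidate: C:\Program Files (x86)\CyberLink\PowerProducer\Producer.exe
    [Reason: 0x00020000]
     --> Result: Sandboxing (file was marked as infected)
"""
HEADER = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+Autosandbox candidate: (.+)$")
RESULT = re.compile(r"-->\s*Result:\s*(.+)$")


def parse_entries(text):
    """Turn the multi-line records into dicts with time, path and result."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        header = HEADER.match(line)
        if header:
            entries.append({"time": header[1], "path": header[2], "result": ""})
            continue
        result = RESULT.search(line)
        if result and entries:
            entries[-1]["result"] = result[1]
    return entries


def flagged_without_exception(entries):
    """Files marked infected whose last logged result is not an exception hit."""
    by_path = defaultdict(list)
    for entry in entries:
        by_path[entry["path"].lower()].append(entry)  # Windows paths ignore case
    findings = []
    for events in by_path.values():
        infected = [e for e in events if "marked as infected" in e["result"]]
        excepted = events[-1]["result"].startswith("Not sandboxing")
        if infected and not excepted:
            findings.append((infected[0]["time"], events[-1]["path"]))
    return findings
```

The timestamps it returns can then be compared by hand with the entries in Chest.log.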