Today I tried to open a .torrent file and it didn’t open the uTorrent client at all. I checked the install folder (%APPDATA%\uTorrent) and the uTorrent.exe file was 0 bytes. I kind of panicked at what was going on in my computer, faulty HD, malware, etc.? A few minutes went by and I remembered to check the Avast Virus Chest, though nothing should be there because I have set the Avast settings so that nothing gets cleaned/quarantined/etc. without my consent (I have only File System & Behavior Shields installed). BUT, there it was, uTorrent.exe in Virus Chest, added on 23.4., with IDP.Generic as the cause.
I gather that the IDP refers to the Behavior Shield. I’ve set the “Please define how you would like to deal with suspicious program behavior” to “always ask”.
So why was uTorrent.exe silently quarantined?
Is it normal that a file that was quarantined is left in the file system as empty/0 bytes?
The reason I chose to try out the new Behavior Shield is that it offered an “always ask” setting. But it doesn’t work. So at least 50% of the shield settings do not work, dunno about the exclusions whether those work or not.
Using 17.3.2291 free version.
EDIT: I restored the file from the Virus Chest and ran a VirusTotal scan, here’s the analysis. It’s a properly signed file (BitTorrent Inc, sha256RSA) so I don’t think that there’s anything wrong with it.
Also ran Avast explorer scan on the restored file and it doesn’t find anything wrong with the file. While at the same time, scanning in the Virus Chest always produces the IDP.Generic result. Same file but different results. What’s with that?
EDIT2: Currently running uTorrent and downloading, Avast doesn’t seem to mind it anymore? Weird.
Please. There’s nothing inherently wrong with P2P/torrenting. Don’t spread FUD.
The Sality detection is a false positive, it’s by Invincea which seems to have a problem with this, there’s more of these with Invincea. Also the VirusTotal Invincea update in the analysis seems to be 2 weeks old. Also the uTorrent.exe is digitally signed so it’s not infected.
Just to be sure I scanned my comp with 4 different on-demand malware/rootkit scanners, nothing came up.
The user comments in that article do not paint a pretty picture.
Also, from the article: “Once it identifies something really fishy, it stops the action and reports the behavior to you, before any damage can be done.”
Which finally brings us back to the real issue in this topic:
I gather that the IDP refers to the Behavior Shield. I’ve set the “Please define how you would like to deal with suspicious program behavior” to “always ask”.
So why was uTorrent.exe silently quarantined?
Is it normal that a file that was quarantined is left in the file system as empty/0 bytes?
The reason I chose to try out the new Behavior Shield is that it offered an “always ask” setting. But it doesn’t work. So at least 50% of the shield settings do not work, dunno about the exclusions whether those work or not.
Also ran Avast explorer scan on the restored file and it doesn’t find anything wrong with the file. While at the same time, scanning in the Virus Chest always produces the IDP.Generic result. Same file but different results. What’s with that?
The reason Behav. shield didn’t like it is pretty evident considering it’s flagged as a PUA on VirusTotal. So it seems Avast is correct.
And this is the reason why people get infected, because they trust their P2P rather than their antivirus. You may still submit the file to Avast from the Virus Chest as a false positive.
No, not again, please stop this talk about the (VirusTotal) detections. It’s irrelevant to the issue at hand. Please. It’s always the same here in Avast forums…
Could Avast staff comment on the issues/questions I posed? Thank you.
I’m sorry but it’s very clear that you don’t understand the issue here at all. Please read my posts again carefully if you’re going to answer again. Thank you.
EDIT: The uTorrent version is irrelevant. Forget everything about uTorrent, it’s not the issue here! I added uTorrent and IDP.Generic detection to this topic just to be verbose from the start with the issue…
I gather that the IDP refers to the Behavior Shield. I’ve set the “Please define how you would like to deal with suspicious program behavior” to “always ask”.
So why was uTorrent.exe silently quarantined?
Is it normal that a file that was quarantined is left in the file system as empty/0 bytes?
Also ran Avast explorer scan on the restored file and it doesn’t find anything wrong with the file. While at the same time, scanning in the Virus Chest always produces the IDP.Generic result. Same file but different results. What’s with that?
Could you be so kind and put the content of C:\ProgramData\AVAST Software\Avast\log into an archive and send it to us for analysis? Without the logs it is hard to say what went wrong.
Also C:\ProgramData\AVAST Software\Avast\avast5.ini would be helpful.
The reason why there was a file with zero length is probably because the file utorrent.exe was downloaded from the internet and all downloaded files have the attached alternative data stream (zone identifier). An alternative data stream cannot exist without the file, and because the alternative data stream was not found to be infected we “healed” only the file content, resulting in zero file length.
I’m sorry but I’m not ready to send you all those 70+ files. Were you after some specific log files? I searched for “uTorrent” matches from all the log files but none was found.
But you agree that Avast Behavior Shield should not have silently quarantined the file when the “always ask” is set?
No. Like I wrote, the quarantined file, uTorrent.exe, was from the install folder, it was not downloaded, nor was it auto-updated by uTorrent. Still, I double checked from batch with the “dir /r” command and there are no alternate data streams present. And I went even further: in a “clean” VirtualBox Win8, I installed the same uTorrent version (I’ve a copy of all installers of the programs I use) and again checked with the “dir /r” command, and there are no alternate data streams present. So it’s not that.
Could you answer this also: Also ran Avast explorer scan on the restored file and it doesn’t find anything wrong with the file. While at the same time, scanning in the Virus Chest always produces the IDP.Generic result. Same file but different results. What’s with that?
EDIT: BTW. I see that your forum is still affected by that “post vanishes when submitted” horrible bug, it’s been years already (I vaguely remember that in some topic I investigated and posted the results why it happens but nothing has been done to it). Fortunately I have a habit of copy+c every message I write before submitting.
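An added example, not part of any post in this thread and not Avast's own tooling: a PowerShell check of the state discussed above, listing a file's NTFS alternate data streams, the size of its main stream, any Zone.Identifier content and its Authenticode status. The default path is the install folder named in the first post; the function name and report fields are assumptions made for illustration.

```powershell
# Added example: inspect a file for NTFS alternate data streams (ADS).
# The default $Path is the install folder named in the thread; adjust as needed.
param(
    [string]$Path = "$env:APPDATA\uTorrent\uTorrent.exe"
)

# Hypothetical helper name; returns one report object for the given file.
function Get-StreamReport {
    param([Parameter(Mandatory)][string]$LiteralPath)

    if (-not (Test-Path -LiteralPath $LiteralPath -PathType Leaf)) {
        throw "File not found: $LiteralPath"
    }

    # -Stream * lists every stream; the unnamed main stream shows as ':$DATA'.
    $streams = Get-Item -LiteralPath $LiteralPath -Stream *
    $main    = $streams | Where-Object Stream -eq ':$DATA'
    $named   = @($streams | Where-Object Stream -ne ':$DATA')

    # Zone.Identifier is the stream Windows attaches to downloaded files.
    $zone = $null
    if ($named.Stream -contains 'Zone.Identifier') {
        $zone = (Get-Content -LiteralPath $LiteralPath -Stream Zone.Identifier) -join '; '
    }

    [pscustomobject]@{
        Path            = $LiteralPath
        MainStreamBytes = $main.Length
        NamedStreams    = ($named | ForEach-Object { "$($_.Stream) ($($_.Length) bytes)" }) -join ', '
        ZoneIdentifier  = $zone
        # A 0-byte main stream with named streams still attached matches the
        # "content healed, ADS left behind" state described in the thread.
        EmptyWithAds    = ($main.Length -eq 0 -and $named.Count -gt 0)
        Signature       = (Get-AuthenticodeSignature -LiteralPath $LiteralPath).Status
    }
}

Get-StreamReport -LiteralPath $Path | Format-List
```

An empty NamedStreams field corresponds to the “dir /r” result reported above, where no alternate data streams are present.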
About the 0 bytes file; just had a thought of what might have caused it. The uTorrent program might have been running when the silent quarantine happened. I’m not 100% sure because I was, as usual, heavily multi-tasking. There might be a chance that a torrent that I downloaded was fully loaded and I had set it to pause, and then the program just sat running, doing nothing, no torrents downloading, but at some point somehow Avast decided to silently close it & quarantine it without me noticing. I don’t “torrent” a lot, and if the torrent I was downloading was already ready, there’s a chance that I might not have noticed uTorrent silently closing.
As I stated before, the only possible way to end up with a 0 bytes file is that at the time of removal there was some ADS stream attached to the file. If you do not want to send the whole log directory, I would like to ask you to pick at least these log files:
idp*.log
secapi.log
removal.log
I just installed Avast Premium on my brand new laptop with Windows 10. The Behavior Shield will not turn on… AT ALL. I click it to turn it on, and immediately it turns back off, and then I get a warning that some shields are not turned on, leaving me vulnerable to virus attacks. WTH???
Your issue isn’t really related to this topic, but now that you’re here you could try rebooting your system a couple of times and see if that fixes it; the next step is to run a repair and reboot if the first suggestion doesn’t work.
I’ve got to say I am really not impressed with Avast or some of the Avast support comments I have read regarding getting Avast to play nicely with uTorrent.
With the greatest respect, could someone post a simple guide on how to get uTorrent working on Windows 10 with Avast Antivirus.
Stop hiding behind it’s the OOC’s because it’s not, it’s the rigid security of Avast which although I welcome in the main, if I want to use uTorrent that’s my choice and my human right.
I’ve made exceptions to the Appdata folder containing uTorrent, and the firewall settings appear OK.
So come on Admins, if you’re that confident it’s not Avast, I’m calling you out. Post a video of how to get it working please, otherwise I won’t be renewing my subscription and suspect others will follow.
It’s about flexibility and choice. (And personal freedoms but hey ho)