Behavior Shield settings don't work + IDP.Generic + uTorrent

Skakara · 2017-04-26T17:46:49.000Z

Today I tried to open a .torrent file and it didn’t open uTorrent client at all. I checked the install folder (%APPDATA%\uTorrent) and the uTorrent.exe file was 0 bytes. I kind of panicked at what was going on in my computer, faulty HD, malware, etc.? Few minutes went and I remembered to check the Avast Virus Chest, though nothing should be there because I have set the Avast settings so that nothing gets cleaned/quarantined/etc. without my consent (I have only File System & Behavior Shields installed). BUT, there it was, uTorrent.exe in Virus Chest, added on 23.4., with IDP.Generic as the cause.

I gather that the IDP refers to the Behavior Shield. I’ve set the “Please define how you would like to deal with suspicious program behavior” to “always ask”.

So why was uTorrent.exe silently quarantined?
Is it normal that a file that was quarantined is left in the file system as empty/0 bytes?

The reason I chose to try out the new Behavior Shield is that it offered an “always ask” setting. But it doesn’t work. So at least 50% of the shield settings do not work, dunno about the exclusions whether those work or not.

Using 17.3.2291 free version.

EDIT: I restored the file from the Virus Chest and ran VirusTotal scan, here’s the analysis. It’s a properly signed file (BitTorrent Inc, sha256RSA) so I don’t think that there’s anything wrong with it.

Also ran Avast explorer scan on the restored file and it doesn’t find anything wrong with the file. While at the same time, scanning in the Virus Chest always produces the IDP.Generic result. Same file but different results. What’s with that?

EDIT2: Currently running uTorrent and downloading, Avast doesn’t seem to mind it anymore? Weird.

mchain · 2017-04-26T23:39:03.000Z

See below for a detection you may have missed.

Sality: https://www.google.com/#q=sality+malware

One of the things you can get when you torrent. Please read:

Behavior shield is the latest technology from avast that is advanced enough to step beyond traditional virus definitions: https://blog.avast.com/behavior-shield-our-newest-behavioral-analysis-technology

Behavior Shield differentiates between what looks to be identical files, so be careful when you choose not to heed a detection, as above.

Skakara · 2017-04-27T11:03:39.000Z

mchain post:2:

One of the things you can get when you torrent.

Please. There’s nothing inherently wrong with P2P/torrenting. Don’t spread FUD.

The Sality detection is false positive, it’s by Invincea which seems to have a problem with this, there’s more of these with Invincea. Also the VirusTotal Invincea update in the analysis seem to be 2 weeks old. Also the uTorrent.exe is digitally signed so it’s not infected.

Just to be sure I scanned my comp with 4 different on-demand malware/rootkit scanners, nothing came up.

mchain post:2:

Behavior shield is the latest technology from avast that is advanced enough to step beyond traditional virus definitions: https://blog.avast.com/behavior-shield-our-newest-behavioral-analysis-technology

The user comments in that article does not paint a pretty picture.

Also, from the article: “Once it identifies something really fishy, it stops the action and reports the behavior to you, before any damage can be done.”

Which finally brings us back to the real issue in this topic:

I gather that the IDP refers to the Behavior Shield. I’ve set the “Please define how you would like to deal with suspicious program behavior” to “always ask”.

So why was uTorrent.exe silently quarantined?
Is it normal that a file that was quarantined is left in the file system as empty/0 bytes?

The reason I chose to try out the new Behavior Shield is that it offered an “always ask” setting. But it doesn’t work. So at least 50% of the shield settings do not work, dunno about the exclusions whether those work or not.

Also ran Avast explorer scan on the restored file and it doesn’t find anything wrong with the file. While at the same time, scanning in the Virus Chest always produces the IDP.Generic result. Same file but different results. What’s with that?

TrueIndian · 2017-04-27T14:19:33.000Z

The reason Behav. shield didnt like it is pretty evident considering its flagged as a PUA on Virustotal.So it seems avast is correct.

And this is the reason why people get infected because they trust their P2P rather than their antivirus.You may still submit the file to avast from virus chest as a false positive.

Skakara · 2017-04-27T14:32:41.000Z

No, not again, please stop this talk about the (VirusTotal) detections. It’s irrelevant to the issue at hand. Please. It’s always the same here in Avast forums…

Could Avast staff comment on the issues/questions I posed? Thank you.

TrueIndian · 2017-04-27T14:37:26.000Z

Skakara post:5:

No, not again, please stop this talk about the (VirusTotal) detections. It’s irrelevant to the issue at hand. Please. It’s always the same here in Avast forums…

Could Avast staff comment on the issues/questions I posed? Thank you.

I am sorry but we are telling you what is evident from VT.We are just trying to help nothing else.

Maybe someone from avast staff can help you out.What version of Bittorrent you use? That can help us figure out the problem

Skakara · 2017-04-27T14:39:36.000Z

I’m sorry but it’s very clear that you don’t understand the issue here at all. Please read my posts again carefully if you’re going to answer again. Thank you.

EDIT: The uTorrent version is irrelevant. Forget everything about uTorrent, it’s not the issue here! I added uTorrent and IDP.Generic detection to this topic just to be verbose from the start with the issue…

TrueIndian · 2017-04-27T14:43:00.000Z

Skakara post:7:

I’m sorry but it’s very clear that you don’t understand the issue here at all. Please read my posts again carefully if you’re going to answer again. Thank you.

EDIT: The uTorrent version is irrelevant. Forget everything about uTorrent, it’s not the issue here!

I will notify someone from avast to take a look.I did read your post.

Skakara · 2017-04-27T14:43:25.000Z

Thank you very much!

Here’s the “beef” of this topic once again:

I gather that the IDP refers to the Behavior Shield. I’ve set the “Please define how you would like to deal with suspicious program behavior” to “always ask”.

So why was uTorrent.exe silently quarantined?
Is it normal that a file that was quarantined is left in the file system as empty/0 bytes?

Also ran Avast explorer scan on the restored file and it doesn’t find anything wrong with the file. While at the same time, scanning in the Virus Chest always produces the IDP.Generic result. Same file but different results. What’s with that?

ApoC · 2017-04-27T14:53:39.000Z

Hello Skakara,

could you be so kind and put the content of the C:\ProgramData\AVAST Software\Avast\log into the archive and send it to us for analysis? Without the logs is hard to say what went wrong.

Also C:\ProgramData\AVAST Software\Avast\avast5.ini would be helpful.

The reason why there was a file with zero length is probably because the file utorrent.exe was downloaded from internet and all downloaded files has the attached alternative data stream (zone identifier). Alternative data stream can not exist without the file and because the alternative data stream was not found to be infected we “healed” only the file content resulting in zero file length.

Best regards.

Skakara · 2017-04-27T15:34:34.000Z

ApoC post:10:

could you be so kind and put the content of the C:\ProgramData\AVAST Software\Avast\log into the archive and send it to us for analysis? Without the logs is hard to say what went wrong.

I’m sorry but I’m not ready to send you all those 70+ files. Were you after some specific log files? I searched for “uTorrent” matches from all the log files but none was found.

But you agree that Avast Behavior Shield should have not silently quarantined the file when the “always ask” is set?

ApoC post:10:

The reason why there was a file with zero length is probably because the file utorrent.exe was downloaded from internet and all downloaded files has the attached alternative data stream (zone identifier). Alternative data stream can not exist without the file and because the alternative data stream was not found to be infected we “healed” only the file content resulting in zero file length.

No. Like I wrote, the quarantined file, uTorrent.exe, was from install folder, it was not downloaded, nor it was auto-updated by uTorrent. Still, I double checked from batch with “dir /r” command and there’s no alternate data streams present. And I went even further, in “clean” VirtualBox Win8, I installed the same uTorrent version (I’ve a copy of all installers of the programs I use) there and again checked with “dir /r” command and there’s no alternate data streams present. So it’s not that.

Could you answer this also: Also ran Avast explorer scan on the restored file and it doesn’t find anything wrong with the file. While at the same time, scanning in the Virus Chest always produces the IDP.Generic result. Same file but different results. What’s with that?

EDIT: BTW. I see that your forum is still affected by that “post vanishes when submitted” horrible bug, it’s been years already (I vaguely remember that in some topic I investigated and posted the results why it happens but nothing has been done to it). Fortunately I have a habit of copy+c every message I write before submitting.

Skakara · 2017-04-27T15:48:41.000Z

About the 0 bytes file; just had a thought of what might have caused it. The uTorrent program might have been running when the silent quarantine happened. I’m not 100% sure because I was, as usual, heavily multi-tasking. There might be a chance that a torrent that I downloaded was fully loaded and I had set it to pause, and then the program just sat running, doing nothing, no torrents downloading, but at some point somehow Avast decided to silently close it & quarantine it without me noticing. I don’t “torrent” a lot, and if the torrent I was downloading was already ready, there’s a chance that I might not have noticed uTorrent silently closing.

@ApoC: Could that explain the 0 bytes file?

ApoC · 2017-04-28T08:00:14.000Z

Hi,

as I stated before, the only possible way how to end up with 0 bytes file is that in time of removal there was some ADS stream attached to the file. If you do not want to send the whole log directory I would like ask you to pick at least these log files:
idp*.log
secapi.log
removal.log

and

C:\ProgramData\AVAST Software\Avast\avast5.ini

Thank You

system · 2017-07-16T14:10:51.000Z

I just installed Avast Premium on my brand new laptop with Windows 10. The Behavior Shield will not turn on… AT ALL. I click it to turn it on, and immediately it turns back off, and then I get a warning that some shields are not turned on, leaving my vulnerable to virus attacks. WTH???

CraigB · 2017-07-16T14:17:48.000Z

harleychick49 post:14:

I just installed Avast Premium on my brand new laptop with Windows 10. The Behavior Shield will not turn on… AT ALL. I click it to turn it on, and immediately it turns back off, and then I get a warning that some shields are not turned on, leaving my vulnerable to virus attacks. WTH???

Your issue isn’t really related to this topic but now you’re here you could try rebooting your system a couple of times and see if that fixes it, next step is to run a repair and reboot if the first suggestion doesn’t work.

system · 2018-05-11T11:36:24.000Z

I’ve got to say I am really not impressed with Avast or some of the Avast support comments I have read regarding getting Avast to play nicely with uTorrent.

With the greatest respect, could someone post a simple guide on how to get uTorrent working on Windows 10 with Avast Antivirus.

Stop hiding behind its the OOC’s because its not, its the rigid security of Avast which although I welcome in the main, if I want to use uTorrent that’s my choice and my human right.

I’ve made exceptions to the Appdata folder containing uTorrent, and the firewall settings appear OK.

So come on Admins, if you’re that confident its not avast, I’m calling you out. Post a video of how to get it working please otherwise I won’t be renewing my subscription and suspect others will follow.

Its about flexibility and choice. (And personal freedoms but hey ho)

Announcements