So, being the nervous type, I tend to look at Avast shield activity from time to time. With the Behaviour Shield, there is usually no or very little activity unless something new is activated/executed. When Windows Defender is updated, there are a couple of hits relating to that. The times I’ve looked at the shield, this update has often been downloaded and installed long before, and I only see the last entry, which seems benign (unfortunately I can’t remember the path). Just checking a little over an hour ago, I was slightly concerned when I saw this in the shield (wrote it down):
C:\Windows\Temp\7f420305-bb43-459c-b9e9-aaededacff.exe
Now, it wasn’t blocked or anything, just analyzed. I went to the Temp folder, and this being Vista, received a UAC-related pop-up asking me to confirm by clicking “Continue”, and there was a 500 KB or so .tmp file dated 13/11. It was auto-deleted before I got to see the exact file name, but I presume it was identical or related to the analyzed file.
This worried me somewhat. According to the Windows Update panel there hadn’t been a search for updates today. A minute or two later, new entries appeared in the Behaviour Shield interface, similar to the ones I’m used to seeing when there has been a Windows Defender update. When I checked the Windows Update panel again, this time it showed that there had been a search and installation, although dated a few minutes later than when I checked the Temp folder.
So, if anyone can tell at a quick glance whether or not this is something to worry about, I would appreciate it. I’ve since checked the Windows Defender and Update logs, and according to them, Windows\SoftwareDistribution is used, and there is mention of temporary file paths:
Deleted c:\9a5d0b7b1591f090e4d505\1.139.1681.0_to_1.139.1946.0_mpasdlta.vdm._p
Deleted c:\9a5d0b7b1591f090e4d505\mpasdlta.vdm
But nothing about the Temp folder. Is this strange or not? Is it likely that the Temp folder has also been used, even though the Update panel dated the update search differently? Maybe it always uses the Temp folder, and I just didn’t notice because I have always only seen the latest Behaviour Shield entry, after the entire update process is finished.
And finally, even if this is completely ordinary and nothing to worry about, have I compromised the security of the Temp folder by removing the “lock” when accessing it?
I’m going to run a boot-time scan now and probably a full file system scan later. I’d very much appreciate it if some of you can spare the time to comment in the meantime. Hopefully this is nothing.