Competency of AVAST?

Get a cup of joe, this is going to be long.

I’ve been using AVAST for about 3 years now, and until recently, I thought it was better than the invention of sliced bread. However, now I question AVAST’s competency. Why? Let me explain.

This year, I started to learn C#/Visual Basic in Visual Studio after programming on Borland’s CBuilder Pro since 1995 (I’ve programmed in one form or another for almost 40 years, both professionally and non-professionally). A few months ago, I wrote a program that accessed Access databases, and I got the error Win32:Evo [Susp] on several programs, after I had compiled them, and used them for some time during internal testing.

Then I compiled the programs successfully, uploaded them to the Internet, and asked a friend to download them. He was using the same version of Avast (and definitions) I was, and he got the Win32:Evo [Susp] error. No matter what I did (I accessed his system with Teamviewer), I couldn’t get the file to download, all because AVAST kept flagging the Win32:Evo [Susp] error. But yet I could download it just fine to my computer as well as my wife’s and our definitions were the same.

A couple of days after this, I finally got the Win32:Evo [Susp] error on a download of the same file. Like before, our definitions were the same. The funny (strange) thing about the whole situation is that on download or copy, the error came up, but on a regular scan of the specific folder the program was in (dev folder), AVAST didn’t flag anything.

I couldn’t find out 100% for sure what the cause was, but it pointed to the database engine. I say this, because other programs written, that didn’t use a database, worked just fine. So I decided to rewrite the programs that used databases into using XML instead, to bypass this possibility. All seemed fine. Almost all rewritten programs were just fine, save one discovered last night.

One of the last programs that needed to be converted was done on 2013_12_05, and I didn’t get any errors, the new XML version (this was backed up to an external drive a few days ago). Last night I tried to run the program, and I got the Win32:Evo [Susp] error (the one on my “C” drive).

Just a little bit ago, I finished additional testing, where I commented out all the code in the program, then one-by-one uncommented the code in each function, ran in debug AOK, then did a batch build (debug and release), and got squat. Note that I got the error on the debug run last night, and also during the compiles. The definitions were the same as last night, 131228-1, as well as AVAST version.

But this isn’t the end of it. After all this, I ran the same program that AVAST complained about from the external drive, with a date of 2013_12_05, with no problems. I scanned it, no problems. I uploaded it to my site, no problems. I downloaded it from my site, no problems.

This is why I question the competency of AVAST. Later today, once my friend gets up (he’s three time zones away from me), I’m going to ask him to try and download the program.

Before anyone says that this was fixed months ago (numerous sites said that), I challenge the validity of the comment, and I point to the above. I’m relentless when it comes to keeping my computer up to date (e.g. security updates, etc.), so that isn’t an issue.

I also copied the file to a Virtual machine, installed programs like SPYBOT S&D, no problems. I even uploaded the program to VirusTotal, and nothing was flagged, including Avast (that’s what the site said).

So AVAST, why does the problem exist and what do you plan on doing to fix the issue? The most recent example used the same definitions last night and this morning, and pitched a fit last night, but not this morning. That’s a major bug.

The funny (strange) thing about the whole situation is that on download or copy, the error came up, but on a regular scan of the specific folder the program was in (dev folder), AVAST didn't flag anything.
W32:Evo-Gen [susp] = suspicious / used to detect new malware, and new files not used by many may get this detection. And detection is on access only and not when running a scan.

You can upload files and report issues to avast here: http://www.avast.com/contact-form.php (select subject according to your case)

You can use mailsend to virus@avast.com in a password protected zip file
mail subject: False Positive / undetected sample (select subject according to your case)
zip password: infected

Or you can send files from avast chest
How to use the chest. http://www.avast.com/faq.php?article=AVKB21

The point I believe you missed is that the detection is inconsistent on the same file. The same file, for example, can be downloaded from the same location, and have different results on multiple computers. As for putting them in the chest, that’s ridiculous! Why would I put a program I wrote in the chest, when I know it’s AOK!

These database programs, for example, only added, deleted, and edited records, nothing more. This means that AVAST is messing up. The XML programs only read and wrote to an XML file that stored the data. Here’s the catcher. The other XML file writing programs work fine, and this one that messed up, was created from the same skeleton file.

I’m a software developer and I had some false positives for Win32:Evo Gen [Susp] (or something like that) not long ago (like 3 weeks ago).

I reported them as false positives, and ended up having to exclude my development folder structure in order to proceed.

More recently I’ve removed the exclusions and been through the same build processes again, and lo and behold I’ve had no more false positives - without having changed the build process.

My opinion is that the Avast developers are trying to walk a fine line between reporting too many false positives and missing suspicious activity by malware.

There ARE quite a number of different settings buried within the Avast UI, and it’s possible that changing or disabling some of them will reduce the aggressiveness of Avast’s detection processes and ultimately avoid these “Evo Gen” foul-ups. I don’t know what, specifically, might affect this particular detection, though there is a Heuristics sensitivity setting that seems a good place to start.

-Noel

By the way, the term “Heuristics” implies a potentially unrepeatable process.

-Noel

Sorry for bumping this thread, but it’s still an active issue with Avast. Was or is somebody looking at fixing those false detections? I am getting reports from my customers that Avast claims that my product is a “virus” and removing it protected their computers.

Actually, just having the same VPS doesn’t mean much because there are also streaming updates. And as far as I know, Evo-Gen doesn’t work for on-demand. So there might be the difference.