File shield false alarm where normal scan does not

Hello,

I wonder what is different in File shield than the normal scan. I set all the parameters to the most aggressive scan in normal mode and nothing… File shield will not let me copy a file after the last update. It triggers a Win32:Evo-gen [Susp]. I think [Susp] comes from suspicion.

Well I configured File shield for 0 heuristics and it still triggers. The software is my own production in C++ compiled with Borland 5.0 and packed with Winlicense.

The issue is the most aggressive file scan is OK, whereas the file shield gives a false positive…

What is the file name and location given for that detection?

There are differences: an on-access scan may access the avast cloud for any details about this file. This wouldn’t happen in an on-demand scan due to the volume of files being scanned. It also depends on what on-demand scan you are doing (Quick, Full System Scan or Custom), as it may not be checking those areas depending on the file type and location (hence my question).

Hello,

OK here we go in more detail.

I compiled the .exe again in a clean directory with all shields up. Size was the intended one. I packed it with Winlicense. Size was the same as the previous one.

I took both .exe files and put them in a ‘Tmp’ directory.

I selected ‘Select folder to scan’. In Settings I set ‘Scan all files’; under Sensitivity, ‘Test whole files’; I set Heuristics to High, Use code emulation, Scan for PUP.

I hit Start - NO THREAT FOUND, so both my files, the protected .exe and the unprotected .exe, are OK. We just established they are not infected.

Then, with all shields up, I try to copy both files from directory Tmp to Tmp2. SUCCESS. No shield trigger.

Then I try to copy them on the network, on the server where the auto-update files reside. SUCCESS. No shield trigger.

When i try to copy from the network directory back to Tmp2, the unprotected file copies just fine, the Winlicense protected one triggers the Win32:Evo-gen [Susp].

Active Protection settings are all unchecked or off (Heuristics, Sensitivity, etc.), so I guess it is from the cloud. Sadly I cannot find an option to turn the cloud off.

So, the final verdict: the shield will trigger as a false positive ONLY when you want to copy that specific file from network to drive. It will not trigger for drive to drive or drive to network. Only for network to drive. I MD5ed them, before and after the network copy; they are unaltered on the network, as they are on the drive.

http://www.biosol.ro/Poze/MD5.jpg

My temporary workaround is to exclude that directory from scan. Please fix this, I really like AVAST, but I cannot stay forever with my software excluded from scan. What if a real infection appears?

Best regards
Vlad Popovici

Hello,
Evo-gens are detected only OnAccess, not during an OnDemand scan. Send the files to virus@avast.com and put “False positive” in the email subject.

Milos

Hello,

I make updates twice per week. If I just send you one file, it may trigger on the next one also.

This ‘cloud’ access is dumb, please tell me how to disable it. Let me tell you why:

After a suspicious infection I guess it uploads into the cloud based on THE SUSPICION ONLY!!! My ‘infected’ file gets the shield trigger only based on name. If I take ‘Biosol.exe’ from network to drive and it gets flagged as ‘suspicion’, after a while it will trigger for drive to drive too. If I just change the file name to Biosol_xxx.exe it will NOT TRIGGER ANYMORE!!! for drive to drive. So it gets triggered by file name only; please excuse me, but this is just dumb.

Good people, please give me the option to disable this half working ‘cloud’ access…

Regards,
Vlad Popovici

Sorry, but that’s nonsense - the name is irrelevant for the detection.
If the rename changes anything, then it would be a bug in the filesystem shield (related to the rename operation itself somehow - definitely unrelated to any cloud access), as the renamed file should be detected as well, of course.

Hello,

It may be as well, but again a simple reproducible test: one file triggers the shield on copy from one directory to another. I change its name, and it will not trigger anymore. I did record a short video to prove that.

http://www.youtube.com/watch?v=-F8humaRwNU

After you have watched the video, please notify me so I can delete it from YouTube, since I don’t want to anti-advertise or something like that. I just want you, the support staff, to see exactly how it happens.

Besides this file name change nonsense, my problem still persists. This Winlicense protected file triggers the shield. Other files protected the same way with the same Winlicense version will not trigger it. I recompiled the file with a lot of structural changes and I also changed the way Winlicense protects the file (different virtual machine). It still triggers the shield.

EDIT:
It is not cloud related. I disabled the network connection and it does the same. I went to File System Shield Settings and cleared all the check boxes on Advanced, so no transient or persistent caching. I cleared all exclusions and I cleared the Virus Chest. Same result. It is like Avast! hates the name Biosol.exe :)…

Regards,
Vlad

Weird… I’ve sent the link to a couple of other developers, as I really don’t have any explanation for this.
So when you cleared all the checkboxes on the Advanced page of File System Shield, you also unchecked the option “Optimize scanning during file copy operation”, right?

Yes