Global Exclusions

Simple question, I hope: why can’t you add just the file that gets flagged up as a ‘Threat’ rather than have to include the whole folder it is contained in?

I ask because AVAST has flagged a Nirsoft tool (WirelessNetView.exe) in Program Files in this way despite the fact I have written it in specifically, i.e. …NirSoft Utilities\WirelessNetView.exe* to be excluded.

If I add the whole Nirsoft Utilities containing folder then everything is OK and AVAST reports no threat. But that means everything in the folder is excluded from the AVAST scan, doesn’t it? If so, that is hardly safe practice.

This is not the only Nirsoft Utilities software tool components that AVAST has problems with either. There were three others that caused a problem in the Roaming folder as well.

Typically this NirSoft Utilities toolset is included alongside the better known MS Sysinternals Suite when using WSCC3 (Windows System Control Centre). These toolset packs are found on many trustworthy web sites, often with warnings about AVs having issues with some of the NirSoft ones.

I’ve submitted this particular one to the Virus Lab and to avoid the hassle of having to deal with it every time I do an AVAST scan I’ve also sent the ‘offender’ to the AVAST Virus Chest for the time being.

Incidentally despite being present it wasn’t flagged up as problem during my last AVAST Full Scan a week ago or the recommended boot time scan I did after those NirSoft tools in the Roaming folder had been dealt with.

Many Nirsoft tools are considered PUP, basically nothing to worry about.

As said by Asyn, usually detected as PUP / Riskware, so I don’t think avast lab will remove detection.

It has been discussed before and avast said not to remove the detection for them (and avast isn’t the only one in this).

Yepp it is frequently scanned at VT > http://lmgtfy.com/?q=virustotal+WirelessNetView.exe

I don’t know of anyone who works on computers to any extent that doesn’t use some or all of their tools. :slight_smile:
Since some of these tools can be used for both good and bad, detection is to be expected.

@ Cluster-Lizard2014
If you have added an exclusion as you have typed it then the exclusion is likely to fail.

NirSoft Utilities\WirelessNetView.exe\*

First, this isn’t an exclusion on a folder but on a file, WirelessNetView.exe; placing the * there, I believe, would have no impact, as they are not going to find any sub-folder below a file name.

I assume that you have given the full path before the NirSoft Utilities folder, otherwise that would also fail, but you could use a wildcard at the start.

Excluding a whole folder increases the risk of infection much more, so use of the wildcard * has to be considered carefully.
*\NirSoft Utilities\WirelessNetView.exe

Forgive me if I’m using the wrong terminology but I used the form of syntax indicated as it is shown in the other exclusions (folders). I simply edited it by adding the actual file name …\WirelessNetView.exe finished by * as I assumed this was required.

I did try writing the exclusion both with and without the * and on re-scanning the parent folder “NirSoft Utilities” the same ‘Threat’ was reported by AVAST. When I exclude that whole folder, the only option you’re allowed when using the Global Exclusion > Browse option, AVAST does ignore the file and not report the ‘threat’. If you try to add the file name via the browse menu, however it is formed, it will be shown as an invalid path. Editing the exclusion list path in the same way is allowed once the folder has been added but the effect is the same: the whole exclusion is treated as invalid.

Obviously it is not safe practice to exclude a whole folder from scanning just because it contains one item that AVAST will report as threat. That was really the point of my OP. If you could specify the particular file shown as a threat rather than have to do it at the folder level wouldn’t that make more sense?

As it is, for years I’ve had to put other portable tools of one sort or another into their own folders just to be able to add them to the AVAST Global Exclusions list or it would be flagging them up as threats after scans or even trying to block their use.

That IS a possible alternative solution in this case and the other NirSoft Utilities mentioned if I wanted to use them as individual portable tools. But the whole point of WSCC3 and the NirSoft Utilities sub-set is to be an all in one goto toolbox.

If you put the WirelessNetView.exe in the AVAST Virus Chest WSCC3 won’t pick it up either.

I don’t understand the use of the wildcard * thing. I’ve not come across this before. Does that mean I can exclude the specific file mentioned if I write the exclusion in the way shown, or does that exclude the whole NirSoft Utilities folder too? If so, how does this differ from C:\Program Files (x86)\WSCC3\NirSoft Utilities* which is the path shown when you add the NirSoft Utilities folder otherwise?

It seems to me that if the particular file can’t be written in as an exclusion then, as others’ replies (thanks) here have suggested, I’ll just have to live with AVAST reporting it as a threat.

If you are excluding a file and you give the full path to it then neither the \ sub-folder nor the * wildcard is required.

The /* is the indication that you want all folders and files after the previous named folder.

Whilst the Exclusions File Path doesn’t actually drill down to a file name, it stops short at the folder and will append the * after that folder.

You can indicate a file to be excluded, either by finding it in explorer and from the Address/Path window copy that path and enter (paste) the path into the exclusions. Or you can, having excluded the folder, manually edit that file path and change the /* for the file name you wish to exclude.

I have several files in my exclusions, see image example. EDIT: additional image attachment posted.

Obviously if the file is in the virus chest then nothing will pick it up or see it. The virus chest, encrypts the files in there and assigns a different name to the file. So to all intents and purposes it is invisible from outside the virus chest.
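To make the difference between the exclusion forms discussed above concrete, here is an added example (not part of the original posts and not Avast's own matcher) that counts how many files each form would exempt from scanning. It assumes `*` matches any run of characters including `\` and that matching is case-insensitive; the file listing, including the Downloads copy, is constructed.

```python
import re

# Constructed file listing (not taken from a real system).
WSCC = r"C:\Program Files (x86)\WSCC3"
FILES = [
    WSCC + r"\ExampleLauncher.exe",
    WSCC + r"\NirSoft Utilities\WirelessNetView.exe",
    WSCC + r"\NirSoft Utilities\OtherTool.exe",
    WSCC + r"\NirSoft Utilities\unreviewed-download.exe",
    WSCC + r"\Sysinternals Suite\ExampleTool.exe",
    r"C:\Users\example\Downloads\NirSoft Utilities\WirelessNetView.exe",
]

# The exclusion forms discussed in the thread.
EXCLUSIONS = {
    "file_as_folder": WSCC + r"\NirSoft Utilities\WirelessNetView.exe\*",
    "whole_folder": WSCC + r"\NirSoft Utilities\*",
    "full_file_path": WSCC + r"\NirSoft Utilities\WirelessNetView.exe",
    "leading_wildcard": r"*\NirSoft Utilities\WirelessNetView.exe",
}

def compile_exclusion(pattern):
    """Assumed semantics: '*' matches any characters, '\\' included;
    everything else is literal; comparison is case-insensitive."""
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile(".*".join(literal_parts), re.IGNORECASE)

def covered(pattern, files=FILES):
    """Return the files that a single exclusion entry would exempt."""
    rx = compile_exclusion(pattern)
    return [path for path in files if rx.fullmatch(path)]

def audit(exclusions=EXCLUSIONS, files=FILES):
    """Map each exclusion name to the number of files it exempts."""
    return {name: len(covered(p, files)) for name, p in exclusions.items()}

if __name__ == "__main__":
    for name, pattern in EXCLUSIONS.items():
        hits = covered(pattern)
        print(f"{name}: {pattern} -> {len(hits)} file(s)")
        for path in hits:
            print("   ", path)
```

Under these assumptions the full file path exempts exactly one file, the folder form exempts everything placed in that folder, and the leading-wildcard form also exempts a same-named file in any other "NirSoft Utilities" folder on the machine.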

Thanks for the information.

The problem I was having and what prompted my OP was not being able to write in an accepted path to that WirelessNetView.exe.

I also noticed that after AVAST had flagged it as a threat and I eventually let it be put in the Virus Chest I had great difficulty stopping AVAST redoing that every time I scanned the NirSoft Utilities folder. When I clicked Restore it would reappear in the NirSoft folder but every time I tried to launch it, either directly or through WSCC3, AVAST of its own volition sent it back to the Virus Chest.

Even when I re-scanned the folder immediately and told AVAST to “Do Nothing” when the ‘threat’ was flagged again and then tried to launch it AVAST would send it back to Virus Chest. WTF?

However, I took DavidR’s advice and rather than add the path via the AVAST Global Exclusions > Browse option I used Windows Explorer to copy/paste the address instead. I still had to write in WirelessNetView.exe manually because, apparently, Windows 7 does not show the full file location in the address bar by default.

Whatever the reason, and I still don’t understand it as the path shown is exactly the same as I had before, when I added it this way the exclusion now appears to be working correctly and I can launch the tool OK and scan either the whole WSCC3 folder or the NirSoft Utilities sub-folder without AVAST reporting any threat from that particular .exe.

When the file is in the chest you can do two things:

  1. right click on it (in the chest) and send it to the virus labs for analysis.
  2. right click on it and select Restore and add to exclusions.

Telling avast to Do Nothing doesn’t allow you to execute what it considers an infected file. All that happens is to take no actions that are listed in the option. It leaves the file in place but it will not allow you to run it.

When you get to explorer, having selected the folder, add the \ at the end of the location in the address window, now type the first few letters of the file name. Explorer will throw up some files beginning with those letters; highlighting the correct file (using the down arrow key) puts it in the address window, and now you can copy and paste it.

I’d always assumed Do Nothing actually meant what it said. I’ve used that for other tools that AVAST has issues with and launching them has, usually, never been a problem whether added to the Global Exclusions list or not. It appeared that because I had sent the .exe in question to the Virus Chest once it was now tagged as being forever naughty. :slight_smile:

Thanks for the Windows Explorer tip for putting in the full path. As a long time XP user I’m still learning Windows 7’s and other OS’s quirks and, unlike XP, not showing the full path in the address bar is a well known annoyance.

For others here who might be interested the (MS) recommended way of showing the full path is to hold down the Shift Key whilst Right mouse clicking the file in question to bring up the context menu. Doing this you will find an otherwise hidden extra menu copy option: “Copy As Path” which will copy the full path into the Clipboard for pasting.

The method DavidR described is just as good.

For me Do Nothing would also include don’t allow it to run.

I’m not even sure Do Nothing is a valid action (in the file system shield) - I believe it is No Action. Whilst that is similar to Do Nothing, I think it is a little clearer in that No Action is to take none of the actions listed.

Something is now interfering with my ability to update/reinstall WirelessNetView.

I thought I had this all sorted out but when I came to update the tool ‘suites’ WSCC I’m now finding that NirSoft’s WirelessNetView is apparently being blocked and my suspicion was that AVAST was doing it.

This was confirmed when I tried downloading its stand alone .zip installer and the portable version from five different sources. The source file connection error message I got with WSCC was replaced by AVAST flagging up a red warning message that a ‘threat’ had been blocked.

When I looked in the AVAST Virus Chest lo and behold a .part path presumably the incomplete blocked download was there. When I repeated the download attempts from the other places, which had slightly different IDs, those incomplete downloads, same thing happened and they were also added to the Virus Chest.

Maybe there is some other explanation but it seems a strange coincidence that a week after I submit the NirSoft WirelessNetView to the Virus Lab to try and get it excluded as a “Threat” AVAST is now blocking even its updater/installer and preventing any download from NirSoft that contains this particular tool.

There doesn’t appear to be anything I can do about it either. AVAST just flags up that red warning message it has saved me from a threat and in doing so permanently blocks the download. Is there anything I can do to stop AVAST automatically doing this?

The point is this is new behaviour. I could not have installed WirelessNetView as part of the WSCC if it had been doing this a few weeks ago.

Later I decided to try and restore the file from the Virus Chest and write it in as an exclusion. When I realised each download uses different file IDs and this was useless I sent it and the other .part download files to the recycle bin. When I used CCleaner to delete the contents of that by luck I discovered AVAST had instead actually sent all the incomplete downloads from the Recycle Bin back to the Virus Chest.

Has somebody at the AVAST Virus Lab got the wrong end of the stick here and added WirelessNetView as a general threat to AVAST’s definitions rather than exclude it as a False Positive?

When I looked in the AVAST Virus Chest lo and behold a .part path presumably the incomplete blocked download was there. When I repeated the download attempts from the other places, which had slightly different IDs, those incomplete downloads, same thing happened and they were also added to the Virus Chest.

What malware name is it being given?

In previous versions, there used to be a setting for the web shield, intelligent scanning; this would mean scanning of data being downloaded and not waiting until the whole file had been downloaded. Effectively that should stop .part data being scanned until the download had been completed.

Unfortunately I can’t see that setting anywhere in the 12.3.2280 version. I checked the web shield customisation and troubleshooting areas and couldn’t find any reference to intelligent stream scanning.

I include a couple of screenshots I’ve just captured showing the AVAST ‘threat’ message.

The first one is a direct download attempt from the NirSoft web site of just the WirelessNetView zip file but the same thing happens with the installer link you can see below it too. The same message appears at all the other places I’ve tried to download it from including earlier versions.

The second shot shows what happens when you try to download the full NirSoft toolset. Same issue, different .exe but I’d bet that is only for alphabetical reasons. As said in my first post AVAST doesn’t like some other NirSoft stuff either.

NirSoft, as can just be seen in the second screenshot, also helpfully provide a password protected version of the full NirSoft toolset. Of course AVAST lets this through but a manual scan reports it as threat because it couldn’t open the password protected files.

Of course when I unpacked it AVAST went spare sending ten of the items including WirelessNetView straight to the Virus Chest.

To stop this sort of thing am I really going to have to add them all as exclusions and go through the shield settings and change Actions to “Ask” instead of their default just so I can update existing tools or add other ones that AVAST doesn’t like? I’m not even sure which ones are relevant for all these matters, presumably Web and File System Shield but anything else?