How to locate "suspicious" file?

This morning while booting up I got warning from avast of a suspicious file and recommendation to report it to the Avast labs. I unfortunately didn’t make a note of the file name or location, and wasn’t yet online (I have PPPoE DSL, and usually only connect when I’m using the internet). The only two choices were to delete or ignore, so I gambled on the latter.

Once fully booted, I opened the avast interface, but couldn’t find any reference to this in any of the reports or logs. The graphical stats for the behavior shield did show 1 suspicious incident this morning, but no way (that I could find) to get details on it.

I did run a full system scan with avast immediately afterwards, also quick scans with SAS and MBAM, but nothing turned up.

Is there a way that I’m missing to retrieve this info, other than manually making a note if I should get such a warning? Possibly a change to report/log settings?

I think it may be in a file called arpot.
Possibly at C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\arpot?

Yes, the file name is arpot.log in that folder, assuming it was an anti-rootkit alert, see example image.

Thanks, mag. I looked in the arpot folder and there are two files in it, one an INI and the other a DAT, both with the same file name and both modified this afternoon.

The DAT is obviously useless to me (might be useful to the avast labs?) … I looked at the INI and nothing in it jumped out at me, other than it ended with 6 or 8 lines each beginning “Inline:_abnormal_termination”

Hopefully one of these years the behavior shield will become developed enough to include a log or report. Till then, about all I can think of is to reboot and see if I get the warning again (and of course, write down the info it gives me).

Thanks again, and best.

There is a long thread that I started in similar vein a month or so ago - however it seems that, despite the graphical notification of BS alert, it is actually the rootkit scan after start-up that is flagging, as DavidR points out above.

In my case the arpot log was at least capable of identifying the file:
09/04/2011 10:20:44 Suspic Driver: ??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25641\RapportCerberus_25641
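An added helper, not from the thread or from avast, that parses arpot.log lines in the format quoted above and counts how often each file name is flagged, which is the question raised later about whether the alert always involves the same file. The sample log content is constructed here (only the first line is modelled on the one quoted in the thread); the field layout assumed is "date time verdict kind: path".

```python
import re

# Constructed sample arpot.log content; the first line mirrors the one quoted
# in the thread, the others are made-up entries for illustration.
SAMPLE_ARPOT_LOG = "\n".join([
    r"09/04/2011 10:20:44 Suspic Driver: ??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25641\RapportCerberus_25641",
    r"09/05/2011 08:01:12 Suspic Driver: ??\C:\WINDOWS\system32\drivers\constructed_example.sys",
    r"09/06/2011 07:58:30 Suspic Driver: ??\C:\WINDOWS\system32\drivers\constructed_example.sys",
    "this line is not an alert and must be skipped",
])

# Assumed layout: "<date> <time> <verdict> <kind>: <path>", e.g. "Suspic Driver: ..."
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<verdict>\w+) (?P<kind>\w+): (?P<path>.+)$"
)


def normalize_path(raw):
    """Strip the NT object-namespace prefix ("\\??\\" or "??\\") so the path is a plain Win32 path."""
    path = raw.lstrip("\\")
    if path.startswith("??\\"):
        path = path[3:]
    return path


def parse_arpot_log(text):
    """Return one dict per recognised alert line; unrecognised lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["path"] = normalize_path(entry["path"])
        entries.append(entry)
    return entries


def flagged_file_counts(entries):
    """Count alerts per file name (case-insensitive) to see whether one file recurs."""
    counts = {}
    for entry in entries:
        name = entry["path"].rsplit("\\", 1)[-1].lower()
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for entry in parse_arpot_log(SAMPLE_ARPOT_LOG):
        print(entry["date"], entry["time"], entry["verdict"], entry["kind"], entry["path"])
    print(flagged_file_counts(parse_arpot_log(SAMPLE_ARPOT_LOG)))
```

A recurring file name is worth submitting as a possible false positive; a different file each time points at the scan itself rather than the file.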

Thanks, David, but I’ve got no such log. Your screenshot does look like what I saw, so it’s very likely we’re talking about the same thing. And though I waded through all of the Settings possibilities, plus all the Shields settings, I couldn’t find any provision for turning that log on/off.

Possibly means time for a Repair, or even clean re-install? I’ll give the former a shot, since it’s quick and easy.

Update: Just did a Repair and reboot, and no error this time. No arpot.log either, but maybe that’s only first created when there’s something to report.

I took a second look at the stats, and apparently the same thing happened yesterday when first booting. Funny I don’t remember a warning from avast then … it’s not (I assume) like the update popup, which closes itself.

Whoops, just got the warning again, but at least I got the file’s name and location this time: \Windows\Sys32\Drivers\pctplfw.sys. I’ll google that, although the name suggests it’s related to (or is supposed to make me think so) my PCTools firewall. Interestingly, still no arpot.log file, and the other two files I’d mentioned have disappeared from the arpot folder, which is now empty (except for an empty Temp sub-folder).

Yup,

I get that message about once a year. The wording should be better and/or the options should be more. It’s the Behavior Shield completing its surface rootkit scan, and after 8 minutes, it reports that suspicious file with an Ignore or Delete option. Nothing else, saying to allow the files to be sent to the Virus Lab for analysis. I still say that the Delete option should NOT be there for a suspicious file.

Oh and another thing that I want to ask about this annual issue. Why doesn’t the Sandbox kick in if set to Auto or Ask for a prompt on what to do? I thought the whole point of the Sandbox is to have a quarantined special place to isolate suspicious files? Should that Behavior Shield notice of the suspicious file be prompted to go in the Sandbox for “Ask?” Or a notification pop-up that the file is going into the Sandbox on auto? The only time you should see the message you are seeing, would be if you don’t have sandbox turned on.

90% of the time, the shield is good, but it just seems that there is this sensitivity that from time to time is generating what, I won’t call it a BS alert. But it seems to be a false positive thing. If this Behavior issue came up as a Sandbox situation as it should, it would be better than it is now, and I almost wouldn’t care if when that Behavior Shield thing came up, it was treated as a sandbox situation. However, as it stands now, the verbiage on “Ignore” or “Delete” for a suspicious file is too confusing.

This issue needs to be studied by the engineers and improved in future Avast updates.

Jack

That file is in the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log folder.

Just submitted the file over at Jotti and it came back 100 percent green/OK.

It wasn’t clear from Jack’s post whether the apparently long-term intermittent problem always involves this file, or is a more or less random glitch in the rootkit scan. If the latter, there’s probably not much point submitting this file to avast as a FP.

Wonder if the send-to-support thing for this thread would help any, if it hasn’t already been done?

Oh, and David, you posted while I was typing this … I don’t have arpot.log there either.

I wouldn’t expect it to be detected at Jotti or VirusTotal as the rootkit scan isn’t doing a standard scan. So neither they nor avast would find this during a conventional scan.

The rootkit check, in a very simplistic explanation, compares what Windows APIs say is running against what is actually running. Those hidden would require further checking and would either be considered suspect or a certain rootkit.

Oh, and for the record, this issue goes all the way back to Avast 5, and remains in Avast 6. The thing is it happens so rarely, but purists may find it annoying enough. I think it’s a very small bug in the rootkit/behavior shield scan aspect of the program that is generating this rare response.

Thank you for your post, Mike. For the record, I am not sure of the cause of this rare occurrence. I think it’s a program bug that Avast just has not been able to pin down because of its rarity. But the options for Ignore or Delete are certainly not a bug, and I think that this issue needs to be improved.

Jack

I just clicked the “send to support” link for this, for whatever good that might do.

Hi Mike,

What do you mean the “Send to Support Link?” When I get that Suspicious File message once a year, all it gives me is “Ignore” or “Delete” for options in Avast.

Jack

It is a forum option, nothing to do with an avast alert. The idea being to try and draw support attention to a topic.

Personally I don’t believe it is working; previously it brought up a form you had to complete and send. Now it just takes you to the forum home page.