For around 2-3 weeks I have been seeing Hub mails coming from certain customers that have detections, mostly from Web Shield but also from File Shield.
The Avast clients seem to detect the stuff and block it or even put it into quarantine, but as a result of that there are dozens, even hundreds, of Hub mails regarding this event/detection.
Update on this: Right now there is no way of preventing the Hub from sending “spam mails” in the event of dozens or hundreds of detections.
Since we are also getting alert mails for threats detected and successfully resolved, this might not be a widespread issue.
We use this kind of info mails for detecting false positives or unusual activities.
If the majority of other Avast partners do not track this stuff via e-mail you might not experience this issue…
I created a feature request for some kind of spam protection.
But maybe this issue will be solved with the planned “Active alerts - Daily/weekly digest” topic which shall be introduced within the next 3 months.
After I had seen a few devices spread over different customers it was clear to me that this is a false positive…
Credit to the Avast team, they removed it pretty soon after I requested it via https://www.avast.com/false-positive-file-form.php#pc
Anyway, there is a major misbehavior of the Hub when it comes to the following situations:
A client detects several, maybe hundreds of malicious files or URLs → it will spam not just the Hub quarantine but, if configured, will also send hundreds of mails! → “Bug” for one certain customer on a certain device
False positive detections like today, where many clients at many customers and probably many partners will detect a false positive → this will also lead to a huge amount of Hub mails if configured.
The thing is: why isn’t the Hub able to detect such anomalies? It doesn’t even need detailed information, just an increased number of sent mails from the Hub to detect that something is going on…
Update on this: I was mistaken about the way the Avast Hub was doing its job: the Avast client did check the Kali Linux ISO file… within that it detected over 1000 malicious files… which are basically not malicious because of the very nature of Kali Linux…
So basically Avast was working somehow correctly. Yet taken from another perspective, the Hub needs to make a cut at a certain point and stop sending Hub mails. Instead it should send a totally different mail informing the Hub admin or Avast partners like us that there is pretty unusual stuff happening with this client.
Also one should keep in mind that the Hub mail servers could be detected as spam servers when sending such huge amounts of mails.
This is, in my opinion, a design flaw in the behavior of Hub mail alerts.
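The cut-off and "unusual activity" mail proposed above, as an added example that is not part of the original post and not Avast Hub code: a per-device alert coalescer that mails the first few detections individually and then sends a single anomaly notice instead of hundreds of mails. The threshold, window length and event fields (timestamp, device, detail) are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Assumed policy values; the Hub exposes no such setting as far as the post says.
THRESHOLD = 5          # individual detection mails allowed per device per window
WINDOW_SECONDS = 600   # sliding window length in seconds

# Constructed sample events: (timestamp, device, detail). Not a real Hub format.
SAMPLE_EVENTS = (
    [(t, "ws-01", f"kali-linux.iso:file{t}") for t in range(8)]  # burst on one device
    + [(3, "ws-02", "eicar.com"), (9, "ws-02", "eicar.com")]     # normal activity
    + [(2000, "ws-01", "later.exe")]                              # well after the window
)

def coalesce_alerts(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Turn detection events into outgoing mails.

    Each device gets at most `threshold` individual mails per sliding window.
    The event that exceeds the cap triggers one 'anomaly' mail; further events
    on that device inside the window are only counted, never mailed.
    Returns (mails, suppressed): mails as (kind, device, payload) tuples and
    a per-device count of events swallowed by the anomaly mail.
    """
    recent = defaultdict(deque)    # device -> timestamps of mails sent in window
    suppressed = defaultdict(int)  # device -> events not mailed individually
    digest_sent = {}               # device -> timestamp of last anomaly mail
    mails = []
    for ts, device, detail in sorted(events):  # process in time order
        q = recent[device]
        while q and ts - q[0] > window:        # forget mails outside the window
            q.popleft()
        if device in digest_sent and ts - digest_sent[device] <= window:
            suppressed[device] += 1            # anomaly already reported: count only
            continue
        if len(q) < threshold:
            q.append(ts)
            mails.append(("detection", device, detail))
        else:
            digest_sent[device] = ts
            suppressed[device] = 1
            mails.append(("anomaly", device,
                          f"more than {threshold} detections within {window}s; "
                          f"individual mails paused, check this client"))
    return mails, dict(suppressed)
```

With the constructed burst of 1000 files in one ISO this yields 6 mails instead of 1000, and the suppressed count can feed the daily/weekly digest mentioned in the post.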