large amounts of hub mails lately with certain events?

Since around 2-3 weeks I see hub mails coming from certain customers that have detections basically from web shield but also from file shield.
The avast clients seems to detect the stuff and blocks it or event put it into quarantine but in the result of that there are doezenz even hundred hub mails regarding this event/detection.

Here are some of the blockt files/URLs:

https://assets.msn.com/bundles/v1/edgeChromium/latest/coachmark-wc.dc2f3913b6decb39f9fe.js → detected today on diffrent customers
https://assets.msn.com/bundles/v1/edgeChromium/latest/ocvFeedback.c971e5724f4ea1df02b1.js → detected today on diffrent customers

https://www.supprimer-trojan.com/de/trojan-win64-generic/ → august 14th

These detections are occuring in the end at over 1000 times so you can imagine the mail flood resulting in this…

Anyone else seeing this behavior?

Update on this: Right now there is no way of preventing the hub from sending “spam mails” in the event of dozenz or hundereds detections.

Since we also getting altert mails vom threats detected and successfully solved this might be not a widespread issue.
We use this kind of info mails for detecting false positive or unusuall activities.
If majority of other Avast partners do not e-mail track this stuff you might not experience this issue…

I created a feature request for some kind of spam protection.
But maybe this issue will be solved with the planed “Active alters - Daily/weekly digest” topic which shall be introduced within the next 3 month.

As of today there are new false positive detections for this URL

https://assets.msn.com/bundles/v1/edgeChromium/latest/interest-fre-card.a80b5e6edcf8cb63bc55.js

After I’ve seen a few devices spread over diffrent customers I it was clear to me that this is a false positive…
Credit to the avast team, they removed it pretty soon after I requested it via https://www.avast.com/false-positive-file-form.php#pc

Anyway there is a major miss behavior of the hub when it comes to the following situation:

  1. client detects several, maybe hundereds of malicous files or URLs → it will spam not just this hub quarantine but if configured will also sent hundereds of mails! → “Bug” for one certain customer on a certain device
  2. false positive detections like today where many clients on many customers and probably many partners will detect false positive → this will also lead to a hugh amount of Hub mails of configured.

The thing is: why isn’t the hub able to detect such anomalies? It doesn’t even need to get detailed information but just an increase number of sent mails from the hub to detect that the hub has something going on…

:frowning: >:( >:(

Today: A customer has a USB stick on which is kali linux located. Customer starts an on demand scan of the USB stick/drive and Avast will detect this:

Name der Bedrohung: Dateizugriff

Bedrohungstyp: Malware

Prozess: D:\kali-linux-2022.4-installer-amd64.iso|>pool\main\e\exploitdb\exploitdb_20221122-0kali1_all.deb|>data.tar.xz|>data.tar|>.\usr\share\exploitdb\exploits\multiple\dos\1937.html

Erkannt von: Scan-Aufgabe

Status: NONE

The hub then has made just 1.000 warnings which then result also in Avast Hub mails spamming our mailbox and the mailbox of the customer!?!?!?

How is this even possible that noboddy at avast sees this large amount of mails as outgoing?!?

I will create a support case for this… :frowning:

Update on this: I was mistaken in the way that Avast Hub was doing it’s job: The Avast client did check the Kali Linux iso file… within that it detected over 1000 malicios files… which are basically not malicios because of the very nature of Kali Linux…
So basically Avast was working somehow correctly. Yet taken from another perspective the Hub needs to make a cut at a certain point and stop sending hub mails. Instead of this it should sent a totally diffrent mail that is informing the Hub Admin or Avast partners like us that there is a pretty unusuall stuff happening with this client.

Also one should keep in mind that the Hub mail servers could be detected as spam servers sending such hughe amounts of mails.

This is, from my opinion, a design flaw in the behavior of hub mail alerts.