Quarantine and Exclusions not working

Avast Business
1

I have multiple times, on many machines set a quarantine exception, and every time the file updates (most days) the file is detected again and I have to rescue it from Quarantine.

The file has the same name and is in the same location each time - how can I get a quarantine exception to work on this file?

I’ve also excluded that same file, and the holding folder using exclusions, but again every time the file updates it is caught again.
I’ve excluded my website where the file is upgraded from…

2

And now I’ve had cmd.exe be blocked for “IDP.Generic - Command line detection”

3

Screenshots of these alerts could help us to help you ?

4

Sure,

One example. This is entirely repeatable.

Here is a screenshot showing how many times this file (same name in two separate locations) is caught by the Quarantine system
And secondly is a screenshot showing the exclusions

5

And this again

(Removed the exceptions for meshagent 4 times today)

6

If you have MeshAgent.exe in quarantine I suggest you submit it for analysis - see attached images.

Give brief details of the problem in the remarks section of the submission and I would suggest giving a link to this topic so they can also see the problem in detail.

That said the detection is on cmd.exe, presumably because it is being run by meshagent.exe, I certainly wouldn’t recommend excluding cmd.exe

I also did a search on meshagent.exe - https://www.google.co.uk/search?q=meshagent.exe - and there are a lot of hits, some relating to malware. This being just one - https://www.hybrid-analysis.com/sample/47cfbeb98ee6a141d4550c19be928625ef633d02d863f727ad08415408f2933c/6163ea9891e09e09784aade3

I have zero experience of meshagent or how it works ?
But the IDP (Intrusion Protection Detection) Generic (generic signature rather than a specific signature), so it could be what it is doing could look like an Intrusion.

7

I have a number of times

I completely agree with your assessment, however I am trying to bypass the automatic deletion of this software. I can’t force Avast to NOT delete this file. Each time I ask for the quarantined exe to be excluded, it is, only for the software to be quarantined again, sometimes only hours later.

This is a case of the tail wagging the dog - and Avast should stop doing that.

8

I’m surprised that you haven’t had a reply as yet.

As I suggested, did you ever give a link back to this topic as that probably has more information that a remarks window caters for and may help.

Unfortunately it is always going to be a fine balance with tools like this and I don’t know why the exclusion doesn’t work.

That said, in a way I do have an idea as I don’t think it is just the file name that is the problem, but its actions that are getting hit and an exclusion doesn’t stop its actions being checked. Which would appear to be why your image shows cmd.exe being alerted on, presumably because meshagent.exe calls it to perform actions.

I will try to draw some attention to this topic.

9

False positive detections can usually be resolved via exclusions. Since cmd.exe is being detected, the exclusions need to be configured for the file that is triggering cmd to be ran. It may also be necessary to create a script exclusion for the commands being ran in cmd by the detected file. The file/s can also be sent to the Avast Virus Labs for whitelisting within the virus definitions.

I recommend reaching out to the Avast technical support team for assistance in creating the proper exclusions. https://www.avast.com/en-us/business-support-contact

The technical support team can also be contacted via the “contact support” button in your management console.