Real-time protection

Hi !

This is my first post and I am a new user of Avast ! 4.8, too. I have an issue regarding protections against spywares and rootkits.
I would like to know if the anti-spyware (and anti-rootkit) runs in real-time alongside anti-virus or is just an on-demand scanner.

Thanks in advance,

André

As far as I’m aware the anti-rootkit runs firstly on windows boot and when you use the on-demand scanner for Standard or Thorough sensitivity scans (but not Quick). You can also schedule a boot-time scan and during that the anti-rootkit scan is done. There is also a stand alone version of the avast anti-rootkit, which should be released soon which you can also use.

The anti-spyware is integrated within the normal avast on-access scanner.

Anti-spyware runs on-access, the same as the anti-virus.
Anti-rootkit runs at boot time (as on-demand thorough scans). It’s not necessary to ‘stay running’ in background.
Welcome to avast forums.

Edit: David beat me again ;D

Tech. When you say that anti-rootkit runs at boot time does it mean it runs every time I restart my PC? And if so is there a way to stop it? I looked under the settings and help section of Avast, but didn’t see anything mentioned about the anti-rootkit feature. Thanks.

No, “on boot scanning” runs only once when/if you “schedule” it from the main AVAST windows options.

I am not 100% sure but I guess rootkits are recognized as other threats by the “on access scanner” via the proper virus-string before they get installed in the system. Of course, whenever / if it is possible to recognize a threat using a string.

When you say that anti-rootkit runs at boot time does it mean it runs every time I restart my PC?
Yes, that is what boot time is.
And if so is there a way to stop it? I looked under the settings and help section of Avast, but didn't see anything mentioned about the anti-rootkit feature.
You have to look better then ;D It is in the settings under the troubleshooting section. But I strongly suggest you leave it on.

ps: Tech, did David use a hammer to beat you?

So if the rootkit scan runs after restart/reboot can this cause the PC to be a little sluggish at first? I thought I noticed this after installing Avast. As far as finding where anything is, I think my wife would agree with you that I need to look harder as I can never find anything around the house either. LOL. I do see where it states I can disable rootkit scan at start up, which would have also answered my question. LOL. Thanks for your help and to the others that replied. Take care all.

The rootkit scan runs after Windows has opened the desktop and there is a delay built in so that it allows Windows to complete loading, so there shouldn’t be a reason for it to be sluggish being down to the rootkit scan. It can’t start too soon as any possible rootkit might not be running if done too early, thus escaping detection.

You don’t say what version of avast you are using 4.7.1169, latest regular release where I believe the delay is two minutes, this has been extended a little in later beta builds being tested now.

Hello everyone, I have a question: how do I add a file to the trusted zone of the Avast 4.8 antivirus? I just cannot find this option :-(. I play Counter-strike 1.6, and playing on the server requires the anti-cheat Sxe.injected, which Avast considers to be the virus Win32:Trojan-gen {Other}. How can I deal with this problem?
Thanks in advance

To all regards and I have the question as to add file into the trusted zone of antivirus Avast 4.8. I in no way can find this option :-(. I play in Counter-strike 1.6 and for the game on the server is required the anti-cheat Sxe.injected which Avast considers virus Win32:Trojan-gen {Other}. How to me to manage this problem? Thanks in advance

You can add it to the exclusions lists: Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions. Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

First you should check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently over 30 different scanners.

If only avast detects it on virustotal:

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive/undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Thank you very much for the recommendations. I figured everything out thanks to you. I checked the anti-cheat on the online scanner and it showed me: File sXe_Injected.exe received on 2008.03.22 20:42:05 (CET)
Current status: finished
Result: 6/32 (18.75%)
I think this is a good result and that this program can be trusted. After that I added it to the trusted zone. Now everything is fine; the antivirus does not check this file.
P.S. Thanks again for the help

Mullerius, it should be an English-only forum…
Could you please, go to an automated translation service, copy & paste your text and get, at least, an automated translation of your writings?
Thanks.

http://world.altavista.com/
http://dictionary.reference.com/translate/text.html
http://www.freetranslation.com/
http://www.worldlingo.com/en/products_services/worldlingo_translator.html
http://translation2.paralink.com/

I would say 6 detections even out of 32 scanners isn’t a good result.

If you had posted the results of the VirusTotal scan we could see what the other scanners are saying it is. When the result is done, either copy and paste the results or copy the URL from the address window and post that; we could then see what the other detections were.

I apologize for posts in Russian :-(. As to the reference to the report, here it is: http://www.virustotal.com/ru/reanalisis.html?742650a2f0c3cbff9c44e079f56c0221
Sxe.injected 800 person of our local network uses it rather. Kaspersky’s antivirus defines it as "potentially dangerous Software". Still it seems to me that antiviruses sound alarm because this program is built in other process, I mean in process Counter-strike, that is characteristic for viruses.

Unfortunately the link is broken, anything that has suspicious in the signature/malware name is likely to have used heuristics and this can be prone to false positive detection, so those wouldn’t carry as much weight.

The same is true of the avast malware-gen, the -gen usually indicates a generic signature trying to catch many variants of the same malware type and it is possible that something has been caught that shouldn’t have been.

So you should send the file to avast for analysis (as I detailed above) and hopefully correction of the VPS (virus signatures). In the meantime you have excluded the file so you will be able to use the program. You need to periodically scan the copy in the chest and if it proves to be clear in the future the exclusions can be removed.

Antivirus Version update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - Win32:Trojan-gen {Other}
AVG - - -
BitDefender - - -
CAT-QuickHeal - - (Suspicious) - DNAScan
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
FileAdvisor - - High threat detected
Fortinet - - -
Ikarus - - Virus.Win32.Trojan
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - Sus/ComPack-J
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Virus.Win32.FileInfector.gen (suspicious)
Additional information
MD5: 466121bddb12bb662cb07b95c678d3be
SHA1: 0ff13ba1b127c201ed048b40eacd7f24ca6a7b4d
SHA256: 1a50ac176075f7ecd94f3c3a7ad2f6a0b084434a487e4378be8caf7c2b9d2a7b
SHA512: 840c5151905c356123319fc1b9d1bf9271b7ece25f193c0ce41792c8d9ea63989b0672255812d33cd927d0a4186e7db7220907dca4e520659847c65d41e8e2a7
Here is what was under the reference

Yes with the majority being suspicious or generic detections, it is one that should be sent to avast.
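
The weighting discussed in the replies above (names containing "suspicious" point to heuristics, "-gen" to a generic signature) can be applied mechanically to a pasted report. The following is an added example, not code from the thread or from avast or VirusTotal; the function names are hypothetical, the rows are an excerpt of the report pasted above, and treating the Sophos "Sus/" prefix as a heuristic marker is an assumption.

```python
import re

# Excerpt (9 of the 32 rows) of the report pasted in this thread.
# Row layout: "<engine> <version> <update> <result>", "-" meaning no value.
REPORT = """\
AhnLab-V3 - - -
Avast - - Win32:Trojan-gen {Other}
CAT-QuickHeal - - (Suspicious) - DNAScan
FileAdvisor - - High threat detected
Ikarus - - Virus.Win32.Trojan
Kaspersky - - -
Sophos - - Sus/ComPack-J
Symantec - - -
Webwasher-Gateway - - Virus.Win32.FileInfector.gen (suspicious)
"""

# Name patterns the thread treats as lower-confidence detections.
HEURISTIC = re.compile(r"suspicious|^sus/", re.I)  # "^sus/" is an assumption
GENERIC = re.compile(r"[-.]gen\b", re.I)           # "Trojan-gen", "FileInfector.gen"

def parse_report(text):
    """Return {engine: result or None} for each row of the pasted table."""
    rows = {}
    for line in text.splitlines():
        parts = line.split(None, 3)  # the result column may contain spaces
        if len(parts) != 4:
            continue                 # skip blank or damaged lines
        engine, _version, _update, result = parts
        result = result.strip()
        rows[engine] = None if result == "-" else result
    return rows

def classify(result):
    """Label one detection name as 'heuristic', 'generic' or 'other'."""
    if HEURISTIC.search(result):
        return "heuristic"
    if GENERIC.search(result):
        return "generic"
    return "other"

def triage(text):
    """Count detections and list the engines whose names carry less weight."""
    rows = parse_report(text)
    labels = {e: classify(r) for e, r in rows.items() if r}
    weak = sorted(e for e, c in labels.items() if c != "other")
    return {"scanned": len(rows), "detections": len(labels),
            "weak": weak, "labels": labels}

if __name__ == "__main__":
    summary = triage(REPORT)
    print(f"{summary['detections']}/{summary['scanned']} rows flagged;",
          "lower-confidence:", ", ".join(summary["weak"]))
```
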