scanning exe every second even though it's excluded (processlasso.exe)

Avast is scanning the file processlasso.exe every second even though I have excluded it. I assume it has to do with processlasso’s behavior somehow (it monitors other processes). But the program is legit, so how do I tell Avast to really lay off?

I’ll add that it also seems to scan Notepad++, KiwiLogViewer.exe and Bonsai.exe every 5-10 seconds as well, even though I have a read exclusion for EXEs.

The only shield I have turned on is File System Shield. AutoSandbox is turned off.

I have the following exclusions that are not working:

RWX processlasso.exe
RWX C:\Program Files\Process Lasso\processlasso.exe
R *.exe

Thanks,
dave
Avast 7.0.1407
Windows XP SP3

Here is what I am seeing in FileSystemShield.txt:


2/25/2012 10:57:12 AM    C:\Program Files\Process Lasso\processlasso.exe [+] is OK
2/25/2012 10:57:13 AM    C:\Program Files\Process Lasso\processlasso.exe [+] is OK
2/25/2012 10:57:14 AM    C:\Program Files\Process Lasso\processlasso.exe [+] is OK
2/25/2012 10:57:15 AM    C:\Program Files\Process Lasso\processlasso.exe [+] is OK
2/25/2012 10:57:16 AM    C:\Program Files\Process Lasso\processlasso.exe [+] is OK
2/25/2012 10:57:17 AM    C:\Program Files\Notepad++\notepad++.exe [+] is OK
2/25/2012 10:57:17 AM    C:\Program Files\Notepad++\notepad++.exe [+] is OK
2/25/2012 10:57:17 AM    C:\Program Files\Kiwi Log Viewer\KiwiLogViewer.exe [+] is OK
2/25/2012 10:57:17 AM    C:\Program Files\Natara\Bonsai\Bonsai.exe [+] is OK
2/25/2012 10:57:17 AM    C:\Program Files\Process Lasso\processlasso.exe [+] is OK
2/25/2012 10:57:18 AM    C:\Program Files\Process Lasso\processlasso.exe [+] is OK
2/25/2012 10:57:19 AM    C:\Program Files\Process Lasso\processlasso.exe [+] is OK
2/25/2012 10:57:20 AM    C:\Program Files\Process Lasso\processlasso.exe [+] is OK
2/25/2012 10:57:21 AM    C:\Program Files\Notepad++\notepad++.exe [+] is OK
2/25/2012 10:57:21 AM    C:\Program Files\Notepad++\notepad++.exe [+] is OK
2/25/2012 10:57:21 AM    C:\Program Files\Kiwi Log Viewer\KiwiLogViewer.exe [+] is OK
2/25/2012 10:57:21 AM    C:\Program Files\Natara\Bonsai\Bonsai.exe [+] is OK

Using procmon I’ve tracked down the notepad++.exe, KiwiLogViewer.exe, and Bonsai.exe scanning as being triggered by an AutoHotKey script I have for switching between windows. When I use it to switch windows (not to any of the three I listed) it’s showing the following in procmon for those executables. Probably to get their icons or something. Somehow that is causing Avast to scan them each time…


"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:34:08.4914510 AM","AutoHotkey.exe","3832","QueryOpen","C:\Program Files\Notepad++\notepad++.exe","SUCCESS","CreationTime: 1/3/2012 6:06:00 PM, LastAccessTime: 2/25/2012 11:34:08 AM, LastWriteTime: 1/3/2012 6:06:00 PM, ChangeTime: 2/25/2012 11:26:28 AM, AllocationSize: 1,605,632, EndOfFile: 1,605,632, FileAttributes: A"
"11:34:08.4915125 AM","AutoHotkey.exe","3832","CreateFile","C:\Program Files\Notepad++\notepad++.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"11:34:08.4915418 AM","AutoHotkey.exe","3832","QueryStandardInformationFile","C:\Program Files\Notepad++\notepad++.exe","SUCCESS","AllocationSize: 1,605,632, EndOfFile: 1,605,632, NumberOfLinks: 1, DeletePending: False, Directory: False"
"11:34:08.4915580 AM","AutoHotkey.exe","3832","FileSystemControl","C:\Program Files\Notepad++\notepad++.exe","SUCCESS","Control: FSCTL_READ_FILE_USN_DATA"
"11:34:08.4915815 AM","AutoHotkey.exe","3832","QueryBasicInformationFile","C:\Program Files\Notepad++\notepad++.exe","SUCCESS","CreationTime: 1/3/2012 6:06:00 PM, LastAccessTime: 2/25/2012 11:34:08 AM, LastWriteTime: 1/3/2012 6:06:00 PM, ChangeTime: 2/25/2012 11:26:28 AM, FileAttributes: A"
"11:34:08.4916008 AM","AutoHotkey.exe","3832","ReadFile","C:\Program Files\Notepad++\notepad++.exe","SUCCESS","Offset: 0, Length: 1,024"
"11:34:08.4916315 AM","AutoHotkey.exe","3832","CloseFile","C:\Program Files\Notepad++\notepad++.exe","SUCCESS",""

The AutoHotKey script I am using is at https://gist.github.com/1839751.

d

When the last scanned file path is shown, is it shown in the old 8.3 file name format, where Program Files would be shown as Progra~1 or something like that? Now avast used to be able to cater for that as it is the same, but one of the exclusions I created failed because of this; when I changed it to C:*\Agnitum\Outpost Firewall Pro\op_mon.exe it worked.

So this is another issue related to the repetitive scanning, the exclusions also appear to have issues with the 8.3 file/folder name format.

Is the FileSystemLog.txt one named by you (and where is it located), as I don’t have it?
Did you happen to enable debugging or add OK files to the File System Shield Report settings?

Where are you seeing the last scanned file path? In the File System Shield GUI and in the File System Shield report I see “Program Files”.

Yes, but at least the *.exe should catch it. It seems to me this is due to some sort of behavior scan that doesn’t check the exclusion list like I described way back when here - http://forum.avast.com/index.php?topic=83707.msg682952

FileSystemLog.txt is the default if you use * for the report name. I have File System Shield reporting turned on at File System Shield >> Settings >> Report file with these settings:
File name: *
File Type: “Plain text”
If file exists: “Append”

A little more information on at least one of the cases. The Avast scan on Bonsai.exe seems to be triggered when the AutoHotKey script calls GetClassLong(Bonsai.exe hWnd, GCL_HICON).

Avast scans when GetClassLong(SciTE.exe hWnd, GCL_HICON) is called also, but it doesn’t do it when GetClassLong is called for a bunch of other EXEs.

Here is info on GetClassLong
http://msdn.microsoft.com/en-us/library/windows/desktop/ms633580(v=vs.85).aspx

d

For me the default isn’t FileSystemLog.txt but FileSystemShield.txt (bearing in mind I have had avast previously installed and exported settings and imported them), and the information contained in there on default settings is basically “file system shield started”, “file system shield stopped”.

That is why I asked if you had changed any of the settings, like including OK files.

I don’t use AutoHotKey, certainly not to my knowledge.

I tried running your script, but windows scripting host doesn’t want to know.

You’re right, repeated typo on my part. It’s FileSystemLog.txt. And, yes, I do have it turned on to list OK files. Forgot to answer that. I have it turned on so I can find spurious scans like these.

Yes, you need AutoHotKey to run it. But as I listed above, I think you should be able to reproduce it with GetClassLong, which is a normal Windows function. It seems it has to be on a specific EXE though, like SciTE.

I’ve found a 4th case of it scanning an EXE. It’s also scanning SciTE.exe every time I save a file in it (it’s a text editor).

For the record, I have about 3 situations I am seeing here:
processlasso.exe - every second, not sure why. but it does funky process stuff.
bonsai.exe, SciTE.exe, notepad++.exe - I think every time GetClassLong is called on their window handle
SciTE.exe - every time I save a file in it

This is even with “R *.exe” in the exclusions.

What I want is to exclude these scans, but exclusions are being ignored for these cases.

Thanks,
d

Success! It turns out that Avast is considering these cases “execute” for some reason. So I added the following exclusions and it’s working…
*SciTE.exe
*Bonsai.exe
*notepad++.exe
*KiwiLogViewer.exe
*processlasso.exe

Note the * is needed also (which I missed earlier when I tried this approach before posting).

I’m still not sure if Avast should be doing some of these scans (like when I save from SciTE), or if they should be considered execute vs. read, but I have a workaround so I am happy :).

d
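As an added illustration (not from this thread and not Avast’s code), a small Python script that does the two things the poster did by hand: parse FileSystemShield report lines (with OK files enabled) to find files being re-scanned repeatedly, and model the exclusion semantics the thread describes, an optional R/W/X prefix plus a glob matched against the full path, so a bare filename needs a leading *. The sample log and the matching model are constructed assumptions; the 8.3 short-name issue mentioned above is not modelled.

```python
import re
from collections import Counter
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample in the FileSystemShield report format quoted in the
# thread (with OK files enabled); the repetition mirrors what was posted.
SAMPLE_LOG = r"""
2/25/2012 10:57:12 AM    C:\Program Files\Process Lasso\processlasso.exe [+] is OK
2/25/2012 10:57:13 AM    C:\Program Files\Process Lasso\processlasso.exe [+] is OK
2/25/2012 10:57:14 AM    C:\Program Files\Process Lasso\processlasso.exe [+] is OK
2/25/2012 10:57:17 AM    C:\Program Files\Notepad++\notepad++.exe [+] is OK
2/25/2012 10:57:17 AM    C:\Program Files\Notepad++\notepad++.exe [+] is OK
2/25/2012 10:57:21 AM    C:\Program Files\Natara\Bonsai\Bonsai.exe [+] is OK
"""

LINE_RE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+(.+?) \[\+\] is OK$")
EXCL_RE = re.compile(r"^([RWXrwx]+)\s+(.+)$")  # optional operation flags prefix

def parse_report(text):
    """Return (timestamp, path) tuples for every 'is OK' line in the report."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            events.append((ts, m.group(2)))
    return events

def repeat_scans(events, min_count=2):
    """Paths scanned at least min_count times. A clean, unchanged file that
    shows up here repeatedly is what the transient cache should suppress."""
    counts = Counter(path.lower() for _, path in events)
    return {p: n for p, n in counts.items() if n >= min_count}

def exclusion_matches(exclusion, path, operation):
    """Assumed model of the semantics the thread reports (not Avast's code):
    an R/W/X prefix restricts the operations covered (no prefix = all), and
    the glob is matched against the FULL path, so 'processlasso.exe' never
    matches while '*processlasso.exe' does. Comparison is case-insensitive."""
    m = EXCL_RE.match(exclusion)
    flags, pattern = (m.group(1).upper(), m.group(2)) if m else ("RWX", exclusion)
    return operation.upper() in flags and fnmatchcase(path.lower(), pattern.lower())

def covering_exclusions(exclusions, path, operation):
    """Which entries of an exclusion list would have stopped this scan."""
    return [e for e in exclusions if exclusion_matches(e, path, operation)]
```

Running the poster’s original list against an execute-classified scan shows why “R *.exe” does nothing for it and why the bare “processlasso.exe” entry can never match a full path.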

I appear to have many more files in this repetitive scan cycle.

Switched OK files on in the FSS Report file settings, Stopped FSS to enable changed setting, Started FSS. Left on for 3 minutes, unchecked the OK files in the Report file, Stop and Start FSS. In that 3 and a bit minutes over 900 files were scanned.

25/02/2012 17:54:31 C:\PROGRAM FILES\ROCKETDOCK\ROCKETDOCK.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\LOGITECH\SETPOINT\SETPOINT.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\LOGITECH\SETPOINT\SETPOINT.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\COMMON FILES\LOGISHRD\KHAL2\KHALMNPR.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\COMMON FILES\LOGISHRD\KHAL2\KHALMNPR.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\SUPERANTISPYWARE\SASCORE.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\SUPERANTISPYWARE\SASCORE.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\JAVA\JRE7\BIN\JQS.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\JAVA\JRE7\BIN\JQS.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MBAMSERVICE.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MBAMSERVICE.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\POWERQUEST\DRIVE IMAGE 7.0\AGENT\PQV2ISVC.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\POWERQUEST\DRIVE IMAGE 7.0\AGENT\PQV2ISVC.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\CAPS LOCK CHANGER\CAPS_LOCK_CHANGER.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\CAPS LOCK CHANGER\CAPS_LOCK_CHANGER.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\BELKIN BULLDOG PLUS\MUPS.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGIT32.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGIT32.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\TSCHELP.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\TSCHELP.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGPRIV.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGPRIV.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGITEDITOR.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGITEDITOR.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\JGSOFT\EDITPADLITE\EDITPADLITE7.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\JGSOFT\EDITPADLITE\EDITPADLITE7.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\7-ZIP\7ZFM.EXE is OK
25/02/2012 17:54:31 C:\PROGRAM FILES\7-ZIP\7ZFM.EXE is OK
25/02/2012 17:54:33 C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQSmeCOM.dll is OK
25/02/2012 17:54:33 C:\Program Files\PowerQuest\Drive Image 7.0\Agent\gwlangEN.dll is OK
25/02/2012 17:54:34 C:\WINDOWS\system32\gearaspi.dll is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\ROCKETDOCK\ROCKETDOCK.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\LOGITECH\SETPOINT\SETPOINT.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\LOGITECH\SETPOINT\SETPOINT.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\COMMON FILES\LOGISHRD\KHAL2\KHALMNPR.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\COMMON FILES\LOGISHRD\KHAL2\KHALMNPR.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\SUPERANTISPYWARE\SASCORE.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\SUPERANTISPYWARE\SASCORE.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\JAVA\JRE7\BIN\JQS.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\JAVA\JRE7\BIN\JQS.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MBAMSERVICE.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MBAMSERVICE.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\POWERQUEST\DRIVE IMAGE 7.0\AGENT\PQV2ISVC.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\POWERQUEST\DRIVE IMAGE 7.0\AGENT\PQV2ISVC.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\CAPS LOCK CHANGER\CAPS_LOCK_CHANGER.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\CAPS LOCK CHANGER\CAPS_LOCK_CHANGER.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\BELKIN BULLDOG PLUS\MUPS.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGIT32.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGIT32.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\TSCHELP.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\TSCHELP.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGPRIV.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGPRIV.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGITEDITOR.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGITEDITOR.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\JGSOFT\EDITPADLITE\EDITPADLITE7.EXE is OK
25/02/2012 17:54:41 C:\PROGRAM FILES\JGSOFT\EDITPADLITE\EDITPADLITE7.EXE is OK
25/02/2012 17:54:42 C:\PROGRAM FILES\7-ZIP\7ZFM.EXE is OK
25/02/2012 17:54:42 C:\PROGRAM FILES\7-ZIP\7ZFM.EXE is OK

Me, I’m far from happy, as this was never how it was, and there really shouldn’t be a need for a user to go to these lengths, analysis & exclusion of tens of files, when the Transient cache is meant to cater for this repetitive scanning of the same file until the user reboots, a virus definitions update or the file actually changes.

For me most of these files although loaded would be pretty dormant.

I would agree, I am definitely seeing a lot more scanning in general. And transient cache seems to be working even worse than it did before.