Well it looks like file monitor is accessing avast files with write permission and avast won’t allow that to protect its files. That file records the Self-Defence module actions to block outside applications from modifying or deleting avast files or registry entries, trying to possibly disable your protection.
I have no idea what file monitor you are using or what exactly it is monitoring but it shouldn’t need write permission to do it?
Open the selfdef.log using notepad and you will see listed the avast files which have blocked write permission and the application responsible for trying to access them with write permission (no doubt file monitor).
I was just curious to see what was happening when the computer is idle. What a surprise to see everything that was going on but mostly from Avast. I used Filemon v.7.04 from sysinternals. It really seems like Avast is doing something. I looked in the selfdef.log file and it showed nothing about filemon trying to do anything. It would really be interesting to have someone else run filemon and see what they get.
Here is one line from filemon. Each line appears about 2-3 times per second. It seems like a lot of work is being done for a computer that is doing nothing.
ashServ.exe:1496 QUERY INFORMATION C:\Program Files\Alwil Software\Avast4\DATA\log\selfdef.log SUCCESS Length: 108509
Perhaps a little more about your system (operating system) and your avast configuration (which providers running) would help us.
I have been running Filemon 7.04 for about 15 minutes now on my Win XP Pro SP3 system. There is not a single access by avast to the selfdef.log. The only avast accesses showing up are to the avast4.ini file about once a minute.
Are new entries accruing in your avast selfdef.log file?
I can confirm this using Sysinternals Process Monitor, which replaces Filemon etc.
My guess is that the Avast service ashServ monitors the self defense log for new entries produced by the self defense driver, and generates an alert in that case. We don’t want to miss those events!
ashServ also reads some registry entries for performance monitoring. I have no idea why.
Anyway, these are all harmless activities that don’t create any disk accesses. Your system performs millions of these every second. Don’t worry.
Edit: deep inspection of system activities is only for software engineers and other experts. Ordinary users will see a lot of things they don’t understand.
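An added example, not part of the thread and not avast or Sysinternals code: one way to read monitor output like the Filemon line quoted above is to group events by process, request and path and compare the reported Length values. A constant length means the file is only being polled; a rising one means entries are accruing. The line layout is assumed from the single line quoted in the thread, and the repetition count and the `example.exe` lines are constructed.

```python
import re
from collections import defaultdict

# Layout assumed from the one Filemon line quoted in the thread:
#   process:pid  REQUEST  path  RESULT  Length: N
LINE_RE = re.compile(
    r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<op>[A-Z ]+?)\s+"
    r"(?P<path>[A-Za-z]:\\.*?)\s+(?P<result>[A-Z ]+?)\s+"
    r"Length:\s*(?P<length>\d+)\s*$"
)

# Constructed sample: the thread's line repeated three times, plus two
# made-up lines for a hypothetical example.exe whose log file is growing.
SAMPLE = r"""
ashServ.exe:1496 QUERY INFORMATION C:\Program Files\Alwil Software\Avast4\DATA\log\selfdef.log SUCCESS Length: 108509
ashServ.exe:1496 QUERY INFORMATION C:\Program Files\Alwil Software\Avast4\DATA\log\selfdef.log SUCCESS Length: 108509
example.exe:100 QUERY INFORMATION C:\Temp\example.log SUCCESS Length: 10
ashServ.exe:1496 QUERY INFORMATION C:\Program Files\Alwil Software\Avast4\DATA\log\selfdef.log SUCCESS Length: 108509
example.exe:100 QUERY INFORMATION C:\Temp\example.log SUCCESS Length: 20
"""

def parse(line):
    """Return the fields of one monitor line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"], rec["length"] = int(rec["pid"]), int(rec["length"])
    return rec

def summarize(lines):
    """Group successful events by (process, request, path) and judge growth."""
    lengths = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["result"] == "SUCCESS":
            lengths[(rec["proc"], rec["op"], rec["path"])].append(rec["length"])
    report = {}
    for key, seen in lengths.items():
        if len(set(seen)) == 1:
            verdict = "unchanged"   # metadata poll only, no new entries
        elif seen == sorted(seen):
            verdict = "growing"     # length never shrinks: data appended
        else:
            verdict = "rewritten"   # length went down at some point
        report[key] = {"events": len(seen), "first": seen[0],
                       "last": seen[-1], "verdict": verdict}
    return report

if __name__ == "__main__":
    for key, info in summarize(SAMPLE.splitlines()).items():
        print(key, info)
```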
I can confirm this using Sysinternals Process Monitor, which replaces Filemon etc.
It does not replace Filemon … it is a different function with different intent.
Nevertheless, I too am running Process Monitor and have been for a while as I type (on the same system I reported above) and in the time I have been running it there is no reference to avast accessing the selfdef.log file.
Can you also add to the thread with the operating system you are using and the avast configuration you are using … I can probably replicate the avast configuration to see if I can replicate the conditions reported … even if I cannot replicate the operating system.
Note: Filemon and Regmon have been replaced by Process Monitor on versions of Windows starting with Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista. Filemon and Regmon remain for legacy operating system support, including Windows 9x.
Nevertheless, I too am running Process Monitor and have been for a while as I type (on the same system I reported above) and in the time I have been running it there is no reference to avast accessing the selfdef.log file.
Can you also add to the thread with the operating system you are using and the avast configuration you are using … I can probably replicate the avast configuration to see if I can replicate the conditions reported … even if I cannot replicate the operating system.
XP pro SP2+ with Standard Shield. Maybe SP3 disables important functions? I wouldn’t wonder. Maybe your filtering is too aggressive?
It is still easier to use Filemon if file accesses are the desired result and Regmon if registry accesses are the desired result. The use of Procmon to separate the two does require the user to implement filters/other options to overcome the total inundation from an unfiltered Procmon.
I have no filters whatsoever in Procmon.
Maybe SP3 disables important functions?
Sorry but I think that is clutching at straws.
XP pro SP2+ with Standard Shield.
Anything other than “Normal” setting of Standard Shield (and is that the only provider running)?
Also, do you have any recent content in your selfdef.log?
I would have suspected that TheSpirit who apparently confirms the finding of the OP is on the latest update … perhaps we can be advised of his release in the thread.
The real list of changes in each build is obviously longer than the one published on the website. These are minor changes / optimizations / tweaks that don’t quite deserve to be published IMO.
Thanks VLK
I updated to the newest version and everything is happy now. It was a little scary seeing that much activity in filemon.
Thanks to everyone that responded.
Nevertheless, you consider it necessary to push this minor update immediately after a major update. Why might that be? I would have thought that minor fixes could wait until the next major update.
The avast team posted in another thread that an update was imminent. They made good on that promise.
avast is a security product, it is also a business (something I think is sometimes overlooked in this forum). They must make business decisions based on the needs of their business and for good security reasons … so do not be surprised when they may not be totally forthcoming to questions such as yours.
Actually, the changes in the submission system were quite a good reason for the update.
Initially, we didn’t really anticipate how big the number of submissions would be (and also, we found out later that people are reporting mostly anything avast! detects for them as false positive, even though it’s obviously not) - so we did some changes allowing better/easier processing on our side.