Shield Events in SOA Scan Log?

Avast Business Avast Endpoint Protection
1

Using SOA 1.3.3.35 on Windows 7 Ultimate 32-bit.

I asked about this in Viruses and Worms originally because Avast apparently detected a Windows Update session on a Windows 7 workstation as a false-positive “rootkit”. I accept that this was a false positive. But there is a related problem.

The SOA reported this event in the Scan Log, not in the Shield Log. However, I did not run any “scheduled” or “manual” scans on the workstation. Boot scans are not turned on in the SOA. I simply ran Windows Update, and Avast reported a “rootkit”–and did so, by the way, without popping up any warning window on the workstation, even though such pop-ups are turned on in the SOA.

The File System Shield is turned on, and I know it “scans” files when they are opened, etc. But I would expect anything the File System Shield detects to appear in the Shield Log, not in the Scan Log.

My question is: Is it appropriate for File System malware detection events to appear in the Scan Log? If not, then is Avast performing “scheduled” or “manual” scans on the workstation even though no such scans are turned on in the SOA?

I’ve attached a png image of the Scan Log for your information.

Thanks for any help.

2

Update to 1.3.3.42 → https://forum.avast.com/index.php?topic=149975.0

3

Thank you.

But… will upgrading fix my specific problem? I don’t see anything in the information provided that indicates this.

4
  1. You’re welcome.
  2. IDK, but for further help you should be at the latest version.
5

Thank you again.

However, I don’t upgrade software unless I am sure the upgrade won’t break something I depend on.

I will wait for someone who is knowledgeable about this to answer the question: Should events detected by the File System Shield appear in the SOA Scan Log, or not? It seems like a simple enough question.

6

OK, no problem.

7

No it shouldn’t.

What’s the client version?

8

On the machine where I first reported this, Program version 8.0.1603. Definition version on that machine was 140630-0 when this happened last week. (Automatic program updates are turned off in the SOA, because I had a serious issue with the move from 7.x to 8.x and I no longer allow program updates until they are tested.)

However, this morning I saw another instance of this. SOA Scan log reported three instances of:

\AppData\Roaming\DigitalSites\UpdateProc\UpdateTask.exe

on a workstation (same Program version 8.0.1603; newer definition version, 140702-0, as expected). Again, there are no “scans” scheduled in the SOA, and no manual scan was run on that machine at the time of the report. I assume the File Shield was responsible for this report, but, again, I expect File Shield reports to appear in the SOA Shield Report, not in the Scan Report.

Thanks.

9

I was thinking that it could be an older version of the client…

Could you try with the EICAR test-virus? Try with both HTTP and HTTPS links.

10

Eicar events show up in the Shield Log (for Web Shield) as I would expect. Does that mean anything?

However, I was only able to get an http: version. I can’t find an https: version. The only reference to https I was able to find was at:

https://www.fortiguard.com/antivirus/eicartest.html

However, downloading the test file from there redirects to an http: address.

Thanks.

11

Here is the link: hXXps://secure.eicar.org/eicar.com

Or disable the WebShield temporary and download from the http url.

12

Thank you. That one worked. The attempt to save the file triggered the File Shield, the save was blocked, and the event was noted in the SOA Shield Log. It did not appear in the SOA Scan Log.

So the system performs properly some of the time.

It is still not performing properly all of the time.

I will be on vacation for a week and will come back to look at this when I return. Thanks for your help.