upon booting, an avast alert popup announced that avast’s heuristic algorithms identified suspicious files and that avast wants these files sent to their lab.
the popup’s drop down menu allows for “ignore” and “delete” – with “ignore” being the default!
the first time that it happened, 2 months ago, i unthinkingly clicked the “ok” button, as the majority of people will do, and thereby inadvertently told avast to ignore these suspicious files – an extreme error because i wanted avast to delete the suspicious files!
i will assume that if i press the “ok” button then the suspicious files will automatically be sent to avast’s lab, regardless of the value (“ignore” or “delete”) of the drop-down menu …(??).
can i ask avast to send me the findings of their investigation – whether the suspected files were indeed malicious, and what will be, or would have been, the symptoms of this infection?
That is the anti-rootkit scan 8 minutes after boot; we will need more information about the file name and location of the suspect file.
Ignore isn’t actually so bad as they aren’t ignored for all time, just until the next anti-rootkit scan when the alert should pop-up again; unless you further compounded this action by having avast remember your decision (or words to that effect) as you wouldn’t see the alerts.
Deletion should only be contemplated after full investigation.
Ignore is normally the default in the case of suspicion and not a more positive detection.
I honestly don’t know if the file is sent to the labs along with information on the detection, as previously there was a check box to actually send it to the labs. This seems to differ in the Suspicious alert.
Effectively how would avast know who to send any info to, as any information passed would I believe be anonymous.
Deletion should only be contemplated after full investigation.
isn't this a catch-22 -- how would i know the results of the investigation if avast will not send me the results?? and i am here presenting a best-case scenario because it assumes that the suspected files are in fact being sent to avast's labs -- a seminal factor of which you yourself are not certain.
and what if i elect “ignore” and then choose to ‘hibernate’ rather than reboot – can the rootkit run? what harm can it do?
... more positive detection.
how do i acquire a definite identity if avast will not deliver it; you are effectively saying that i will need to scan using another brand of antivirus? at what point should i elect "delete"?
Effectively how would avast know who to send any info to, as any information passed would I believe be anonymous.
avast and i can elect to waive anonymity! what might an enduser have to hide that would be revealed by sending a suspicious file?
i have not run a boot-time scan but i have scheduled it for my next bootup.
nevertheless, i see that boot-scan is an obsolete weapon http://forum.avast.com/index.php?topic=19790.0
but the problem remains even if avast’s boot-scan does uncover a suspect – how do i decide whether to ‘delete’ or to ‘ignore’?
The boot scan does a deeper scan and will look at rootkits as well. The scan usually takes a bit longer.
When you are in doubt as to what action to take, it is safer to put something in the Virus Chest where it is safe. From the Chest, you can always rescan the item and if clean restore it back to the machine. Sometimes, at a later date with updated virus definitions, items in the Chest come back clean. Other times they are true infections and must remain in the Chest.
If you ignore, you never know if the malware is a false positive or really an infection. So to play it safe, put it in the Chest.
If you delete and it is a vital file you need for something to make your machine run, you are out of luck! Better to put it in the Chest where you can always rescan and restore if needed.
IMHO, if you have the options to “delete” or “ignore” during boot-time scan and you don’t have a clue, it is best to ignore, in order to keep the PC bootable. Otherwise you might delete a vital file and end up with a non-running system.
This should then be followed by other measures of course, and I like to start off with Malwarebytes Antimalware, which is a great tool for removing malware if you really got hit by bad stuff. Most of the time, MBAM does the trick.
Avast is a great prevention software, however, like with any other AV software, some sneaky stuff may get past it so that another tool needs to be used. Sadly, there is no panacea for malware around.
How do I investigate - Guess what, you are starting the ball rolling here and that doesn’t require avast contacting you. As I said, how can they contact you if they don’t know whom to address; this is a chicken and egg situation, catch 22 as you say.
However, that doesn’t stop you a) answering the questions asked relating to the detection, file name and location, etc.
It also doesn’t stop you using google, etc. to look for information on the above either. Finding out if it is a) a legitimate file name and location, b) an application that you are aware of and installed, c) what it is that this application does that might make the anti-rootkit scan consider it ‘suspicious.’
From this you can get a pretty good idea of what is definitely bad, or not confirmed.
I feel that you should in the first instance have chosen Ignore as a) the alert is one of ‘Suspicion’ not certainty b) that is the safer option ‘first do no harm’ and c) that was the recommended action by avast.
Hibernate isn’t a solution, just a temporary computer state, whatever that suspicious alert is about will still be running when you come out of hibernation.
If there is no means of direct input you can’t waive anonymity; there certainly isn’t something in the avastUI that I’m aware of. Same thing even if it was avast saying that they thought it a good detection (different alert, not mentioning suspicious), where the alert gives the option to send for analysis. That again, as far as I’m aware, won’t provide feedback.
This is why I said this, not to delete:
Ignore isn't actually so bad as they aren't ignored for all time, just until the next anti-rootkit scan when the alert should pop-up again; unless you further compounded this action by having avast remember your decision (or words to that effect) as you wouldn't see the alerts.
Deletion should only be contemplated after full investigation.
The above allows it to be scanned again and again and again if necessary; if it is a false positive it would eventually not be detected. So analysis must have been done and the correction made, back-handed confirmation and why I feel deletion is never a good first or early decision as you have none left. So Ignore is the lesser of two evils as the condition of your system hasn’t changed: it should still boot, it should still work as it has been; deletion as a first option could totally change that.
However all of the above is pure speculation as you have given me nothing to work with, that is why we ask questions. The very first thing I did in my first reply was to try and get this information, which you seem to want to keep to yourself; I can’t work in the dark.
I have this issue every year or so, and wrote that Avast’s default pop-up window’s options for dealing with suspicious files are currently too confusing to most users and should be changed as well. The Delete option for suspicious files should be replaced with “Move to Chest.” Currently, I too find the Delete or Ignore prompt too confusing.
Sorry, but moving to the chest in the case of these suspicious anti-rootkit detections could have exactly the same consequences, as the file wouldn’t be present at the next boot.
how do i acquire a definite identity if avast will not deliver it; i will need to use a different brand of av scan – what do you recommend?
Effectively how would avast know who to send any info to, as any information passed would I believe be anonymous.
avast and i can elect to waive anonymity -- what don't you understand?!!! and what do you mean by "_believe_ be anonymous" -- don't you _know_?
However, that doesn't stop you a) answering the questions asked relating to the detection, file name and location, etc.
It also doesn’t stop you using google, etc. to look for information on the above either. Finding out if it is a) a legitimate file name and location, b) an application that you are aware about and installed, c) what it is that this application does that might make the anti-rootkit scan consider it ‘suspicious.’
as usual, i have no idea what you’re talking about! we have an expression in english: “if you can’t dazzle them with brilliance then baffle them with bullshit”
I don’t work for avast, so my beliefs are based on my personal experience on how I have seen avast working and what I have read about the avast CommunityIQ function on data being transferred to maintain anonymity. Plus the fact that there is no such setting in the avastUI relating to waiving anonymity.
Sorry but I’m not going to debate what I have no control over and to be honest doesn’t go an inch to trying to resolve the problem.
I have asked for information to help you twice now, but you seem not to be concerned about doing that just this other trivial matter.
Simple fact: without information I can’t help you, and arguing about anonymity, etc. etc. is really a waste of time, yours and mine, so I’m done trying.
and in the future, for the benefit of the avast community, for the benefit of my blood pressure, and for the benefit of the World’s Society, kindly relinquish the soapbox (7 stars?!!!) to someone who has the competence. Many Thanks.