Since November 9, emergency updates are piling up. 36 total of which 24 today. It used to be one every few days. Can someone explain?
Your Avast! sounds like it’s very outdated. Have you tried running the update processes to make sure you’re on the latest version?
How do you know its emergency updates? Those are only fired up when something goes wrong globally. To me it seems like you’re describing Streaming Updates, those that are received several times a day…
Malware Writers are getting more active and responsive to avast! protection ;D
That’s why more streaming updates…
Cybersecurity: A Global Economic Security Crisis
The mainstream threat has matured and one cybersecurity company stated that in 2011, it was finding up to 150,000 new pieces of malicious code daily. That figure is double what was seen daily in 2010 (75,000 daily), which is also double what was observed in 2009 (approximately 37,500 daily). The troublesome fact about the growth of malware is that both the quantity and the quality have drastically increased. The vast proliferation of malware has facilitated a much broader probing of the Internet, leading some bad actors to realize there is an immense number of interesting targets that might have been ignored five years ago.
http://www.growthconsulting.frost.com/web/images.nsf/0/B1A9AEA0488DE48A802579B3005B0190/$File/GIL12_fs.htm
That’s why.
They aren’t emergency updates, they are streaming updates, check the avast defs sub-folder and you will see the streaming folder.
The Emergency Update Check is a scheduled task and it happens twice a day. It would also be initiated if you did a manual update.
The streaming update folder is removed when the next regular auto update happens as that also contains the previous streaming updates. So they shouldn’t keep accumulating (piling up as you say).
hi cooby,
To give you an idea of what Avast! is doing when you surf the net, here is a website reporting in real-time malicious attacks on computers worldwide: http://map.honeynet.org
This mapsite uses honeypots to catch the bad guys in the act of infecting a system. A part of the streaming updates information Avast! provides is based on what these honeypots see and collect. As this is real-time information, streaming updates are now necessary to provide the protection you need to stay safe. Two to three core updates a day are not sufficient to protect you anymore.
By the way, you can see that there have been some emergency updates applied once in a while.
C:\ProgramData\AVAST Software\Avast\AvastEmUpdate.ini
AvastEmUpdate.ini:
[Config]
LastAppliedPatchId=104
Personally I don’t believe that there have been 104 emergency updates, they are designed to overcome a problem whereby you can’t actually use the regular update process. The emergency update has been said to be a very rare/unusual occurrence and one no doubt we would see topics about in the forums.
So I don’t know if this is just an ID assigned to checking rather than an emergency update as such. I believe that if there were an emergency update the user is likely to know it has happened (as they are likely to have been having update/serious problems recently). There is also a likelihood that after the emergency update you may be asked to reboot.
I am not aware of having received any Emergency updates since they implemented the feature.
@DavidR, RejZoR,
Aha, indeed, defs subfolder says streaming, a ton of them yesterday 30+. Today 1 or 2 files in -stream directory.
Why did I say emergency updates? see attached firewall log, it never lies, clearly the application indicates emergency update.
Sunbelt Firewall is not one I have ever used, so did not know about the terminology. Learn something new everyday.
@ cooby
I see lots of outbound connections for AvastEmUpdate.exe in your image, but no inbound connection, an impossibility to update anything if there is nothing coming back in.
I haven’t got a clue why you have so many connections for the AvastEmUpdate.exe, I only see one entry for today in my firewall.
These two things are completely unrelated. You get streaming updates by the standard auto updater. The Emergency Updater is just checking periodically as a stand alone app for updates that are issued under emergency priority. You can also see that from the FW logs. Only outbound connections and no inbound transfers. Meaning you’re not getting the streaming updates in those folders from the Emergency Updater component.
What does this mean?
Regular updates are controlled by the avast! app itself. The Emergency Updater is a completely stand-alone app which can resurrect avast! in case some really nasty bug sneaks into a new program update release and you can’t use avast! anymore to update it. That’s where the Emergency Updater kicks in. The avast! team issues an emergency program update on separate servers which are checked by the Emergency Updater component. This updater will find there is a new update and will try to update avast! forcibly.
It’s very unlikely for such scenario but not impossible. That’s why they introduced this feature not that long ago.
The streaming update files are associated with VLC media player. I have no idea if this could be a cause of this or not but wouldn’t avast see this as a problem?
Check the VLC file associations as clearly .bin files are associated with it. Why that is required I don’t know.
Why would avast see it as a problem, if avast uses the pkg…00000001.bin file it is still able to action it as it knows what to do with it, it certainly isn’t going to call VLC to run it.
@SugarD-x, in Reply#1
I’m one version behind, see my sig, not many. Will update soon. I doubt this is the cause of all this strangeness.
@Charyb, (post above this one)
I know. Many config files are associated with not what they’re supposed to be.
I didn’t design Windows. No, really, it usually works just fine for firewall config (MS Outlook association), some other config files in XML format (Windows sees them as associated with an XML editor, which they’re not), and various others.
So most unlikely avast would have an issue with .BIN file here. If avast does, then indeed we have a problem.
@DavidR and RejZoR,
- Normal Avast updates normally come in. Avastsvc.exe launches avast.setup, communication is over TCP, outbound to one of several avast servers. Directly to avast IPs, no proxy. All allowed, not logged.
- Emergency updates are by TCP through the avast proxy port. Don’t ask why. I have no clue. I don’t care. Having read, long ago, what it’s about, when my Firewall alerted, I made a rule to permit and log since emergency updates are infrequent, except what’s in this thread.
- Inbound connections are not needed, unless I run a server of some sort. If they were for Avast, I’d ditch avast. Once you establish outbound to avast server (direct or through the proxy port), replies (updates) come in. True for outlook mail, gmail, web pages, really any internet stuff. Avast NEVER asked for any incoming connection to my box. It doesn’t want it. It doesn’t need it.
Bit more review of what I have:
When my firewall watches behavior it reports it in the text file in addition to the behavior log. The log rolls over, so all I have is since Oct27. It’s easier to extract the events from the text file, so here it goes:
This is how it used to be, 14 emergency jobs in 10 days more or less - see attached FW-systemlog1
Then the flood began with something downloaded to the \temp directory, sure looks weird, I hope it’s not some trojan I’m happily allowing.
The .exe files aren’t there any more, so I can’t even upload to virustotal.
Since it came in, I have that flood I reported. Perhaps Avast changed the meaning of emergency updates and uses the application for streaming as well?
Several, not all, are followed by the normal update event like this
[13/Nov/2012 13:15:28] DriverEventHandlersImpl.cpp: “System” action = ‘permitted’, operation = ‘creating_proc’, proc = ‘c:\Program Files\AVAST Software\Avast\AvastSvc.exe’, subj = ‘c:\Program Files\AVAST Software\Avast\Setup\avast.setup’
see attached FW-systemlog2
Well, I’d use some tool to monitor what the Emergency Update component is writing to the disk (and to what files) and how many bytes it is transferring inbound. Only way to really find out if it’s actually downloading anything or not…
Personally I don’t believe that there have been 104 emergency updates, they are designed to overcome a problem whereby you can’t actually use the regular update process. The emergency update has been said to be a very rare/unusual occurrence and one no doubt we would see topics about in the forums.
There have been 4 emergency updates, not 104! As far as I know the default value was 100, so there have been 4 emergency updates.
Yesterday Avast downloaded an executable (a signed file with a long name of numbers and letters) in my windows/temp directory.
That file was automatically removed soon after, without any further actions. I know this, because of my HIPS.
I believe the file was downloaded by the Emergency Updater and probably for some other OS (W8?) it may have installed some emergency update: http://forum.avast.com/index.php?topic=107886.msg860588#msg860588 - but maybe I’m totally wrong…
This is the third time I (my HIPS) saw Avast downloading an executable like that. Ah, my OS is Win XP and I’m running the latest Avast Free, by the way.
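Added example, not part of any post in this thread: a small Python parser for firewall text-log lines in the shape of the `creating_proc` entry quoted above, which counts process launches per day per launching executable and lists launches whose image sits under a temp directory. Only the first sample line comes from the thread; the other lines, the `AvastEmUpdate.exe` install path, the temp file names and all function names are constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Forum software turned the log's quotes into typographic ones; undo that first.
_STRAIGHT = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})

# Field layout copied from the single creating_proc line quoted in the thread.
LINE = re.compile(
    r"""\[(?P<ts>[^\]]+)\]\s+\S+:\s+"[^"]*"\s+action = '(?P<action>[^']*)', """
    r"""operation = '(?P<op>[^']*)', proc = '(?P<proc>[^']*)', subj = '(?P<subj>[^']*)'"""
)

# First line is the one from the thread; the rest are constructed for this example
# (the AvastEmUpdate.exe path and the temp file names are assumptions).
SAMPLE = r"""
[13/Nov/2012 13:15:28] DriverEventHandlersImpl.cpp: "System" action = 'permitted', operation = 'creating_proc', proc = 'c:\Program Files\AVAST Software\Avast\AvastSvc.exe', subj = 'c:\Program Files\AVAST Software\Avast\Setup\avast.setup'
[13/Nov/2012 13:20:02] DriverEventHandlersImpl.cpp: "System" action = 'permitted', operation = 'creating_proc', proc = 'c:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe', subj = 'c:\windows\temp\constructed-0001.exe'
[13/Nov/2012 13:41:10] DriverEventHandlersImpl.cpp: "System" action = 'permitted', operation = 'creating_proc', proc = 'c:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe', subj = 'c:\windows\temp\constructed-0002.exe'
this line is not a log record
"""

def parse(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE.match(line.translate(_STRAIGHT).strip())
    return m.groupdict() if m else None

def process_creations(log_text):
    """All parsed events whose operation is creating_proc."""
    return [e for e in map(parse, log_text.splitlines())
            if e and e["op"] == "creating_proc"]

def launches_per_day(log_text):
    """Count process creations per (date, launching executable)."""
    return Counter((e["ts"].split()[0], PureWindowsPath(e["proc"]).name)
                   for e in process_creations(log_text))

def launched_from_temp(log_text):
    """List (timestamp, launcher, image) where the image sits under a temp directory."""
    hits = []
    for e in process_creations(log_text):
        dirs = [p.lower() for p in PureWindowsPath(e["subj"]).parts[:-1]]
        if "temp" in dirs:
            hits.append((e["ts"], PureWindowsPath(e["proc"]).name, e["subj"]))
    return hits

if __name__ == "__main__":
    print(launches_per_day(SAMPLE))
    for hit in launched_from_temp(SAMPLE):
        print(hit)
```

A per-day count that jumps for one launcher, or any entry returned by `launched_from_temp`, is the point at which to capture the file and check its signature before it is deleted.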