Why are shortcuts scanned by the Standard Shield?

streetwolf,
please use this fixed version, I guess we’ve solved the problem:
x86 binary: http://public.avast.com/~kurtin/public/flt_02/i386/aswMonFlt.sys
amd64 binary: http://public.avast.com/~kurtin/public/flt_02/amd64/aswMonFlt.sys

thanks.

This new module took care of the shortcut problem. No popups and no messages in the Resident log. Nice going.

Now how about the other issues with both Standard and Web shield scanning files that they should not be scanning? Under web shield I only specify exe,rar,zip files to be scanned, yet I see loads of popup messages for all kinds of files. There are a lot of scans of jpgs and gifs from my TIF. Just had a flv file scanned from a website. Not for every site mind you. Are these the orphaned memory mapped files mentioned in my other post about this?

I assume that when I tell avast! to only scan certain extensions it will do just that. Unless I am assuming incorrectly.

The memory mapped issue has already been fixed.

Could you please identify if the problem was with Std Shield or Webshield? i.e. you can turn on “Show detailed info on performed action” either in StdShield settings or in Webshield settings. If it’s a StdShield issue, what settings do you have in the “Scanner (Advanced)” window?

First off does the new aswMonFlt.sys module ‘fix’ the memory mapped issue? If so I want to use the Resident Protection log from this point on to gather files that I believe are being scanned when they shouldn’t.

Secondly, I think it would be useful to indicate in the Resident Protection.txt log which shield produced the entry.

Since the new module I’ve had .json files and a .vidt file scanned from the Web shield. These came from www.cnn.com when clicking on a video.
Also my meager web site www.shap721.com produces this in the log:

http://cgi-wsc.chi.us.siteprotect.com/cgi-bin/CMForum/ahw050inxsel11a988f69e2?cc=0.21385138523430758&lang=en&country=US

Also got this one from the Standard shield:

C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2ACN16GB\catbg[1].jpg

So far it appears I am not getting as many ‘false’ scans as before. So far only the ones I just mentioned.

My advanced settings in the standard shield are all disabled. Nothing is checked.

To reiterate, my standard shield is set up just to scan executed programs. My web shield is set up to scan only exe,zip,rar files. That is it.

After I just booted up my machine into Vista I looked at the resident log and saw that everything that is on my Start Menu was scanned. This includes the targets of links.

Also a bunch of other stuff was in the log. Here’s a section of the log with this other stuff:

C:\Users\Streetwolf\AppData\Roaming\Microsoft\Windows\Cookies\index.dat [+] is OK
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat [+] is OK
C:\Users\Streetwolf\AppData\Local\Microsoft\Feeds Cache\index.dat [+] is OK
C:\Users\Streetwolf\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT [+] is OK
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008070520080706\index.dat [+] is OK
C:\Windows\SoftwareDistribution\AuthCabs\authcab.cab [+] is OK
C:\Users\Streetwolf\AppData\Local\Microsoft\Feeds Cache\index.dat [+] is OK
C:\Users\Streetwolf\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT [+] is OK
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008070520080706\index.dat [+] is OK
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db [+] is OK
C:\Users\Streetwolf\AppData\Roaming\Microsoft\Windows\Cookies\index.dat [+] is OK
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db [+] is OK
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat [+] is OK
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx [+] is OK
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db [+] is OK
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db [+] is OK
C:\Windows\System32\winevt\Logs\Security.evtx [+] is OK
C:\Windows\System32\wbem\repository\INDEX.BTR [+] is OK
C:\Windows\System32\wbem\repository\OBJECTS.DATA [+] is OK
C:\Windows\System32\winevt\Logs\System.evtx [+] is OK
C:\Windows\System32\winevt\Logs\Application.evtx [+] is OK
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db [+] is OK
C:\Windows\System32\wsqmcons.exe [+] is OK
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx [+] is OK
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx [+] is OK
C:\Windows\System32\wbem\repository\MAPPING2.MAP [+] is OK
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx [+] is OK
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat [+] is OK
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db [+] is OK
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx [+] is OK
C:\Windows\System32\wbem\repository\MAPPING1.MAP [+] is OK
C:\Users\Streetwolf\AppData\Local\GDIPFONTCACHEV1.DAT [+] is OK
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx [+] is OK
C:\Users\Streetwolf\AppData\Roaming\Microsoft\Protect\CREDHIST [+] is OK
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb [+] is OK
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb [+] is OK
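
A log like the excerpt above can be triaged by extension to see which entries fall outside the configured scan policy. This is an added example, not part of the original posts and not avast! tooling; the line shape `<path> [+] is OK` is taken from the excerpt, while the function names, the sample lines and the default allowed set (.exe, .dll) are assumptions.

```python
import ntpath
import re
from collections import Counter

# Line shape taken from the log excerpt in this thread: "<path> [+] is OK".
LINE_RE = re.compile(r"^(?P<path>.+?)\s+\[\+\]\s+is OK\s*$")

# Constructed sample, using paths of the kind shown in the excerpt.
SAMPLE_LOG = r"""
C:\Users\Streetwolf\AppData\Local\Microsoft\Feeds Cache\index.dat [+] is OK
C:\Windows\System32\winevt\Logs\Security.evtx [+] is OK
C:\Windows\System32\wsqmcons.exe [+] is OK
C:\Users\Streetwolf\AppData\Roaming\Microsoft\Protect\CREDHIST [+] is OK
C:\Users\Streetwolf\AppData\Local\Microsoft\Feeds Cache\index.dat [+] is OK
not a scan line
"""

def parse_scanned_paths(log_text):
    """Return the file path of every 'is OK' scan entry, skipping other lines."""
    paths = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            paths.append(m.group("path"))
    return paths

def unexpected_scans(log_text, allowed_exts=(".exe", ".dll")):
    """Count scanned files whose extension is outside the allowed set.

    allowed_exts is an assumption standing in for the shield settings
    (scan executed programs plus DLLs); adjust it to the real policy.
    """
    allowed = {e.lower() for e in allowed_exts}
    by_ext = Counter()
    offenders = []
    for path in parse_scanned_paths(log_text):
        # ntpath handles Windows separators regardless of the host OS.
        ext = ntpath.splitext(path)[1].lower() or "(none)"
        if ext not in allowed:
            by_ext[ext] += 1
            offenders.append(path)
    return by_ext, offenders

if __name__ == "__main__":
    counts, _ = unexpected_scans(SAMPLE_LOG)
    for ext, n in counts.most_common():
        print(f"{n:4d}  {ext}")
```
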

Questions without answer…

streetwolf, I’ve made some new changes and you can use this new driver:
x86 binary: http://public.avast.com/~kurtin/public/flt_03/i386/aswMonFlt.sys
amd64 binary: http://public.avast.com/~kurtin/public/flt_03/amd64/aswMonFlt.sys

Also note, scanning on-exec is not enough, you should turn DLL scanning on (except System DLLs, of course), but it’s up to you…

Tech,
> How to test if my links are being scanned into Vista 32bits SP1+?

  1. Turn off everything in “Scanner (Basic)” and “Scanner (Advanced)” windows.
  2. Turn on “Scan executed programs (and all its three nested checkboxes)” in the first tab.
  3. Terminate Standard Shield provider.
  4. Start Standard Shield provider.
  5. Click the Start button, click “All Programs”, open the “Accessories” folder and LNK/EXE files will be scanned.

This new aswMonFlt.sys seems to have done the trick regarding all the needless scanning that was done at boot time.

My Start Menu is no longer being scanned and I did not see in the log any of the other files. I’m seeing nothing but exe’s and dll’s (I took your advice).

Regarding dll scanning on the Basic standard shield. There is no option to disregard system dll’s. That appears only under the advanced tab for opening files. I disable all of the advanced stuff. Is the basic dll scanner supposed to ignore system dll’s on load?

And in this regard does avast scan the files Vista’s Superfetch loads into memory at startup time? SF slows things up all by itself. Having avast in the mix can only make it slower (I suppose).

I’ll do more testing and get back to you. My interest is with the standard and web shield.

Yes, try to disable everything on the Advanced tab, except “do not scan system dlls on load”, and check “scan dlls” on the Basic tab.

Since Standard shield will not scan system DLLs at startup time, it should be fast. After Vista has loaded, you can check the report log (or the number of scanned files) and see what files have been scanned.

If you find out something interesting, please post a comment to let us know. Thanks.

pk:

What about all those other files I posted that are getting scanned? You never said if they should or shouldn’t be getting scanned.

Even some of my favicon.ico are getting scanned. As are some jpg’s and lots more stuff. What is causing these files to be scanned? IMO they shouldn’t be scanned the way I have my shield set up.

streetwolf, what did you set on the Advanced tab? It should be only “scan on-open” (no extensions!) and “do not scan system dlls”.

I have those settings at the moment and it appears that only executables including dll’s are being scanned.

When I reported all those ‘other’ files being scanned I didn’t have anything checked on the Advanced tab. Are you saying that in order not to scan the files I reported you need to set the Advanced tab as you indicated? I figured not checking anything was what I wanted to only scan executables. Seems I was wrong. If this is true then I think it’s a little confusing regarding the relationship between the basic and advanced tab.

As far as the Web shield goes I am seeing a similar thing. I specify only certain extensions to be scanned yet I see other extensions being scanned. As a test I checked the option to scan files of selected type but didn’t fill anything in. When I go to my web site www.shap721.com it scans some sort of file. I also saw a ‘flv’ file being scanned at another site www.gamecopyworld.com. I suppose a flv file is some sort of flash video? Placing *.flv on the exclude list prevents it from being scanned as well as placing the URL that pops up at my web site. I would think that nothing should be scanned with my settings.

http://filext.com/file-extension/FLV

Every time I replace aswMonFlt.sys with the new one you posted here (the second one), that one gets replaced by an older version, probably after my second start of Windows.

I noticed this because my shortcuts were being scanned again.

Any idea who is reverting aswMonFlt.sys back to a previous version? Is it Vista or avast!? How do I keep the new version?

avast! did that.

I thought the driver would not be replaced, because I’ve digitally signed it…
You can rape avast4.ini to disable replacement, but I’d suggest you wait for the new avast! build - it should be released within some hours.

I’m waiting ;D
Where is it? ??? uh, uh…