avast! File Reputation flagging Windows Update

Status
Not open for further replies.

Ink

Administrator
Thread author
Verified
Jan 8, 2011
22,490
Hello

I have avast Free Antivirus installed and configured on a Windows 8.1 PC. Today, I was alerted by avast with a File Reputation warning, as seen below:

upload_2014-8-6_18-33-59.png


Reading the warning information, I am instructed to Abort the connection as recommended by avast.

Be aware that avast! File Reputation may cause False Positives during a Windows Update.
- Should avast be scanning the connection line for Windows Update?
- Does this compromise Windows security by preventing any critical updates?
- How can avast File Reputation be improved to reduce False Positives?
- Have any Windows Updates failed due to avast warning WUs as suspicious?

Feel free to discuss further. :D
 

Aura

Level 20
Verified
Jul 29, 2014
966
I don't know why Antiviruses should even scan Windows Updates. I may be too new in the domain, but I've never heard of a situation where someone got infected over Windows Updates. Adding to this, avast! is having a lot of false positive detections lately, many of which are annoying: AdwCleaner, RogueKiller, RKill, etc. Yes, avast! is an excellent Antivirus with an excellent reputation, but their number of false positives is rather annoying, not even adding the fact that it scans files or Windows features that it shouldn't be handling.

Right now, it looks like it's suspecting an update package coming from an official Microsoft update server, like, are you serious? Aren't you able to whitelist Microsoft's approved domains and not scan them? If it is to do that every time a program or Windows has updates, maybe I should just stop recommending it and recommend another Antivirus, which is less annoying then.

avast!, fix your false positive detection ratio and file reputation system otherwise you're going to lose users.

But anyway, that's just my 2 cents.
 
  • Like
Reactions: Jack and Malware1

Tony Cole

Level 27
Verified
May 11, 2014
1,639
I had similar problems with Comodo; it kept blocking Microsoft files, updates and .NET Framework updates. I had to remove it, then went back to Kaspersky, but their application control can also affect trusted files. It would seem that it's not just avast! that has these problems.

I hope you manage to sort out the errors/problems, if not then there are experts on this forum who will be able to help.
 

jim lin

Level 8
Aug 6, 2012
505
well at least it looks like it's just "aborting the connection" but does it keep aborting from now on and windows update will not work next time it wants to update?

if it keeps blocking it one would think windows update would not work any more

File Reputation to me seems like WOT and the users can abuse the ratings if they do not like something on or about the website

sure hope they fix that one if it makes people's PCs not work right

:)

James
 

Aura

Level 20
Verified
Jul 29, 2014
966
> I had similar problems with Comodo; it kept blocking Microsoft files, updates and .NET Framework updates. I had to remove it, then went back to Kaspersky, but their application control can also affect trusted files. It would seem that it's not just avast! that has these problems.
>
> I hope you manage to sort out the errors/problems, if not then there are experts on this forum who will be able to help.

7 years of using Kaspersky Internet Security, and not even once has its Application Control blocked or given me issues with trusted files, even less if they are from Microsoft for Windows.

Antiviruses shouldn't try to control vital Windows features like the Windows Updates as the risks of Microsoft Windows Updates servers being hijacked and compromised with malicious files in the updates are pretty small. It COULD happen, but I don't see that happening anytime soon.

It's like Malwarebytes and its Web Protection Module with programs like Chrome, svchost, Skype. Simply annoying, I just ended up disabling that module completely.
 
illumination

False Positives such as this can be just as detrimental to one's system as malware can be.
 

Aura

Level 20
Verified
Jul 29, 2014
966
Just took a quick look at the AV-Comparatives results for the False Alert test for March 2014.
avast! is the second Antivirus with the most false positive detections at 95 while Baidu is the first with 111. And the third one (behind avast!) is ThreatTrack Vipre with 19 false positives. There's quite a difference between the second and the third ranking. Wonder what would be the results now for avast! if the tests were being held right now.
 

Cowpipe

Level 16
Verified
Well-known
Jun 16, 2014
781
Actually, viruses propagating by Windows Updates is a very real threat. For example, Flame can spoof legitimate Windows updates (see here for a quick low-tech overview).

So whilst it might be annoying to constantly receive false positives and I'm sure Avast can do its bit by keeping on top of the latest Windows update releases and whitelisting them, I'd rather they kept scanning Windows Updates, even if it does lead to these kinds of popups ;)
 

avast! Protection

Level 2
Verified
Jun 27, 2014
51
As @Cowpipe said, Flame malware can compromise a user's PC by spoofing a Windows Update. An antivirus should not be engineered to have such major exceptions. Even avast! scans its own updates. From there on, it should be the user's decision whether he/she wants to exclude some particular directories, CDNs etc. Because, at the end, all users will blame the vendor in case of spoofed Windows / other updates, who /vendors/ should provide all-round protection in the first place.

The problem with Update FPs is pretty common with file reputation systems, whether it is avast!'s or any other vendor's, because that's how file reputations are designed to work. They need some reputation base for a given file to be able to judge if it's safe or not. This will mean that anything new/unknown to avast! which has low prevalence will alert a popup. Another factor is the digital signature, which, by seeing the attached picture above, isn't present for this particular update. :)
 
  • Like
Reactions: Cowpipe

smipx

New Member
Nov 12, 2014
3
Hi, FYI. I logged this as a ticket with Avast support via email. They simply let the ticket stew from 27th October to 10th November (even though I logged it as a priority 1). They told me to reinstall / turn off file reputation as their solution. I explained that I wanted file reputation and that I felt Avast should be able to determine that the updates are essential and genuine.

They ignored me for several more days and then simply closed the ticket saying I had not replied - even though I had - in great detail. I requested that the ticket be reopened on 7th November and again on 12th November and they have simply ignored me. Just in case there is an Avast support / tech viewing this, the case# is #MDJ-932-70547

If that experience is anything to go by then I don't hold out a lot of hope that the issue will be resolved or that Avast is moving in the right direction generally.

Imho it is not good enough to tell customers to simply disable a core part of the new release just because it is troublesome and then close a ticket without even. I appreciate that the file being supplied by Microsoft is not signed and that is a big problem; however, you would have hoped that Avast and Microsoft could have a dialogue in order to address the problem.

I was looking to turn this on for some of my customers because they are novice users and just want top level protection without really understanding what is safe and what is not safe. I have always put Avast on to their machines because Avast is very user friendly to the novice computer user. At the moment I, on behalf of my customers, am faced with two choices:

1. Turn off this great new feature because it breaks Windows 8 updates
2. Let my customers live without Windows 8 updates

Obviously I will turn it off for them now and until this is resolved. It's a real shame as it makes a core feature of the 2015 release unusable unless you are a computer expert and know what the file that is being warned about actually is. 99.99% of the average user base will have not a clue and therefore will block it (rightly) as it looks suspicious. They will then lose Windows 8 updates and expose themselves to massive risk.

I feel Avast is on a bit of a slippery slope at the moment:

1. Their detection rates are slipping down the rankings according to AV Comparatives
2. They have a 3rd party support line that when you call simply wants to try to upsell you premium features rather than actually fix problems (I can prove this and have customers who have been duped).
3. The FPs are skyrocketing
4. Email support does not grasp the issues when you log a problem and close cases that are still active


I am an Avast fanboy and am really sad to have to say all of that. I still use Avast and install it for customers as I still think it is the best of the "free" AVs out there today but I wonder if that will be the case in 6 months - especially with the slipping detection rates. I always used to laugh at AVG for their poor detection rates and the amount of customers I had through the door with viruses due to using AVG free. It now seems that Avast has slipped below AVG in the detection stakes and that is a real worry.


*** update - in fact I have a machine in at the moment where AVG quarantined some important Windows updates and as a result the machine was totally trashed (as the customer deleted quarantined files in a misguided attempt to fix the issue himself). This is a case in point - Windows updates need to be handled properly by all AVs otherwise really bad things can happen. At least Avast did not trash an operating system by popping up a warning that a file is of questionable heritage.

Cheers,
Paul
 
  • Like
Reactions: Ink and jamescv7

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
On the fortunate side, Avast did not kill Windows Update, since the default setting for file reputation is to notify :D. However, on the bad side, a total glitch happened: first, why is it unsigned? Second, Windows Update already has fixed server destinations to retrieve from, therefore all AVs must understand that already; and lastly, it was mistakenly rated as having few users.
 
  • Like
Reactions: avast! Protection

smipx

New Member
Nov 12, 2014
3
Agreed. In fact avast 1st level support finally (today) pushed the ticket to level 2 support (after sitting on it and being of no help whatsoever for over 2 weeks). I just heard back from level 2 support that they are going to look into the issue and see if they can modify the file reputation side of things to fix this problem. I expect it may be a while and I may not hear back but at least now they are properly aware of the issue.

I asked them why it took 2 weeks to even ask me for the log files and do anything with the ticket but I suspect the level 1 support will not reply to that particular email.

I further suspect that someone at Avast read this post and that's why I miraculously got a reply and the ticket re-opened today. It's a shame that it took a public slagging off for them to action it properly and professionally.
 