Arto

How do I trust a program that is in an excluded folder


Hi;

 

I have OA running in harmony with Avast.  Both are excluded from each other.  However, I have recently noticed that avast sometimes uses (or maybe generates) executables that are downloaded into a folder other than the excluded Avast folder.  This causes OA to issue a pop-up asking for permission to run.  Even if I check off the trust program option in the pop-up, it happens again the next time.  I also tried to manually add the specific Avast program to OA's program list (in order to set it to trusted), but OA rejected that, indicating that the program was in a trusted folder.

 

What can I do about it?

 

I'm running OA v6 (Free edition), build 6.0.0.1736 on Win XP SP3.  Also, I do not have the option to trust programs that Emsisoft deems trustworthy (although I doubt that a random executable in a temp folder would ever be deemed trustworthy) enabled.

 

Thanks;

Arto


Hello Arto,

 

Thank you for contacting the Emsisoft support.

 

Please open Online Armor and go to the section History in the left menu. Export the Online Armor history and save the file on your computer. Please send me this file on PM (personal message) or to [email protected] with a hint to this forum topic.


Hello Arto,

 

Since I'm using Avast+OA (mutually excluded) on WinXP Pro just like you, may I ask you what kind of file Avast generates that is triggering OA's HIPS and in which folder Avast generates the file? I'm asking because I've never noticed this OA pop-up related to Avast - and also never heard of it on the Avast support forum.

 

Thanks in advance


Nick;

 

The sample file created/used is:  C:\WINDOWS\Temp\2ccb1ec9-0c47-4931-ae7d-819660ce0dcd.exe.  The AvastEmUpdate.exe program is the one trying to run it.  It only started about a week ago.


Thanks, Arto,

 

For your convenience, I've attached some notes I had taken in the past  from the Avast forum about the Emergency Update.

 

What is avast! Emergency Update?
A new feature -- allows us to push out critical product updates in case of some big issues where the main avast service is not able to start / crashing.
Such situations, till this new version, meant the user had to reinstall avast as there was no way for us to fix such problems from remote.
With this new mechanism, we can push out fixes even to such issues (...)

---

(...) The "emergency update" is as simple as possible, it has nothing to do with the normal update process, it's not really an update. It basically only downloads a file from our server (if any is available - which is normally not the case).
So if this "emergency scenario" occurred, we would have to prepare some fix - a program that would fix the avast! installation. This is just a way of distributing it without the need of user's intervention, nothing else (...)

 

 

Basically it's quite unusual to see Avast! pushing out an emergency update through AvastEMUpdate.exe.

The Emergency Update task is delayed for 2 minutes on system boot, it checks the servers for some fix and then it disappears (up until the next boot).

In any case, the file you mentioned should be digitally signed as far as I can tell - Do you have  "Automatically trust programs signed with valid digital signatures" enabled in OA?

 

You may want to try enabling Learning Mode (be sure that your system is free from malware, first) in OA and then reboot your system so that the Avast's exe file downloaded in C:\WINDOWS\Temp could do its things and then be automatically removed.

 

Hope this could be helpful.


The sample file created/used is:  C:\WINDOWS\Temp\2ccb1ec9-0c47-4931-ae7d-819660ce0dcd.exe.  The AvastEmUpdate.exe program is the one trying to run it.  It only started about a week ago.

I assume these files are randomly named?


Yes, they are. ...

Random names means that you can't anticipate what the next file name will be, so you won't be able to add it to the Programs list as Trusted. In order to prevent HIPS software from displaying notifications about these executables, AVAST will have to redesign their software to not run executables out of temp folders with random names. ;)


Random names means that you can't anticipate what the next file name will be, so you won't be able to add it to the Programs list as Trusted. In order to prevent HIPS software from displaying notifications about these executables, AVAST will have to redesign their software to not run executables out of temp folders with random names. ;)

 

Yeah, you're right.

For the moment, I think that the OP could try checking "Automatically trust programs signed with valid digital signatures" in OA, since the downloaded file is digitally signed - and/or enabling OA Learning Mode as previously suggested.


For the moment, I think that the OP could try checking "Automatically trust programs signed with valid digital signatures" in OA, since the downloaded file is digitally signed - and/or enabling OA Learning Mode as previously suggested.

Yes, those would both be helpful. ;)


Sorry for the late reply...

 

I have a thing about trusting software just because it is digitally signed.  As for learning mode, I don't see how that would help.  It might let the most recent one run, but there will probably be another one a few days later.

 

Really need for OA to have some way for me to it to allow Avast to run random executables even though Avast's folder is excluded from OA.


I have a thing about trusting software just because it is digitally signed.

That is understandable, considering the recent theft of a cryptography certificate from Opera Software, and the fact that they are not the first software vendor to be the victim of such a theft. That being said, it is generally safe to trust certificates from trusted vendors (such as AVAST), since issues with stolen or forged certificates are fairly rare (it takes a lot to break into a server and steal a certificate, and most security software companies should know how to protect their servers).

 

As for learning mode, I don't see how that would help.  It might let the most recent one run, but there will probably be another one a few days later.

Learning Mode only helps if Online Armor is in Learning Mode while avast! is installing updates. In that case, you would need to know when the updates are going to be installed, and enable Learning Mode to allow them to be installed without interruption.

 

Really need for OA to have some way for me to it to allow Avast to run random executables even though Avast's folder is excluded from OA.

The only way to know that a randomly named executable belongs to avast! is by using the digital signature to identify it. Beyond that, or putting Online Armor in Learning Mode while avast! is updating, there really isn't any way to automatically whitelist a randomly named executable.

The only other solution to the problem would be if avast! would stop creating randomly named executables in temp directories, as such a thing prevents you from being able to exclude it in other security software.
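
The signature-based identification discussed in this thread, narrowed to one expected publisher instead of "any valid signature", can be checked by hand before answering a pop-up. This PowerShell script is an added example, not part of the original thread and not an Online Armor feature; the publisher name is a placeholder to fill in, and the folder default is the one reported above.

```powershell
# Added example: judge a randomly named executable by who signed it,
# not by its file name or folder.
param(
    [string]$Folder = 'C:\WINDOWS\Temp',
    # Assumption: placeholder. Set this to the publisher name shown on the
    # Digital Signatures tab of a file you already trust from the vendor.
    [string]$ExpectedPublisher = '<expected publisher name>'
)

# GUID-style names such as 2ccb1ec9-0c47-4931-ae7d-819660ce0dcd.exe
$guidName = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.exe$'

function Get-SignerVerdict {
    param([string]$Path, [string]$Publisher)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) {
        # The simple name is normally the certificate's CN (the publisher).
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    }

    # Both conditions must hold: the signature verifies on this machine
    # AND the signer is the one publisher we expect. A valid signature
    # from any other publisher is reported as not trusted.
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -ceq $Publisher)

    New-Object PSObject -Property @{
        File    = Split-Path -Leaf $Path
        Status  = $sig.Status
        Signer  = $signer
        Trusted = $trusted
    }
}

# Report every GUID-named .exe in the folder with its signer and verdict.
Get-ChildItem -Path $Folder -Filter *.exe |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match $guidName } |
    ForEach-Object { Get-SignerVerdict -Path $_.FullName -Publisher $ExpectedPublisher } |
    Select-Object File, Status, Signer, Trusted
```

Unsigned files show `Status` as `NotSigned` with an empty `Signer`, and a file altered after signing shows `HashMismatch`; both come out as `Trusted = False`.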
