gszakacs

What does "Ignore" really do when a threat is found in a scan?


I have had a problem with false positives, but that's been resolved, and the question here is what Adaware 10.x does when I finish a scan and direct it to "ignore" some of the found threats.

What I noticed was that if I asked it to ignore the files in question, they would still disappear from the Windows Explorer browser as if they had been quarantined or deleted. However, re-scanning the folder would find the same threats again.

So where were the files after I "ignored" them? This seems to be some sort of no-man's land where, unlike the quarantine, I have no access to the file whatsoever.

In addition, after reporting the false positive and updating to a version of definitions that no longer finds the files as a threat, they were completely gone as if deleted. In my estimation "Ignore" should not mean "delete." So what's up? What does "Ignore" really do with my files? Note that I'm not talking about the "Ignore list," just the "Ignore" action when cleaning up after a scan.

 

-- Gabor


Hi Gabor,

I haven't noticed the behaviour you have seen. Is it possible that the files are flagged as hidden or as system files?

Check by turning on display of those two kinds of files in Folder Options (Control Panel).


No, they're not hidden or system. I already allow viewing of all such files. It appears that it's actually the Active Protection that is causing the files to disappear from view, but I don't find them in quarantine. One thing that occurred to me is that in this case the files were all copies of the same file, and possibly were not quarantined because they were duplicates of something already quarantined. Originally there were 7 copies of the file in 7 different folders. One got quarantined. The odd thing is that further scans of the parent folder continued to find 6 threats even though I could not see the files in the browser. After the definitions were updated to no longer find this file as a threat, I only had the quarantined files and the other copies were just gone.


I have talked with my contact person at Lavasoft, and she would like to see all log files created since the first detection of the false positive. She would then be able to see what has happened in more detail.

 

You will find the log files here:

XP: c:\Documents and Settings\All Users\Application Data\Lavasoft\AntiMalware\History\

Vista and 7: c:\ProgramData\Lavasoft\AntiMalware\History\

 

Please zip the relevant files and upload them in your answer here (use the "More Reply Options" button to see how to upload files).


Here's all the files since the original full scan. Note that the more recent ones occurred after the false positive was reported and the definitions were updated to exclude it. However, there were two scans showing 6 and 7 threats respectively, where I ignored the threats. See the PNG image in the Zip archive to see the ones I mean. At the time those threats were found in the scan, the Windows Explorer browser did not see the files (I tried to search for the file "jpgm.exe" as well as browsing the containing folders). The scan that found only 6 was run when one of the 7 instances was in quarantine.

My machine is running Windows XP 32-bit Service Pack 2.

History.zip


Thanks, Gabor :)

I have informed my contact person.

 

Don't you have Service Pack 3 installed?

Without it there are many severe vulnerabilities in the computer and it's easy to infect from a web page.


The problem is that I am still running some important software from the late 1990's and it doesn't like Service Pack 3. So I'm pretty much stuck with what I have, and try to play safe when I'm on-line. For one thing, I don't use Outlook, Outlook Express, or Internet Explorer, and I keep my Firefox and Thunderbird up to date. I don't follow any links in unsolicited e-mails, or normally visit any sites that I don't trust. Even on trusted sites I always look at the status bar while hovering over a link to make sure I'm not getting hijacked to a new domain. From what I've seen, the bulk of the "security" fixes to Windows have been to Internet Explorer, and the SP3 security fixes to the desktop browser are laughable - generally bringing up stupid pop-ups asking if I'm sure I want to do something. That doesn't make anything more secure because one gets very used to always clicking on "Yes."

In any case SP 3 is not currently an option for me.


Sorry, my contact person didn't have time to check so much before leaving work.

 

But I tried to read the files from March 20 and onwards, and it seems that there isn't any information about threats that have been ignored in those log files.

 

20130320135948.xml

<numTracesFound total="7" MBR="0" rootkit="0" hookCodeSectionRing3="0" hookCodeSectionRing0="0" hookDevice="0" scanSysEnter="0" hookIDT="0" hookIAT="0" ntosExport="0" ntdllExport="0" ssdt="0" sysModules="0" threads="0" procMemory="0" procModule="0" archives="7" processes="0" folders="0" files="0" registry="0" cookies="0"/>

I'm not sure, but since it says "archives", maybe it is files inside zip files, and such files are handled in a special way. But I don't remember exactly how; maybe they can't be quarantined.

 

The oldest and biggest file, with 9 detections, lists files inside zip files:

F:\Archives\FastVault\GigE\BroadcomPHY\photo.zip|photo.exe"><

F:\Archives\Quarantine\Inv._08.10.2011_D17.zip|Invoice_08.15.2011_Stropol‮cod.exe

You will not be able to see photo.exe in Explorer, only photo.zip.

Could it be something similar the other times, that Ad-Aware reported a file that is inside a zip file and therefore you weren't able to see it with Explorer?

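The point in the post above is that a trace path written as `archive.zip|member.exe` names a file inside an archive, which Explorer never lists on its own; only the outer zip is visible. The invoice name quoted from the log also contains a U+202E RIGHT-TO-LEFT OVERRIDE character after "Stropol", so a file whose real name ends in "cod.exe" renders as ending in "exe.doc". The following Python is an added example for this thread, not code from Ad-Aware or Lavasoft: it parses the `numTracesFound` element exactly as quoted, splits trace paths on the `|` separator to tell archive members from plain files, and flags names carrying bidi control characters. The trace paths and the plain `jpgm.exe` location are constructed sample input in the log's format; the real History XML files have more structure than the one element shown here.

```python
"""Interpret scan traces: which hits live inside archives (so Explorer cannot
show them) and which file names carry a Unicode direction override.

Added example for the forum thread; not Ad-Aware's own code. The summary
element is copied verbatim from the post; the trace paths are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# numTracesFound element exactly as quoted from 20130320135948.xml.
SUMMARY_XML = (
    '<numTracesFound total="7" MBR="0" rootkit="0" hookCodeSectionRing3="0" '
    'hookCodeSectionRing0="0" hookDevice="0" scanSysEnter="0" hookIDT="0" '
    'hookIAT="0" ntosExport="0" ntdllExport="0" ssdt="0" sysModules="0" '
    'threads="0" procMemory="0" procModule="0" archives="7" processes="0" '
    'folders="0" files="0" registry="0" cookies="0"/>'
)

# Constructed trace paths in the "archive|member" format the log uses.
# The second carries U+202E (RIGHT-TO-LEFT OVERRIDE) in the same place as
# the invoice name quoted in the thread. The third is a hypothetical plain
# file location for jpgm.exe.
SAMPLE_TRACES = [
    r"F:\Archives\FastVault\GigE\BroadcomPHY\photo.zip|photo.exe",
    "F:\\Archives\\Quarantine\\Inv._08.10.2011_D17.zip"
    "|Invoice_08.15.2011_Stropol\u202ecod.exe",
    r"C:\Temp\jpgm.exe",
]

# Unicode explicit directional controls (LRE/RLE/PDF/LRO/RLO and isolates).
BIDI_CONTROLS = "\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"


@dataclass
class Trace:
    raw: str
    container: Optional[str]   # archive path, None for a plain file
    member: Optional[str]      # path inside the archive, None for a plain file
    explorer_visible: bool     # Explorer lists the archive, never the member
    bidi_override: bool        # name contains a direction control character


def parse_trace(raw: str) -> Trace:
    """Split 'archive.zip|member.exe' into container and member."""
    container, sep, member = raw.partition("|")
    if sep:
        return Trace(raw, container, member, False,
                     any(c in member for c in BIDI_CONTROLS))
    return Trace(raw, None, None, True, any(c in raw for c in BIDI_CONTROLS))


def displayed_name(name: str) -> str:
    """Approximate what a naive renderer shows for a name with U+202E: the
    text after the override is drawn right-to-left, i.e. reversed.
    Simplified: full bidi handling of dots and digits is more involved."""
    head, sep, tail = name.partition("\u202e")
    return head + tail[::-1] if sep else name


def true_name(name: str) -> str:
    """Strip direction controls to recover the real file name."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def summary_counts(xml: str) -> Dict[str, int]:
    """Per-category counts from a numTracesFound element."""
    return {k: int(v) for k, v in ET.fromstring(xml).attrib.items()}


def archive_hits(traces: List[str]) -> List[Trace]:
    """Traces whose member is inside an archive, hence not visible in Explorer."""
    return [t for t in map(parse_trace, traces) if t.container is not None]


if __name__ == "__main__":
    counts = summary_counts(SUMMARY_XML)
    print(f"total={counts['total']} archives={counts['archives']} "
          f"files={counts['files']}")
    for t in map(parse_trace, SAMPLE_TRACES):
        where = f"inside {t.container}" if t.container else "plain file"
        name = t.member or t.raw
        line = f"{where}: {true_name(name)}"
        if t.bidi_override:
            line += f"  (displays as {displayed_name(name)!r}: direction override)"
        print(line)
```

Run it as a script to see the three constructed traces classified; `archive_hits` is the list to compare against what Explorer shows, since every entry in it is only reachable by opening the outer archive.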

Yes, it appears that 6 of the 7 copies of "jpgm.exe" were in a single zip archive, and looking now I can see that they are still there. That would explain why Windows Explorer didn't see them, but Adaware did. The seventh copy was not in a zip archive, and that's the only one I had ever quarantined. As to the archives="7" in the first report, there was another trace found in a separate zip archive. I have since deleted that one. It was in a section of my disk where I manually quarantined suspicious archives when they weren't detected by virus scans. So of the 7 items found in archives, 6 were the ones I had issues finding, and the other was a different threat.

So I guess the fact that the one copy went invisible was due to auto protection quarantining it without asking, and later when I restored it from quarantine it stayed in place because by then the risk definitions had been updated.

Thanks for the help, I really appreciate it!


You are welcome :)

I'm glad that you now understand what has happened.
