Annoying bug in Avira

[Shadow]

It ignores the exception list.
I use nirsoft a lot and it tries to delete a lot of the files,
even though I have marked the whole folder to be ignored both in scan
and shield.
Hope they fix it soon. Every time I have to save a video from
youtube or display my current ports through the "Nirsoft launcher", up
comes the box warning I have been infected with a virus.
This has got a lot worse since the last update.
Nirsoft launcher is not malware, and should be on most capable
user's PCs, along with sysinternals. IMHO
[]'s

 

[FredW]

It ignores the exception list.

Not for me.

Hope they fix it soon. Every time I have to save a video from
youtube or display my current ports through the "Nirsoft launcher", up
comes the box warning I have been infected with a virus.

What do they have to fix?
An executable in memory is marked as "infected".

What does this have to do with a folder in your exception list?
Files in the folders in my exception list are not scanned during a
manual scan, just as I expect.

 

[VanguardLH]

Shadow wrote:

It ignores the exception list. I use nirsoft a lot and it tries to
delete a lot of the files, even though I have marked the whole folder
to be ignored both in scan and shield. Hope they fix it soon.

Every time I have to save a video from youtube or display my current
ports through the "Nirsoft launcher", up comes the box warning I have
been infected with a virus. This has got a lot worse since the last
update. Nirsoft launcher is not malware, and should be on most
capable user's PCs, along with sysinternals.

As you noted, Avira has *two* exclusion lists. One exclusion list is
used by the on-demand scanner (configuration -> expert mode -> scanner
-> scan -> exception) and the other is for the on-access scanner (guard
-> scan -> exception). You have to enter the Nirsoft folder in two
exclusion lists. It's *stupid* that they have two independent exclusion
lists because it doubles your effort to maintain both of them to keep
them synchronized. Obviously these lists can get out of sync.

In some programs, the browse dialog doesn't end up putting the correct
filespec in the list. You still have to edit the entry added by the
browser dialog, like adding "/*" at the end of the folder selection to
actually specify any file within a folder. The folks in the Avira
forums would know better if a trick is needed to specify all files under
a folder after using the browser dialog. I'd first try specifying each
file (full path and filename) of each program on which Avira false
alerts to see if a fully spec'ed file is honored. The title in the
on-demand scanner's exclusion list is "File objects to be omitted for
the scanner" which means the list specifies files, not folders, hence
why I suspect you might have to use the browser dialog to pick the
folder but then edit the filespec it adds to include a trailing "/*" to
actually specify files.

Most AV's will categorize some Nirsoft tools as a PUP (Probably Unwanted
Program). You may be able to configure Avira to eliminate warning you
about PUPs. Don't hold your breath waiting for Avira to remove Nirsoft
from their PUP list. Won't happen. Users have complained for years
about this but Avira doesn't care and continues to list Nirsoft as
suspicious. In fact, as I recall, their response to me when notifying
them about their false alert on Nirsoft was that it could be used for
malware (gee, what OS utility can't, duh) and they continue to keep it
on their "bad" list.

I didn't like having to use workarounds to eliminate the adware-ness of
Avira. I used a SRP (software restriction policy) to get rid of the
avnotify.exe crap on an update that displays their adware window (the
other tricks of deleting or renaming the file or creating a zero-byte
version of it could be undone in an update) and having to modify the
startup entry for it in the registry to eliminate the adware splash
banner on its load. Avast is adware, too, but far more subtle in that
you only see it when you load their config GUI. About 3-4 years ago, I
got hit by the claimed rare bug that Avira would start to continually
poll floppy and external (USB-attached) drives at 1-minute intervals if
any program you used polled those drives (e.g., Speedfan or any program
that queried the drives for their type and looked at the SMART data).
Avira can't differentiate between querying a drive for type versus
accessing its media. The problem disappeared for awhile but then
returned in a recent version. It hits me on my platform and I'm not
interested in wearing out my floppy drive with continual accesses by
Avira and preventing my external drives from going into low-power mode.
Without this bug, and without the nuisance of having to use workarounds
to get around their in-your-face adware, I might still be using it;
however, there were other choices so I dumped Avira.

 

[Shadow]

Not for me.



What do they have to fix?
An executable in memory is marked as "infected".

Even on boot-up, when there would be no reason at all to use
"current ports" ?

What does this have to do with a folder in your exception list?
Files in the folders in my exception list are not scanned during a
manual scan, just as I expect.

Yes they are. Just scanned my Nir folder and it detected 21
new "malware". The folder is "excepted". in both scan and shield. This
started after the last big update, couple of days ago.
[]'s

 

[Shadow]

As you noted, Avira has *two* exclusion lists. One exclusion list is
used by the on-demand scanner (configuration -> expert mode -> scanner
-> scan -> exception) and the other is for the on-access scanner (guard
-> scan -> exception). You have to enter the Nirsoft folder in two
exclusion lists. It's *stupid* that they have two independent exclusion
lists because it doubles your effort to maintain both of them to keep
them synchronized. Obviously these lists can get out of sync.

I have just two folders excepted, Nir is one of them. Yes,
they are in both lists.

In some programs, the browse dialog doesn't end up putting the correct
filespec in the list. You still have to edit the entry added by the
browser dialog, like adding "/*" at the end of the folder selection to
actually specify any file within a folder. The folks in the Avira
forums would know better if a trick is needed to specify all files under
a folder after using the browser dialog. I'd first try specifying each
file (full path and filename) of each program on which Avira false
alerts to see if a fully spec'ed file is honored. The title in the
on-demand scanner's exclusion list is "File objects to be omitted for
the scanner" which means the list specifies files, not folders, hence
why I suspect you might have to use the browser dialog to pick the
folder but then edit the filespec it adds to include a trailing "/*" to
actually specify files.

Well, I'm using \*.*, but I did try with some exact
path\filenames, and it did not honor them.

Most AV's will categorize some Nirsoft tools as a PUP (Probably Unwanted
Program). You may be able to configure Avira to eliminate warning you
about PUPs. Don't hold your breath waiting for Avira to remove Nirsoft
from their PUP list. Won't happen. Users have complained for years
about this but Avira doesn't care and continues to list Nirsoft as
suspicious. In fact, as I recall, their response to me when notifying
them about their false alert on Nirsoft was that it could be used for
malware (gee, what OS utility can't, duh) and they continue to keep it
on their "bad" list.

The command prompt should be listed too. I can destroy all
data on a PC with a prompt..... Just give me 5 seconds.

I didn't like having to use workarounds to eliminate the adware-ness of
Avira. I used a SRP (software restriction policy) to get rid of the
avnotify.exe crap on an update that displays their adware window (the
other tricks of deleting or renaming the file or creating a zero-byte
version of it could be undone in an update) and having to modify the
startup entry for it in the registry to eliminate the adware splash
banner on its load. Avast is adware, too, but far more subtle in that
you only see it when you load their config GUI. About 3-4 years ago, I
got hit by the claimed rare bug that Avira would start to continually
poll floppy and external (USB-attached) drives at 1-minute intervals if
any program you used polled those drives (e.g., Speedfan or any program
that queried the drives for their type and looked at the SMART data).
Avira can't differentiate between querying a drive for type versus
accessing its media. The problem disappeared for awhile but then
returned in a recent version. It hits me on my platform and I'm not
interested in wearing out my floppy drive with continual accesses by
Avira and preventing my external drives from going into low-power mode.
Without this bug, and without the nuisance of having to use workarounds
to get around their in-your-face adware, I might still be using it;
however, there were other choices so I dumped Avira.

IMHO Avira detects better than Avast, and AVG, so I'll keep to
it for now. I've had no adware from Avira for some time.Even that hard
to delete: [HKEY_CLASSES_ROOT\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}]
registry key has gone.No Idea why.

But if this bl^%*%dy virus alert keeps popping up 6-8 times
per session, I'll dump it.
[]'s

 

[Shadow]

It ignores the exception list.
I use nirsoft a lot and it tries to delete a lot of the files,
even though I have marked the whole folder to be ignored both in scan
and shield.
Hope they fix it soon. Every time I have to save a video from
youtube or display my current ports through the "Nirsoft launcher", up
comes the box warning I have been infected with a virus.
This has got a lot worse since the last update.
Nirsoft launcher is not malware, and should be on most capable
user's PCs, along with sysinternals. IMHO
[]'s

They fixed it in today's update. Now honors exceptions.

 

[gaz]

It ignores the exception list.
I use nirsoft a lot and it tries to delete a lot of the files,
even though I have marked the whole folder to be ignored both in scan
and shield.
Hope they fix it soon. Every time I have to save a video from
youtube or display my current ports through the "Nirsoft launcher", up
comes the box warning I have been infected with a virus.
This has got a lot worse since the last update.
Nirsoft launcher is not malware, and should be on most capable
user's PCs, along with sysinternals. IMHO
[]'s

another one is the aggressive false positive of autorun.inf.

 

[Shadow]

It ignores the exception list.
I use nirsoft a lot and it tries to delete a lot of the files,
even though I have marked the whole folder to be ignored both in scan
and shield.
Hope they fix it soon. Every time I have to save a video from
youtube or display my current ports through the "Nirsoft launcher", up
comes the box warning I have been infected with a virus.
This has got a lot worse since the last update.
Nirsoft launcher is not malware, and should be on most capable
user's PCs, along with sysinternals. IMHO
[]'s

another one is the aggressive false positive of autorun.inf.

I see no reason for autorun.inf to exist. It's usually
malware. It saves you clicking on the file it points to, BUT it could
cost your hours of work removing malware.
Even microsoft agrees
http://www.microsoft.com/technet/security/advisory/967940.mspx
Panda has an anti-autorun utility called Panda USB Vaccine,
there are dozens of others, but this one is pretty simple.
//
http://research.pandasecurity.com/author/pedro-bustamante/
Microsoft’s 6-year long open door to malware
March 9th, 2011 Pedro Bustamante 3 comments
Finally Microsoft has released an automatic update which disables
AutoPlay in USB drives for all its Windows Operating Systems. Up until
now only Windows 7 disabled this functionality by default. With this
update Microsoft finally puts a stop to one of the most common malware
infection vectors of the last 6 years.

Let’s quickly review the history of this functionality which during
2010 has been said to account for 25% of malware infections worldwide
and the source of quite a few embarrassments for many companies
Example:
http://research.pandasecurity.com/vodafone-distributes-mariposa/
//
FWIW
http://www.softpedia.com/get/Security/Security-Related/Panda-USB-Vaccine.shtml

 

[gaz]

It ignores the exception list.
I use nirsoft a lot and it tries to delete a lot of the files,
even though I have marked the whole folder to be ignored both in
scan and shield.
Hope they fix it soon. Every time I have to save a video from
youtube or display my current ports through the "Nirsoft launcher",
up comes the box warning I have been infected with a virus.
This has got a lot worse since the last update.
Nirsoft launcher is not malware, and should be on most capable
user's PCs, along with sysinternals. IMHO
[]'s

another one is the aggressive false positive of autorun.inf.

I see no reason for autorun.inf to exist. It's usually
malware. It saves you clicking on the file it points to, BUT it could
cost your hours of work removing malware.

I know its dangers, but on my drive i use a utility from hirens boot disk
that locks a fake autorun file and recycler folder preventing the well known
infection... But, it still picks it up as an infection..