I recently updated to Avast 5 from Avast 4.8. Each time Avast 5 updates, CIS writes a boatload of HIPS related registry entries relative to a file named avast.setup. The avast.setup file does not reside on the system as far as I can tell. With each update, the number of additional entries seems to be growing exponentially. I have tried deleting all but the most recent, but this results in a new permissions pop up and the process starts all over again.
Are there any settings within CIS to deal with this?
I don’t believe your reply addresses my issue. Avast 5 updates without any issues on both of my computers. The problem, if one chooses to consider it a problem, only concerns the number of registry entries generated with each update. Since the last time I removed older entries, 400 new ones have appeared.
I think that EricJH has pointed out the right issue. A5 has this file “avast.setup” that, as you already found out, is not in your sys right now. It is generated and it disappears in every boot and update. For the updates, and that is the way Avast does it, it drops a folder with the update version number and the date, e.g. 100212-1. In that folder you got about 13 .dll files and these are the alerts you see for avast.setup in D+. Now, you have two ways to avoid these alerts: 1. To have CIS in “Clean PC Mode” in D+; however, your Pending Files are going to grow with each update because the next folder will have a different number, or 2. you can follow the instruction in the post given by EricJH or here (last reply):
I do not have any accumulated def\xxxxxx files or problems updating or any alerts for that matter. Until Alwil and Comodo sit together and see how that avast.setup file and those def\xxxxx files can work out, that is the only solution I got for you. I do not have more than 9 keys in the #### folders that you mentioned, sometimes only 4 keys:
I had 2 Avast5 updates today and, for the moment, the number of additional registry entries only increased by five. There is something going on here I obviously don’t understand. I can live with the situation as it stands as long as my registry doesn’t keep growing rapidly without restraint. I will monitor each update and make a decision later.
Since I use my computer to make a living, I prefer to maintain Defense+ in Safe Mode.
Hopefully Alwil and Comodo will resolve this sometime soon.
I also use D+ in Safe Mode and sometimes in Paranoid Mode. My problem was that I test several different apps a week so I usually Purge non-existing apps from Comodo. In doing so, the famous “avast.setup” file :-TD, was also purged, and since that file in D+, Security Policy, contains all alerts for AvastSetup----------->.dll under Access Rights, Protected Files/Folders, I would get new D+ alerts for them for the next Avast update. If the PC was unattended at that moment, those pop ups were denied as default so making the update impossible to do.
Since I followed HeffeD's advice to keep “avast.setup” in My Own Safe Files and to add C:\Program Files\Alwil Software\Avast5\defs*(wild card) in Avast.setup > Access Rights > Protected Files/Folders, I do not have any alerts popping or defs##### updates files in that section :-TU. Maybe, and I say maybe, that is why I do not have 400 ##### registry keys adding up every day. Just a thought :-La.
As I indicated earlier, Avast5 updates on my machines without any need to interact with CIS. With even more Avast5 definition updates since my last post, additional HIPS related registry entries have all but ceased.
I have noted issues similar to this in other situations. However, deleting the invalid registry entries only resulted in a leaner registry.
I am curious as to why these additional registry entries have stopped occurring so abruptly.
To iroc9555: With the modifications you made, do you still need to be careful not to purge avast.setup from the Firewall and Defense+ policy databases?
Yes, I have to be careful not to purge avast.setup. If I do, I just reboot in “Clean PC mode” and move avast.setup from My Pending files to My Own Safe files. Then go to D+ > Computer Security Policy > Double click avast.setup rule > Access Rights > Protected Files/Folders > Modify > and add a wild card for (defs*) files, apply, apply, apply. I then switch D+ to “Safe Mode or Paranoid Mode”.
I do not know if other Avast 5 users are having problems with this avast.setup and all its .dll files and its ####\defs files that come with booting the PC or updating Avast, but in my case if I do not have avast.setup file set in D+ rules, I always get these 13 alarms pop ups for avast.setup. :-TD It does not matter if CIS is in “Clean PC Mode or Safe Mode”.
@ Comodo. Alwil or Avast is supposed to be a “Trusted Software Vendor”. Why do I get these pop ups?
I believe I have resolved issues discussed above by reconfiguring Avast5 with CIS. My last update added no new entries to the registry.
The changes are as follows: (1) Added ashUpd.exe, AvastSvc.exe and AvastUI.exe to New Trusted Applications, and (2) added all executables from the Avast5 folder to My Own Safe Files. Step 2 occurs in a single step when the Avast5 Folder is highlighted, the “include all subfolders” is ticked, the choice is moved to the right column, and “apply” is pressed. From what I can see, CIS only moves DLLs when configured by this method.
I have some ideas about the avast.setup problem also. To circumvent the fact it's not resident, I was thinking about creating a TXT file in the Avast5\Setup folder, naming it avast.setup, including this file in My Own Safe Files, and then deleting the original file. As long as CIS is only concerned with file names and not their attributes, this might get around the problems associated with purging avast.setup from either policy database.
Before I try this, I was just wondering if anyone had any thoughts about unintended consequences.
“Added ashUpd.exe, AvastSvc.exe and AvastUI.exe to New Trusted Applications, and (2) added all executables from the Avast5 folder to My Own Safe Files.”
Would that not be the same as setting those files as “Trusted Application” in their respective rules for Network Security Policy and Computer Security Policy? Also, I believe that “New Trusted Applications” is just for the Firewall rules. Remember that the problem is with D+ and C:\Program Files\Alwil Software\Avast 5\defs#####, which is another different #### for next update.
Now for avast.setup
“To circumvent the fact it's not resident, I was thinking about creating a TXT file in the Avast5\Setup folder, naming it avast.setup, including this file in My Own Safe Files, and then deleting the original file.”
Would you write something in the .txt file beside its name? When you say “deleting the original file,” are you referring to the .txt file?
Now avast.setup file is not a problem by itself because once you have it in “My own safe Files” there is no need to purge it or remove it. You can purge it from firewall rules or D+ rules and reboot the PC and CIS will recreate rules for avast.setup without any popups. The popups come up when there is a new update folder (defs#####) and avast.setup tries to access, modify, change or whatever, to those .dll files that come inside that defs##### folder.
And I still do not have a valid reason from Comodo for why, Alwil being a trusted Software Vendor, CIS pops up for those files.
I didn’t find that to be the case. Adding these manually resulted in new and unique entries in the policy database.
To your second question:
Based on what I observed today, no matter what is tried, the avast.setup file will cause some sort of problem. Just like the DLLs that cause problems for you, it appears avast.setup changes at least daily. This is apparent from the registry entries CIS creates with each update and is still occurring despite my attempts to stop them. You can permanently stop your pop ups by applying (2) above. However, you will find that by opening “My Own Safe Files” and purging it, there will be numerous entries needing removal. It is also likely your registry is being littered with new entries, most of which are unnecessary. If you have a good registry utility, search for avast.setup and SF.bin. All but the latest SF.bin entries can safely be removed. I removed 844 from my XP x64 computer this morning. As for the avast.setup entries, I’m not sure which can be removed without causing pop ups.
Given the manner in which Avast5 functions, it’s not surprising “trusted vendor” status doesn’t mean much. Personally, I’m thinking about switching to a new firewall or antivirus.