Avast Free AV

I am running Avast Free AV with Windows FW, UAC Enabled & Router on Win 7 64 Laptop. This system is family's system i.e everyone uses this system & are average or novices.

I am little confused with Avast's PUP settings. I always go with products default settings. Avast's default for PUP is disabled. On my XP laptop time to time I test few free AV's like Comodo & Avast. In my test I keep PUP enabled in Avast & when Avast detects anythings as PUP I check it with VirusTotal & I have observed that Avast's PUP detection is detected as Trojan by other vendors at VT.

As I said the users here are novices & average & I dont know if enabling PUP in Avast will increase false positives of legit programs. But given Avast's PUP detection as Trojan detection by others it seems PUP should be enabled & Avast should also enable it by default.

Whats your opinion for my family's laptop or average/novices system for PUP in Avast, Enable/Disable?

Thanxx
Naren

 

I'd leave PUP enabled. I don't think it will cause too much FPs. And as you've mentioned that things detected by avast as PUPs, are detected as trojans by other vendors, so why not keep it on?

 

Most of the AV's now enable PUP by default. Experts can always change it.

Why its disbled in Avast by default?

Is it coz enabling it gives FP's on legit programs? or Coz PUP are not malicious by nature?

Why Avast detects as PUP & many other as Trojan?

Thanx
Naren

 

I think the answer lies in the category descriptor: potentially unwanted programs [PUPs]. Some programs may be decreed as unneeded [such as search bars], but others may disagree. I think this is why Avast have disabled as default so they're not detected straight off.

Quite why one vendor classes something as PUP and another as trojan I don't know. They've been trying to standardise the malware-naming scheme for a long time, and they still can't fully agree.

I would enable it. You can always exclude the program from being scanned and detected if you're sure it's wanted and not likely to cause any problems.

 

I suspect the PUP detection being disabled by default and allowing a user to enable it is due to legal reasons. Classifying something as a PUP could cause litigation from some vendor claiming some sort of defamation of their product. Maybe just having the PUP detection disabled avoids the unneeded litigation, associated costs and free advertising for the PUP.

 

I read a link in Avast forum. Its mentioned it will give fp on legit apps. But so do the malware signatures, they too give fps on legit apps.

And how can PUP detection give fp on legit apps? i.e yes there's always a chance of fp with any detection service but dont you think it also depends on quality of signatures?

Most of the AV detects PUP by default but they dont say that it will give fp on legit apps. They say that some consider PUP as malicious & some dont. So for average users sake PUP is enabled by default & experts can always change it.

Some legit apps may be kinda similar to PUP but that doesn't means they are PUP as there's other factors too which make the app good or trusted like digital signatures, etc.

I consider Avast the best AV for average users & think that PUP should be enabled by default. Coz under PUP detection it misses trojans & other dangerous apps.


I had mentioned this in Avast forum with few VT links but they also mentioned that it increases fps on legit apps.

How can PUP detection increase fps on legit apps? The quality of PUP signatures should be good, like they carefully provide signatures for malware with rare or no fps on legit apps.

Thanx
Naren

 

In case of avast, PUPs include things like:
* remote access tools (VNC, LogMeIn, TeamViewer etc)
* some admin tools (PsExec, PsKill etc)
* some cracks

In general, stuff that network admins don't want to have on their users' systems UNLESS THEY KNOW ABOUT IT.

On the other hand, many home users have such stuff on their systems and are perfectly happy with it. This is why the detection of PUP is by default disabled in the consumer versions of avast.

Thanks
Vlk

 

Thanx replying Vlk.

I think Avast PUP detection should not detect programs like TeamViewer, LogMein, etc as they are popular & trusted programs & you too mentioned this in your post. But it should detect other unwanted, untrusted programs.

A program is remote access or admin tools doesn't mean it comes under PUP. The detection should be based on programs reputation.

I mostly collect malware samples from sites like malwaredomainlist, malwareblacklist, malc0de, cleanmx, etc. And many times I have found Avast detecting dangerous programs as PUP. Without PUP its a miss. Cross checking with VT also suggests its dangerous as app. 25-30 scanners detects them as trojan with Avast only detecting them as PUP.

Thanx
Naren

 

"Popular and trusted" doesn't mean they should appear on your machine without your knowledge.
These tools are abused by malware to provide additional (malicious) functionality. In the example of the remote control tools, some malware simply bundles them with itself so that the attacker can control your machine.

So yes, that's exactly the tools that should be detected as PUPs. If you installed it intentionally on your machine, fine. But if it suddenly appeared on your computer without your knowledge, it can be a sign of some (possibly undetected) running malware - or even somebody else having installed some spying tools on your computer.

If a real malware is detected as PUP, that it should most likely be re-classified (or, as said previously, it's also possible that the malware itself is undetected, and the scanner is detecting some tool embedded inside).

 

PUP means "Potentially Unwanted Programs". Which means app can be clean and legit but may pose a potential risk if used in a wrong way. And all the apps listed by Vlk fall into this category. You can exclude them if you want but they will get detected the first time they are scanned by avast!. It's a normal behavior.

 

The reason I have not enabled PUP coz I thought if its disabled by default then its behaviour/detection may be unacceptable i.e increased FP's on legit apps or FP prone, if it were to be the acceptable behaviour then they would have enabled PUP by default.

For me default settings means carefully selected set of settings comfortable/usable for any/every type of users. Change in default settings may have adverse effect or the behaviour may not be acceptable/comfortable especially for average/novices.

But I want to enable PUP as I already mention in my previous post according to me & my little tests disabled PUP means missing detection of few trojans or malware.

Especially I want to know if PUP enabled can give FP's on Windows Updates, System Files, Microsoft's Products & Laptop Manufacturer's Products like HP's Laptop's so HP's Products? These are mainly the area of my concern with PUP enabled on average/novices systems.

Thanxx
Naren

 

Not only Avast, but Eset also finds malwares as a PUP!!

 

Naren, avast does NOT detect TeamViewer or LogMein as PUPs.

 

I always have PUP turned off on my Eset pc.

 

It was always turned on when I used it.

 

I know I checked them.

Vlk mentioned so I checked them. Guess Vlk was just giving example of these as remote tools & didn't mean detection.

 

Yeah thats my concern. PUP detecting malware too but disabled by default in Avast.

 

No. avast does not detect malware as PUP. PUP is PUP, not malware. If something is detected wrongly should be corrected.

 

According to Avast it's on, but Windows 7 says avast is currently OFF and when I tell Windows 7 security centre to turn it ON, it just sits there and does nothing. What's going on?

 

Sometimes, Windows Security Center or Action Center stop recognizing your antivirus or firewall... So, check your system time and date and also https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=580
Microsoft released a fix for it: MS release a fix for it (http://support.microsoft.com/mats/windows_security_diagnostic/).

Run command line as admin:
net stop winmgmt
del C:\WINDOWS\system32\wbem\Repository
net start winmgmt

winmgmt /verifyrepository
winmgmt /salvagerepository

 

Thanks, but I did a reboot and it seems to have fixed itself