Avast emulator service - what is it?

Discussion in 'other anti-virus software' started by act8192, Apr 4, 2012.

Thread Status:
Not open for further replies.
  1. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    Firewall says Avast 7 on XP want to run emulator service.
    What is it?
    What does it do?
    Do I allow it? Not allow it to run? Why?
    Being part of Avast, I'd trust it, but might be some fake thing?
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,123
    Location:
    USA
    Look here. Seems legit.

    https://forum.avast.com/index.php?topic=76482.0
     
  3. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    Thanks, Victek123!

    I forgot to say what the firewall alert included
    c:\Program Files\AVAST Software\Avast\defs\12040401\Sf.bin

    DavidR's answer in the link makes sense:
    "A probable over simplified explanation:
    Emulation is used by the File System Shield on scans as another means to detect possible malicious content, e.g. the file is run in an emulator environment to see what it actually does when run. This is over and above the standard signature based scan that would be done."

    Additionally, if it looks suspicious, Avast will check things in the sandbox.

    I wonder why I got hit with the alert as I entered this forum and another. Neither has ads. But maybe it's an application check, something like Opera caching stuff?
     
  4. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    The emulator is used for executables only, i.e. ads are unrelated.
    Something must have been started (or created) in the background.
     
  5. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    All emulators have serious holes.. probably not worth the trouble.
     
  6. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    As a code emulator is a foundation of most of today's AV engines, that statement sounds a bit exaggerated.
     
  7. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    It's like saying a car's engine is very inefficient. Probably not worth using it.
    Well, there really isn't any other good alternative. You can go to HIPS or Sandboxing extremes but if those were the magic silver bullet, we wouldn't still be using "traditional" antiviruses. Nothing is perfect but current emulators are quite efficient.
     
  8. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    I've been allowing sf.bin to run for, now, obvious reasons. But I have a problem. I have to allow it with every single definitions update. Bit of a nuisance.

    For example, today it's
    ...avast\defs\12040800\sf.bin
    ...avast\defs\12040801\sf.bin
    and they're different.

    I use behavior watch in the firewall. Unfortunately, I can't add a general rule such as "permit everything avast", or "any sf.bin and allow it to be modified". The firewall hits every single version of Sf.bin which changes its path, size etc. If I ran SSM, I think I'd have the same problem - with the interface disabled, sf.bin wouldn't run at all, with it enabled, I'd have the nag.

    Suggestions?
     
  9. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    Update. Took a bag off my brain. Problem solved. Once I enabled all logging for avast items, the log said Sf.bin is started by avastsvc. So all I had to do is allow avast service to run other stuff. SIMPLE :)
     
  10. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    The scan engine can be updated with every VPS update, so that's why SF.bin changes regularly.
     
  11. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    False success report above. It didn't work. The changes in the path and file continue to trigger an alert. Arrrggghhh.
    Googling, I also see that Outpost, OnlineArmor, Comodo suffer the same fate as my Sunbelt fw, i.e. nuisance. Yikes.
    I can live with it though, now that I see what's going on and when and where it gets triggered.
     
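The rule act8192 could not express in the firewall (any sf.bin under a versioned defs folder, but only when it is launched by the Avast service) can be written as a small allowlist check over process-launch log lines. This is an added example, not code from the thread or from Avast: the log line format is constructed for the example, the eight-digit version folder is inferred from the paths quoted above (12040401, 12040800, 12040801), and the service image name AvastSvc.exe is an assumption. A path that merely ends in sf.bin, or a launch by some other parent process, is rejected.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed log format for this example (not the real output of Sunbelt,
# Outpost, Online Armor or any other firewall):
#   <timestamp> parent="<image path>" child="<image path>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+parent="(?P<parent>[^"]+)"\s+child="(?P<child>[^"]+)"\s*$'
)

# The defs root is the one quoted in the thread; the version folder is assumed
# to be exactly eight digits, so "defs\12040800\..\x\sf.bin" does not match.
SF_BIN_RE = re.compile(
    r'^c:\\program files\\avast software\\avast\\defs\\\d{8}\\sf\.bin$',
    re.IGNORECASE,
)
ALLOWED_PARENTS = {"avastsvc.exe"}  # assumed image name of the Avast service


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def normalize_path(path: str) -> str:
    """Collapse slash styles and trim whitespace so one regex covers both."""
    return path.strip().replace("/", "\\")


def basename(path: str) -> str:
    """Lower-cased final path component, used to compare the parent image."""
    return normalize_path(path).rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (parent, child) from one constructed log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("parent"), m.group("child")


def decide(parent: str, child: str) -> Decision:
    """Allow only when both the launched path and the launching process fit the rule."""
    if not SF_BIN_RE.match(normalize_path(child)):
        return Decision(False, "path is not <avast>\\defs\\<8 digits>\\sf.bin")
    if basename(parent) not in ALLOWED_PARENTS:
        return Decision(False, f"unexpected parent process {basename(parent)!r}")
    return Decision(True, "sf.bin launched by the Avast service from a defs folder")


def process_log(lines: Iterable[str]) -> List[Tuple[str, Decision]]:
    """Apply the rule to every well-formed line; malformed lines are skipped, not guessed at."""
    results: List[Tuple[str, Decision]] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        parent, child = parsed
        results.append((child, decide(parent, child)))
    return results


# Constructed sample log: two legitimate launches from different definition
# versions, one launch by the wrong parent, one sf.bin outside defs, one
# traversal attempt inside defs, and one malformed line.
SAMPLE_LOG = [
    r'2012-04-08T10:01:02 parent="c:\Program Files\AVAST Software\Avast\AvastSvc.exe" child="c:\Program Files\AVAST Software\Avast\defs\12040800\sf.bin"',
    r'2012-04-08T14:22:10 parent="c:\Program Files\AVAST Software\Avast\AvastSvc.exe" child="C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\defs\12040801\Sf.bin"',
    r'2012-04-08T15:00:00 parent="c:\windows\explorer.exe" child="c:\Program Files\AVAST Software\Avast\defs\12040800\sf.bin"',
    r'2012-04-08T15:05:00 parent="c:\Program Files\AVAST Software\Avast\AvastSvc.exe" child="c:\users\me\downloads\sf.bin"',
    r'2012-04-08T15:06:00 parent="c:\Program Files\AVAST Software\Avast\AvastSvc.exe" child="c:\Program Files\AVAST Software\Avast\defs\12040800\..\x\sf.bin"',
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for child, d in process_log(SAMPLE_LOG):
        print(("ALLOW " if d.allow else "PROMPT") + f"  {child}  ({d.reason})")
```

Matching on parent process plus a constrained path pattern is what the thread's own firewall could not do in one rule; a real policy would add a publisher-signature or hash check on the launched file, since a path under Program Files is only as trustworthy as the permissions on that directory.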