Ondrej Vlcek

4 February 2010

What happened to the automatic actions in the Boot-time scan?


Since the release of avast v5.0, we have quite often heard the question "Where do I set up the automatic actions for the boot-time scan?" As a matter of fact, we decided to remove this feature from avast 5, and this short post will try to explain why.

The reason why the boot-time scan (BTS) in v5 doesn't support automatic actions is that the feature (at least for now) is very dangerous. In the past, we have seen a worrying number of users who accidentally deleted critical system files by means of the boot-time scanner set up to take automatic actions.

Let me explain this in a bit more detail. Avast has a number of measures designed to fight false positives. False positives, no matter how hard the AV companies try, were always here, are here, and will be here. However, there are many ways to mitigate this issue.

One of the most powerful anti-FP measures is that whenever avast detects a virus, it also consults the whitelist of well-known good applications and of files digitally signed by trusted publishers (such as the binaries belonging to the operating system itself). Whenever it finds that a detection was made on a whitelisted/trusted file, it basically assumes that it's a false positive and doesn't really report the file as infected (and, more importantly, doesn't take any actions!); it only suggests that the user submit the file to our virus lab for further analysis. Now, this feature was already present in avast 4.8 and has actually saved our bacon quite a few times in the past. For example, about 18 months ago, we had an ugly FP in svchost.exe, and only thanks to this feature, the vast majority of our users didn't really even notice before the problem was fixed.

Now, the problem is that this feature is currently unavailable during the boot-time scans. We are working on implementing it, but it is a lot of work (this is mainly because the Windows crypto subsystems are not yet available at the stage of boot in which the BTS is running). We plan to have this feature ready for v5.1 though (as well as other improvements in the boot-time scanner, such as 64-bit compatibility).
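The gate described in the two paragraphs above can be sketched as follows; this is an added example, not avast's code. The names `Detection`, `decide`, the sample hash list and the publisher "Example OS Vendor" are assumptions made for illustration, and `signer` stands in for the result of a real signature verification.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    SUPPRESS_AND_SUBMIT = "likely false positive: no action, suggest lab submission"
    AUTO_ACTION = "apply the configured automatic action"
    ASK_USER = "trust checks unavailable: require a manual choice"


@dataclass
class Detection:
    path: str
    content: bytes
    signer: Optional[str]  # publisher of an already verified signature, or None


# Constructed sample data, not real avast lists.
KNOWN_GOOD_SHA256 = {hashlib.sha256(b"constructed svchost image").hexdigest()}
TRUSTED_PUBLISHERS = {"Example OS Vendor"}


def is_trusted(det: Detection) -> bool:
    """Whitelisted by hash, or signed by a trusted publisher."""
    digest = hashlib.sha256(det.content).hexdigest()
    return digest in KNOWN_GOOD_SHA256 or det.signer in TRUSTED_PUBLISHERS


def decide(det: Detection, trust_checks_available: bool) -> Verdict:
    if not trust_checks_available:
        # Boot-time case: a false positive on a system file cannot be told
        # apart from real malware, so nothing is done automatically.
        return Verdict.ASK_USER
    if is_trusted(det):
        return Verdict.SUPPRESS_AND_SUBMIT
    return Verdict.AUTO_ACTION


# Constructed detections: a whitelisted system file hit by a false positive,
# a file signed by a trusted publisher, and an unknown unsigned file.
SVCHOST = Detection(r"C:\Windows\System32\svchost.exe", b"constructed svchost image", None)
SIGNED = Detection(r"C:\Windows\System32\drivers\sample.sys", b"driver bytes", "Example OS Vendor")
UNKNOWN = Detection(r"C:\Users\demo\dropper.exe", b"unknown bytes", None)

if __name__ == "__main__":
    for det in (SVCHOST, SIGNED, UNKNOWN):
        for available in (True, False):
            print(det.path, available, decide(det, available).name)
```

With trust checks available, the svchost.exe false positive is suppressed; without them, the same detection falls back to a manual choice instead of an automatic delete.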

The boot-time scanner is an expert feature, and was designed to be used when there's something bad going on on the system. And in these cases, I'd say that having to actually select the actions manually is a small price to pay.