Strange Avast behaviour

Operating system

Windows

Joplin version

3.6.15

Desktop version info

Joplin 3.6.15 (prod, win32)

Appareil : win32, 11th Gen Intel(R) Core(TM) i7-11800H @ 2.30GHz
ID client : e0bd9e0e7e9a4028ad138acda884ece6
Version de Synchro : 3
Version du profil : 49
Trousseau supporté : Oui
ID d'instance alternatif : -
Sync target: OneDrive
Éditeur : Markdown

Révision : c615726

Backup: 1.5.1
Copy Anchor Link: 1.1.0
Folding in Code Mirror Editor: 2.0.1
Freehand Drawing: 4.3.0
Joplin Batch: 0.2.2
Joplin Disk Usage: 1.2.0
Note Tabs: 1.4.0
Search & Replace: 2.2.0
Space Indenter: 0.2.5
Text Colorize: 1.2.5
Wrapped Line Indentation: 1.0.3

Sync target

OneDrive

What issue do you have?

Hello,

For 2 months, Avast antivirus has been repeatedly complaining about the contents of one specific Joplin note. I repeatedly sent messages to Avast stating that these were false reports without any answer. I ended up excluding (...).config\joplin-desktop\tmp from Avast a few days ago.

But I am not writing here about Avast's issues, it was already discussed here Avast identifies Joplin infected with md:httprequest-inf [sups]?

What I find strange is that Avast only complains about one note which I did not touch since I created it, last November. Avast was triggered only when I actively used Joplin.

My question is: does Joplin copy all notes in the tmp directory? If not, why was this particular note copied? Is it because Avast has removed it. Why hasn't this happened before?

I can post the contents of this note here if it would help.

Screenshots

I deleted my previous post as I missed what you were actually asking.

My question is: does Joplin copy all notes in the tmp directory?

When a backup is triggered Joplin creates a temporary folder in the Joplin tmp folder. For you, for this particular backup the folder was C:\Users\FDV_Standard\.config\joplin-desktop\tmp\224c15f6a7891d7e9859b2bee1b539e3\.

It then exports your notes to that folder, copies that data as a backup to your chosen backup location (along with other files), and finally deletes the temporary folder.

For this particular backup one of your notes was exported into the temp folder as b6c5550c54f64ed2b1329888f38e25f1.md. This markdown text file probably contained an http URL so Avast quarantined / locked it as "MD:HttpRequest-inf [Susp]".

That is why you also got the backup error.

Why hasn't this happened before?

If you have always had backup active I can only assume that your AV has only recently got the update from Avast that declares that http URLs in text files are potentially "Divers: logiciel malveillant capable d'endommager vos données, votre ordinateur ou votre réseau."

Thank you for your clear and detailed explanations. I still wonder why Avast screams at this particular note and not on the more than 300 others I have which contain "http", or why Avast sees it/them in this particular temporary folder but not in my main Joplin folder, but this obviously is a question for Avast, not for Joplin. Anyhow, this gives me one more reason for stopping my Avast subscription ASAP!

I would guess that Avast does not see the contents of the note when it is in your main Joplin data folder as it is stored in database.sqlite and not as a plain-text file.

As Joplin creates a backup file it exports your notes from the database into the tmp folder as plain-text md files. I suppose that it is then that Avast "sees" the note contents.

I did find a GitHub issue for another project where Avast was quarantining a README.md file. They thought that it may not be triggered just because there was an http URL, but also because there were several in the document.

"Avast/AVG quarantine the packaged README.md with MD:HttpRequest-inf[Susp] -- a heuristic false positive that fires on Markdown/text files carrying many HTTP-request-looking links."

Hi,

I am also an avast antivirus user.

I can confirm that a vast can sometimes falsely complain about a markdown file with URLs in it.

I have active databases in both Joplin and obsidian which stores its data in regular files not a database so they are more susceptible to being scanned by Avast it doesn't complain very often so I don't worry about it.