A friend of ours sent us an email with a MS Excel worksheet attached. Clicking on the attachment brought up an installation page for the AVAST antivirus program, and in fact, refused to open the spreadsheet unless we first installed the program. Is there a virus masquerading as an antivirus piggybacking on the spreadsheet? What do we tell our friend to do?
First confirm with your friend that they actually sent you a spreadsheet.
If they did, upload it to Google Drive and open it with Google Sheets. Don’t open it locally or install something because this attachment tells you.
I think you should start by asking your friend if they sent the Excel worksheet or if it was from someone pretending to be the friend. And even if it’s really from the friend, ask them if instead they can just send it in different form, like a CSV plain-text file or a Google Sheets document.
I would guess it is the email provider prompting them to install avast, I’d be curious a) which provider it is b) is it being accessed through webmail or a desktop email client. Just clicking on the attachment link for an Excel spreadsheet wouldn’t open an install dialogue for Avast antivirus unless the email provider was involved in some way. Even if it was a xlsm macro spreadsheet that contained some code to download Avast, Excel itself would first have to launch to execute the macro code. It’s also possible it’s not an excel spreadsheet attached at all but just something that appears to be.
It’s definitely from the person it says it’s from, and she definitely told us she’d be sending us a spreadsheet, so that checks out. As for the email provider, it was gmail to gmail.
Is the file extension xls, xlsm, or xlsx?
Actually, there’s no file attached at all, just an envelope that says Virus-free www.avast.com
When you click to open the envelope a window opens to the Avast site.
Sounds more like spam from AVAST to me. Or malicious email masquerading as “legit” spam.
He has already confirmed from the sender they sent it. It sounds like maybe the sender has Avast on their computer and it automatically made an attachment into some sort of link for Avast?
Many years ago I used Avast when I switched away from AVG, back then Avast had a pretty good free antivirus without a lot of bloat in it. Later on, Microsoft improved its built in antivirus enough that I no longer run third party AV software. But it sounds like the culprit here might be the sender having Avast installed on their machine, doing a bit of research it looks like Avast has a “feature” to auto-embed basically an advertising link for Avast in all of your outgoing emails as a signature. They “helpfully” seem to enable this feature by default these days.
I wonder if it’s possible the sender actually forgot to attach the spreadsheet and just sent the email without it, and the Avast signature was automatically added in to the email, giving the appearance of having taken the position of the attachment.
I’m curious if this is similar to what OP saw:
That sound plausible.
Yeah, that must be it. I have Avast on both my Windows laptop and my Android phone, and it attaches a signature of “Virus-free approved by avast.com” or such like to every email I send. It’s not a virus, but a forced advertisement.
ETA: I just checked my emails, and actually the added signature just reads “virus free: www.avast.com” with an icon of an envelope left to it. The link in this icon directly takes you to the installation page for Avast. Case closed, I think.
ETA2: I made a screenshot. “Virenfrei” means “virus free”:
Okay, I think I’ve figured this out.
-
The sender sent an attachment. For some reason, the attachment did not show up on my wife’s computer. HOWEVER, it did show up on her iPhone, and when clicked on, it opened.
-
As @EinsteinsHund has helpfully illustrated, the envelope link appears to be a clickable ad for Avast, nothing more.
-
It turns out that the whole thing is immaterial, because the sender sent the wrong file and now she and my wife will have to go through the whole thing over and over again until they’re on the same page.
But at least we’ve learned to ignore the little envelope icon. Thanks, everyone!
It’s a bit of a dick move by Avast. I appreciate that they check my outgoing mail for viruses, that’s a good thing because I don’t want to send malware to any of my contacts, and I understand that I have to pay with ads like that if I don’t pay them money for their product. But a direct link to the install page in an innocuous envelope link is destined to lead to misunderstandings like exhibited in this thread and probably to a lot of inexperienced people inadvertently installing the software.
I assume there is a way to disable the Avast signature in email.
And who’s the message supposed to be for? It’d be trivially easy for a real virus to attach a message that said “Virus-free”. If this ad has any effect, it’ll be to make people more likely to trust viruses.
I just checked the Avast app on my laptop, and indeed there’s that option. But it’s hidden deep down in their menu where the casual user would never look. And it’s of course the sender who’s responsible for finding this option to protect his recipients from getting confused.