ADNM 4.8 - Windows 7 Memory Scan False Positives

Hi,

Every week we get false positive warnings for all our Windows 7 computers.
The infected files are the files in memory (see below). We get around 25 virus warnings (all from the memory scan) from all Windows 7 clients.

Is there a compatibility issue with avast 4.8 and Windows 7?

Example:

avast! [XXX-A117]: File “Proces 3000, memory block 0x02D00000, blockspace 262144” is infected with “INF:AutoRun-AW [Wrm]” virus.

How did you conclude that it is a FALSE positive?

My environment has been running on Windows 7 x32 for almost a year now with the 4.8 client (in transit to the SBC product) and I don't get this notification.

Because even a newly installed Windows 7 computer gives the same warning after the scan. And it is only happening on Win 7 machines.

There are like 20 different warnings for the same process on each computer.

See the logs:

avast! [xxx-L11]: Bestand “Proces 2116, geheugen blok 0x09EA0000, blokgrootte 262144” is besmet door “Win32:FakeAV-ANO [Trj]” virus.

avast! [xxx-L11]: Bestand “Proces 2116, geheugen blok 0x00790000, blokgrootte 262144” is besmet door “Win32:Adloader-AC [Trj]” virus.

avast! [xxx-L11]: Bestand “Proces 2116, geheugen blok 0x03800000, blokgrootte 262144” is besmet door “Win32:Hupigon-OAM [Drp]” virus.

avast! [xxx-L11]: Bestand “Proces 2116, geheugen blok 0x037C0000, blokgrootte 262144” is besmet door “Win32:Siveras-B [Expl]” virus.

avast! [xxx-L11]: Bestand “Proces 2116, geheugen blok 0x036A0000, blokgrootte 905216” is besmet door “Win32:Small-HUF [Trj]” virus.

avast! [xxx-A108]: Bestand “Proces 2496, geheugen blok 0x019F0000, blokgrootte 262144” is besmet door “NSIS:Downloader-CC [Trj]” virus.

avast! [xxx-A108]: Bestand “Proces 2496, geheugen blok 0x01970000, blokgrootte 262144” is besmet door “JS:Agent-II [Trj]” virus.

avast! [xxx-A108]: Bestand “Proces 2496, geheugen blok 0x01710000, blokgrootte 262144” is besmet door “BV:NoShare-H” virus.

avast! [xxx-A113]: Bestand “Proces 1332, geheugen blok 0x02A40000, blokgrootte 262144” is besmet door “Win32:Banker-CDW [Trj]” virus.

avast! [xxx-A113]: Bestand “Proces 1332, geheugen blok 0x029C0000, blokgrootte 262144” is besmet door “BV:NoShare-H” virus.

avast! [xxx-A113]: Bestand “Proces 1332, geheugen blok 0x02920000, blokgrootte 262144” is besmet door “Win32:MalWarrior [Tool]” virus.

Most likely unpacked/decrypted virus signatures from another antimalware tool (Windows Defender?) which get detected in memory.
My suggestion would be simply not to use the memory scan.
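
A triage sketch for the explanation in the reply above, added here as an example and not part of the original posts or of avast's tooling: it parses the alert lines in the format quoted in this thread (English and Dutch client wording) and flags any process whose memory blocks match several different detection names. The `min_distinct` threshold of 3 and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the memory-scan alert format quoted in this thread, in both the
# English ("memory block"/"blockspace") and Dutch ("geheugen blok"/"blokgrootte") wording.
ALERT = re.compile(
    r'avast! \[(?P<host>[^\]]+)\]: \S+ [“"]Proces (?P<pid>\d+), '
    r'(?:memory block|geheugen blok) (?P<addr>0x[0-9A-Fa-f]+), '
    r'(?:blockspace|blokgrootte) (?P<size>\d+)[”"] '
    r'.*?[“"](?P<sig>[^”"]+)[”"] virus'
)

# Sample input: four alert lines copied from the thread plus one constructed non-alert line.
SAMPLE = [
    'avast! [xxx-L11]: Bestand “Proces 2116, geheugen blok 0x09EA0000, blokgrootte 262144” is besmet door “Win32:FakeAV-ANO [Trj]” virus.',
    'avast! [xxx-L11]: Bestand “Proces 2116, geheugen blok 0x00790000, blokgrootte 262144” is besmet door “Win32:Adloader-AC [Trj]” virus.',
    'avast! [xxx-L11]: Bestand “Proces 2116, geheugen blok 0x03800000, blokgrootte 262144” is besmet door “Win32:Hupigon-OAM [Drp]” virus.',
    'avast! [XXX-A117]: File “Proces 3000, memory block 0x02D00000, blockspace 262144” is infected with “INF:AutoRun-AW [Wrm]” virus.',
    'avast! [xxx-L11]: scan finished (constructed line that is not an alert)',
]

def parse_alerts(lines):
    """Yield (host, pid, block address, detection name) for each alert line."""
    for line in lines:
        m = ALERT.search(line)
        if m:
            yield m["host"], int(m["pid"]), int(m["addr"], 16), m["sig"]

def triage(lines, min_distinct=3):
    """Group alerts per (host, pid). A single process holding many different
    detection names fits the 'another scanner's signatures in memory' pattern
    (assumed threshold: min_distinct); one name alone says nothing either way."""
    per_proc = defaultdict(set)
    for host, pid, _addr, sig in parse_alerts(lines):
        per_proc[(host, pid)].add(sig)
    return {
        key: {"signatures": sorted(sigs),
              "likely_signature_db": len(sigs) >= min_distinct}
        for key, sigs in per_proc.items()
    }

if __name__ == "__main__":
    for (host, pid), info in sorted(triage(SAMPLE).items()):
        verdict = "likely signature data" if info["likely_signature_db"] else "needs a closer look"
        print(f"{host} pid {pid}: {len(info['signatures'])} distinct names -> {verdict}")
```

A flagged PID still has to be resolved to a process name on the client (for example with `tasklist /FI "PID eq 2116"`) to confirm that it belongs to another antimalware product.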

I will disable Win Defender on all Win 7 computers and will run the scan again.

Thank you.

Indeed, it was Windows Defender!

Thank you for your help.