It’s the first thing it’s found in real-time for ages, and I think the timing is significant because I’m trying to troubleshoot a boot-time hanging problem that just started tonight. Below is the related post I just made in the Online Armor forum (I would have been quite happy that Online Armor and TrojanHunter Guard were the villains of the piece if Avast! had not had something interesting to say while I was still trying to figure the problem out).
Running Windows XP Home SP3 with Avast! v4.8, Online Armor Free v4.0.0.15, Malwarebytes Anti-Malware v1.44 and TrojanHunter v5.0. PC has been fine recently, until tonight, in fact it had already been used and switched off normally twice so far today. Tonight, it hung mid-boot, quite repeatably. Did some basic diagnostics in safe mode which threw up nothing, but based on observations of what was loading in the system tray when the hangup occurred, the finger of suspicion was pointing at either TrojanHunter Guard or Online Armor. So I disabled both of them at startup using sysinternals’ Autoruns - and here I am, working again except minus two of my four security apps. I’ve tried starting and unloading each of them separately, successfully - the only unusual feature was that when I started Online Armor, it blocked something Java-related (jqsnotify.exe, which was reported to be way away down deep in a tree of subfolders, but when I checked, the last three or four links in the chain of the subfolders were not there, and neither was the exe). I set it to Run Safer, and not long after, when I clicked “Latest version installed” in the OA interface, OA asked me about it again, saying Firefox was the requesting application, and when I allowed it, Firefox opened up to display the OA downloads page.
At the moment, I figure I can live without TrojanHunter better than without Online Armor, so I’ve left TrojanHunter start-up disabled, but I’d like to know what’s suddenly gone wrong so I can fix it and get both of them back. Interestingly, while I have been typing this, Avast! has piped up that it had just found Win32:Malware-gen in RootRepeal, which has been installed on this machine for several months (first time Avast! has found anything in realtime for ages). So I moved it to the chest, but the timing is to say the least suspicious.
I’ve done a scan with MBAM, using latest database version, and it came up clean. Does anyone have any suggestions what the problem might be here?
Now I /am/ curious. Avast! just reported finding Win32:Malware-gen in RootRepeal.exe again, except this time it was in C:\windows\temp rather than in the installation folder (where of course it no longer is, because it got moved to the chest). I moved it to the chest again. If Avast! was FPing on the original archive file rootrepeal.zip during a scan I could understand it - but this is a realtime alert. I certainly haven’t (knowingly) done anything to cause a copy of rootrepeal.exe to be in c:\windows\temp. So I’m baffled. Any ideas, anyone?
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
avast4 - Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Depends on your scan settings as on-demand could be unpacking archives if that was your setting, so yes it would alert even if in a zip.
If avast is the only scanner (excluding GData which uses avast as one of its two scanners) then yes it is likely to be an FP and needs reporting.
Hmm. I did what you said, and as soon as the exe hit the hard disk, avast! reported finding Win32:Malware-gen in it (despite my having just excluded that folder from consideration). Then I tried using VirusTotal, and it said:
0 bytes size received / Se ha recibido un archivo vacio
So then I tried using Anubis, and it said:
Fatal Submission Error
There seems to be an problem with the executable file you submitted. Maybe the upload did not work correctly. Please try again!
I can see that windows thinks there is 448 kB of exe in the folder; maybe Avast! didn’t re-export it unchanged?
Edit: I meant to say, I couldn’t follow your instructions exactly, I think they may be for v5? What I did was, opened Program Settings from the system tray, then added c:\suspect* under Exclusions.
Send it to Avast from the chest - This may be a possible false positive as rootrepeal is a rootkit detector I use… In fact I will download it and run it
Interesting. Are you using v5? I downloaded rootrepeal several months ago and Avast! never had a word to say about the archive zip or the installation until now.
Hey, it was months ago - I can’t remember! And I’m still using v4.8, remember. But I just did what you did and downloaded the latest version. The original archive came up as infected and I moved it to the chest. The new archive which I got from:
So on the face of it, I seem to have been targeted by malware which made a beeline for, first the installed copy and then the archive copy, of genuine anti-malware on my hard disk, and infected it. It wasn’t the latest version of Avast’s database suddenly finding something during a scheduled scan because I don’t have Avast! set up to do any scheduled scans.
Is there another explanation? I don’t like the sound of this one, and not just from my own PoV.
That is what happens when the exclusion is either incorrect or in the wrong location (the Program Settings, Exclusions is for on-demand scans; it isn’t where I said to exclude it). The Standard Shield is what is alerting so you have to add the exclusion there as I said and it has to be correct “c:\suspect*” (everything except the “quotes”).
It also follows that you have to have created the suspect folder in the root drive C:\
I only used Program settings because I couldn’t figure out how to access the various shields - all the context-sensitive menu seemed to provide was to pause and stop them. I see how to do it now via On-Access Protection Control. I was originally misled by its being emboldened; I thought that just meant “On-Access Protection Control is enabled” or something :-[
Any idea why the file failed to upload to VirusTotal and Anubis?
Edit: I’ve been having another go at this. I’ve managed to upload the original archive .zip that I downloaded in May 2009, and the .exe that appeared in windows\temp last night - but the installed .exe that first triggered the alarm absolutely will not go. I wonder why? Anyway, the two that did go both came back with a score of 8/41 (VirusTotal was reporting 2/41 and 3/41 respectively before I re-analysed them). Here are the positive results:
It’s all circumstantial stuff. And I am very curious why Avast! has only just started to flag it up after eight months, and yet the latest version still comes up clean. Any thoughts, anyone?
Left click the avast icon, opens the On-Access settings window, if you see a Details… >> button, click it. That will give a detailed view and you can select individual Shields and adjust their settings (customize that I mentioned).
Of course I have, the standard shield blocked it, that is why we were setting the exclusion within the standard shield.
Well all of the detections are either Heuristic (suspicious) or Generic, which are more prone to misdetection or the precursor to main signature detections. So the sample should be sent to avast as a possible false positive.
New signatures and modified signatures are added all the time, it is the nature of AVs and with these new/modified signatures can bring detections not previously found.
Do I take it from Maxx_original’s comment that this was a FP that has already been rectified?
Well, yes, except that it did so without saying it was doing so. It makes enough fanfare on my personal access; why not a squeak on browser access? And except that, even once I set the exclusion, I could only get the zip and one of the exes to upload (the other apparently identical exe would not go). They’re all uploading now, though.
I still can’t get Anubis to make sense of the exes though. It says:
“Unfortunately your file could not be executed. Either your file is not a valid Windows executable or some of its startup-dependencies have not been met.”
Does it really need to resolve all the DLLs that an exe makes reference to?
Yes it has been acknowledged as an FP which has been corrected internally and will be released on a VPS Update.
I still can't get Anubis to make sense of the exes though. It says:
“Unfortunately your file could not be executed. Either your file is not a valid Windows executable or some of its startup-dependencies have not been met.”
You shouldn’t have uploaded a .zip file to anubis, just the .exe file that was detected.
It is looking at the zip file in its entirety as a single file. It doesn’t extract or scan the contents; it isn’t designed for that. It analyses a single file you upload, which is why it is saying it isn’t a valid windows executable.
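The three submission failures in this thread (a 0-byte upload, an archive handed to a sandbox that expects a single executable, and an exe the sandbox refuses to run) can all be told apart locally before anything is uploaded. The following is an added example, not code from the thread or from avast, VirusTotal or Anubis: it reads a file's size, SHA-256 and magic bytes, checks the MZ/PE header chain, and lists the members of a zip so the right member can be submitted instead of the archive. The sample bytes are constructed inline (a minimal MZ/PE stub and a zip wrapping it) and are not a real executable.

```python
import hashlib
import io
import struct
import zipfile


def sha256_hex(data: bytes) -> str:
    """Hash to report alongside the file when asking about a suspected FP."""
    return hashlib.sha256(data).hexdigest()


def classify_sample(data: bytes) -> dict:
    """Classify a byte blob as 'empty', 'pe', 'zip' or 'unknown' with a reason."""
    info = {"size": len(data), "sha256": sha256_hex(data), "kind": "unknown", "detail": ""}
    if not data:
        info["kind"] = "empty"
        info["detail"] = "0 bytes: the export or upload produced no content"
        return info
    if data[:2] == b"MZ":
        # A PE file stores the offset of the 'PE\0\0' signature at 0x3C.
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\0\0":
                info["kind"] = "pe"
                info["detail"] = "MZ header and PE signature present"
                return info
        info["detail"] = "MZ stub without a PE signature (truncated or altered?)"
        return info
    if data[:4] == b"PK\x03\x04":
        info["kind"] = "zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
            info["detail"] = "archive; submit a member, not the zip: " + ", ".join(names)
        except zipfile.BadZipFile:
            info["detail"] = "zip signature but the archive is unreadable"
        return info
    info["detail"] = "unrecognised magic bytes %r" % data[:4]
    return info


def make_fake_pe() -> bytes:
    """Constructed minimal MZ/PE stub: header chain only, no code, does not run."""
    header = bytearray(b"MZ" + b"\0" * 0x3A)          # DOS header up to e_lfanew
    header += struct.pack("<I", 0x40)                  # e_lfanew -> PE signature at 0x40
    header += b"PE\0\0" + b"\0" * 20                   # signature + blank COFF header
    return bytes(header)


def make_zip_with(name: str, payload: bytes) -> bytes:
    """Constructed zip archive wrapping one member, as a download archive would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    fake_exe = make_fake_pe()                          # stands in for the exported .exe
    archive = make_zip_with("sample.exe", fake_exe)    # stands in for the downloaded .zip
    for label, blob in (("exported", fake_exe), ("archive", archive), ("empty", b"")):
        r = classify_sample(blob)
        print("%-8s %6d bytes  %s  %s: %s" % (label, r["size"], r["sha256"][:16], r["kind"], r["detail"]))
```

Run it against the exported file before uploading: an "empty" result explains the 0-byte VirusTotal response, a "zip" result means the member (not the archive) is what a sandbox wants, and an MZ stub without a PE signature suggests the export did not reproduce the original bytes, which comparing the SHA-256 with a fresh download would confirm.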
We seem to have a communication issue here. I would characterize it as you over-inferring. Maybe it’s just you answering hurriedly.
If you want to paraphrase what I said, Quote is not the right tool. Quote means exactly that - what was said, not what someone else inferred or paraphrased from it. Misusing Quote like that makes it a meaningless feature of discourse. It’s not even a good paraphrase. I just asked if it was a FP.
Even when you do Quote, it seems you don’t Read. I said:
“I still can’t get Anubis to make sense of the exes though”
and you said I shouldn’t have uploaded a zip file?!? I uploaded an exe file. That’s why I called it an exe. And Anubis said what it said about the exe that I uploaded. About both of them actually; the originally-installed one, and the one that mysteriously appeared in C:\windows\temp. So my question remains a valid one. Why can’t Anubis make sense of these exes? Might, for example, Avast! have subtly changed something in the process of putting them into the chest and taking them out again?