Avast! heuristics picking-up on MBAM file

Just want to bring to your attention:

I just received an avast! warning, "A suspicious file has been detected (using a heuristic method)…

file name: c:\windows\system32\drivers\mbamswissarmy.sys
type: hidden services

Recommended action: Ignore"

This warning popped up at the end of running an MBAM on-demand scan.

The avast database is 09-08-02-0; earlier databases had not reacted to the mbam file.

Since MBAM is often recommended by (and to) users of this forum, I think avast should look into the matter, lest some users over-react and delete this file.

Hi ky331,

This seems to be a FP on avast!'s part (although, technically it is doing its job), could you report the file as being a false positive?

You could send the file in a password protected archive to virus(at)avast(dot)com with ‘potential false positive’ in the subject line and the password in the email body.

or

You could add the file to the user files of the virus chest and send it from there:

Right click avast icon in taskbar → click start avast antivirus → right click scanner background → click virus chest → navigate to user files → click add files → right click file → email to alwil software.

NOTE:
The file will actually be uploaded when the next update is performed (you can do a manual update to get it sent)

-Scott-

This is the anti-rootkit scan that happens 8 minutes after boot, see image example of the alert, is this the alert you get ?

Are you using the MBAM Pro paid for option ?

If so it could be that this is legit in trying to hide from malware that might otherwise try to disable it.

If it comes up again, ignore again but ensure that you allow it to be sent for analysis.

Thank you both for your prompt responses.

Per the suggestion above, I sent [a copy of] the file to the User Files area of the Virus Vault, and e-mailed it to avast (which was effected by a manual update search).

Yes, I have the MBAM paid version… but the protection module is NOT enabled: I use MBAM purely as an on-demand scanner.

And yes, I believe the warning I received corresponds to the picture above, which you say was generated by the anti-rootkit scanner. However, for what it’s worth, I was unable to duplicate the warning, neither by rebooting (and waiting 8+ minutes), nor by running an on-demand MBAM scan.

I think that between your getting this alert and now there has been a VPS Update; I don’t know if that may have also had a correction to this.

However, I find it strange as you say you don’t have the resident protection enabled on MBAM Pro, which should mean no services running, hidden or otherwise. For avast to actually detect it then it would have to have been running, but not registered in the windows API listing, which is what is meant by Hidden.

Running an MBAM scan wouldn’t start a hidden process; I believe all that starts is mbam.exe, certainly that is the case with the free version that I use. I have just started MBAM and then run a rootkit scan and no alerts, VPS version 090802-0.

So I’m not really sure I can check any further not having MBAM Pro.

I’m not sure what else to say/try.

To mention one last point, after I got the warning about mbamswissarmy, which I “ignored” — as was suggested — I then received another message (not sure if it was a warning, or what other terminology might have been invoked) that avast found a virus in memory, and recommended I run a boot-up scan.

I just ran a boot-up scan, which showed nothing:

08/02/2009 19:55
Scan of all local drives

Number of searched folders: 7846
Number of tested files: 78159
Number of infected files: 0

I think it is just a case of monitoring it and seeing if it occurs again, which I would think is unlikely, given that you have run subsequent scans, which have included the anti-rootkit scan again.

Check the following files:
C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log - This contains information on all conventional avast signature detections.
C:\Program Files\Alwil Software\Avast4\DATA\log\aswAr.log - This contains information on the last anti-rootkit scan, it gets overwritten after each scan so info on the original detection won’t be present.

The warning.log file had no entries from today…

and, as you anticipated, the aswAr.log has been overwritten by the subsequent anti-rootkit scan(s) — the latest summary showing:

Scan finished: Sunday, August 02, 2009 9:27:18 PM
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0

Should anything further occur, I’ll certainly get back in touch.

P.S. On the possibility that the database 090802-0 was loaded after the warning, perhaps avast can try testing the mbamswissarmy file relative to yesterday’s 090801-0 database, to see if that was the culprit?
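Since aswAr.log is overwritten by every anti-rootkit scan (as noted above) and its summary follows the "Hidden … found: N" layout quoted in this thread, here is an added Python example, not from the forum or from avast, that parses that summary block, flags any non-zero category for review, and copies the log to a timestamped file before the next scan can overwrite it. The sample log text is constructed for the example, with the services count set to 1 to show the flag firing.

```python
import re
import shutil
from datetime import datetime
from pathlib import Path

# Constructed sample of an aswAr.log summary block in the format quoted in
# this thread; not a real capture (services count deliberately non-zero).
SAMPLE_ASWAR_LOG = """\
Scan finished: Sunday, August 02, 2009 9:27:18 PM
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 1
Hidden boot sectors found: 0
"""

# Matches lines such as "Hidden registry items found: 0".
SUMMARY_RE = re.compile(r"^Hidden (?P<kind>[a-z ]+) found:\s*(?P<count>\d+)\s*$",
                        re.IGNORECASE)


def parse_aswar_summary(text: str) -> dict:
    """Return {"finished": <timestamp or None>, "counts": {kind: int}}."""
    result = {"finished": None, "counts": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("scan finished:"):
            result["finished"] = line.split(":", 1)[1].strip()
            continue
        m = SUMMARY_RE.match(line)
        if m:
            result["counts"][m.group("kind").lower()] = int(m.group("count"))
    return result


def needs_review(summary: dict) -> list:
    """Categories with a non-zero count; an empty list means a clean scan."""
    return [kind for kind, n in summary["counts"].items() if n > 0]


def snapshot_log(src: Path, dest_dir: Path) -> Path:
    """Copy the log to a timestamped file so later scans cannot erase the evidence."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    dest = dest_dir / f"aswAr-{stamp}.log"
    shutil.copy2(src, dest)
    return dest


if __name__ == "__main__":
    summary = parse_aswar_summary(SAMPLE_ASWAR_LOG)
    print(summary["finished"], needs_review(summary))  # flags ['services']
```

On a real machine, call snapshot_log on the aswAr.log path from the post above right after an alert, then run the parser over the saved copy.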

I think swissarmy is the driver that mbam use for DDA (Direct disk access), so avast could have detected it as malicious while mbam was running a scan. It has happened to me before.
In the pro version of mbam, it only has 2 processes:
Mbamservice.exe, which is the real time module
Mbamgui.exe, which is the tray icon.
I hope this helps you

I used to see that warning when I had Windows Defender, but now that I have Microsoft Security Essentials, the replacement for Windows Defender in Windows 7, I don’t see that warning anymore.

YoKenny,

You are correct that Windows Defender used to pick up on MbamSwissArmy.sys; I would have to “approve” it in Defender each time I ran an MBAM scan — which is why I believe(d) SwissArmy was activated (visibly or hidden) by MBAM’s scanner.
I “got around” this minor annoyance by placing SwissArmy in Defender’s ignore list. And so I never received another message about SwissArmy until last night.
(Side note: Interestingly enough, I just removed SwissArmy from Defender’s ignore list, and I see that Defender no longer questions that file when I run an MBAM scan. Which either means that Defender has corrected its database to allow that file, or perhaps, that MBAM is no longer using that file as part of its on-demand scanner???)

I treated the warning by avast as a f/p — yet I understand the view that perhaps avast was doing its job, since the file may have had rootkit-like behaviour. Nonetheless, I reported it here, lest other users — who may have a tendency to remove anything detected by an anti-virus — remove the MBAM file.

  • Please start a New Topic of your own as this seems unrelated to the original subject and will just confuse the topic and we will try to help.

  • Go to this link, http://forum.avast.com/index.php, scroll down to the avast! 4.x Home/Pro forum and click it, click the New Topic button at the top of the list and post there.

  • I also suggest that you remove your email from posts unless you particularly like spam - apart from that people will only respond through the forums. If you have the default forum settings then you get emailed by the forum software when a reply is posted in topics you create or contribute to.