Avast kinda went crazy...

We have Avast Pro, with ADNM, and Avast decided to look like a hero overnight and picked a lot of files to successfully move to the chest. All of them were from System Volume Information (about 20-30) except for a few random infections here and there and two consistent infections. The consistent infections were both found in the avast program directory:
c:\program files\alwil software\avast4\setiface.ovr
c:\program files\alwil software\avast4\setiface.dll

The result on all of the files was the same: “Infection: Win32:Agent-HFW[Trj]”

The same thing has affected every computer that we have here that is running Windows XP Pro. Is anyone else having the same problem?

Yours truly,
Bemused and Confused :wink:

Well, setiface.ovr and setiface.dll are used to update the avast virus definitions…
If they are corrupt you can try repairing avast… it should solve the problem in hand…
I suggest you do it in safe mode… so that any malware that may be infecting it doesn’t have any effect…
And do a boot-time scan; avast will delete all the malware it can detect [right click on the avast simple user interface and select boot-time scan].
If it still does not solve your problem then you’ll have to wait for one of avast’s evangelists to answer your query.

And do the boot-time scan before you repair avast…

It is setup.ovr that is used to create avast.setup to update avast, rather than setiface.ovr or .dll. These two setiface files are, however, in my C:\Program Files\Alwil Software\Avast4\Setup folder; I don’t know if this differs for the Pro and ADNM versions.

Though a repair may resolve the problem.

Why they are detected as infected is strange.

I have the latest VPS 000743-4 and no detection on either of these files. You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner); I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti (multi-engine on-line virus scanner). If any other scanners there detect them it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest; you will need to move it out.

If it is indeed a false positive, add it to the exclusion lists (Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions) and Restore it to its original location. Periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected you can also remove it from the Standard Shield and Program Settings exclusions.
Also see False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected.

Whew, sorry for the long wait on this post - I’ve been… out.

Did I mention that we have identical symptoms on 20+ Windows XP computers? I don’t like the idea of personally attending to each computer’s needs separately. Also, that it happened to all of them at once is peculiar. Maybe it has something to do with ADNM?

I scanned the files Avast flagged in the avast folder on both virusscan and virustotal, and both came back 100% clean - including a scan by avast. However, my understanding is that both of those sites are hosted on linux machines, and the linux scanning software has differences from the windows software, so I’m not sure what to make of it.

At the same time I scanned the files on the web, I rescanned them on my PC, which decided that setiface.ovr was clean and that the other file was a virus.

Let me add something to what I just posted: when I deleted setiface.ovr (after a scan by Avast declared that it was clean) Avast nabbed the file out of the recycling bin. What’s going on???

I can appreciate (as an avast user with only one system to look after) that you wouldn’t want to do this with all 20 affected PCs; after all, this is why you went for ADNM. I don’t know if there is any way to restore the files from the chest via the ADNM control; perhaps that is something to ask in the ADNM forum, or ask if it can possibly be a feature.

It would appear, as I thought, that it is a false detection, which would appear to have been corrected.

Which other file, setiface.dll ?

Are you sure that it got it from the Recycle Bin? Avast, I believe, has an integrity check which can to a degree correct some missing files, but I don’t think there is any function to go to the recycle bin.

Thanks for the reply, DavidR

ADNM does have the ability to restore to the remote computers, so as far as that goes there is no problem.

As far as false detections go, well, I just updated to the latest virus database (quite a chore when Avast thinks the files it uses to update itself are infected :wink:) and… what do you know, the files appear to be clean. I know what I’m going to be doing tomorrow morning.

I’m pretty sure Avast detected the file in the Recycle bin, since the location it gave was “C:\RECYCLER\really long number”, and while the file didn’t have the same name, it did have the .ovr extension. I’ve also heard that Avast can’t scan the system restore, but we have entries all the time for infected system restore files. Maybe it’s because we have the managed client?

Anyway, the problem seems to be resolved. Thanks for your help!

Avast is certainly able to scan the c:\System Volume Information folder, part of the system restore function as you mention. As such it is protected by Windows, and you may get an “unable to move to chest” dialogue. Scheduling a boot-time scan should overcome that Windows protection if required.

As your first post indicated, it was able to scan the System Volume Information folder and probably deal with them; otherwise you would have either had the “can’t move” dialogue or they would have still been in place and detected again on the next scan.

By “nabbed the file out of the recycle bin” I assumed you meant it recovered it from there to replace the missing file, not that it detected the file in the recycle bin. So this too, however it became deleted and ended up in the recycle bin, was almost certainly the same FP before you updated the VPS.

Anyway happy to have been able to give some limited help.

Ok, here’s the problem: I need to disable on access scanning on all of the affected computers so I can replace the two files Avast removed, so that I can update the virus database. Can this be done remotely with ADNM?

  1. I thought that you were able to remotely restore the files from the chest; didn’t that restore the missing files?
    How about copying the files from another system to the affected systems? The setiface.ovr and setiface.dll I would have thought would be the same. See the end of item 4 below about setif_av_pro-3e9.vpu.

  2. I would imagine that you could pause one or more of the providers (could well be wrong), though I don’t know if you can be selective. I also don’t know if it is advisable to drop my trousers before going on-line to be able to update.

  3. I just wonder if there is a repair option that can be used remotely in ADNM, as for a stand-alone system that is what I would have suggested: a repair whilst on-line.

  4. I’m also unsure why it is necessary to pause on-access scanning to replace missing files if those files are no longer detected as infected? I’m looking at my \Setup folder where those files reside on my avast 4 home (probably different for you) and I see a file setif_av_pro-3e9.vpu. In avast there are a number of vpu files which validate the files, so if a file is replaced, unless you also copy the vpu file it may revert/restore the original. I’m making an assumption that the setif_av_pro-3e9.vpu file is related to the validation of the two missing files.

As I said, I have zero personal experience of the ADNM, so this may be best asked in the ADNM forum where I’m sure you will get an answer that is better informed than mine.

I’m sorry, I guess I didn’t make my situation clear. I stopped the on-access protection on a test computer so I could restore the files and update avast. After the update, the test computer doesn’t detect the files as infected. But the rest of the computers are still in limbo, and I can’t restore or copy the files over, because the on-access protection interferes. To solve the problem, then, I need to disable the on-access protection on each computer, restore the files, and update the avast virus database.

Since my original question is answered, and the one I currently have is more appropriately posted in the ADNM forum, I have started a new post here: http://forum.avast.com/index.php?topic=28556.0.

Thanks for your help, sasin44 & especially DavidR

I can't restore or copy the files over, because the on-access protection interferes.

That’s my problem: I couldn’t understand why the on-access protection should interfere in restoring files from the chest which are no longer detected as infected. That is why I mentioned the possible associated .vpu file issue.

So was there an alert, error or warning message to indicate why the on-access protection was stopping you doing that, or is it that because these affected systems haven’t got the latest VPS they would still detect them as infected?

So was there an alert, error or warning message to indicate why the on-access protection was stopping you doing that, or is it that because these affected systems haven’t got the latest VPS they would still detect them as infected?

It’s the latter; the affected systems don’t have the latest VPS, which is what the files are needed for. :frowning: Someone suggested I try to uninstall/reinstall, so I’ll see how that goes. Otherwise I’m just going to have to go around to each station individually. Other suggestions are still welcome!

Thanks

You can update off-line (http://files.avast.com/iavs4pro/vpsupd.exe) but, of course, this will need to be applied to each workstation… Do you have a method to deploy these automatically (and run them) to each workstation?

You can update off-line (http://files.avast.com/iavs4pro/vpsupd.exe) but, of course, this will need to be applied to each workstation... Do you have a method to deploy these automatically (and run them) to each workstation?
I might have been able to do that, but the files avast quarantined needed to be on the computers anyway, so this is what I finally did:

I disabled the standard shield so I could push those files to the remote computers and update Avast: under “On Access Scanning Tasks” I changed the Default Resident Task to not include the standard shield, and then waited for it to take effect. After waiting, I copied the files manually to the remote computers (because restoring them from the chest didn’t work) and updated Avast.

I’m glad we got this one resolved! Thanks for all of your help, guys!

Thanks for the feedback; only sorry we couldn’t have been more helpful.