Avast! v4.6 Home (fully updated) on WinXP Pro SP1 (fully updated except SP2, of course).
Using only the screensaver scanner of Avast!, scanning halts when process XXXX (exact PID changes with each new Windows session) is detected as the Virus/Worm Suela-1042.
Using Windows Task Manager identifies this running process as AVGUARD.EXE (AntiVir on-access scanner).
The file/process is legit as certified by numerous other products and even by the Avast! main on-demand and shell-extension scanners!
Bear in mind that Avast! is currently being used only in screensaver mode while AntiVir is being used only in on-access mode, so to my thinking they ought to be able to co-exist.
Since this is a running process being detected rather than a file on disk, apparently no action can be taken on it. It cannot be excluded from scanning and no actions are available after detection except the “OK” button which then shuts the Avast! virus alert dialog box and returns to the Windows desktop. Since scanning cannot continue, this makes the screensaver scanner essentially useless right now. This situation has only developed after a recent update of Avast! and/or AntiVir. The exact information given (in both the on-screen alert dialog and subsequent alert email is as follows:
avast! [COMPUTERNAME]: File “Process 1220, memory block 0x00E00000, block size 1572864” is infected by “Suela-1042” virus.
“Screen saver” task used
Version of current VPS file is 0518-5, 05/08/2005
While I AM a self-proclaimed computer security expert, I AM NOT an expert on Avast!, particularly the screensaver scanner mode. I have carefully checked all configurations and see no way for the end user to circumvent this situation.
The only solution that I can forsee is a correction to Avast!'s virus definition database so that it does not recognize the running process “AVGUARD.EXE” as malware.
If anyone has any other suggestions, I will eagerly eat some humble pie and try them out. Otherwise I hope that the authors of this fine program will make the necessary database correction.
Sincerely,
tgeer
p.s. Here is the complete version info for the AntiVir program that is being detected:
Build: 1035, 03/16/2005
Main Program: 6.30.00.17, 03/07/2005
AntiVir Guard Service: 6.30.00.06, 02/28/2005 (This appears to be the process being detected)
Control Program: 6.30.00.01, 02/17/2005
Search Engine: 6.30.00.12, 05/05/2005
AVREP.DLL: 6.30.00.160, 05/07/2005
Virus Definition File: 6.30.00.161, 05/07/2005