False positive in Virtualbox image?

Avast 6 detected a virus “Civil - Defense 6672” in a Virtualbox .sav file.
As this file type is a compressed file, I think it’s a false positive.
Can I safely add this file to the exclusion list, or should I check it with another antivirus?

Upload the suspicious file(s) to www.virustotal.com and test with 44 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.

alternative
Jotti http://virusscan.jotti.org/en
VirSCAN http://virscan.org/
Metascan http://www.metascan-online.com/

The file is very big (1GB) and probably contains sensitive information.

Hi marziano_mork,

Why don’t you use the search function here and then you would have stumbled upon this thread about your issue: http://forum.avast.com/index.php?topic=50054.0
Write-up on this virus: http://www.symantec.com/security_response/writeup.jsp?docid=2000-122011-5347-99&tabid=2 (link source: symantec security response)
Did you experience a stop error and a BSOD?
There is also this info on the Russian forum: http://www.avsoft.ru/forum/read.php?FID=31&TID=369
Try to put the memory dump file into the chest.
Try to run DrWeb’s CureIT, download from http://majorgeeks.com/downloadget.php?id=4783&file=1&evp=ef9669e4f16e6e75d95abcde8f88163d
But I think you have to wait for the assistance of essexboy with a run of RSIT and ATF Cleaner as well. Wait until he appears and he will tell you what to do.

polonus

I didn’t experience any error or strange behavior.
Most of my VirtualBox .sav files, if checked with Avast, are detected as a virus, so I doubt that the antivirus is able to correctly scan this compressed file.
I also discovered that .sav files are created when the VM is suspended (a sort of VM memory dump), so I can probably erase those files without corrupting my VM’s images; but I’m not sure about that.

Hi marziano_mork,

That is why you can temporarily put them into the chest, later you can recreate/restore them from there.
But I rather wait for what essexboy has to say on the issue. Did you do a scan with DrWebCureIt? Did it flag it also?

polonus

I scanned them with Avira antivir and it found no virus.

You can exclude them from scan (it will have a minor -good- impact on performance of your VM too).
Even if there are malware in memory of your VM and avast detect it from there, you are safe, that malware cannot affect your host machine.

The integrity of the guest system (VM) is also important for me, because I set up a particular environment (Eclipse, JDK, …) to write Java programs, and I don’t want to lose my work.
In the guest system (Windows XP), Avira antivir is installed and it has never detected an in-memory virus yet. Should I install Avast on the guest system too and make a full scan?

It does sound like a false positive as this is a very old type of infection that I have not seen for years

Probably, it does.
It does seem Avast has some problem with .vdi and .sav files too.

I have just installed Windows 8 on VirtualBox, I will scan it.

I’m with essexboy, I think that’s a FP, so I think there is no need to bother changing your AV in the guest system; solve the problem where the FPs come up.

At the end, I added Virtualbox .sav files to the Avast exclusion list. :wink:

I scanned another .sav file (not added to the exclusion list) and this time the virus found is:
Suela-1042 >:(

Hi marziano_mork,

That is a FP because you scan with both avira resident and avast resident. There is no such virus but the one scanner is detecting the other av solution’s signatures. You are never to use two resident av scanners at one time. So either scan with avast when you have uninstalled avira or v.v.
See: http://forum.avast.com/index.php?topic=35083.0

polonus

Hi polonus,
I scanned a .sav file (a memory dump of a running guest VM) while the guest machine was off;
so only avast was running.
However as the Avira Antivir was running when I suspended the VM, I suppose that the created .sav file contained the in-memory loaded Antivir signatures too, so probably that’s the problem.
Thanks for the help.
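The mechanism described in this thread (a suspended guest's RAM image carrying the guest AV's loaded signature table, which the host scanner then matches on) as an added Python illustration; this is not avast, avira or VirtualBox code, the signature bytes and the snapshot are constructed stand-ins, and the chunked scan also shows how a 1 GB .sav can be scanned without reading it whole.

```python
import io

# Constructed placeholder patterns standing in for real AV signatures
# (vendor signature bytes are not on the page; these are made up).
HOST_AV_SIGNATURES = {
    "Suela-1042": b"\xeb\x1a\x90SUELA.1042\xcd\x21",
    "Civil-Defense-6672": b"CIVIL-DEFENSE\x66\x72\xcd\x13",
}

def build_guest_snapshot() -> bytes:
    """Constructed stand-in for a VirtualBox .sav: guest RAM that holds the
    guest's resident AV signature table, but no executable virus code."""
    filler = bytes(range(256)) * 64                      # 16 KiB of plain data
    table = b"".join(b"SIG:" + n.encode() + b"=" + p + b";"
                     for n, p in HOST_AV_SIGNATURES.items())
    return filler + b"[guest-av-db]" + table + filler

def scan_stream(stream, signatures, chunk_size=4096):
    """Chunked signature scan (a 1 GB .sav should not be read whole).
    Keeps an overlap of longest-signature-1 bytes so a pattern that
    straddles two chunks is still found; returns {(name, offset), ...}."""
    overlap = max(len(p) for p in signatures.values()) - 1
    hits, carry, consumed = set(), b"", 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return hits
        buf = carry + chunk
        buf_start = consumed - len(carry)
        for name, pattern in signatures.items():
            pos = buf.find(pattern)
            while pos != -1:
                hits.add((name, buf_start + pos))    # set dedups overlap re-finds
                pos = buf.find(pattern, pos + 1)
        consumed += len(chunk)
        carry = buf[-overlap:] if overlap else b""

def context_before(data: bytes, offset: int, width: int = 24) -> bytes:
    """Bytes just before a hit; for the snapshot above this shows the
    'SIG:<name>=' label, i.e. the match sits inside a signature table."""
    return data[max(0, offset - width):offset]

def triage_snapshot(snapshot: bytes, chunk_size: int = 4096) -> dict:
    """Scan the snapshot and tag each hit 'signature-table' when the bytes
    before it carry the guest AV's 'SIG:' label (the false-positive case)."""
    hits = scan_stream(io.BytesIO(snapshot), HOST_AV_SIGNATURES, chunk_size)
    return {name: ("signature-table" if b"SIG:" in context_before(snapshot, off)
                   else "unknown") for name, off in hits}
```

Both "viruses" are reported although the image contains only the other scanner's signature table, which is why excluding the .sav files (or scanning with only one resident AV) is the fix rather than the guest being infected.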

Haven’t had the time to create a sav file yet - will try to do it tomorrow

Hi marziano_mork,

What you suggest in your previous posting is a very likely scenario, but it cannot be proven from the name of the find Suela-1042 = avast; Suela-1042 = avira
So we have to wait for essexboy’s verdict of a conflict possible with the Virtualbox scan…

Aliases
Virus.DOS.Suela.1042 (Kaspersky Lab) is also known as:

Suela.1042 (Kaspersky Lab)
Virus: Suela.1042 (McAfee)
Suel-1042 (Sophos)
Suela.1042.B (Panda)
Suela.1042.B (FPROT)
Virus:DOS/Suela_1042.A (MS(OneCare))
Suela.1042 (DrWeb)
unknown CRYPT.TSR.COM.EXE virus (Nod32)
Suela.1042.B (BitDef7)
Suela-1042 (AVAST)
Virus.DOS.SillyRE.360 (Ikarus)
Suela-1042 (AVIRA)
Suela.1042 (NAI)
SUELA.1042 (PCCIL)
Unknown (Rising)
SUELA.1042 (TrendMicro)
(source: http://www.securelist.com/en/descriptions/old10434)

polonus

OK, so we wait for essexboy’s further investigation. :slight_smile: