[FALSE POSITIVE?] Trusted Installer Service identified as rootkit

Hello,

I’m using AIS 5.0.545 with defs 100608-1 under Vista SP2. I was installing Microsoft patches a few minutes ago for this Patch Tuesday. During the installation Avast notified me that the Trusted Installer service is acting like a rootkit, asking me to block or ignore. I chose Ignore to permit Windows Update to finish the installation correctly; a full system scan states that my system is clean.
Could it be a false positive? Windows Update was installing, if I remember correctly, the monthly anti-malware package (I can’t remember the name)… maybe a conflict?

Thanks a lot and best regards.

Simon

It could be an FP; I believe there has been something about Trusted Installer before.

I think that the default option is Ignore, but it should also give the option to send data on the detection to avast (?); if so, allow this to be sent on the next update.

Hi David,

There was no option in the avast warning message to identify the blocked behaviour as an FP and send it to Avast. By the way, I’ve got Avast Community enabled, so I think that Avast will send something useful in the next update session. Let me know if I can help you with other information.

Simon

Obviously I can’t speak from experience, as I personally haven’t had one of these alerts and I use Windows Update, but on XP Pro. What scan was it that detected this, about 8 minutes after boot, as part of an on-demand scan (which one) or something else?

Was the alert like the one in the image? It does mention allowing the submission, yet doesn’t have any yes/no option I can see. If so, there is an Advanced option; I don’t know whether that gives the option to submit the file or not, as I haven’t had one of these alerts.

The avast community function does report information on alerts, but I don’t know if it would send the file or how much data.

The alert is very similar to the one you posted as a gif image; I opened the Advanced tab, but there was no option to signal the FP event. It was detected, I suppose, at runtime by one of the runtime protection shields. After the alert I did a full scan, but the system was clean.

I suspect that the behaviour shield could be the problem. Please let me know if I can send some logs, registry values or other information directly to the developers.

Simon

P.S. As of today I’ve got no other alerts from avast

Well, it isn’t specifically being sent as an FP, but allowed to be sent for further analysis.

If it is similar to this image, then it is most certainly the anti-rootkit module, as the other alerts are quite different and do give a direct option to report as an FP; see the image of a File System Shield alert…

You can check C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\log\aswAr.log, though that is replaced daily or when a rootkit scan is initiated.
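Before writing an anti-rootkit alert on TrustedInstaller off as a false positive, it is worth confirming that the service really does point at Microsoft's own binary. The script below is an added example and is not part of the thread or of avast; it reads the service's ImagePath from the registry instead of assuming a path, compares it with the expected location (assumed here to be %SystemRoot%\servicing\TrustedInstaller.exe), checks the Authenticode signature, and prints the tail of aswAr.log from both the XP path quoted above and an assumed Vista equivalent under C:\ProgramData. It needs PowerShell, which is an optional install on Vista and XP.

```powershell
# Added example, not from the thread: verify that the "TrustedInstaller"
# flagged by the anti-rootkit module is the genuine Windows Modules Installer.
# Assumptions: the binary lives under %SystemRoot%\servicing, and the XP log
# path from the thread maps to C:\ProgramData on Vista.

$svc = Get-Service -Name TrustedInstaller -ErrorAction Stop
"Service: {0} ({1}) - status {2}" -f $svc.DisplayName, $svc.Name, $svc.Status

# Resolve the binary the service actually runs, rather than assuming a path
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\TrustedInstaller'
$imagePath = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
$exe = [Environment]::ExpandEnvironmentVariables($imagePath.Trim('"'))
"ImagePath: $exe"

# Expected location (assumption): %SystemRoot%\servicing\TrustedInstaller.exe
$expected = Join-Path $env:SystemRoot 'servicing\TrustedInstaller.exe'
if ($exe -ne $expected) {
    Write-Warning "ImagePath differs from the expected location ($expected)"
}

# Authenticode check. Caveat: PowerShell before 5.1 does not consult the
# Windows catalog, so a catalog-signed system file can report NotSigned here;
# in that case verify it with Sysinternals sigcheck.exe (sigcheck -i <file>).
$sig = Get-AuthenticodeSignature -FilePath $exe
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
"Signature: {0}; signer: {1}" -f $sig.Status, $signer
if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
    Write-Warning 'No valid Microsoft signature found - do not assume a false positive'
}

# Show the tail of the anti-rootkit log if present. It is overwritten daily,
# so capture it soon after the alert. Both the XP path from the thread and
# the assumed Vista equivalent are tried.
$logs = @(
    'C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\log\aswAr.log',
    'C:\ProgramData\Alwil Software\Avast5\log\aswAr.log'
)
foreach ($log in $logs) {
    if (Test-Path $log) {
        "--- last 20 lines of $log ---"
        Get-Content -Path $log | Select-Object -Last 20
    }
}
```

Run it from an elevated PowerShell prompt. A genuine Modules Installer shows the expected ImagePath and a Microsoft signer; an ImagePath elsewhere on disk, or a binary that does not verify even with sigcheck, is a reason to keep the alert as Block rather than Ignore and to submit the file for analysis.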