Using avast home 4.8.1229 with virus def file 080916-0
My PC has been powered down and off the net for 3 weeks while on vacation. Got back today (Sept 17), updated the virus def file and did a scan. It turned up the following:
agenth.dll from C:\Program Files\RFA modified 2/11/2004 Win32:Amtis-M[trj]
and
A0051784.dll from a system restore location with the same modified date and trojan name.
A google shows agenth.dll being part of Registry First Aid (which fits with the file being in folder RFA).
I think I tried RFA once long ago but it is not installed on my PC any more. That fits with the file mod date of 2/11/2004.
Looks like a false positive to me, maybe associated with the updated virus definition file?
Whilst that google hit might well be correct, there is no guarantee it hasn’t been modified, so it is best to check.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
I would say that it is a very strong possibility, as GData also uses avast as one of its two scanners and eSafe is saying suspicious; normally this means a heuristic detection, which are more prone to false positives. So the file should be sent to avast for further analysis and probably correction of the VPS signature.
I emailed the file to avast directly out of the chest. I also extracted copies to a folder on a non-system disk and set up avast to ignore the folder. There have been one or two virus def updates since the detection happened, so I thought I would do a scan of the file I had extracted. I right clicked and chose scan. Something happened because a window popped up, but it was gone way before I could see any of it. I figured that meant the scan happened and was OK. But, always being over-cautious, I also did a scan from within the chest. That resulted in the virus detected warning. So I moved a copy to a non-excluded place, right clicked and scanned. Got the virus detected warning.
I guess the bottom line is that if a file is in a place excluded from the scanner, even a direct command to scan that file is ignored. I’m not sure I like that behavior but now I know. It would have been WONDERFUL if avast had generated a message that said that the scan was not performed and why. I didn’t find anything in the logs either.
If you are trying to scan it in the folder you excluded, it won’t work, scan the copy of the file that is in the avast Chest. This needs to be done from inside the chest, find the file and right click, select scan.
Almost a week has gone by since I sent the agenth.dll file for analysis. With today’s latest definitions (080925-0) the file in the virus chest still turns up as a virus (Win32:Amitis-M).
How do you know if the analysis has been done and what the outcome was?
It’s been almost a month now and the file (in the virus chest) still shows as a virus.
So, I guess it is. And I think I will not try installing Registry First Aid again as a test.
Just thought I’d try another online scanner (like Virus Total). So I scanned the agenth.dll file from Virus.org. The scan was 100% OK - no problem. Hmmmmm…? I noticed that avast! was one of the scanners they use but it was using an older virus def file (080821-0) whereas the def file I originally used was (080916-0). However, several of the other scanners at Virus.org were using much more up to date definitions.
I emailed the agenth.dll file (zipped and password protected) to avast on Oct 10 and now today (Oct 12) the file does not show up as a virus. I checked it in the virus chest. OK!
So, I think the original emailing, out of the virus chest, did not make it to avast. Here’s a message thread of mine where I describe why I think the message might not have made it to avast on the original attempt. (See msg #5 in the thread for details.) From now on I’m going to use the direct email method.
Personally I haven’t had any problems sending directly from the chest, but since we don’t even get an auto response acknowledging receipt, we don’t know if it was received and the same is true of sending conventionally.
So the only course of action is periodically scanning the file in the chest, which isn’t the best solution. There is a new submission process in development; what that is and when it will be implemented hasn’t been revealed.