FP from incomplete p2p download files

(Avast! 4.8 home, Win XP SP3 (32 bit) using uTorrent 1.8.1)

I am getting a false positive report from Avast (I believe it is the P2P shield provider). I repeatedly receive the following warning:
File name: J:\video\Heroes.S03E08.LOL.HDTV.XviD [TheTorrentSource org].rar.!ut\Heroes.S03E08.LOL.HDTV.XviD\Heroes.S03E08.LOL.HDTV.XviD.exe\IRSARU~1.EXE
Malware name: Win32Fabot [trj]
Malware type: Trojan Horse
VPS version: 081103-0, 2008-11-03

The problem is that the actual file path ends with the “.rar.!ut”. Avast! is trying to analyze the archive (the .rar), but it is incomplete (as indicated by the .!ut [like .bc! in BitComet]). Either the uTorrent specific part of the provider should know about !ut or the p2p provider should obey a set of exclusion rules (such as that in the standard shield provider). The contents of the archive are supposed to be a single AVI file, but I have no proof of that.

I tried setting the exclusions in the on-demand scanner and the standard shield provider, but neither helps here. I tried excluding the directory, a partial directory, and the file name it thinks it found.

The file that avast! thinks is a Trojan Horse does not exist (it is an artifact of an incomplete archive). The Move/Rename, Delete, and Move to chest buttons do not help, because there is no file to move, rename, or delete. If I click No action, avast! does not learn that this file should be left alone (a bug) and finds the false file again the next time uTorrent accesses the file. My only available action appears to be to move the warning box to the edge of the screen and ignore it.

So, there are at least three bugs:

  1. Misinterpretation of an archive that is incomplete
  2. Ignoring the !ut in uTorrent and not providing a manual way to fix this
  3. Not remembering that a “No action” answer was given for a file, and repeatedly prompting for it.
  4. (possibly) Misreporting the Trojan Horse (the signature could exist)
  5. (possibly) Treating data outside the file as if it is inside the file.

I am not a newbie. I have used four other computer security systems in the past two months and I have specified security policy for more than one company. I would be interested in any suggestions you might have.

Martin Katz, Ph.D.

P.S.: Before I sent this message I received another Trojan Horse warning about BEncode Editor.exe. This is NOT a trojan horse and has been scanned by three other antivirus programs (NAV, ESET, and COMODO). It is a utility for low-level editing of the equivalent of compressed XML files (used for BitTorrent p2p). I do not know which part of avast! found this file (the on-demand scan hasn’t gotten to that partition yet).

Not true. Wait for the download to complete (possibly pausing the P2P provider) - and you’ll see that the detection is correct.

What exactly did you enter into the Standard Shield exclusions? I’m not 100% sure about it, but I think it should work…

That’s right, the “No action” is one-time only - if the file is accessed another time, it will be detected again.

Win32:Fabot is algorithmic detection, which is applied only to complete valid PE files (under a maybe incomplete rar in this case, but that doesn’t matter) and I’m quite sure there’s something fishy inside the archive…

Thank you Igor,

You are correct. WinRAR thinks the file is in there (I don’t know if it would be in there if the archive was complete). I think the real problem is that the entire file could not be moved to the chest (it was open) and there is no way to remove a file from an incomplete RAR without corrupting the RAR.

As to exclusions, I tried everything from excluding the name of the file to excluding the highest level directory (L:\video*). I always ask AV software to ignore !UT extensions, so I assume that the archive should have been ignored. Again, I don’t know which of the providers was triggering the file review in the service, so I don’t know whether the exclusions in the standard shield would apply.

At this point, I have removed avast! from my computer. It appeared to be interfering with uploads (seeding) from my P2P program. Also, the service was using too much CPU time (I have an older, slower computer).

Thank you for your help
Martin Katz, Ph.D.
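
The incomplete-archive case discussed above (the scanner reads a .rar that is still downloading, and the file header already names an entry whose packed data has not arrived yet) can be checked without decompressing anything. The Python below is an added example, not code from this thread or from avast!/uTorrent: it walks the RAR 4.x block chain, collects the file names the archive claims to hold, and reports whether the archive is truncated; the sample archive it builds is constructed inline and its header CRCs are left zero, which is an assumption the walker tolerates because it never verifies them.

```python
import struct

RAR4_MARKER = b"Rar!\x1a\x07\x00"
ARCHIVE_HDR, FILE_HDR, END_HDR = 0x73, 0x74, 0x7B

def rar4_status(data: bytes) -> dict:
    """Walk RAR 4.x block headers and report whether every block, including each
    file's packed data, is present. Returns {"status": ..., "files": [...]} where
    status is "complete", "truncated", "no_end_block" or "not_rar"."""
    if not data.startswith(RAR4_MARKER):
        return {"status": "not_rar", "files": []}
    pos, files = 0, []
    while pos < len(data):
        if len(data) - pos < 7:                 # common 7-byte header cut short
            return {"status": "truncated", "files": files}
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:                           # nonsense header size; cannot advance safely
            return {"status": "truncated", "files": files}
        add_size = 0
        if flags & 0x8000:                      # LONG_BLOCK: 4-byte ADD_SIZE (PACK_SIZE for files)
            if len(data) - pos < 11:
                return {"status": "truncated", "files": files}
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        if htype == FILE_HDR and hsize >= 32:   # name is listed before its data is checked:
            name_size = struct.unpack_from("<H", data, pos + 26)[0]   # this is what an AV "sees"
            name_off = pos + 32 + (8 if flags & 0x100 else 0)        # LHD_LARGE adds 64-bit sizes
            files.append(data[name_off:name_off + name_size].decode("latin-1", "replace"))
        block_end = pos + hsize + add_size
        if block_end > len(data):               # header or packed data runs past end of file
            return {"status": "truncated", "files": files}
        if htype == END_HDR:
            return {"status": "complete", "files": files}
        pos = block_end
    return {"status": "no_end_block", "files": files}   # older archives may omit the end block

def build_sample_rar(payload: bytes, name: bytes = b"video.avi") -> bytes:
    """Constructed RAR 4.x archive holding one stored file (method 0x30).
    Header CRCs are zero; rar4_status does not verify them."""
    archive_hdr = struct.pack("<HBHH", 0, ARCHIVE_HDR, 0, 13) + b"\x00" * 6
    file_hdr = struct.pack("<HBHHIIBIIBBHI", 0, FILE_HDR, 0x8000, 32 + len(name),
                           len(payload), len(payload), 2, 0, 0, 29, 0x30, len(name), 0x20) + name
    end_hdr = struct.pack("<HBHH", 0, END_HDR, 0, 7)
    return RAR4_MARKER + archive_hdr + file_hdr + payload + end_hdr

if __name__ == "__main__":
    full = build_sample_rar(b"\x00" * 100)
    print(rar4_status(full))          # {'status': 'complete', 'files': ['video.avi']}
    print(rar4_status(full[:-30]))    # the .!ut case: 'truncated', but 'video.avi' is already named
```

A scanner or exclusion rule that consults a check like this before unpacking would know the entry is not yet scannable rather than treating a half-downloaded member as a real file.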

You should disable adding the !ut extension on incomplete bittorrent downloads